RE: AD replication over WAN

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 01/24/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: "'Kim, Anthony'" <anthony.kim@vwcredit.com>, "'Deus, Attonbitus'" <Thor@HammerofGod.com>, "'Jim Harrison (SPG)'" <jmharr@microsoft.com>, "'Valentine M. Smith'" <vmsmith@grokking.org>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Jan 2003 12:56:21 -0500

    Yes. This is because the File Replication Service requires a synchronous
    transport mechanism for its replication. Since FRS is responsible for
    replication of group policies and scripts (not to mention DFS, but that's
    another discussion), and since those are domain-specific in terms of their
    storage, you cannot replicate a domain partition via SMTP.

    With that said, in all of the AD implementations I've seen or worked on, I
    know of only one that used SMTP replication, and it was for a highly
    specialized and unique purpose. Generally speaking, if an environment is
    such that SMTP replication would be necessary, then it is probably also an
    environment that would better lend itself to placing the remote site in its
    own forest altogether.

    Laura

    > -----Original Message-----
    > From: Kim, Anthony [mailto:anthony.kim@vwcredit.com]
    > Sent: Monday, January 13, 2003 1:59 PM
    > To: 'Deus, Attonbitus'; Jim Harrison (SPG); Valentine M.
    > Smith; focus-ms@securityfocus.com
    > Subject: RE: AD replication over WAN
    >
    >
    > Interesting discussion.
    >
    > Reminded me of this helpful little thing:
    > http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
    >
    > Also, is it still the case that replication via SMTP
    > transport can only be used for INTER-domain replication and
    > not for INTRA-domain replication?
    >
    >
    > -----Original Message-----
    > From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    > Sent: Monday, January 13, 2003 10:03 AM
    > To: Jim Harrison (SPG); Valentine M. Smith; focus-ms@securityfocus.com
    > Subject: RE: AD replication over WAN
    >
    >
    >
    > At 06:43 PM 1/12/2003, Jim Harrison (SPG) wrote:
    > >Given that the replication path (port/protocol) is well-defined and
    > >generally understood, it also makes sense that they could also provide a
    > >"door" to your AD controllers for those who wish to do you harm for no
    > >apparent reason.
    > >
    > >With that in mind, it seems clear to me that a site-to-site VPN is not
    > >only preferable, it's mandatory.
    > >
    >
    > Agreed - IP or RPC based replication should be via a VPN tunnel. You
    > could, however, use SMTP as a replication transport, in which case
    > certificates would be required and all replication information would be
    > encrypted without the need to open up the DCs directly.
    >
    > AD
    >
    >
    >
    >
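The two operational points in this thread, that an SMTP site link can carry only the non-domain partitions (schema, configuration and global catalog partial replicas) while domain partitions and FRS-replicated SYSVOL need RPC over IP, and that the RPC/IP links crossing a WAN should sit inside a site-to-site VPN, can be turned into a quick inventory. The script below is an added example and not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later) on a domain-joined administrative host, and it reports every site link by transport so the IP links that must be tunnelled stand out.

```powershell
# Added example: inventory inter-site replication links by transport.
# Assumes the ActiveDirectory module is available (not part of the thread).
Import-Module ActiveDirectory

function Get-SiteLinkTransportReport {
    $links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes
    foreach ($link in $links) {
        # Site links live under CN=IP or CN=SMTP beneath CN=Inter-Site Transports;
        # the parent container is the reliable indicator of the transport in use.
        $transport = if ($link.DistinguishedName -like '*CN=SMTP,CN=Inter-Site Transports*') { 'SMTP' } else { 'IP' }

        # SitesIncluded holds site DNs (CN=<site>,CN=Sites,...); keep only the site name.
        $sites = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', '

        $note = if ($transport -eq 'SMTP') {
            'schema/configuration/GC partial replicas only; domain partitions and SYSVOL (FRS) cannot use this link'
        } else {
            'RPC over IP; carries domain partitions and SYSVOL, so this path belongs inside the site-to-site VPN'
        }

        [pscustomobject]@{
            Name      = $link.Name
            Transport = $transport
            Sites     = $sites
            Cost      = $link.Cost
            Minutes   = $link.ReplicationFrequencyInMinutes
            Note      = $note
        }
    }
}

# Sorted so the IP links, the ones that need a tunnel across the WAN, are grouped together.
Get-SiteLinkTransportReport | Sort-Object Transport, Name | Format-Table -AutoSize
```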