
Controlling AD Replication due to firewalls



  • stephenmbell
    Member
    #624838

    Hello all —

    I have a rather small AD environment, but there are some firewalls between some of my DCs. As a result, I would like to know the best way to control the flow of replication.

    I’ve got 1 forest, 3 domains – 1 parent, 2 children. The parent domain is for my corporate infrastructure – call that company.pri. I’ve got a child domain that is for all of my retail (POS) systems across 400 locations – retail.company.pri. Because of the retail nature of our business, and PCI requirements, I have a second child domain – ops.company.pri – for other (non-POS) systems in our retail locations.

    In the root domain, there are 5 domain controllers spread across 3 AD sites: Corp (2), Warehouse (2), DR (1).

    In the retail domain, there are 3 domain controllers spread across 2 AD sites: Retail (2), DR (1).

    In the ops domain, there are 3 domain controllers spread across 2 AD sites: Retail (2), DR (1).

    Retail DCs and Ops DCs are in the same AD site because of subnets. Each retail location is a /24 network – think 172.17.100.0/24. Within each /24, the network is broken into /26 subnets. The retail domain is the first /26 and the ops domain is the second /26. In my AD site, I have 1 large subnet tied to the Retail AD site – 172.17.0.0/15. I’m not sure if it would be better or worse to split the large subnet into 800 /26 subnets and break retail and ops into their own sites.

    Ideally, I think for security it makes sense to segment our network so that ops systems cannot communicate with retail DCs. This would involve preventing replication between the retail and ops domains directly (they are in the same site).

    I’ve got a firewall between the Corp AD site and the Retail AD site, a firewall between the retail DCs and the ops DCs within the Retail site, firewalls between Corp and DR, Warehouse and DR, and Retail and DR, and another between the corp DC / retail DC / ops DC in the DR site.

    Everything I’ve read says: YOU ARE NOT SMARTER THAN THE KCC when it comes to replication and resiliency. I believe them. I’m probably not. However, the KCC does not know about my firewalls and security requirements.

    How would you tackle this?

    Thanks
    Steve
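
The "split the /15 into per-location /26 subnets and give retail and ops their own sites" option from the post, as an added example that is not part of the original thread: it enumerates the first and second /26 of every /24 in the /15 containing 172.17.0.0 (172.16.0.0–172.17.255.255), maps them to two sites, and creates the missing AD subnet objects. The site names Retail-POS and Retail-Ops are assumptions; the post does not name them.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is available and the two sites already exist.
Import-Module ActiveDirectory

$RetailSite = 'Retail-POS'   # assumed site name for retail.company.pri DCs
$OpsSite    = 'Retail-Ops'   # assumed site name for ops.company.pri DCs

# Build the subnet-to-site plan. Each location is a /24; per the post, the
# first /26 (x.x.x.0/26) is POS and the second /26 (x.x.x.64/26) is non-POS ops.
# The /15 that contains 172.17.0.0 spans second octets 16 and 17.
function Get-LocationSubnetPlan {
    param([int[]]$SecondOctets = 16..17)
    foreach ($b in $SecondOctets) {
        foreach ($c in 0..255) {
            [pscustomobject]@{ Subnet = "172.$b.$c.0/26";  Site = $RetailSite }
            [pscustomobject]@{ Subnet = "172.$b.$c.64/26"; Site = $OpsSite }
        }
    }
}

# Create any subnet object that does not yet exist and bind it to its site.
# Run with -WhatIf first to review the 1024 planned objects before committing.
function New-LocationSubnets {
    param([switch]$WhatIf)
    foreach ($entry in Get-LocationSubnetPlan) {
        $existing = Get-ADReplicationSubnet -Filter "Name -eq '$($entry.Subnet)'"
        if (-not $existing) {
            New-ADReplicationSubnet -Name $entry.Subnet -Site $entry.Site -WhatIf:$WhatIf
        }
    }
}

New-LocationSubnets -WhatIf
```

Subnet-to-site mapping steers which DCs clients locate and authenticate against; the DC-to-DC replication connections the KCC builds still follow the site-link topology, so the firewall rules between sites must allow the paths the KCC chooses.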
