1. Prepare ports for RODC-to-writeable domain controller communication.
The choice of which ports to open depends in part on your decisions about:
a. Which authentication method to use for IPsec communication: certificates or the Kerberos authentication protocol.
b. Whether DNS updates are to be performed directly by client computers in the perimeter network or by a DHCP server.
2. Configure domain-based IPsec policy to enable communication between writeable domain controllers and RODCs after the RODC is placed in the perimeter network.
You must make a choice between certificates and the Kerberos protocol. Certificates eliminate the requirement for Kerberos port 88 to be open on the firewall. For more information about certificates, see Certificates (https://go.microsoft.com/fwlink/?LinkId=136020) and Certificate stores (https://go.microsoft.com/fwlink/?LinkId=136019).
For example, you might:
a. Modify IPsec policy settings in Group Policy that applies to the domain controllers that must communicate with IPsec.
b. Use the settings and methods in the following table.
| Encryption | Integrity | Diffie Hellman |
| --- | --- | --- |
| 3DES | SHA1 | |
| 3DES | MD5 | |
| DES | SHA1 | |
| DES | MD5 | |
IPFILTER: Ensure that the IP filter encompasses the writable domain controllers and the RODC that is being promoted.
AUTHENTICATION: Add Certificate as an authentication mechanism and select the root certification authority (CA) for your enterprise. Ensure that the certificate method has priority over Kerberos authentication.
FILTER ACTION: Set the security methods Integrity Only and Integrity and Encryption. Select the Fall back to unsecured communication if secure not established check box.
When the settings are in place, mark the policy as assigned.
3. Prepare the certificate store on the RODC:
a. Import the Root CA from the corporate CA into the Computer certificate store under Trusted Root CAs.
b. Import the IPsec CA from the corporate CA into the Computer certificate store under Personal Certificates.
4. Create a local IPsec policy on the computer that will become the RODC. The policy should include the following:
a. An appropriate IPFILTER to specify communication between the RODC and writeable domain controllers
b. The AUTHENTICATION method set to Certificates with the Corporate Root CA cert specified
c. The FILTER ACTION that specifies methods and configuration that match the domain-based IPsec policy
5. Assign the local IPsec policy, and test that communication between the RODC and the writeable domain controller is successful.
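As an added example that is not part of the original article, the following script expresses the certificate-authenticated policy of steps 2 and 4 (and the checks of steps 3 and 5) with the NetSecurity cmdlets of Windows Server 2012 and later, instead of the IP Security Policy snap-in the article describes. The addresses, the CA subject name and the GPO policy store path are placeholders you would replace with your own.

```powershell
# Added example, not the article's own procedure. Addresses, CA name and GPO path are placeholders.
param(
    # 'PersistentStore' = local policy on the RODC (step 4); for the domain GPO of step 2 use the
    # form 'corp.example\DC IPsec Policy' (domain FQDN \ GPO display name).
    [string]$PolicyStore = 'PersistentStore',
    [string[]]$WritableDCs = @('10.0.0.10', '10.0.0.11'),        # placeholder writable DC addresses
    [string]$RodcAddress = '192.168.100.5',                       # placeholder RODC address
    [string]$RootCA = 'CN=Corp Root CA, DC=corp, DC=example'      # placeholder enterprise root CA subject
)

# Step 3 check: the root CA must be in Trusted Root CAs and a machine certificate issued under it
# must be in Personal, or certificate authentication fails and Request mode falls back to clear text.
$root      = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCA }
$ipsecCert = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Issuer -eq $RootCA -and $_.HasPrivateKey }
if (-not $root -or -not $ipsecCert) {
    throw 'Root CA or IPsec machine certificate is missing from the computer store (step 3).'
}

# AUTHENTICATION: certificate is the only proposal, so it has priority over Kerberos and port 88 stays closed.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCA -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'RODC certificate auth' -Proposal $certAuth -PolicyStore $PolicyStore

# FILTER ACTION: "Integrity and Encryption" (3DES/SHA1 from the table) and "Integrity Only" (ESP, SHA1, no encryption).
# DES and MD5 appear in the article's table but are deprecated, so they are not offered here.
$encProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$intProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption None
$cryptoSet   = New-NetIPsecQuickModeCryptoSet -DisplayName 'RODC quick mode' -Proposal $encProposal, $intProposal -PolicyStore $PolicyStore

# IPFILTER: only RODC <-> writable DC traffic. Request = "fall back to unsecured communication if
# secure not established"; switch both to Require once step 5 shows SAs forming.
New-NetIPsecRule -DisplayName 'RODC to writable DCs' -PolicyStore $PolicyStore `
    -LocalAddress $RodcAddress -RemoteAddress $WritableDCs -Mode Transport `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $cryptoSet.Name `
    -InboundSecurity Request -OutboundSecurity Request

# Step 5 test: generate traffic to a writable DC (LDAP), then confirm main mode SAs exist with it.
Test-NetConnection -ComputerName $WritableDCs[0] -Port 389 | Out-Null
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -in $WritableDCs }
```

An empty result from Get-NetIPsecMainModeSA while LDAP still succeeds means the fallback to unsecured communication is in effect, which is the condition to resolve before moving the rule to Require.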