Which Firewall Ports Must Be Open for 2008 AD Replication
Views: 7300
Published: 2019-06-30


Domain controllers need to replicate with each other. If a firewall sits between them, which ports have to be opened? A TechNet wiki explains this clearly; the following are some excerpts, shared here for reference.
Introduction

Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

  • Initially promoting a server to a domain controller.

  • Replicating traffic between domain controllers.

Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations—schema, configuration, and global catalog replication, but not domain naming context—limiting its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter networks and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

  • Open the firewall wide to permit RPC's native dynamic behavior.

  • Limit RPC's use of TCP ports and open the firewall just a little bit.

  • Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that.

Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.


Full Dynamic RPC

  Pros                               Cons
  No special server configuration    Turns the firewall into "Swiss cheese"
                                     Random incoming high-port connections
                                     Insecure firewall configuration

Although configuring your environment to work this way is certainly possible, there are plenty of reasons not to do it—most importantly—it results in an insecure network. It does, however, require the least amount of configuration work.

To enable replication over dynamic RPC, configure your firewall to permit the following.

  Service                                                    Port/protocol
  RPC endpoint mapper                                        135/tcp, 135/udp
  Network basic input/output system (NetBIOS) name service   137/tcp, 137/udp
  NetBIOS datagram service                                   138/udp
  NetBIOS session service                                    139/tcp
  RPC dynamic assignment                                     1024-65535/tcp
  Server message block (SMB) over IP (Microsoft-DS)          445/tcp, 445/udp
  Lightweight Directory Access Protocol (LDAP)               389/tcp
  LDAP ping                                                  389/udp
  LDAP over SSL                                              636/tcp
  Global catalog LDAP                                        3268/tcp
  Global catalog LDAP over SSL                               3269/tcp
  Kerberos                                                   88/tcp, 88/udp
  Domain Name Service (DNS)                                  53/tcp (1), 53/udp

  (1) TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.

For a reference of Windows port requirements, see:

KB 832017, Service overview and network port requirements for the Windows Server system

It is that "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as "TCP high ports," the rule needs to permit inbound traffic on any port above 1024. If your firewall permits this, there is very little reason even to have a firewall.
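As an added example (not part of the TechNet article or this blog), the following PowerShell check probes the fixed TCP ports from the table above from one domain controller toward its replication partner and reports which ones do not answer; $PeerDc is a placeholder for the partner's name or address. The dynamic 1024-65535/tcp range is deliberately left out, since a probe cannot prove a range is open and the article's point is that it should not be.

```powershell
# Added example: probe the fixed TCP replication ports toward a peer DC.
# $PeerDc is a placeholder for the replication partner's hostname or IP.
param(
    [Parameter(Mandatory = $true)][string]$PeerDc
)

# Fixed TCP ports from the "Full Dynamic RPC" table. The UDP entries
# (135, 137, 138, 389, 88, 53) cannot be tested with Test-NetConnection,
# and the 1024-65535/tcp dynamic range is intentionally not probed.
$fixedTcpPorts = [ordered]@{
    135  = 'RPC endpoint mapper'
    137  = 'NetBIOS name service'
    139  = 'NetBIOS session service'
    445  = 'SMB over IP (Microsoft-DS)'
    389  = 'LDAP'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog LDAP'
    3269 = 'Global catalog LDAP over SSL'
    88   = 'Kerberos'
    53   = 'DNS (zone transfers and answers over 512 bytes)'
}

# A failed probe means either the firewall drops the port or nothing is
# listening on the peer (a plain TCP connect cannot tell the two apart).
$results = foreach ($port in $fixedTcpPorts.Keys) {
    $reachable = Test-NetConnection -ComputerName $PeerDc -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Service   = $fixedTcpPorts[$port]
        Reachable = [bool]$reachable
    }
}

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} of {1} fixed replication ports did not answer from {2}" -f `
        $blocked.Count, $results.Count, $PeerDc)
}
```

Run it from each DC toward each partner, since firewall policy is often asymmetric and a port open in one direction may be closed in the other.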

If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.

This article is reposted from VirtualTom's 51CTO blog; original link: http://blog.51cto.com/virtualtom/592255. For reposting, please contact the original author.
