authenticate from DMZ through firewall - limit to 1 DC?

Discussion in 'Active Directory' started by Jbrady33, Oct 8, 2008.

  1. Jbrady33

    Jbrady33 Guest

    Hi All, quick overview of what I'm being asked to do:

    DMZ has several servers that need to authenticate to domain through Cisco
    firewall. We have a large network with 70 DC's, I want to limit these DMZ
    servers to always use 2. Not just suggest a preference with the site setup,
    but completely limit to these 2 DCs. (The firewall will only allow
    communication to these two servers.) Any suggestions?

    Disclaimer - I know one proper way to do this would be a separate domain in
    the DMZ with its own login servers and a one way trust back to my domain,
    but that has fallen on deaf ears with the people who didn't plan this
    properly and want it NOW :)
    Jbrady33, Oct 8, 2008
  2. Danny Sanders, Oct 8, 2008
  3. Jorge Silva

    Jorge Silva Guest

    As Danny suggested, use IPSec for communication. To have servers at DMZ use
    the 2 DCs in question, create a Site and move the 2 DCs inside that site,
    assign the proper subnet, then assign the DMZ subnet where the servers are to
    that site where the 2 DCs are.

    By default the servers will attempt to use those 2 DCs for authentication
    because the subnet is within the same site.

    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Jorge Silva, Oct 8, 2008
  4. Jbrady33

    Jbrady33 Guest

    All good stuff, but I don't believe either of these will forbid or force
    authentication to a specific DC if the client can see the DNS records of the
    other DC's. (The site in question has 5 DCs, the DMZ itself does not yet
    belong to a site at all)

    What about LdapSrvPriority and LdapSrvWeight registry values? Any help there?
    Jbrady33, Oct 8, 2008
  5. gordonah

    gordonah Guest

    the weight value is a simple load balancing mechanism, which won't help in
    your case as some calls will still go to other DCs (unless their weights are
    all set to 0?).

    Priority could help, as if the two DCs you want to use have a higher
    priority than other DCs, then they will always be used. However, as DNS is
    replicated all client/servers using this site will use the two DCs at the
    expense of the other three.
    One note re priority. The default value of 0 represents the highest
    priority, so you lower the value of other DCs rather than increase the value
    of the ones you want to use.

    In the absence of the DCs the DMZ servers expect to use, they will try and
    use others (directed via DNS response), even if they can't 'see' them on the

    Jorge's suggestion above seems to me to be the most efficient way. The site
    coverage of the two DCs in the new site for the DMZ could also be configured
    to register as available in the original site as well (assuming load from DMZ
    servers is quite light).

    gordonah, Oct 9, 2008
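Added example, not code from the thread or from any of its posters: a small Python simulation of RFC 2782 SRV record selection, which is what the _ldap._tcp records that LdapSrvPriority and LdapSrvWeight feed are consumed with. It assumes the DC locator follows RFC 2782 closely (real behaviour may differ in detail), and the DC names, weights and priorities are constructed. It shows the three points made above: weights alone still send some lookups to the other three DCs, a lower priority value keeps the two chosen DCs in use while they are reachable, and when they are unreachable the client falls back to the rest.

```python
"""Added example, not from the thread: simulate a client that follows
RFC 2782 when choosing among the _ldap._tcp SRV records. DC names and
values are constructed; the real DC locator may differ in detail."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int  # RFC 2782: the lowest numeric value is tried first
    weight: int    # relative share within one priority level

def pick_target(records, reachable, rng):
    """Return the first reachable target, walking priority levels from the
    lowest value and choosing within a level by weighted random selection."""
    for prio in sorted({r.priority for r in records}):
        # RFC 2782 puts weight-0 records first so they are rarely chosen
        level = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while level:
            total = sum(r.weight for r in level)
            point = rng.randint(0, total)
            running, chosen = 0, level[-1]
            for r in level:
                running += r.weight
                if running >= point:
                    chosen = r
                    break
            if chosen.target in reachable:
                return chosen.target
            level.remove(chosen)  # unreachable: try another at this level
    return None

def selection_counts(records, reachable, trials=1000, seed=1):
    """Tally which DC is picked over many lookups with a fixed seed."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        t = pick_target(records, reachable, rng)
        counts[t] = counts.get(t, 0) + 1
    return counts

PREFERRED = {"dc1", "dc2"}   # the two DCs the DMZ servers should use
OTHERS = {"dc3", "dc4", "dc5"}  # the remaining DCs in the same site
# Weight only: the preferred DCs get most lookups, but not all of them.
BY_WEIGHT = ([SrvRecord(d, 0, 100) for d in sorted(PREFERRED)]
             + [SrvRecord(d, 0, 10) for d in sorted(OTHERS)])
# Priority: preferred DCs carry the lower value, others are fallback only.
BY_PRIORITY = ([SrvRecord(d, 0, 100) for d in sorted(PREFERRED)]
               + [SrvRecord(d, 10, 100) for d in sorted(OTHERS)])
```

Call `selection_counts(BY_WEIGHT, PREFERRED | OTHERS)` and `selection_counts(BY_PRIORITY, OTHERS)` to see the tallies for the weight-only and preferred-DCs-down cases.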
