Cisco Support Community
New Member

Deploying an RODC in a Perimeter Network

We need to deploy an RODC in a perimeter network and allow replication via IPsec through our ASA from the DC.  Was wondering if anyone here has done this and if so could you share with me what worked and didn't work.  We are using several Microsoft documents to do this deployment but none of the documents can agree on what ports need to be opened on the ASA to allow this traffic through, and from which direction.

Any help or advice would be greatly appreciated.  Thank you.

Jim

ACCEPTED SOLUTION
New Member

Deploying an RODC in a Perimeter Network

Hi,

I have been doing this exercise during this week.

I have used this document:

http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx - Required communication ports

And also, required communication on 135-139 (UDP and TCP) and 80 (TCP) toward the CA.

Everything seems to be working with this setup ok.

It all has been done on one ASA (from DMZ to trusted server network).

But if you use IPsec, I suppose that the IPsec tunnel is created from the ASA (not from the Windows server), so the port requirements should be the same.

Please rate if this helps.

Pavel

5 REPLIES
Cisco Employee

Deploying an RODC in a Perimeter Network

RODC as in Read-Only Domain Controller?

I see so many deployment guides on Google as well.  Best thing to do is watch the logs on the ASA, look for denied packets in the access-list messages, and selectively open ports for those that are blocked.

http://forums.techarena.in/active-directory/1303925.htm

Enable logging on the ASA:

conf t
logging on
logging buffered 7
exit

show logging | include x.x.x.x (where x.x.x.x is the IP address of the RODC)

-Kureli
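As an added example, not from this thread or from Cisco, here is a small Python script that does the triage Kureli describes offline: paste in the output of "show logging | include <RODC IP>" and it tallies the denied flows by direction, protocol and destination port, so you can see which rules are actually missing instead of reading through the buffer by hand. The log lines, addresses, interface names and ACL names below are constructed for the example; the RODC address 10.10.20.5 is an assumption.

```python
import re
from collections import Counter

# Constructed sample of what "show logging | include 10.10.20.5" might return.
# Addresses, interface names ("dmz", "inside") and ACL names are assumptions
# for this example, not values from the thread.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src dmz:10.10.20.5/49210 dst inside:10.10.10.10/445 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.20.5/49211 dst inside:10.10.10.10/445 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src dmz:10.10.20.5/51000 dst inside:10.10.10.10/389 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.10.10/52001 dst dmz:10.10.20.5/135 by access-group "inside_in" [0x0, 0x0]
%ASA-6-106100: access-list dmz_in denied tcp dmz/10.10.20.5(49300) -> inside/10.10.10.10(88) hit-cnt 3 300-second interval [0x1, 0x0]
%ASA-6-302013: Built outbound TCP connection 12 for inside:10.10.10.10/53 (10.10.10.10/53) to dmz:10.10.20.5/49001 (10.10.20.5/49001)
"""

# 106023: explicit deny by an access-group (tcp/udp form; icmp uses a different layout).
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 106100: per-ACE hit logging, emitted when an ACE has the "log" keyword.
DENY_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)'
)


def parse_denies(text):
    """Return one dict per denied flow found in the log text; other messages are ignored."""
    flows = []
    for line in text.splitlines():
        m = DENY_106023.search(line) or DENY_106100.search(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows


def summarize_denies(text, rodc_ip):
    """Count denied flows involving rodc_ip, keyed by (direction, protocol, destination port).

    Direction is "from_rodc" when the RODC is the source and "to_rodc" when it is the
    destination; flows that do not involve the RODC at all are skipped.
    """
    tally = Counter()
    for f in parse_denies(text):
        if f["src"] == rodc_ip:
            tally[("from_rodc", f["proto"], f["dport"])] += 1
        elif f["dst"] == rodc_ip:
            tally[("to_rodc", f["proto"], f["dport"])] += 1
    return tally


def report(tally):
    """Render the tally as lines sorted by hit count, highest first."""
    lines = []
    for (direction, proto, dport), n in sorted(tally.items(), key=lambda kv: -kv[1]):
        lines.append(f"{direction:10s} {proto:4s} dst port {dport:<6d} denied {n} time(s)")
    return lines


if __name__ == "__main__":
    for line in report(summarize_denies(SAMPLE_LOG, "10.10.20.5")):
        print(line)
```

Run it against the real buffer by reading stdin or a saved file instead of SAMPLE_LOG. Only tcp/udp forms of 106023 and 106100 are parsed; if the RODC also needs ICMP, those denies show up in a different message layout and would need their own pattern.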

Silver

Deploying an RODC in a Perimeter Network

Good work Kureli.... Deserves a high 5!!

James, please rate the query and mark it as answered.

Regards,
Ankur Thukral
Community Manager: Security and VPN

New Member

Re: Deploying an RODC in a Perimeter Network

Will do, thank you.

New Member

Re: Deploying an RODC in a Perimeter Network

Thank you for the info, I will look over the document.

James Fick

Security Engineer

2501 Jolly Road, Suite 180

Okemos, MI 48917

Tel: 517-324-8304

Fax: 517-324-7364

www.mphi.org

Working with You to Promote Health
