active directory replication over firewalls

Upload: aldineyap

Post on 30-May-2018


  • 8/14/2019 Active Directory Replication Over Firewalls

    1/19

    Active Directory Replication over Firewalls

    2009 Microsoft Corporation. All rights reserved.

    Active Directory Replication over Firewalls

    Updated: January 31, 2006

    By Steve Riley [ http://blogs.technet.com/steriley.aspx ]

    This white paper explains how to get replication to function properly in environments where an Active Directory directory forest is distributed among internal perimeter networks (also known as DMZ, demilitarized zones, and screened subnets) and external (Internet-facing) networks.

    On This Page

    Introduction

    Full Dynamic RPC

    How RPC Works

    Limited RPC

    Encapsulating Inside IPSec

    Domain Controller Promotion with PPTP Tunnels

    Domain Controller Promotion with IPSec and Machine Certificates

    Comparison of the Two Methods of Promotion

    Configuring IPSec Transport Mode for DC-to-DC Communication

    Further Lockdown of DCs in a Perimeter Network

    Is This a Legitimate Use of IPSec?

    Introduction

    Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

    - Initially promoting a server to a domain controller.

    - Replicating traffic between domain controllers.

    Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations, namely schema, configuration, and global catalog replication, but not domain naming context replication, which limits its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter networks and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

    - Open the firewall wide to permit RPC's native dynamic behavior.

    - Limit RPC's use of TCP ports and open the firewall just a little bit.

    - Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that.

    http://technet.microsoft.com/en-us/library/bb727063(printer).aspx (1 of 19)11/28/2009 3:18:52 PM


    Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.


    Full Dynamic RPC

    Pros:

    - No special server configuration

    Cons:

    - Turns the firewall into "Swiss cheese"

    - Random incoming high-port connections

    - Insecure firewall configuration

    Although configuring your environment to work this way is certainly possible, there are plenty of reasons not to do it; most importantly, it results in an insecure network. It does, however, require the least amount of configuration work.

    To enable replication over dynamic RPC, configure your firewall to permit the following.

    Service                                                          Port/protocol
    RPC endpoint mapper                                              135/tcp, 135/udp
    Network basic input/output system (NetBIOS) name service         137/tcp, 137/udp
    NetBIOS datagram service                                         138/udp
    NetBIOS session service                                          139/tcp
    RPC dynamic assignment                                           1024-65535/tcp
    Server message block (SMB) over IP (Microsoft-DS)                445/tcp, 445/udp
    Lightweight Directory Access Protocol (LDAP)                     389/tcp
    LDAP ping                                                        389/udp
    LDAP over SSL                                                    636/tcp
    Global catalog LDAP                                              3268/tcp
    Global catalog LDAP over SSL                                     3269/tcp
    Kerberos                                                         88/tcp, 88/udp
    Domain Name Service (DNS)                                        53/tcp (1), 53/udp
    Windows Internet Naming Service (WINS) resolution (if required)  1512/tcp, 1512/udp
    WINS replication (if required)                                   42/tcp, 42/udp

    (1) TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.

    It is that "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as "TCP high ports," the rule needs to permit inbound traffic on any port above 1023. If your firewall permits this, there is very little reason even to have a firewall.

    If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.


    How RPC Works

    An RPC service configures itself in the registry with a universally unique identifier (UUID) (similar to a globally unique identifier [GUID]). UUIDs are well-known identifiers, unique for each service and common across all platforms. When an RPC service starts, it obtains a free high port and registers that port with the UUID. Some services use random high ports; others try to use the same high ports all the time (if they are available). The port assignment is static for the lifetime of the service.

    When a client wants to communicate with a particular RPC service, it cannot determine in advance which port the service is running on. It establishes a connection to the server's portmapper service (on 135) and requests the service it wants by using the service's UUID. The portmapper returns the corresponding port number to the client and closes the connection. Finally, the client makes a new connection to the server by using the port number it received from the portmapper.

    Because it is impossible to know in advance which port an RPC service will use, the firewall must permit all high ports through.
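    To make the difference between the three approaches checkable rather than descriptive, here is an added example (my code, not part of the white paper) that classifies a perimeter firewall ruleset by which approach it implements and flags the "RPC dynamic assignment" rule that makes the first one insecure. The Rule format, the fixed-port choice of 49152/49153 taken from the Limited RPC section, and the sample rulesets are constructed assumptions.

```python
# Added example, not from the white paper: audit an inbound firewall ruleset
# against the three DC-replication approaches (full dynamic RPC, limited RPC,
# IPSec encapsulation). Rule format and sample rulesets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound permit rule: a TCP/UDP port range, or an IP protocol number."""
    proto: str   # "tcp", "udp", or "ip" (then low == high == IP protocol number)
    low: int
    high: int    # inclusive; equals low for a single port


# Fixed RPC ports as set in the paper's Limited RPC registry example (assumed).
AD_RPC_PORT = 49152
FRS_RPC_PORT = 49153

# A TCP range at least this wide above port 1023 is the "TCP high ports" rule.
WIDE_RANGE = 1000


def permits(rules, proto, value):
    """True if any rule admits this port (tcp/udp) or protocol number (ip)."""
    return any(r.proto == proto and r.low <= value <= r.high for r in rules)


def classify(rules):
    """Return (approach, findings) for a list of Rule objects."""
    findings = []
    wide = [r for r in rules
            if r.proto == "tcp" and r.high > 1023 and r.high - r.low >= WIDE_RANGE]
    if wide:
        r = wide[0]
        findings.append(f"inbound {r.low}-{r.high}/tcp permitted: the 'RPC dynamic "
                        "assignment' rule leaves very little reason to have a firewall")
        return "full dynamic RPC", findings

    if permits(rules, "udp", 500) and permits(rules, "ip", 50):
        # IKE plus ESP: DC-to-DC traffic is carried inside IPSec transport mode.
        if permits(rules, "tcp", 135):
            findings.append("135/tcp is open but unnecessary once DC traffic is inside IPSec")
        if not (permits(rules, "tcp", 88) or permits(rules, "udp", 88)):
            findings.append("Kerberos (88) closed: acceptable only if Kerberos is carried "
                            "inside IPSec (certificate authentication)")
        return "IPSec encapsulation", findings

    if permits(rules, "tcp", AD_RPC_PORT) and permits(rules, "tcp", FRS_RPC_PORT):
        if not permits(rules, "tcp", 135):
            findings.append("RPC endpoint mapper (135/tcp) closed: clients cannot learn "
                            "the fixed AD/FRS ports")
        return "limited RPC", findings

    return "incomplete", ["no replication path: no fixed RPC ports, no high-port range "
                          "and no IKE/ESP permitted"]


# Constructed sample rulesets, one per approach.
DYNAMIC_RPC = [Rule("tcp", 135, 135), Rule("udp", 135, 135), Rule("tcp", 1024, 65535),
               Rule("tcp", 389, 389), Rule("tcp", 88, 88), Rule("udp", 88, 88)]
LIMITED_RPC = [Rule("tcp", 135, 135), Rule("udp", 135, 135),
               Rule("tcp", AD_RPC_PORT, FRS_RPC_PORT), Rule("tcp", 389, 389),
               Rule("tcp", 88, 88), Rule("udp", 88, 88), Rule("tcp", 53, 53), Rule("udp", 53, 53)]
IPSEC_ONLY = [Rule("udp", 500, 500), Rule("ip", 50, 50), Rule("ip", 51, 51),
              Rule("tcp", 53, 53), Rule("udp", 53, 53)]

if __name__ == "__main__":
    for name, rules in (("dynamic", DYNAMIC_RPC), ("limited", LIMITED_RPC), ("ipsec", IPSEC_ONLY)):
        approach, notes = classify(rules)
        print(f"{name}: {approach}; " + ("; ".join(notes) or "no findings"))
```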


    Limited RPC

    Pros:

    - More secure than dynamic RPC: only one open high port

    Cons:

    - Registry modification to all servers

    This scenario gives you more security, but it does require making registry modifications to all your domain controllers. Registry modifications can be scripted with tools in the Microsoft Windows 2000 Resource Kit, which helps eliminate configuration errors.

    You must decide upon fixed port numbers for AD replication and for the file replication service (FRS). The Internet Assigned Numbers Authority (IANA) has set aside the range 49152 through 65535 for use by private and dynamic assignments.

    Using the registry editor, navigate to this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\


    WINS replication (if required) 42/tcp, 42/udp

    Replace and with the port numbers that you used in the registryvalues.

    As before, if you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.

    You still need the endpoint mapper because clients will not know that you fixed the ports. The endpoint mapper always returns your fixed ports when clients request the port numbers associated with AD's and FRS's RPC UUIDs.

    Here is some text that you can import into the registry. It sets the AD port to 49152 and the FRS port to 49153. Copy it to the clipboard, paste it into a blank Notepad screen, save the file with a .REG extension, and then double-click that file in Windows Explorer. If you want to use a different port, use the Windows Calculator (in scientific mode) to convert the number from decimal to hexadecimal. Remember to pad the value with four leading zeros, as you see in the following example.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "TCP/IP Port"=dword:0000c000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
    "RPC TCP/IP Port Assignment"=dword:0000c001
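    The following added example (my code, not from the white paper) generates the .REG text above for any pair of fixed ports, doing the decimal-to-padded-hexadecimal conversion the paper delegates to Calculator and rejecting ports outside the IANA range, and reads exported .REG text back so you can confirm every domain controller uses the same ports before writing the firewall rules. The helper names are assumptions.

```python
# Added example, not from the white paper: generate and read back the
# Limited RPC registry file so the fixed ports are scripted and checked
# rather than typed by hand. Registry keys and value names come from the paper.
import re

IANA_DYNAMIC_LOW, IANA_DYNAMIC_HIGH = 49152, 65535

NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
NTFRS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters"


def fixed_port_reg(ad_port=49152, frs_port=49153):
    """Return .REG text that sets the AD and FRS RPC ports.

    A dword is written as eight hex digits, so 49152 becomes 0000c000
    (the four leading zeros the paper tells you to pad with).
    """
    for name, port in (("AD", ad_port), ("FRS", frs_port)):
        if not IANA_DYNAMIC_LOW <= port <= IANA_DYNAMIC_HIGH:
            raise ValueError(f"{name} port {port} is outside the IANA private/dynamic "
                             f"range {IANA_DYNAMIC_LOW}-{IANA_DYNAMIC_HIGH}")
    if ad_port == frs_port:
        raise ValueError("AD and FRS need distinct fixed ports")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{NTDS_KEY}]\r\n"
        f'"TCP/IP Port"=dword:{ad_port:08x}\r\n\r\n'
        f"[{NTFRS_KEY}]\r\n"
        f'"RPC TCP/IP Port Assignment"=dword:{frs_port:08x}\r\n'
    )


# Matches a quoted value name followed by a dword in hex, one per line.
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})\s*$', re.M)


def parse_fixed_ports(reg_text):
    """Return {"ad": port, "frs": port} from .REG text exported from a DC.

    Only the two values the paper sets are recognised; anything else in the
    export is ignored, and a missing value comes back as None.
    """
    found = {"ad": None, "frs": None}
    for m in _VALUE.finditer(reg_text):
        if m.group("name") == "TCP/IP Port":
            found["ad"] = int(m.group("hex"), 16)
        elif m.group("name") == "RPC TCP/IP Port Assignment":
            found["frs"] = int(m.group("hex"), 16)
    return found


def ports_agree(reg_texts):
    """True if every DC's exported .REG text sets the same AD and FRS ports.

    A mismatch means a single firewall rule cannot cover every DC.
    """
    if not reg_texts:
        return False
    parsed = [parse_fixed_ports(t) for t in reg_texts]
    return all(p == parsed[0] and None not in p.values() for p in parsed)
```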


    Encapsulating Inside IPSec

    Pros:

    - Provides the best firewall security

    - Mutual authentication between DCs

    - Individualized policies, if required

    - Good reason to start deploying a public key infrastructure (PKI), if desired

    Cons:

    - IPSec policy configuration on all servers

    IPSec provides a way to easily encapsulate and carry RPC traffic over a firewall. Besides simplifying the transport of RPC, IPSec also increases security between the DCs because of IPSec's mutual authentication feature: by using either Kerberos or machine certificates, the DCs will "know" whom they are communicating with before any actual information exchange occurs.

    This document shows you how to create an appropriate IPSec policy by using the Microsoft Management Console (MMC) interface. You can script policy creation with IPSECPOL.EXE, a tool available in the Windows 2000 Resource Kit. Be sure to thoroughly read and understand the IPSECPOL.EXE documentation before you try to use it; unlike the GUI, the command-line tool has very little consistency checking built in.

    There is one decision that you must make before you begin: whether to use certificates for IPSec authentication or built-in Kerberos for Windows 2000. Kerberos authentication requires that both computers already be in the same domain, so if you prefer Kerberos, then you must use something other than IPSec for the domain controller promotion (DCPROMO) phase (because the target server is not yet a member of the domain). Point-to-Point Tunneling Protocol (PPTP) tunnels work well for this and are documented here. If instead you want to use certificates for authentication, you must obtain a certificate for each DC that will participate in IPSec replication. Please see http://www.microsoft.com/windows2000/library/ for documents that describe how to build a Windows 2000 certificate authority and how to configure your domain for automatic enrollment of machine certificates.

    For IPSec replication and IPSec or PPTP promotion, configure your firewall to permit the following.

    Service                                               Port/protocol
    DNS                                                   53/tcp, 53/udp
    PPTP establishment (if using PPTP)                    1723/tcp
    GRE, generic routing encapsulation (if using PPTP)    IP protocol 47
    Kerberos (1)                                          88/tcp, 88/udp
    IKE, Internet Key Exchange                            500/udp
    IPSec ESP, encapsulated security payload              IP protocol 50
    IPSec AH, authenticated header                        IP protocol 51

    (1) If you decide to use certificates for IPSec authentication instead of Kerberos, you can configure the servers to carry Kerberos traffic inside IPSec. This will be covered in more detail later. Regardless of authentication mode, Kerberos between domain controllers is still required.

    Note that IPSec will not work through network address translation (NAT) devices. Because IPSec uses IP addresses when computing packet checksums, IPSec packets whose source addresses were altered by NAT are discarded when they arrive at the destination.


    Domain Controller Promotion with PPTP Tunnels

    If you choose to use PPTP tunnels for the promotion phase, you must configure Routing and Remote Access (RRAS) in the internal network. RRAS can run either on an internal domain controller or on a separate server. For simplicity, it is best that the RRAS server exist in the same subnet as the root domain controller; then no static route maintenance is necessary.

    To configure RRAS:

    - Select Start | Programs | Administrative Tools | Routing and Remote Access.

    - Right-click your server in the left-hand pane, and then click Configure and Enable Routing and Remote Access. The RRAS setup wizard starts.

    - Click Manually configured server.


    Figure 3: Server Properties, IP Address Assignment

    - Right-click Ports (in the left pane of the MMC), and then click Properties. Configure Direct parallel so that neither remote access nor demand dial connections are permitted; if you have any modems on the server (as in the example below), configure them likewise. Configure Demand dial (L2TP) so that there are zero ports and neither remote access nor demand dial connections are permitted. You do not need to make any changes to Demand dial (PPTP) unless you need more than five ports. Close all dialog boxes.


    Figure 4: Ports Properties

    RRAS is now ready to accept inbound PPTP connections for domain controller promotion.

    Before promoting a perimeter network or external server to a domain controller, establish a PPTP tunnel to the internal RRAS server. Open the Properties page of My Network Places and click Make New Connection. In the wizard:

    - Click Connect to a private network through the Internet.

    - Do not dial any initial connection.

    - Type the IP address of the internal RRAS server as the destination.

    - Set the connection availability to For all users.

    - Do not share the connection.

    - Name the connection whatever you wish.

    The connectoid then opens. Before connecting, click the Properties button. Click the Options tab, and then click Include Windows logon domain. Close the dialog box.

    Now log onto the RRAS server by using enterprise administrator credentials (the administrator of the root


    IPSec with machine certificates

    - Provides good reason for deploying a PKI.

    - Allows Kerberos to be included in IPSec processing.

    - Fewer protocols through the firewall: no PPTP, possibly no Kerberos.

    - Single step for promotion and ongoing replication.

    Although neither method is preferred over the other, using IPSec with machine certificates is probably the more "forward looking" approach, especially because most organizations plan to deploy PKIs of some kind.


    Configuring IPSec Transport Mode for DC-to-DC Communication

    Now it is time to configure policies on all domain controllers to use IPSec transport mode to communicate with each other. With this configuration, you must permit only IPSec and related protocols over the firewall, which is much simpler and more supportable. Note that you are not creating IPSec tunnels. Instead, you are using IPSec transport mode (end-to-end IPSec) to secure the communications sessions between the servers.

    On every domain controller, you must create an IPSec policy for replication, along with a corresponding IP filter list and filter action. Select Start | Programs | Administrative Tools | Local Security Policy.

    Figure 5: Local Security Settings

    Next, click IP Security Policies on Local Machine (in the left-hand pane of the MMC). This displays the default policies, where you will add a new one for replication. First, however, you must create the filter list and action.

    The filter list indicates which IP addresses, ports, and protocols trigger the application of IPSec. You want to secure all the traffic between the domain controllers only, not any traffic between a domain controller and some other machine. Right-click in the MMC's right-hand pane and click Manage IP filter lists and filter actions. You will be on the Manage IP Filter Lists tab. A filter list is simply a list of filters; you will create a filter for each server that this one replicates with. That is, only one filter list is required and the list contains filters for all domain controllers.


    Figure 6: IP Filter Lists and Filter Actions, Filter Lists Tab

    Click the Add button to create a new filter list. Name the filter list DC replication. Click the Add button to create a new filter; follow these steps to complete the wizard:

    - Select My IP address as the source address.

    - Select A specific IP address as the destination address, and then type the IP address of the other server.

    - Select Any as the protocol type. This configures the filter so that all traffic between the two computers will be carried inside IPSec (2).


    Figure 7: Domain Controller Replication Filter List

    Add additional filters for the remaining domain controllers. When finished, close the dialog box.

    Next, you want to define a filter action. Click the Manage filter actions tab, and then click the Add button to create a new action. In the wizard:

    - Name the action DC replication.

    - Click Negotiate security.

    - Click Do not communicate with computers that do not support IPSec.

    - Click High (Encapsulated Secure Payload).

    - Select the Edit properties check box (you will need to make changes later).

    - Click the Finish button.

    In the Properties dialog box, clear the check box next to Accept unsecured communication, but always respond using IPSec. You do not want the server to respond at all to unsecured communication. Of course, this applies only to those machines that are part of the corresponding IP filter list; you will link the filter list and the filter action with a policy in just a moment. Close all dialog boxes.


    Figure 8: Domain Controller Replication Filter Action

    Now you are ready to create the IPSec policy. Right-click in the MMC's right-hand pane and click Create IP security policy. In the wizard:

    - Name the policy Domain controller replication.

    - Clear Activate the default response rule.

    - Ensure that the Edit properties check box is selected and close the wizard.

    The policy exists, but contains no rules.


    Figure 9: Domain Controller Replication IPSec Policy

    You create a rule by associating the filter list and filter action that you created earlier. Click the Add button to define a new rule. In the wizard:

    - Select This rule does not specify a tunnel.

    - Select Local area network (LAN) for the network type.

    - Choose an authentication method:

      - Select Windows 2000 default (Kerberos V5 protocol) if you used PPTP tunnels for DCPROMO, or

      - Select Use a certificate from this Certificate Authority (CA) if you are using certificates. Then click Browse and select the certificate authority that issued the machine certificate installed on the computer.

    - You will see a list of IP filter lists. Select the filter list that you created earlier, DC replication, from the list.

    - You will see a list of filter actions. Select the filter action that you created earlier, DC replication, from the list.


    - Do not edit the properties. Finish the wizard.

    Your policy will now look like this (the authentication column will indicate "Certificate" if you selected that method).

    Figure 10: Completed Domain Controller Replication Policy

    Finally, you need to turn on (that is, assign) the policy.

    - Right-click the Domain controller replication policy.

    - Click Assign.

    Figure 11: Domain Controller Policy Is Assigned


    IPSec processing happens immediately. There is no need to reboot the server.

    Every domain controller requires a similar IPSec policy. Regardless of whether the controller is in the internal network, the perimeter network, or the external network, you must configure its IPSec policy so that all communications with all other domain controllers are through IPSec. Not only does this allow the knowledge consistency checker to build a replication topology that ignores the firewall, it also secures all IPSec replication between every server.
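    Because the filter action "Do not communicate with computers that do not support IPSec" means a DC that is missing from a peer's filter list cannot replicate with that peer at all, here is an added example (my code, not from the white paper) that models the per-DC policy built in this section and checks that the policies on all domain controllers form the complete mesh the paper requires. The DC names, addresses and the policy fields are constructed assumptions.

```python
# Added example, not from the white paper: model each DC's "Domain controller
# replication" policy (filter list + filter action + assigned flag) and audit
# that every DC has an Any-protocol filter for every other DC and refuses
# unsecured traffic. DC names/addresses and the policy model are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IpFilter:
    """One filter from the "DC replication" filter list."""
    source: str = "My IP address"
    destination: str = ""      # "A specific IP address" of the peer DC
    protocol: str = "Any"


@dataclass
class DcPolicy:
    ip: str
    filters: list = field(default_factory=list)
    negotiate: bool = True          # filter action: Negotiate security
    require_ipsec: bool = True      # Do not communicate with computers that do not support IPSec
    accept_unsecured: bool = False  # "Accept unsecured communication, but always respond..." cleared
    assigned: bool = False          # policy has been assigned on this DC


def build_mesh(dc_addresses):
    """Create the policy every DC needs: one Any-protocol filter per other DC."""
    policies = {}
    for name, ip in dc_addresses.items():
        peers = [IpFilter(destination=other)
                 for peer, other in dc_addresses.items() if peer != name]
        policies[name] = DcPolicy(ip=ip, filters=peers, assigned=True)
    return policies


def audit_mesh(policies):
    """Return problems that would leave some DC pair unable to negotiate IPSec.

    An empty list means every DC-to-DC path is secured in both directions,
    which is what the KCC needs to build its topology across the firewall.
    """
    problems = []
    for name, pol in policies.items():
        if not pol.assigned:
            problems.append(f"{name}: policy exists but is not assigned")
        if not (pol.negotiate and pol.require_ipsec) or pol.accept_unsecured:
            problems.append(f"{name}: filter action still allows unsecured traffic")
        covered = {f.destination for f in pol.filters
                   if f.source == "My IP address" and f.protocol == "Any"}
        for peer, ppol in policies.items():
            if peer != name and ppol.ip not in covered:
                problems.append(f"{name}: no Any-protocol filter for {peer} ({ppol.ip})")
    return problems


# Constructed sample: one DC in each of the paper's three network zones.
DCS = {"internal-dc": "10.0.0.10", "perimeter-dc": "192.0.2.10", "external-dc": "198.51.100.10"}

if __name__ == "__main__":
    for problem in audit_mesh(build_mesh(DCS)) or ["mesh complete"]:
        print(problem)
```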

    Testing the IPSec policy. Be sure to test the policies that you have created. After you have created and assigned a policy on at least two machines, you can use the IPSECMON.EXE utility to observe when the machines establish the IPSec security association:

    - Open a command window.

    - Issue the command ipsecmon. A graphical utility starts, listing current security associations and how much authenticated and/or encrypted traffic has passed through the server. (Unless the DCs have started to exchange information, there probably will not be any security associations right now.)

    - Click the Options button and change the refresh rate to one second.

    - Go back to the command prompt and ping another domain controller that also has an IPSec policy. Use the -t flag to ping continuously until stopped (ping -t ip-address).

    - Look for several "Negotiating IP security" responses; the machines are exchanging cryptographic keys and building their security associations. Finally you will see normal replies. It may take 10 to 12 seconds to establish the security associations in both directions.

    - Press CTRL+C to stop.


    Further Lockdown of DCs in a Perimeter Network

    Networks supporting electronic commerce and extranet connections may require a domain controller in the perimeter network. Although at first this might appear to create security issues, IPSec can help here, too. It is possible to create fine-grained packet filters by using the permit/block features of IPSec rules. Please see the document, "Using IPSec to Lock Down a Server," at http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx. You can combine the approach there with the information here to create an IPSec policy that permits only secure DC-to-DC communication and blocks all other traffic from reaching the DC in the perimeter network.


    Is This a Legitimate Use of IPSec?

    Although probably not envisioned by IPSec's designers, the protocol has become an excellent method for encapsulating complex traffic so that it can be safely transported between networks. The Windows 2000 IPSec policy engine can be used to create very fine-grained rules that specify traffic that is permitted, blocked, or secured between hosts. In the scenario here, we are using it to secure all traffic between known hosts (specific domain controllers) while permitting other traffic to and from those hosts.

    For More Information

    For more information about Windows 2000 IPSec, and other security features of Windows 2000, please begin your adventure at http://www.microsoft.com/technet/security/default.mspx.


    (1) This document doesn't discuss using preshared keys. Preshared key authentication is included in Windows 2000 only for compatibility with other IPSec implementations and to conform to the IPSec RFCs. In no cases do we encourage the use of preshared keys in a production environment because of the inherent security risks associated with shared-secret style authentication.

    (2) That is, all traffic except that which is exempted from IPSec processing, as discussed earlier.
