What access to FSMO Roles do Member Servers need

  • What access to FSMO Roles do Member Servers need

    Bit of an unusual request here. I'm designing an unusual AD deployment for a web hosting company. Due to the nature of the type of business we are, all our Windows servers are directly exposed to the internet (N.B.: this is only customer-hosted servers, not DCs, etc.).

    As such, while I'm working on the design to bring AD into this environment, I'm taking an unusual direction of making the client-facing domain controllers RODCs with no accounts replicated. Then, stuck behind a nice secure firewall, will be a normal 2008 domain controller that can only be accessed by the RODCs.

    However, while going through the planning exercise I came across a stumbling point that I'm seeking clarification on. The 5 FSMO roles obviously cannot live on an RODC, as they must be on a normal DC. However, these DCs will not be accessible by the member servers.

    Am I likely to run into any problems here with the member servers and FSMO roles being separated and uncontactable from each other? Obviously all DCs & RODCs will have access to each other, which I'm hoping will be enough.

    Hopefully this is more than a 1-second answer and someone actually needs to think about it for a minute; this way I'll feel better about asking.

    Thanks in advance

  • #2
    Re: What access to FSMO Roles do Member Servers need

    Yeah, you're definitely going to have issues if the RODCs can't contact the normal DCs.

    I don't understand why you're having these RODCs with public IPs. Could you clarify?

    I suppose it's possible to set your authentication protocols to a certain port and allow that port only through the firewall for only those DC IP addresses. It's a reg hack, I think, to set a different port, which you may want to do.

    Here's some information for you (however, it's for 2003, but it should still apply for authentication):
    http://technet.microsoft.com/en-us/l.../bb727063.aspx

    You may also want to VPN them through too...

    Just a yucky thing to have to work out Ryzz.
    GoogleFu is strong with this one ^



    • #3
      Re: What access to FSMO Roles do Member Servers need

      Originally posted by stamandster:
      Yeah, you're definitely going to have issues if the RODCs can't contact the normal DCs.

      I don't understand why you're having these RODCs with public IPs. Could you clarify?
      Sorry Stamandster, I guess I should have been more specific; I think we have our wires crossed.

      Let's put it this way: let's say all the customer servers are in Zone "Customer", the RODCs are in Zone "RODC" and the normal DC/FSMO servers are in Zone "DC".

      • Zone Customer & Zone RODC can communicate with each other
      • Zone RODC & Zone DC can communicate with each other
      • Zone Customer & Zone DC CANNOT communicate with each other
      The reason for the public IPs is that all the customer servers and all the remaining infrastructure are internet facing, so there is no "internal private IP" network.

      Hopefully this makes sense; if it doesn't, let me know and I'll try to brush up on my stick figure skills.



      • #4
        Re: What access to FSMO Roles do Member Servers need

        I don't think you'll have an issue, since the Customer zone can contact the RODC zone and the RODC zone can contact the DC zone. But I'm not hugely up on 2008 myself.

        I believe that the RODC is used as a "passthrough" for authentication; it just has cached credentials.

        You'll probably want to test this.
        GoogleFu is strong with this one ^



        • #5
          Re: What access to FSMO Roles do Member Servers need

          You're right. I reckon that in your case you don't need to allow the caching, so logon may be slower if anything, as credentials are passed every time to the DC, but it allows the security you mention.



          • #6
            Re: What access to FSMO Roles do Member Servers need

            Originally posted by Virtual:
            You're right. I reckon that in your case you don't need to allow the caching, so logon may be slower if anything, as credentials are passed every time to the DC, but it allows the security you mention.
            I'm not all that concerned about login times; however, I had considered disabling caching for the security reasons. That being said, everything is on gig networks, so the slight delay on the pass-through should not pose a massive delay.

            My question surrounds more the fact that the DC zone contains the FSMO roles, and the Customer zone not being able to talk to the DC zone/FSMO. Is that going to cause any issues? Or is FSMO communication solely between DCs?



            • #7
              Re: What access to FSMO Roles do Member Servers need

              The DCs use the FSMO roles.



              • #8
                Re: What access to FSMO Roles do Member Servers need

                Originally posted by Virtual:
                The DCs use the FSMO roles.
                Awesome, that's the exact information I needed. Thanks a million Virtual, I thought I was going to have to go back to the drawing board on this one *phew*.



                • #9
                  Re: What access to FSMO Roles do Member Servers need

                  As ever though, test in a virtualised environment first of all to double-check. It sounds viable in theory, but putting theory into practice is another ball game.

                  Post back and let us know how you get on.
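                  One way to run the test suggested above from a member server in the Customer zone, as an added example that is not from this thread: it checks that the AD ports are open towards the RODCs and blocked towards the writable DCs, and that all five FSMO roles sit on writable DCs rather than an RODC. Hostnames are placeholders, and it assumes the RSAT ActiveDirectory module is installed on the member server.

```powershell
# Added example (not from the thread). Run on a member server in the Customer zone.
# Hostnames below are placeholders for the RODCs and the firewalled writable DC(s).
Import-Module ActiveDirectory

$rodcs = @('rodc1.example.test', 'rodc2.example.test')   # placeholder RODC names
$dcs   = @('dc1.example.test')                           # placeholder writable DC names
# Ports a domain member needs on its logon DC: Kerberos, LDAP, SMB, RPC endpoint mapper
$ports = @(88, 389, 445, 135)

# Plain TCP connect with a timeout (works on 2008-era hosts without Test-NetConnection)
function Test-TcpPort {
    param([string]$Computer, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
    } catch { $ok = $false } finally { $client.Close() }
    return $ok
}

# 1. Customer -> RODC must be reachable on every AD port
foreach ($h in $rodcs) { foreach ($p in $ports) {
    "{0}:{1} reachable={2} (expect True)" -f $h, $p, (Test-TcpPort $h $p) } }

# 2. Customer -> DC must be blocked; a True here means a firewall rule is wrong
foreach ($h in $dcs) { foreach ($p in $ports) {
    "{0}:{1} reachable={2} (expect False)" -f $h, $p, (Test-TcpPort $h $p) } }

# 3. This server should be authenticating through an RODC, not a writable DC
"LOGONSERVER = $env:LOGONSERVER"

# 4. The LDAP reads below are answered by the RODC. Confirm every FSMO holder is
#    a writable DC: IsReadOnly must be False for all five roles.
$dom = Get-ADDomain
$for = Get-ADForest
$holders = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
             $for.SchemaMaster, $for.DomainNamingMaster) | Sort-Object -Unique
foreach ($h in $holders) {
    $dc = Get-ADDomainController -Identity $h
    "{0} IsReadOnly={1} (expect False)" -f $h, $dc.IsReadOnly
}
```

                  Any "expect False" line that comes back True, or a FSMO holder listed as read-only, is a design or firewall error to fix before the customer servers are joined.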
