Professional Documents
Culture Documents
Active Directory Replication Over Firewalls
Active Directory Replication Over Firewalls
This white paper explains how to get replication to function properly in environments where an Active
Directory directory forest is distributed among internal perimeter networks (also known as DMZ,
demilitarized zones, and screened subnets) and external (Internet-facing) networks.
On This Page
Introduction
Full Dynamic RPC
How RPC Works
Limited RPC
Encapsulating Inside IPSec
Domain Controller Promotion with PPTP Tunnels
Domain Controller Promotion with IPSec and Machine Certificates
Comparison of the Two Methods of Promotion
Configuring IPSec Transport Mode for DC-to-DC Communication
Further Lockdown of DCs in a Perimeter Network
Is This a Legitimate Use of IPSec?
Introduction
Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service
architecture:
Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple
Mail Transfer Protocol [SMTP] can be used in certain situations—schema, configuration, and global catalog
replication, but not domain naming context—limiting its usefulness.) Getting replication to function
properly in environments where a directory forest is distributed among internal, perimeter networks and
external (that is, Internet-facing) networks can be challenging. There are three possible approaches:
● Limit RPC's use of TCP ports and open the firewall just a little bit.
● Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the
firewall for that.
Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and
more pros than cons at the bottom. So although this document describes how to do all three, most of its
focus is on the IPSec approach because of its benefits over the other two.
Top of page
Pros Cons
Although configuring your environment to work this way is certainly possible, there are plenty of reasons
not to do it—most importantly—it results in an insecure network. It does, however, require the least
amount of configuration work.
To enable replication over dynamic RPC, configure your firewall to permit the following.
Service Port/protocol
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
1 TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.
It is that "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as
"TCP high ports," the rule needs to permit inbound traffic on any port above 1023. If your firewall permits
this, there is very little reason even to have a firewall.
If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files
for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the
files for information on how to use them.
Top of page
An RPC service configures itself in the registry with a universally unique identifier (UUID) (similar to a
globally unique identifier [GUID]). UUIDs are well-known identifiers, unique for each service and common
across all platforms. When an RPC service starts, it obtains a free high port and registers that port with
the UUID. Some services use random high ports; others try to use the same high ports all the time (if
they are available). The port assignment is static for the lifetime of the service.
When a client wants to communicate with a particular RPC service, it cannot determine in advance which
port the service is running on. It establishes a connection to the server's portmapper service (on 135) and
requests the service it wants by using the service's UUID. The portmapper returns the corresponding port
number to the client and closes the connection. Finally, the client makes a new connection to the server
by using the port number it received from the portmapper.
Because it is impossible to know in advance which port an RPC service will use, the firewall must permit
all high ports through.
Top of page
Limited RPC
Pros Cons
More secure than dynamic RPC—only one open high port Registry modification to all servers
This scenario gives you more security, but it does require making registry modifications to all your domain
controllers. Registry modifications can be scripted with tools in the Microsoft Windows 2000 Resource Kit,
which helps eliminate configuration errors.
You must decide upon fixed port numbers for AD replication for the file replication service (FRS). The
Internet Assigned Numbers Authority (IANA) has set aside the range 49152 through 65535 for use by
private and dynamic assignments.
HKEY_LOCAL_MACHINE
SYSTEM\
CurrentControlSet\
Services\
NTDS\
Parameters\
Add a new DWORD value called TCP/IP Port (include the space). Set the value's data to the port number
that you want to use (remember to change the displayed base to decimal before you enter the data).
HKEY_LOCAL_MACHINE
SYSTEM\
CurrentControlSet\
Services\
NTFRS\
Parameters\
Add a new DWORD value called RPC TCP/IP Port Assignment (include the spaces). Set the value's
data to the port number that you want to use (remember to change the displayed base to decimal before
you enter the data).
Do this on all your Active Directory servers. You must restart them for the change to take effect.
Service Port/protocol
LDAP 389/tcp
Replace <AD-fixed-port> and <FRS-fixed-port> with the port numbers that you used in the registry
values.
As before, if you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for
WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc.
Look inside the files for information on how to use them.
You still need the endpoint mapper because clients will not know that you fixed the ports. The endpoint
mapper always returns your fixed ports when clients request the port numbers associated with AD's and
FRS's RPC UUIDs.
Here is some text that you can import into the registry. It sets the AD port to 49152 and the FRS port to
49153. Copy it to the clipboard, paste it into a blank Notepad screen, save the file with a .REG extension,
and then double-click that file in Windows Explorer. If you want to use a different port, use the Windows
Calculator (in scientific mode) to convert the number from decimal to hexadecimal. Remember to pad the
value with four leading zeros, as you see in the following example.
Top of page
Pros Cons
Provides the best firewall security IPSec policy configuration on all servers
IPSec provides a way to easily encapsulate and carry RPC traffic over a firewall. Besides simplifying the
transport of RPC, IPSec also increases security between the DCs because of IPSec's mutual authentication
feature: by using either Kerberos or machine certificates, the DCs will "know" whom they are
communicating with before any actual information exchange occurs.
This document shows you how to create an appropriate IPSec policy by using the Microsoft Management
Console (MMC) interface. You can script policy creation with IPSECPOL.EXE, a tool available in the
Windows 2000 Resource Kit. Be sure to thoroughly read and understand the IPSECPOL.EXE
documentation before you try to use it—unlike the GUI, the command-line tool has very little consistency
checking built in.
There is one decision that you must make before you begin—whether to use certificates for IPSec
authentication or built-in Kerberos for Windows 2000. Kerberos authentication requires that both
computers already be in the same domain, so if you prefer Kerberos, then you must use something other
than IPSec for the domain controller promotion (DCPROMO) phase (because the target server is not yet a
member of the domain). Point-to-Point Tunneling Protocol (PPTP) tunnels work well for this and are
documented here. If instead you want to use certificates for authentication, you must obtain a certificate
for each DC that will participate in IPSec replication. Please see http://www.microsoft.com/windows2000/
library/ [ http://www.microsoft.com/windows2000/library/ ] for documents that describe how to build a
Windows 2000 certificate authority and how to configure your domain for automatic enrollment of
machine certificates.
For IPSec replication and IPSec or PPTP promotion, configure your firewall to permit the following.
Service Port/protocol
1 If you decide to use certificates for IPSec authentication instead of Kerberos, you can configure the servers to
carry Kerberos traffic inside IPSec. This will be covered in more detail later. Regardless of authentication
mode, Kerberos between domain controllers is still required.
Note that IPSec will not work through network address translation (NAT) devices. Because IPSec uses IP
addresses when computing packet checksums, IPSec packets whose source addresses were altered by
NAT are discarded when they arrive at the destination.
Top of page
If you choose to use PPTP tunnels for the promotion phase, you must configure Routing and Remote
Access (RRAS) in the internal network. RRAS can run either on an internal domain controller or on a
separate server. For simplicity, it is best that the RRAS server exist in the same subnet as the root domain
controller—then no static route maintenance is necessary.
To configure RRAS:
● Right-click your server in the left-hand pane, and then click Configure and Enable Routing and
Remote Access. The RRAS setup wizard starts.
● Finish the wizard and start the service when it prompts you.
The MMC should now look like this, after clicking on the + next to the server name.
● Right-click the server, and then click Properties. Click the IP tab. Click Static address pool. Type
an IP address range in the same subnet as your internal domain controller. Only a few—perhaps 9—
addresses are necessary. Close all dialog boxes.
● Right-click Ports (in the left pane of the MMC), and then click Properties. Configure Direct
parallel so that neither remote access nor demand dial connections are permitted; if you have any
modems on the server (as in the example below), configure them likewise. Configure Demand dial
(L2TP) so that there are zero ports and neither remote access nor demand dial connections are
permitted. You do not need to make any changes to Demand dial (PPTP) unless you need more
than five ports. Close all dialog boxes.
RRAS is now ready to accept inbound PPTP connections for domain controller promotion.
Before promoting a perimeter network or external server to a domain controller, establish a PPTP tunnel
to the internal RRAS server. Open the Properties page of My Network Places and click Make New
Connection. In the wizard:
The connectoid then opens. Before connecting, click the Properties button. Click the Options tab, and
then click Include Windows logon domain. Close the dialog box.
Now log onto the RRAS server by using enterprise administrator credentials (the administrator of the root
domain). After the server completes the connection, you may start DCPROMO. DCPROMO requires a
reboot at the end of the process; this will also disconnect the PPTP tunnel. Because you no longer need
the tunnel, you may delete the connectoid.
Top of page
You must install certificates on your domain controllers so that they can perform IPSec authentication. All
the certificates require signatures from the same certificate authority. Windows 2000 includes a Request
for Comments (RFC-compatible) certificate authority (CA) that works very well in this case. With group
policies, you can configure your domain to automatically enroll member computers with machine
certificates. While IPSec will work with certificates from any CA, auto-enrollment requires a Windows 2000
CA. If you already have a PKI, the Windows 2000 CA can be configured as a subordinate by issuing CA.
Please see the documentation, including the walkthroughs mentioned earlier, for more details.
If you decide to go this route, then you also have the option of including Kerberos traffic inside IPSec.
Normally, certain kinds of traffic are exempt from IPSec transport mode processing:
● Broadcast—cannot be classified by IPSec filters because the sender does not know all the receivers.
● Multicast—same as broadcast.
● Resource reservation protocol (RSVP), IP protocol 46—must be exempt so that quality of service
marking occurs; however, IPSec packets can be carried inside RSVP packets.
● Internet key exchange (IKE)—IPSec uses IKE to establish security parameters and perform key
exchange. IKE negotiations are already encrypted as necessary.
● Kerberos—the native Windows 2000 authentication protocol and also used by IPSec for machine
authentication. Kerberos itself is already secure.
Even though an IPSec filter may specify that all traffic from one computer to another should be
encapsulated, the previous kinds of traffic are exempt from IPSec processing.
Windows 2000 Service Pack 1 introduced a registry key that alters this behavior somewhat. Using the
registry editor, navigate to:
HKEY_LOCAL_MACHINE
SYSTEM\
CurrentControlSet\
Services\
IPSEC\
Add a new double-word (DWORD) value called NoDefaultExempt and set the value to 1. The following
Including Kerberos inside IPSec is fine after a machine is promoted to a domain controller (and thus is a
member of the domain). But for a machine not yet a member of a domainthe one that you want to
promote to a domain controlleryou cannot establish IPSec by using Kerberos. You must use some other
form of authentication, which is the reason for using machine certificates.
Here is some text that you can import into the registry. It will set the NoDefaultExempt value to 1. Copy
it to the clipboard, paste it into a blank Notepad screen, save the file with a .REG extension, and then
double-click that file in Windows Explorer.
Understand this before you proceed. If you decide to follow this approach, you also must follow all the
steps in the next section, "Configuring IPSec transport mode for DC-to-DC communication," before you
run DCPROMO. Here is the order:
1. If you want to include Kerberos in IPSec processing, add the previous registry key.
3. Obtain machine certificates for all existing domain controllers and for all candidate domain
controllers.
4. Perform the steps in the section "Configuring IPSec transport mode for DC-to-DC communication."
6. All done—leave everything in place; ongoing replication occurs over the existing IPSec
configuration.
Top of page
Here are the differences between the two methods presented earlier.
PPTP tunnels
● Separates the promotion and replication functions—configure PPTP for promotion, and then
configure IPSec for ongoing replication.
Although neither method is preferred over the other, using IPSec with machine certificates is probably the
more "forward looking" approach, especially because most organizations plan to deploy PKIs of some kind.
Top of page
Now it is time to configure policies on all domain controllers to use IPSec transport mode to communicate
with each other. With this configuration, you must permit only IPSec and related protocols over the
firewall, which is much simpler and more supportable. Note that you are not creating IPSec tunnels.
Instead, you are using IPSec transport mode—end-to-end IPSec—to secure the communications sessions
between the servers.
On every domain controller, you must create an IPSec policy for replication, along with a corresponding IP
filter list and filter action. Select Start | Programs | Administrative Tools | Local Security Policy.
Next, click IP Security Policies on Local Machine (in the left-hand pane of the MMC). This displays the
default policies, where you will add a new one for replication. First, however, you must create the filter list
and action.
The filter list indicates which IP addresses, ports, and protocols trigger the application of IPSec. You want
to secure all the traffic between the domain controllers only, not any traffic between a domain controller
and some other machine. Right-click in the MMC's right-hand pane and click Manage IP filter lists and
filter actions. You will be on the Manage IP Filter Lists tab. A filter list is simply a list of filters; you will
create a filter for each server that this one replicates with. That is, only one filter list is required and the
list contains filters for all domain controllers.
Click the Add button to create a new filter list. Name the filter list DC replication. Click the Add button
to create a new filter; follow these steps to complete the wizard:
● Select A specific IP address as the destination address, and then type the IP address of the other
server.
● Select Any as the protocol type. This configures the filter so that all traffic between the two
computers will be carried inside IPSec2.
Add additional filters for the remaining domain controllers. When finished, close the dialog box.
Next, you want to define a filter action. Click the Manage filter actions tab, and then click the Add
button to create a new action. In the wizard:
● Select the Edit properties check box (you will need to make changes later).
In the Properties dialog box, clear the check box next to Accept unsecured communication, but
always respond using IPSec. You do not want the server to respond at all to unsecured
communication. Of course, this applies only to those machines that are part of the corresponding IP filter
list; you will link the filter list and the filter action with a policy in just a moment. Close all dialog boxes.
Now you are ready to create the IPSec policy. Right-click in the MMC's right-hand pane and click Create
IP security policy. In the wizard:
● Ensure that the Edit properties check box is selected and close the wizard.
You create a rule by associating the filter list and filter action that you created earlier. Click the Add
button to define a new rule. In the wizard:
❍ Select Windows 2000 default (Kerberos V5 protocol) if you used PPTP tunnels for
DCPROMO, or
❍ Select Use a certificate from this Certificate Authority (CA) if you are using certificates.
Then click Browse and select the certificate authority that issued the machine certificate
installed on the computer.
● You will see a list of IP filter lists. Select the filter list that you created earlier, DC replication, from
the list.
● You will see a list of filter actions. Select the filter action that you created earlier, DC replication,
from the list.
Your policy will now look like this (the authentication column will indicate "Certificate" if you selected that
method).
● Click Assign.
Every domain controller requires a similar IPSec policy. Regardless of whether the controller is in the
internal network, the perimeter network, or the external network, you must configure its IPSec policy so
that all communications with all other domain controllers are through IPSec. Not only does this allow the
knowledge consistency checker to build a replication topology that ignores the firewall, it also secures all
IPSec replication between every server.
Testing the IPSec policy. Be sure to test the policies that you have created. After you have created and
assigned a policy on at least two machines, you can use the IPSECMON.EXE utility to observe when the
machines establish the IPSec security association:
● Issue the command ipsecmon. A graphical utility starts, listing current security associations and
how much authenticated and/or encrypted traffic has passed through the server. (Unless the DCs
have started to exchange information, there probably will not be any system administrators right
now.)
● Click the Options button and change the refresh rate to one second.
● Go back to the command prompt and ping another domain controller that also has an IPSec policy.
Use the -t flag to ping continuously until stopped (ping -t ip-address ).
● Look for several "Negotiating IP security" responses—the machines are exchanging cryptographic
keys and building their security associations. Finally you will see normal replies. It may take 10 to
12 seconds to establish the security associations in both directions.
Top of page
Networks supporting electronic commerce and extranet connections may require a domain controller in
the perimeter network. Although at first this might appear to create security issues, IPSec can help here,
too. It is possible to create fine-grained packet filters by using the permit/block features of IPSec rules.
Please see the document, "Using IPSec to Lock Down a Server," at http://www.microsoft.com/technet/
itsolutions/network/security/ipsecld.mspx [ http://www.microsoft.com/technet/itsolutions/network/
security/ipsecld.mspx ] . You can combine the approach there with the information here to create an
IPSec policy that permits only secure DC-to-DC communication and blocks all other traffic from reaching
the DC in the perimeter network.
Top of page
Although probably not envisioned by IPSec's designers, the protocol has become an excellent method for
encapsulating complex traffic so that it can be safely transported between networks. The Windows 2000
IPSec policy engine can be used to create very fine-grained rules that specifies traffic that is permitted,
blocked, or secured between hosts. In the scenario here, we are using it to secure all traffic between
known hosts—specific domain controllers—while permitting other traffic to and from those hosts.
For more information about Windows 2000 IPSec, and other security features of Windows 2000, please
begin your adventure at http://www.microsoft.com/technet/security/default.mspx [ http://www.microsoft.
com/technet/security/default.mspx ] .
Top of page
1 This document doesn't discuss using preshared keys. Preshared key authentication is included in Windows
2000 only for compatibility with other IPSec implementations and to conform to the IPSec RFCs. In no cases
do we encourage the use of preshared keys in a production environment because of the inherent security risks
associated with shared-secret style authentication.
2 That is, all traffic except that which is exempted from IPSec processing, as discussed earlier.