On Fri, 13 Dec 2024 10:14:27 +0100
Ilias Chasapakis forumZFD via samba <samba at lists.samba.org> wrote:
> Dear all,
>
> We (me and colleagues) were considering setting up an RODC in our DMZ
> for some authentication related questions.
>
> We were curious about any suggested best practices for those cases.
>
> We also notice that there are quite a lot of ports to open vs. the
> ADs.
>
> * TCP 88 (Kerberos Key Distribution Center)
> * TCP 135 (Remote Procedure Call)
> * TCP 139 (NetBIOS Session Service)
> * TCP 389 (LDAP)
> * TCP 445 (SMB, Net Logon)
> * UDP 53 (DNS)
> * UDP 389 (LDAP, DC Locator, Net Logon)
> * TCP 49152-65535 (Randomly allocated high TCP ports)
>
> Are there other suggestions from your side to approach the RODC in a
> DMZ, keeping the security at a decent level?
>
> Many thanks in advance for your suggestions
>
> Best
> Ilias
>
Well, personally, I wouldn't put anything to do with AD into a DMZ, but
that is probably just me. Any AD client in a DMZ (and that includes an
RODC) must 'talk' to an internal DC.
If you must do this, Microsoft has documentation here:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN
Rowland
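As an added example that is not part of the thread above (neither Ilias's nor Rowland's), the following POSIX shell function turns the port list from the question into an nftables forward-chain ruleset for the firewall between the DMZ and the internal network. It encodes the point Rowland makes: the only AD traffic allowed out of the DMZ is from the single RODC to the single internal DC it must talk to, on exactly the listed ports, with everything else from the DMZ into the internal zone logged and dropped. The interface names, the RFC 5737 addresses, and the table/chain names are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emit an nftables ruleset
# that lets only the DMZ RODC reach the internal DC on the ports listed in
# the question and drops everything else crossing DMZ -> internal.
# Interface names and addresses are assumptions, not from the thread.

# rodc_ruleset RODC_IP DC_IP [DMZ_IF] [INT_IF]
rodc_ruleset() {
    rodc="$1"
    dc="$2"
    dmz_if="${3:-dmz0}"   # assumed name of the DMZ-facing interface
    int_if="${4:-lan0}"   # assumed name of the internal-facing interface
    cat <<EOF
table inet dmz_rodc {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-accepted connections, in either direction
        ct state established,related accept

        # RODC -> internal DC only: TCP ports from the list in the question
        iifname "$dmz_if" oifname "$int_if" ip saddr $rodc ip daddr $dc tcp dport { 88, 135, 139, 389, 445 } accept

        # RODC -> internal DC only: UDP ports from the list in the question
        iifname "$dmz_if" oifname "$int_if" ip saddr $rodc ip daddr $dc udp dport { 53, 389 } accept

        # RPC dynamic range (the "randomly allocated high TCP ports" in the list)
        iifname "$dmz_if" oifname "$int_if" ip saddr $rodc ip daddr $dc tcp dport 49152-65535 accept

        # Anything else from the DMZ into the internal zone: count, log, drop
        iifname "$dmz_if" oifname "$int_if" counter log prefix "dmz-to-int-drop " drop
    }
}
EOF
}

# Usage: print the ruleset for review, then load it with 'nft -f -' on the
# firewall host. The addresses here are constructed sample values.
if [ "${1:-}" = "--demo" ]; then
    rodc_ruleset 192.0.2.10 198.51.100.5
fi
```

Because the chain policy is `drop`, the listed ports are the complete allow-list: if a DC-side service is missing from the question's list it will show up as a logged drop, which makes the log prefix a useful check that the list is actually sufficient before the RODC goes live.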