By Steve Riley
This white paper explains how to get replication to function properly in environments where an Active Directory forest is distributed among internal networks, perimeter networks (also known as DMZs, demilitarized zones, or screened subnets), and external (Internet-facing) networks.
Introduction
Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

- Initially promoting a server to a domain controller.
- Replicating directory data between domain controllers.
Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations, for schema, configuration, and global catalog replication, but not for the domain naming context, which limits its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter, and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

- Open the firewall wide to permit RPC's native dynamic port behavior.
- Limit RPC's use of TCP ports and open the firewall just a little bit.
- Encapsulate domain controller-to-domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall only for that.

Each approach has its pros and cons. In general, there are more cons than pros at the top of the list and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.

Full Dynamic RPC
Cons
- Turns the firewall into "Swiss cheese"
- Random incoming high-port connections
- Insecure firewall configuration
Service                                             Port/protocol
RPC endpoint mapper                                 135/tcp, 135/udp
Network basic input/output system (NetBIOS)
  name service                                      137/tcp, 137/udp
NetBIOS datagram service                            138/udp
NetBIOS session service                             139/tcp
RPC dynamic assignment                              1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS)   445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP)        389/tcp
LDAP ping                                           389/udp
LDAP over SSL                                       636/tcp
Global catalog LDAP                                 3268/tcp
Global catalog LDAP over SSL                        3269/tcp
Kerberos                                            88/tcp, 88/udp
Domain Name System (DNS)                            53/tcp [1], 53/udp
Windows Internet Naming Service (WINS) resolution
  (if required)                                     1512/tcp, 1512/udp
WINS replication (if required)                      42/tcp, 42/udp

[1] TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.
It is that "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as "TCP high ports," the rule needs to permit inbound traffic on any port above 1023. If your firewall permits this, there is very little reason even to have a firewall. If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.
Revised January 31, 2006
Limited RPC
Pros
- More secure than dynamic RPC: only the fixed high ports for AD replication and FRS are opened

Cons
- Registry modification to all domain controllers
This scenario gives you more security, but it does require making registry modifications to all your domain controllers. Registry modifications can be scripted with tools in the Microsoft Windows 2000 Resource Kit, which helps eliminate configuration errors. You must decide upon fixed port numbers for AD replication and for the file replication service (FRS). The Internet Assigned Numbers Authority (IANA) has set aside the range 49152 through 65535 for private and dynamic assignments, so choose both ports from that range. Using the registry editor, navigate to this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Here, create a DWORD value named TCP/IP Port and set it to the port for AD replication. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

and create a DWORD value named RPC TCP/IP Port Assignment set to the port for FRS. (The .REG text later in this section sets both values.) Restart the domain controller so that the services bind to the new ports, and then configure your firewall to permit the following.
Service                                             Port/protocol
RPC endpoint mapper                                 135/tcp, 135/udp
NetBIOS name service                                137/tcp, 137/udp
NetBIOS datagram service                            138/udp
NetBIOS session service                             139/tcp
RPC static port for AD replication                  <AD-fixed-port>/tcp
RPC static port for FRS                             <FRS-fixed-port>/tcp
SMB over IP (Microsoft-DS)                          445/tcp, 445/udp
LDAP                                                389/tcp
LDAP ping                                           389/udp
LDAP over SSL                                       636/tcp
Global catalog LDAP                                 3268/tcp
Global catalog LDAP over SSL                        3269/tcp
Replace <AD-fixed-port> and <FRS-fixed-port> with the port numbers that you used in the registry values. As before, if you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them. You still need the endpoint mapper because clients will not know that you fixed the ports; the endpoint mapper simply returns your fixed ports when clients ask for the port numbers associated with the RPC interface UUIDs of AD replication and FRS.

Here is some text that you can import into the registry. It sets the AD port to 49152 (0xC000) and the FRS port to 49153 (0xC001). Copy it to the clipboard, paste it into a blank Notepad window, save the file with a .REG extension, and then double-click that file in Windows Explorer. If you want to use different ports, use the Windows Calculator (in scientific mode) to convert the number from decimal to hexadecimal, and pad the value with leading zeros to eight hexadecimal digits, as in the following example.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
"RPC TCP/IP Port Assignment"=dword:0000c001
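As an added example (not part of the original white paper), the following Python script generates this .REG text for any pair of ports, refuses ports outside the 49152-65535 range or an AD port equal to the FRS port, and reads the two values back out of .REG exports gathered from several domain controllers so that a missing or drifted value is caught before the firewall rules are written. The keys and value names are the ones in the .REG text above; the domain controller names and the exports used in demo() are constructed, and the script assumes the exports have already been decoded to text (reg export writes UTF-16).

```python
import re

# Port range the paper tells you to choose from (IANA dynamic/private range).
PORT_MIN, PORT_MAX = 49152, 65535

# Registry locations and value names from the paper's .REG text.
NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
NTFRS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters"
NTDS_VALUE = "TCP/IP Port"
NTFRS_VALUE = "RPC TCP/IP Port Assignment"


def check_port(port: int, label: str) -> None:
    """Reject ports outside the recommended range; anything below 49152 may
    collide with a well-known or registered service on the DC."""
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"{label} port {port} is outside {PORT_MIN}-{PORT_MAX}")


def make_reg(ad_port: int, frs_port: int) -> str:
    """Produce the .REG text for fixed AD and FRS RPC ports. The dword is the
    port in hexadecimal, zero-padded to eight digits (49152 -> 0000c000)."""
    check_port(ad_port, "AD replication")
    check_port(frs_port, "FRS")
    if ad_port == frs_port:
        raise ValueError("AD and FRS must listen on different ports")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{NTDS_KEY}]\r\n\"{NTDS_VALUE}\"=dword:{ad_port:08x}\r\n\r\n"
        f"[{NTFRS_KEY}]\r\n\"{NTFRS_VALUE}\"=dword:{frs_port:08x}\r\n"
    )


# One '"name"=dword:xxxxxxxx' line of a .REG file.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$', re.M)


def parse_reg_ports(text: str) -> dict:
    """Read dword values back out of .REG text. Returns {value name: decimal}."""
    return {m.group("name"): int(m.group("hex"), 16) for m in _VALUE_RE.finditer(text)}


def audit_exports(exports: dict) -> list:
    """Compare .REG exports from several DCs and report any DC whose ports are
    missing, out of range, or different from the first DC's (the firewall rules
    assume one AD port and one FRS port for the whole forest)."""
    findings = []
    baseline = None
    for dc, text in exports.items():
        ports = parse_reg_ports(text)
        for name in (NTDS_VALUE, NTFRS_VALUE):
            if name not in ports:
                findings.append(f"{dc}: '{name}' not set, RPC will pick a dynamic port")
            elif not PORT_MIN <= ports[name] <= PORT_MAX:
                findings.append(f"{dc}: '{name}'={ports[name]} is outside {PORT_MIN}-{PORT_MAX}")
        if baseline is None:
            baseline = ports
        elif ports != baseline:
            findings.append(f"{dc}: ports {ports} differ from baseline {baseline}")
    return findings


def demo() -> list:
    """Constructed exports: two DCs done correctly, a third missing the FRS value."""
    good = make_reg(49152, 49153)
    dc3 = ("Windows Registry Editor Version 5.00\r\n\r\n"
           f"[{NTDS_KEY}]\r\n\"{NTDS_VALUE}\"=dword:0000c000\r\n")
    return audit_exports({"dc1": good, "dc2": good, "dc3": dc3})


if __name__ == "__main__":
    print(make_reg(49152, 49153))
    for finding in demo():
        print(finding)
```

demo() reports two findings for dc3: the FRS value is absent, and its port set therefore differs from the other two DCs. Running audit_exports over real exports (reg export of the two keys on each DC) is a quick way to confirm that every DC really listens where the firewall rules expect.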
Page 5 of 22
IPSec provides a way to easily encapsulate and carry RPC traffic over a firewall. Besides simplifying the transport of RPC, IPSec also increases security between the DCs because of IPSec's mutual authentication feature: by using either Kerberos or machine certificates, the DCs will "know" whom they are communicating with before any actual information exchange occurs. This document shows you how to create an appropriate IPSec policy by using the Microsoft Management Console (MMC) interface. You can script policy creation with IPSECPOL.EXE, a tool available in the Windows 2000 Resource Kit. Be sure to thoroughly read and understand the IPSECPOL.EXE documentation before you try to use it; unlike the GUI, the command-line tool has very little consistency checking built in.

There is one decision that you must make before you begin: whether to use certificates for IPSec authentication or the built-in Kerberos authentication of Windows 2000. Kerberos authentication requires that both computers already be in the same domain, so if you prefer Kerberos, then you must use something other than IPSec for the domain controller promotion (DCPROMO) phase, because the target server is not yet a member of the domain. Point-to-Point Tunneling Protocol (PPTP) tunnels work well for this and are documented here. If instead you want to use certificates for authentication, you must obtain a certificate for each DC that will participate in IPSec replication. Please see http://www.microsoft.com/windows2000/library/ for documents that describe how to build a Windows 2000 certificate authority and how to configure your domain for automatic enrollment of machine certificates. For IPSec replication and IPSec or PPTP promotion, configure your firewall to permit the following.
Service                                             Port/protocol
DNS                                                 53/tcp, 53/udp
PPTP establishment (if using PPTP)                  1723/tcp
GRE, generic routing encapsulation (if using PPTP)  IP protocol 47
Kerberos                                            88/tcp, 88/udp
IKE, Internet Key Exchange                          500/udp
IPSec ESP, Encapsulating Security Payload           IP protocol 50
If you decide to use certificates for IPSec authentication instead of Kerberos, you can configure the servers to carry Kerberos traffic inside IPSec. This will be covered in more detail later. Regardless of authentication mode, Kerberos between domain controllers is still required.
Note that the IPSec configuration described here will not work through network address translation (NAT) devices. IPSec's integrity protection covers the IP addresses: AH's integrity check includes the IP header itself, and in ESP transport mode the TCP or UDP checksum (which is computed over the source and destination addresses) sits inside the encrypted payload, where a NAT device cannot update it. Packets whose addresses were rewritten by NAT therefore fail integrity or checksum verification and are discarded when they arrive at the destination. (NAT traversal for IPSec, which wraps ESP in UDP, was standardized later and is not part of the Windows 2000 configuration in this document.)
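To make the NAT problem concrete, here is an added Python example (not from the paper) that computes the TCP checksum exactly as RFC 793 defines it, over a pseudo-header containing the IP source and destination addresses, and then models a NAT device in two situations. With cleartext TCP the NAT rewrites the source address and fixes the checksum, so the receiver is satisfied; with ESP transport mode the segment is encrypted and opaque to the NAT, so the receiver recomputes the checksum against the rewritten address and the segment is dropped. The addresses, ports and payload are constructed; no encryption is performed, the ESP case is modelled only as the NAT being unable to touch the segment.

```python
import ipaddress
import struct

# Constructed topology: a perimeter-network DC replicating with an internal DC
# through a NAT device that rewrites the perimeter DC's source address.
INTERNAL_DC = "10.0.0.5"
PERIMETER_DC = "192.168.100.7"
NAT_PUBLIC_ADDR = "203.0.113.7"


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum (RFC 793): covers a pseudo-header (IP source, IP destination,
    protocol 6, TCP length) plus the segment with its own checksum field
    (bytes 16-17) treated as zero."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = 0xFFFF ^ _ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # a computed zero is transmitted as all ones


def build_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal TCP segment (20-byte header, no options, PSH+ACK) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the receiving TCP stack does once IPSec has removed the ESP layer:
    recompute the checksum using the addresses in the IP header it received."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def nat_forward(dst_ip: str, segment: bytes, esp_protected: bool) -> tuple:
    """Model a NAT device. It always rewrites the outer source address. If the TCP
    header is visible (cleartext) it also fixes the checksum; under ESP the
    segment is encrypted and opaque, so it is forwarded untouched."""
    new_src = NAT_PUBLIC_ADDR
    if esp_protected:
        return new_src, segment
    fixed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(new_src, dst_ip, fixed)
    return new_src, fixed[:16] + struct.pack("!H", csum) + fixed[18:]


def demo() -> dict:
    """One constructed segment from the perimeter DC to the internal DC: sent
    directly, through the NAT in the clear, and through the NAT inside ESP."""
    seg = build_segment(PERIMETER_DC, INTERNAL_DC, 49152, 389, b"constructed replication payload")
    results = {"direct": checksum_ok(PERIMETER_DC, INTERNAL_DC, seg)}
    src, fwd = nat_forward(INTERNAL_DC, seg, esp_protected=False)
    results["nat_cleartext"] = checksum_ok(src, INTERNAL_DC, fwd)
    src, fwd = nat_forward(INTERNAL_DC, seg, esp_protected=True)
    results["nat_esp"] = checksum_ok(src, INTERNAL_DC, fwd)
    return results


if __name__ == "__main__":
    print(demo())  # {'direct': True, 'nat_cleartext': True, 'nat_esp': False}
```

The same address dependence is why AH fails even earlier: its integrity check value is computed over the IP header, so the NAT's rewrite is detected before the packet reaches TCP at all.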
The MMC should now look like this, after clicking on the + next to the server name.
The connectoid then opens. Before connecting, click the Properties button. Click the Options tab, and then select Include Windows logon domain. Close the dialog box. Now log on to the RRAS server by using enterprise administrator credentials (the administrator of the root domain). After the server completes the connection, you may start DCPROMO. DCPROMO requires a reboot at the end of the process; this will also disconnect the PPTP tunnel. Because you no longer need the tunnel, you may delete the connectoid.
You must install certificates on your domain controllers so that they can perform IPSec authentication. All the certificates require signatures from the same certificate authority. Windows 2000 includes an RFC-compliant certificate authority (CA) that works very well in this case. With group policies, you can configure your domain to automatically enroll member computers with machine certificates. While IPSec will work with certificates from any CA, auto-enrollment requires a Windows 2000 CA. If you already have a PKI, the Windows 2000 CA can be configured as a subordinate (issuing) CA. Please see the documentation, including the walkthroughs mentioned earlier, for more details. If you decide to go this route, then you also have the option of including Kerberos traffic inside IPSec. Normally, certain kinds of traffic are exempt from IPSec transport mode processing:

- Broadcast: cannot be classified by IPSec filters because the sender does not know all the receivers.
- Multicast: same as broadcast.
- Resource reservation protocol (RSVP), IP protocol 46: must be exempt so that quality of service marking occurs; however, IPSec packets can be carried inside RSVP packets.
Although neither method is preferred over the other, using IPSec with machine certificates is probably the more "forward looking" approach, especially because most organizations plan to deploy PKIs of some kind.
Next, click IP Security Policies on Local Machine (in the left-hand pane of the MMC). This displays the default policies, where you will add a new one for replication. First, however, you must create the filter list and action. The filter list indicates which IP addresses, ports, and protocols trigger the application of IPSec. You want to secure all the traffic between the domain controllers only, not any traffic between a domain controller and some other machine. Right-click in the MMC's right-hand pane and click Manage IP filter lists and filter actions. You will be on the Manage IP Filter Lists tab. A filter list is simply a list of filters; you will create a filter for each server that this one replicates with. That is, only one filter list is required and the list contains filters for all domain controllers.
Click the Add button to create a new filter list. Name the filter list DC replication. Click the Add button to create a new filter, and follow these steps to complete the wizard:

- Select My IP address as the source address.
- Select A specific IP address as the destination address, and then type the IP address of the other server.
- Select Any as the protocol type. This configures the filter so that all traffic between the two computers will be carried inside IPSec.[2]
Name the action DC replication. In the wizard:

- Click Negotiate security.
- Click Do not communicate with computers that do not support IPSec.
- Click High (Encapsulated Secure Payload).
- Select the Edit properties check box (you will need to make changes later).
- Click the Finish button.
In the Properties dialog box, clear the check box next to Accept unsecured communication, but always respond using IPSec. You do not want the server to respond at all to unsecured communication. Of course, this applies only to those machines that are part of the corresponding IP filter list; you will link the filter list and the filter action with a policy in just a moment. Close all dialog boxes.
Figure 8: Domain Controller Replication Filter Action

Now you are ready to create the IPSec policy. Right-click in the MMC's right-hand pane and click Create IP security policy. In the wizard:

- Name the policy Domain controller replication.
- Clear Activate the default response rule.
- Ensure that the Edit properties check box is selected, and close the wizard.
You create a rule by associating the filter list and filter action that you created earlier. Click the Add button to define a new rule. In the wizard:

- Select This rule does not specify a tunnel.
- Select Local area network (LAN) for the network type.
- Choose an authentication method:
  - Select Windows 2000 default (Kerberos V5 protocol) if you used PPTP tunnels for DCPROMO, or
Your policy will now look like this (the authentication column will indicate "Certificate" if you selected that method).
Figure 11: Domain Controller Policy Is Assigned

IPSec processing happens immediately; there is no need to reboot the server. Every domain controller requires a similar IPSec policy. Regardless of whether the controller is in the internal network, the perimeter network, or the external network, you must configure its IPSec policy so that all communications with all other domain controllers are through IPSec. Not only does this allow the knowledge consistency checker (KCC) to build a replication topology that ignores the firewall, it also secures all replication traffic between every pair of domain controllers.

Testing the IPSec policy

Be sure to test the policies that you have created. After you have created and assigned a policy on at least two machines, you can use the IPSECMON.EXE utility to observe when the machines establish the IPSec security association:

- Open a command window and issue the command ipsecmon. A graphical utility starts, listing current security associations and how much authenticated and/or encrypted traffic has passed through the server. (Unless the DCs have already started to exchange information, there probably will not be any security associations yet.)
- Click the Options button and change the refresh rate to one second.
- Go back to the command prompt and ping another domain controller that also has an IPSec policy. Use the -t flag to ping continuously until stopped (ping -t ip-address). The first replies may report that IP security is being negotiated; once the security association appears in IPSECMON, replies return normally and the traffic counters increase.
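The following Python script is an added example, not part of the paper, that turns the rules of this section (filter list, filter action and "every domain controller requires a similar policy") into an audit of a per-DC policy model: every pair of domain controllers must have filters for each other, both sides must use the same authentication method, each policy must be assigned, and no DC may accept or fall back to unsecured communication. The DC names, addresses and the deliberately broken policies in demo() are constructed; in practice you would fill the model from each DC's exported IPSec policy.

```python
from itertools import combinations

# Constructed forest: one DC in each of the three network zones the paper discusses.
DCS = {
    "dc-int": ("internal", "10.0.0.5"),
    "dc-dmz": ("perimeter", "172.16.5.10"),
    "dc-ext": ("external", "198.51.100.20"),
}


def make_policy(remote_dcs, auth="kerberos", accept_unsecured=False,
                fallback_to_clear=False, assigned=True) -> dict:
    """One DC's policy as built in the MMC walkthrough: a filter list with one
    filter per replication partner, plus the filter action's fallback settings."""
    return {
        "filters": {DCS[r][1] for r in remote_dcs},   # remote DC addresses in the filter list
        "auth": auth,                                 # "kerberos" or "certificate"
        "accept_unsecured": accept_unsecured,         # 'Accept unsecured communication, but always respond using IPSec'
        "fallback_to_clear": fallback_to_clear,       # talk in the clear to peers that do not support IPSec
        "assigned": assigned,                         # policy assigned on the DC
    }


def audit(policies: dict) -> list:
    """Return human-readable findings; an empty list means every DC pair will
    negotiate IPSec and nothing can fall back to cleartext."""
    findings = []
    for dc, pol in policies.items():
        if not pol["assigned"]:
            findings.append(f"{dc}: policy is not assigned")
        if pol["accept_unsecured"]:
            findings.append(f"{dc}: accepts unsecured inbound packets")
        if pol["fallback_to_clear"]:
            findings.append(f"{dc}: falls back to cleartext with non-IPSec peers")
    for a, b in combinations(policies, 2):
        ip_a, ip_b = DCS[a][1], DCS[b][1]
        if ip_b not in policies[a]["filters"]:
            findings.append(f"{a}: no filter for {b} ({ip_b})")
        if ip_a not in policies[b]["filters"]:
            findings.append(f"{b}: no filter for {a} ({ip_a})")
        if policies[a]["auth"] != policies[b]["auth"]:
            findings.append(f"{a}/{b}: authentication methods differ, IKE will fail")
    return findings


def full_mesh(auth="kerberos") -> dict:
    """The intended end state: every DC has a filter for every other DC."""
    return {dc: make_policy([o for o in DCS if o != dc], auth=auth) for dc in DCS}


def demo() -> list:
    """Two common mistakes, constructed: the perimeter DC still accepts unsecured
    traffic, and the external DC's filter list is missing the perimeter DC."""
    policies = {
        "dc-int": make_policy(["dc-dmz", "dc-ext"]),
        "dc-dmz": make_policy(["dc-int", "dc-ext"], accept_unsecured=True),
        "dc-ext": make_policy(["dc-int"]),
    }
    return audit(policies)


if __name__ == "__main__":
    print(audit(full_mesh()))  # []
    for finding in demo():
        print(finding)
```

The missing filter on dc-ext is the kind of error that shows up only later, as a replication partner the KCC cannot reach through the firewall, so it is worth checking pairwise coverage before trusting IPSECMON's counters.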
This document does not discuss using preshared keys. Preshared key authentication is included in Windows 2000 only for compatibility with other IPSec implementations and to conform to the IPSec RFCs. In no case do we encourage the use of preshared keys in a production environment, because of the inherent security risks associated with shared-secret authentication.

[2] That is, all traffic except that which is exempted from IPSec processing, as discussed earlier.