Deploying an RODC in a Perimeter Network

jamesfick
Level 1

We need to deploy an RODC in a perimeter network and allow replication via IPsec through our ASA from the DC. Was wondering if anyone here has done this and if so could you share with me what worked and didn't work. We are using several Microsoft documents to do this deployment but none of the documents can agree on what ports need to be opened on the ASA to allow this traffic through, and from which direction.

Any help or advice would be greatly appreciated.  Thank you.

Jim


5 Replies

Kureli Sankar
Cisco Employee

RODC as in Read-Only Domain Controller?

I see so many deployment guides on Google as well. Best thing to do is watch the logs on the ASA and look for denied packets due to access-list messages and selectively open ports for those that are blocked.

http://forums.techarena.in/active-directory/1303925.htm

Enable logging on the ASA:

conf t
logging on
logging buffered 7
exit

show logging | include x.x.x.x (where x.x.x.x is the IP address of the RODC)

-Kureli
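Kureli's approach above (watch the ASA log for denied packets to and from the RODC and open only what is actually blocked) gets tedious once the buffer fills up, because the same flow is denied many times. The following Python script is an added example, not code from the thread: it parses constructed %ASA-4-106023 access-list deny lines (the message an ACL deny produces) and counts them per direction, protocol and destination port for one host. Interface names, addresses and ACL names are made up.

```python
import re
from collections import Counter

# %ASA-4-106023 access-list deny message, tcp/udp form. The icmp form
# (no ports) and all other message ids are deliberately skipped.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>[^\s:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^\s:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample of "show logging" output; every address, interface
# and ACL name here is made up for the example.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49160 dst inside:192.168.1.10/389 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src dmz:10.10.10.5/49161 dst inside:192.168.1.10/88 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49162 dst inside:192.168.1.10/389 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49163 dst inside:192.168.1.10/135 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.10/51000 dst dmz:10.10.10.5/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.99/40000 dst inside:192.168.1.10/389 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for dmz:10.10.10.5/49170 (10.10.10.5/49170) to inside:192.168.1.10/3268 (192.168.1.10/3268)
"""


def denied_flows(log_text, host):
    """Count denied flows involving `host` as source or destination.

    Key: (src_if->dst_if, proto, dst_port, acl). Source ports are
    ephemeral, so they are dropped to collapse repeats of one flow.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or host not in (m["src"], m["dst"]):
            continue
        key = (f"{m['sif']}->{m['dif']}", m["proto"], int(m["dport"]), m["acl"])
        counts[key] += 1
    return counts


def report(log_text, host):
    """One text line per denied flow, most frequently denied first."""
    rows = denied_flows(log_text, host).most_common()
    return [f"{n:4d}  {d} {p}/{port} denied by {acl}" for (d, p, port, acl), n in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "10.10.10.5")))
```

Each line of the report is one candidate ACL entry to compare against the Microsoft port list before opening it; flows from other hosts (10.10.10.99 in the sample) are left out of the count.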

Good work Kureli... Deserves a high 5!! James, please rate the query and mark it as answered.

Regards,

Ankur Thukral
Community Manager: Security and VPN

Will do, thank you.

Pavel Pokorny
Level 1

Hi,

I have been doing this exercise during this week.

I have used this document:

http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx - Required communication ports

And also, required communication on 135-139 (UDP and TCP) and 80 (TCP) toward the CA.

Everything seems to be working with this setup ok.

It all has been done on one ASA (from DMZ to trusted server network).

But if you use IPsec, I suppose the IPsec tunnel is created from the ASA (not from the Windows server), so the port requirements should be the same.

Please rate if this helps.

Pavel

Thank you for the info, I will look over the document.
