Security Basics mailing list archives
unable to join domain from dmz
From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Fri, 10 Sep 2004 00:57:57 +1200
The last couple of guys have hit it on the head. You should only have your domain controllers inside you perimeter, not sitting in the DMZ. The point in having a DMZ is that if a box gets compromised the hacker cannot gain entry to your internal network, or gain any information about your internal network. If you have a BDC out there then technically there is really no point in having a DMZ. One question that I cant see as being asked is why is the BDC required in the DMZ? If its for authentication for something in the DMZ then why not leave it in the internal network, and use the VPN function on the PIX, and have access lists based on that? And is there any access to the BDC from the internet...I mean you do know that support for NT4 is going very shortly and all the vulnerabilities that people currently finding, are probably being held until this time, as no new patches will be created for the NT OS. I think if we had some more info on this issue then we could probably help devise a better way of doing whatever it is that you are trying to do Regards Hayden -----Original Message----- From: Dan Tesch [mailto:dan.tesch () comcast net] Sent: Wednesday, 25 August 2004 8:50 a.m. To: Security Basics Subject: Re: unable to join domain from dmz You can do this by adding an entry in LMHOSTS also, you can google for instructions - simpler than setting up WINS.
You need to setup a WINS server. Otherwise you cannot cross subnets. On Mon, 23 Aug 2004 12:12:52 +0300, Bilal Dar <bdar () pbad sbg com sa>
wrote:
I am having a problem, i couldn't figure out the reason till now. We
are
having our NT 4 Primary Domain Controller on the inside network, now
i am
installing another server in the DMZ as a Backup Domain Controller.
When i
try to join the domain during installation i get an error stating
"The
domain controller for the domain cannot be located" Dmz = 172.17.0.0/16 Inside = 172.16.0.0/16 PDC = 172.16.4.2 NewServer = 172.17.0.10/16 conduit permit icmp any any conduit permit ip host 172.17.0.10 172.16.0.0 255.255.0.0 conduit permit ip host 172.17.0.10 172.17.0.0 255.255.0.0 conduit permit tcp host 172.17.0.10 eq smtp any conduit permit tcp host 172.17.0.10 eq pop3 any conduit permit tcp host 172.17.0.10 eq domain any conduit permit udp host 172.17.0.10 eq domain any conduit permit ip host 172.17.4.2 host 172.17.0.10 I can ping NewServer from Inside network. Am i missing something? Thanks-- END OF LINE -MCP
------------------------------------------------------------------------ --- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ------------------------------------------------------------------------ ---- ##################################################################################### Important: This electronic message and attachments (if any) are confidential and may be legally privileged. If you are not the intended recipient do not copy, disclose or use the contents in any way. Please let us know by return e-mail immediately and then destroy this message. ##################################################################################### --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- RE: unable to join domain from dmz Phillip McCollum (Sep 07)
- RE: unable to join domain from dmz Cherian Palayoor (Sep 09)
- <Possible follow-ups>
- RE: unable to join domain from dmz James P. Saveker (Sep 08)
- Message not available
- RE: unable to join domain from dmz Gautam R. Singh (Sep 09)
- Message not available
- unable to join domain from dmz Hayden Searle (Sep 10)