unable to join domain from dmz

["Hayden Searle" <hayden.searle () safecom co nz>]

The last couple of guys have hit it on the head. You should only have
your domain controllers inside you perimeter, not sitting in the DMZ.

The point in having a DMZ is that if a box gets compromised the hacker
cannot gain entry to your internal network, or gain any information
about your internal network. If you have a BDC out there then
technically there is really no point in having a DMZ.

One question that I cant see as being asked is why is the BDC required
in the DMZ? If its for authentication for something in the DMZ then why
not leave it in the internal network, and use the VPN function on the
PIX, and have access lists based on that? And is there any access to the
BDC from the internet...I mean you do know that support for NT4 is going
very shortly and all the vulnerabilities that people currently finding,
are probably being held until this time, as no new patches will be
created for the NT OS.

I think if we had some more info on this issue then we could probably
help devise a better way of doing whatever it is that you are trying to
do

Regards

Hayden

-----Original Message-----
From: Dan Tesch [mailto:dan.tesch () comcast net] 
Sent: Wednesday, 25 August 2004 8:50 a.m.
To: Security Basics
Subject: Re: unable to join domain from dmz

You can do this by adding an entry in LMHOSTS also, you can google
for instructions - simpler than setting up WINS.

> You need to setup a WINS server.  Otherwise you cannot cross subnets.
>
> On Mon, 23 Aug 2004 12:12:52 +0300, Bilal Dar <bdar () pbad sbg com sa>
wrote:
> > I am having a problem, i couldn't figure out the reason till now. We
are
> > having our NT 4 Primary Domain Controller on the inside network, now
i
am
> > installing another server in the DMZ as a Backup Domain Controller.
When
i
> > try to join the domain during installation i get an error stating
"The
> > domain controller for the domain cannot be located"
> >
> > Dmz = 172.17.0.0/16
> > Inside = 172.16.0.0/16
> >
> > PDC = 172.16.4.2
> > NewServer = 172.17.0.10/16
> >
> > conduit permit icmp any any
> > conduit permit ip host 172.17.0.10 172.16.0.0 255.255.0.0
> > conduit permit ip host 172.17.0.10 172.17.0.0 255.255.0.0
> > conduit permit tcp host 172.17.0.10 eq smtp any
> > conduit permit tcp host 172.17.0.10 eq pop3 any
> > conduit permit tcp host 172.17.0.10 eq domain any
> > conduit permit udp host 172.17.0.10 eq domain any
> > conduit permit ip host 172.17.4.2 host 172.17.0.10
> >
> > I can ping NewServer from Inside network. Am i missing something?
> >
> > Thanks
>
>
> -- 
> END OF LINE
>        -MCP


------------------------------------------------------------------------
---
Computer Forensics Training at the InfoSec Institute. All of our class
sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of
a certified computer examiner, learn to recover trace data left behind
by
fraud, theft, and cybercrime perpetrators. Discover the source of
computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
----

#####################################################################################
Important: This electronic message and attachments (if any) are confidential
and may be legally privileged. If you are not the intended recipient do not
copy, disclose or use the contents in any way. Please let us know by return
e-mail immediately and then destroy this message.
#####################################################################################

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------