WIN2K3 in a DMZ

I've been asked to set up a web services server in a DMZ zone. Simple, right? I don't know, you tell me. The server (we'll call it webserver) is a domain member and should be pulling auto updates from within the domain, and so forth, blah blah, so I set up the server and joined the domain with it, changed the IP address, and placed it physically into the DMZ. This is where my trouble begins. Once in this location the server responds, but it takes forever. I'm talking half an hour to log in as a network user with no profile. However, the local admin account functions normally until you try and use an authenticated service from the domain. What's wrong and how do I make it work? As a test I put an XP machine in the DMZ and it worked perfectly. I'm thinking it's a security feature within Windows 2003 Server, but I'm not familiar enough to figure it out. Any help is much appreciated.
 
When it's in the DMZ, does it still have its DNS servers set to the domain DNS servers?

(slow logons are usually a DNS problem)
 
You should not have a domain member in a DMZ, unless it's a domain set up for the DMZ only.

The issue is Dynamic RPC. In order for a system to log into a domain, all ports above 1024 have to be open unless you do an RPC static port mapping edit on all the DCs.

So if your firewall is set up right to block traffic, you shouldn't be able to authenticate against the internal DCs.
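The "RPC static port mapping edit" mentioned above is a registry change on each domain controller that pins the normally dynamic RPC endpoints to fixed ports, so the firewall between the DMZ and the internal network can permit a narrow range instead of everything above 1024. The script below is an added example, not code from anyone in this thread; the registry paths and value names are the documented Microsoft ones, while the port numbers are constructed choices and `$dcs` is a placeholder list. It would be run as an administrator on each DC (Windows Server 2003 needs PowerShell 1.0 installed), followed by a reboot.

```powershell
# Added example (not from the thread): pin a domain controller's RPC endpoints
# to fixed ports so the DMZ firewall can allow a small, known range.
# Port values below are constructed; choose ones that are free on your DCs.

$ntds        = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# 1. Fix the directory service (AD replication / LDAP-over-RPC) endpoint.
New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord `
    -Value 50000 -Force | Out-Null

# 2. Fix the Netlogon endpoint, which is what domain logons and trusts use.
New-ItemProperty -Path $netlogon -Name 'DCTcpipPort' -PropertyType DWord `
    -Value 50001 -Force | Out-Null

# 3. Confine every other RPC server on the DC to a small dynamic range.
if (-not (Test-Path $rpcInternet)) {
    New-Item -Path $rpcInternet -Force | Out-Null
}
New-ItemProperty -Path $rpcInternet -Name 'Ports' -PropertyType MultiString `
    -Value @('50002-50100') -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# 4. Read the values back so the change can be verified before rebooting.
Get-ItemProperty -Path $ntds     -Name 'TCP/IP Port'
Get-ItemProperty -Path $netlogon -Name 'DCTcpipPort'
Get-ItemProperty -Path $rpcInternet

# 5. After the reboot, confirm from a DMZ-side host that only the pinned
#    ports answer. $dcs is a placeholder; fill in your own DC addresses.
$dcs = @('DC-PLACEHOLDER-1', 'DC-PLACEHOLDER-2')
foreach ($dc in $dcs) {
    foreach ($port in 135, 50000, 50001) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($dc, $port)
            Write-Output ("{0}:{1} open" -f $dc, $port)
        } catch {
            Write-Output ("{0}:{1} blocked" -f $dc, $port)
        } finally {
            $client.Close()
        }
    }
}
```

With this in place the DMZ-to-DC rule set only needs the RPC endpoint mapper (TCP 135) plus the pinned ports and range, alongside the usual Kerberos (88), LDAP (389), SMB (445) and DNS (53) rules. The trade-off the earlier replies point out still stands: even with a narrow rule set, a compromised DMZ host that is a domain member holds credentials and a reachable path to the internal DCs, which is why a separate domain for the DMZ is the safer design.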
 
QFT, no domain members in the DMZ without it being a separate child domain or something of that sort.
 
Yeah, that's kind of what I thought too after thinking on it a bit more. Is there a way to propagate auto updates from one of our servers into the DMZ for this box, or is this usually done via the Microsoft auto updates site? And what about anti-virus for that matter? I'll kill the domain membership today. Any other words of wisdom?

I should have stuck to network devices; I hate working on servers.
 
You can have a WSUS server in the DMZ, or just do Windows Updates if there is internet access. For AV, if you have an AV server in the normal network, open up the right ports from the DMZ to said AV server, or again out to the internet.
 