Understanding LDAP in Windows Active Directory Forest

Son 311 Reputation points
2022-03-01T08:30:13+00:00

Hi,

I need some help understanding LDAP in a Forest with multiple child domains.

We are reviewing our firewall logs with a goal to restrict communications between company A and company B, which both have a child domain within the same forest. They used to be on a flat MPLS network but now we have segregated them into their own networks behind some next gen firewalls only allowing required communications between the two.

When reviewing the network traffic we are seeing clients/servers in child domain A making LDAP connections to the domain controller in child domain B and vice versa. I am trying to understand if this is expected behaviour in a forest where we have transitive two-way trusts in place by default. This traffic is currently permitted on the firewall but we want to look at restricting it so that clients in child domain A only use DCs in child domain A for LDAP and authentication.

Sites and Services is setup with multiple sites but they are not company specific, so for example we might have a site called India with a DC added from both child domain A and B, there is no India-CompanyA and India-CompanyB sites.

So my questions are:

  1. Is what we are seeing normal and expected behaviour?
  2. Would it be safe to deny LDAP and Kerberos from clients/servers to DCs in the other child domain? (DC to DC traffic has its own FW rule on the required ports and would not be amended)
  3. Can we manipulate the destination LDAP servers on a per child domain basis?
  4. How are SRV records used in this process?

Let me know if you need any more information but hopefully making myself clear!

Thanks

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,154 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,034 questions
0 comments
Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2022-03-01T11:54:46.69+00:00

    Hi @Son

    Is what we are seeing normal and expected behaviour?

    Yes this is normal but it also depends on a number of factors, i.e. how resources in the domains are shared, how access permissions are assigned, Exchange etc.

    Would it be safe to deny LDAP and Kerberos from clients/servers to DCs in the other child domain? (DC to DC traffic has its own FW rule on the required ports and would not be amended)

    As with the previous question it depends, if the clients are talking to both the root and other domains, then it likely blocking this traffic will cause issues with authentication and resource access.

    Can we manipulate the destination LDAP servers on a per child domain basis?

    Site and service is best option for this, as you can define which DCs the clients talk to, but it does mean that you may need to move a child domain controllers into the same subnet. Here is an article on sites and services design

    How are SRV records used in this process?

    Yes the SRV records are key to this, here is an article on how DC are located, and this article explains how to prevent a DC from registering specific SRV records

    Here is an article on the ports that will be used by DC to DC, and an article covering the common ports used by AD based services. The RPC ports can also cause issues as it normally requires a large number of ports to be opened, however it is possible to change which RPC ports are used, so the port range and number of ports can be controlled, more details in this article.

    I hope this helps.

    Gary,

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest