If these NT domains have to pass through the FW (physically) to communicate, it's easy: just set up the necessary rules. If, however, all NT domains and networks are behind the FW, you would need to see if their traffic passes through the FW to get to the networks you wish to restrict. There are too many assumptions I'd have to make, since I don't know your network. I can only be vague in my answer. Hope this helps a little.
Yes, the domains are between firewalls. We have a global domain that we are all migrating to prior to AD implementation, but each country has its own legacy domain that routes through these firewalls.
Maybe the answer is slipping by me, but how can it be done, as the global domain resides on the same subnets as their corresponding regional legacy domains?
So what you're saying is you have devices that are on, i.e., the 172.16.20.0/24 network on the country side of the FW. They also need to talk to the Global side of the FW, which is also 172.16.20.0/24? Is this correct? If so, you will run into anti-spoofing errors unless you turn it off. However, if the Global Domain has the DCs and is on 172.18.20.0/24, and all countries are on the 172.16.X.0/24 networks, then all you should need to do is open ports between the 172.16.X.0 net and the 172.18.20.0 net, allowing whatever ports you want to pass through. If you're only going to have the PDC in the global domain and the BDCs in the country domains, then you'll need to open ports for the sync of the SID DBs between the BDCs and the PDC; you may also want tracert for diagnostics. I hope this makes it a little clearer for you. Good luck.
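An added example, not from anyone in this thread: it checks the layout described above for the same prefix appearing on both sides of the firewall (the anti-spoofing problem) and, when the country nets are distinct from the global DC net, emits the per-country allow rules. The port list is an assumption for NT-style domain traffic (NetBIOS name, datagram and session services plus the RPC endpoint mapper); the thread itself names no ports.

```python
import ipaddress

# Assumed service ports for NT domain traffic between BDCs and the PDC;
# these are not stated in the thread and should be checked against the
# actual services in use before being deployed.
DOMAIN_PORTS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 135)]


def overlapping_nets(country_nets, global_net):
    """Return the country nets that overlap the global net.

    A prefix that exists on both sides of the firewall is exactly the case
    that triggers anti-spoofing drops; disabling anti-spoofing hides the
    symptom, renumbering one side fixes it.
    """
    g = ipaddress.ip_network(global_net)
    return [n for n in country_nets if ipaddress.ip_network(n).overlaps(g)]


def allow_rules(country_nets, global_net, ports=DOMAIN_PORTS):
    """Build allow rules from each country net to the global DC net.

    Raises if any country net overlaps the global net, so that a misaddressed
    layout is caught before rules are written rather than after traffic fails.
    """
    bad = overlapping_nets(country_nets, global_net)
    if bad:
        raise ValueError(f"subnet present on both sides of the firewall: {bad}")
    rules = []
    for net in country_nets:
        for proto, port in ports:
            rules.append({"src": net, "dst": global_net, "proto": proto, "dport": port})
    return rules


def render(rules):
    """Render rules as generic 'allow' lines for review (constructed format)."""
    return [f"allow {r['proto']} from {r['src']} to {r['dst']} port {r['dport']}" for r in rules]


if __name__ == "__main__":
    # Constructed sample layout matching the reply: two country nets, one global DC net.
    countries = ["172.16.20.0/24", "172.16.21.0/24"]
    for line in render(allow_rules(countries, "172.18.20.0/24")):
        print(line)
```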