How do RMAD FE or DRE perform DC isolation in forest recovery?
DC isolation with RMAD is implemented by assigning IPsec policies on each domain controller being recovered; the IPsec filter rules act as a host-based packet filter. Almost all inbound and outbound connections are blocked, so the DCs cannot talk to each other (in particular, a restored DC cannot replicate with, or be overwritten by, a DC that has not yet been recovered).
∙ Internet Protocol security (IPsec) is a framework of open standards for protecting communications over IP (http://technet.microsoft.com/en-us/network/bb531150)
∙ DCs are isolated from each other during recovery using IPsec policies
∙ NETSH command line utility (http://technet.microsoft.com/en-us/library/cc732279(WS.10).aspx) used for configuration
∙ The only network traffic allowed to/from a DC while it is isolated is:
– Ping (ICMP)
– DNS (port 53 TCP/UDP)
– File share access (SMB, port 445 TCP/UDP; SMB itself runs over TCP)
– Terminal Services (RDP), port 3389 TCP
– All communication with the Forest Recovery Console
∙ If the user already has IPsec policies of their own, they are saved (exported to a file) before isolation and restored after the recovery completes
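To make the mechanism concrete, the following PowerShell script builds an isolation policy of the kind described above with `netsh ipsec static`, exports the pre-existing policy first, and shows how to roll back afterwards. This is an added illustration written for this page, not Quest's own code or the exact policy RMAD generates; the Forest Recovery Console address (10.0.0.5), the export path and the policy/list names are assumptions. It is meant to be run elevated on the DC being isolated.

```powershell
# Added example (not RMAD's own script): "deny all, permit a few exceptions" DC
# isolation policy with the legacy netsh ipsec static interface.
$ConsoleIp = '10.0.0.5'                             # assumed console address
$Backup    = 'C:\RMAD\ipsec-before-recovery.ipsec'  # assumed export path
$Policy    = 'RMAD-DCIsolation'
$DenyList  = 'RMAD-AllTraffic'
$AllowList = 'RMAD-Exceptions'

# The IPsec Policy Agent must be running or assigned policies are never enforced.
if ((Get-Service PolicyAgent).Status -ne 'Running') { Start-Service PolicyAgent }

# 1. Save whatever IPsec policy already exists so it can be put back later.
New-Item -ItemType Directory -Force -Path (Split-Path $Backup) | Out-Null
netsh ipsec static exportpolicy file=$Backup

# 2. Create the policy unassigned; it is switched on only once all rules exist.
netsh ipsec static add policy name=$Policy description="Forest recovery isolation" assign=no

# 3. Two filter actions: drop, or pass in the clear (no IKE negotiation needed).
netsh ipsec static add filteraction name=RMAD-Block  action=block
netsh ipsec static add filteraction name=RMAD-Permit action=permit

# 4. Catch-all filter: any protocol between this host and anyone, mirrored so
#    both directions are covered.
netsh ipsec static add filterlist name=$DenyList
netsh ipsec static add filter filterlist=$DenyList srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 5. Exceptions. The IPsec driver matches the most specific filter first, so
#    these narrower filters take precedence over the catch-all block above.
netsh ipsec static add filterlist name=$AllowList
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

function Add-PortException {
    param([string]$Proto, [int]$Port)
    # "mirrored" only adds the reply direction of one conversation; to let the DC
    # act as both client and server on the port, two filters are required.
    netsh ipsec static add filter filterlist=$AllowList srcaddr=me  dstaddr=any protocol=$Proto srcport=0 dstport=$Port mirrored=yes
    netsh ipsec static add filter filterlist=$AllowList srcaddr=any dstaddr=me  protocol=$Proto srcport=0 dstport=$Port mirrored=yes
}
Add-PortException TCP 53      # DNS
Add-PortException UDP 53
Add-PortException TCP 445     # SMB file shares (the FAQ also lists UDP 445)
Add-PortException UDP 445
Add-PortException TCP 3389    # RDP

# Everything to and from the Forest Recovery Console is allowed.
netsh ipsec static add filter filterlist=$AllowList srcaddr=me dstaddr=$ConsoleIp protocol=ANY mirrored=yes

# 6. Bind filter lists to actions inside the policy, then assign it. Only one
#    local policy can be assigned at a time, so this displaces any existing one.
netsh ipsec static add rule name=RMAD-DenyAll    policy=$Policy filterlist=$DenyList  filteraction=RMAD-Block
netsh ipsec static add rule name=RMAD-Exceptions policy=$Policy filterlist=$AllowList filteraction=RMAD-Permit
netsh ipsec static set policy name=$Policy assign=yes

# Verify what is now enforced.
netsh ipsec static show policy name=$Policy level=verbose

# --- Rollback, run once recovery has finished ---
# netsh ipsec static set policy name=$Policy assign=no
# netsh ipsec static delete policy name=$Policy
# netsh ipsec static importpolicy file=$Backup
# netsh ipsec static show all     # confirm the original policy is back and assigned
```

Two points worth checking on a real DC: confirm with `show policy ... level=verbose` that the console address filter really exists before assigning, since a typo there cuts the console off along with everything else; and after `importpolicy`, look at `show all` and re-assign the original policy by hand if the import restored its rules but not its assigned state.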