How to secure AD replication between two Windows 2003 Server Sites

Posted on 2004-08-23
Last Modified: 2010-05-18

We are getting ready to bring online a second Windows 2003 Server site.  Both sites have broadband connections, and are using SonicWall firewalls.  We need to ensure the replication between the two sites, over the Internet, is secured.  The two options we are looking at are: (1) set up a VPN between the two SonicWall firewalls (and replicate AD via the VPN tunnel), or (2) set up Windows 2003 Server certificates (SSL) to encrypt the communications between the two sites.

I'm leaning towards the latter (SSL), but am wondering about the pros and cons of each?  Has anyone used the Windows 2003 Server certificate services to accomplish this, and if so, how hard is this to set up?

Question by:ClendeningHL
LVL 12

Expert Comment

ID: 11877494
I have set up tons of networks and Windows servers and I don't agree. I would create an IPsec tunnel between the 2 subnets because it is more secure, easier and less expensive.
- Define the 2 sites in AD. Add the subnets for each site. Designate a master for replication. Set replication to use RPC. Drop the server into the other site, change its address, ship to site 2.
- Test replication when it arrives at site 2.

Author Comment

ID: 11877796

Thank you for your comments.  Are you recommending the use of Windows 2003 Server for IPsec?  If so, how do I go about setting this up (once the two sites are up and running)?  I hope so, since IPsec is free, and part of Windows 2003 Server, correct?

The process you outlined (for replicating between the two sites), I already have a good grasp of, and have done many times prior.  I'm just having a hard time grappling with the best way to secure the site-to-site replication.

LVL 12

Accepted Solution

Housenet earned 500 total points
ID: 11881148
Hello Harry,
I often do not explain myself very well, sorry.

Create a dynamic or static tunnel between the 2 SonicWalls. Use 56-bit DES or 3DES to encrypt & tunnel between the SonicWalls. At that point the 2 LANs will be joined in a routed fashion. Typically this type of tunnel is very reliable and will work as long as the Internet (ISP) is up and working properly.

Result = very highly secured tunnel.

Control replication with topology in Sites & Services. Define the sites & associate the subnets with the sites. Drop the remote server in Site2, change its addressing and ship it to Site2.

Advantages of this methodology:
- First off, I generally have a problem with sticking any MS NOS server NIC directly on the Internet. Securing such a server for such use can be VERY difficult even for an expert. Why? Windows is the major target for anyone looking to make a name for themselves in security.

1. IPsec tunnel provided by a "real firewall", meaning a hardware appliance. Typically far less vulnerable than a NOS.
2. Replication errors or problems are far less complicated to troubleshoot & repair. Imagine if replication is failing... Where do you start: the certificates, the L2TP tunnel, Active Directory, sites setup... All the while things are not getting done at your company.

IT Rule No #1 =KISS
Keep it Simple Stupid. (not a personal attack)

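The sites-and-subnets procedure described in the two expert comments above (define the sites, associate the subnets, set replication to use RPC, ship the server, then test), as an added PowerShell example that is not part of this thread and not the poster's own steps. It uses ADSI rather than the newer ActiveDirectory module so it works against Windows 2003 domain controllers from any domain-joined admin box with PowerShell. Everything named below is a placeholder assumption: `Site1` (existing site), `Site2` (new site), `10.2.0.0/16` (Site2 LAN), `dc2.corp.example` (the DC being shipped), and ports `50000`/`50001`. The registry values in step 4 are the ones Microsoft documents in KB 224196 for restricting AD replication RPC to fixed ports; they are optional, but they let the SonicWall tunnel policy pass two known ports instead of the whole 2003 dynamic RPC range (TCP 1025-5000).

```powershell
# Added example (not from the thread): define Site2, its subnet and a site link via ADSI,
# optionally pin AD replication RPC to fixed ports, then verify replication with repadmin.
# Steps 1-3 run once from any domain-joined admin box as an Enterprise Admin.
# Step 4 runs locally on EACH domain controller and needs a reboot to take effect.
# All names/ports are assumptions: Site1, Site2, 10.2.0.0/16, dc2.corp.example, 50000, 50001.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# 1. Create the site object plus the two child containers dssite.msc creates for you.
$sites = [ADSI]"LDAP://$sitesDN"
$site  = $sites.Create("site", "CN=Site2")
$site.SetInfo()
$site.Create("nTDSSiteSettings", "CN=NTDS Site Settings").SetInfo()
$site.Create("serversContainer", "CN=Servers").SetInfo()

# 2. Associate the remote LAN with the site, so DCs and clients at Site2 locate it
#    (and the KCC builds the inter-site topology the thread is describing).
$subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
$subnet  = $subnets.Create("subnet", "CN=10.2.0.0/16")
$subnet.Put("siteObject", "CN=Site2,$sitesDN")
$subnet.SetInfo()

# 3. Site link over the IP transport, i.e. "set replication to use RPC".
#    ADS_PROPERTY_UPDATE = 2 for the multi-valued siteList; replInterval is in minutes.
$ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDN"
$link = $ipTransport.Create("siteLink", "CN=Site1-Site2")
$link.PutEx(2, "siteList", @("CN=Site1,$sitesDN", "CN=Site2,$sitesDN"))
$link.Put("cost", 100)
$link.Put("replInterval", 15)
$link.SetInfo()

# 4. (On each DC, then reboot) pin DRS replication and Netlogon RPC to fixed ports
#    (KB 224196) so the tunnel policy only needs TCP 135 plus these two ports.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value 50000 -Type DWord
Set-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -Value 50001 -Type DWord

# 5. Once the server is racked in Site2 and the SonicWall tunnel is up, test replication
#    end to end. Any failure here is in the tunnel, the routing, or the site topology.
repadmin /showrepl dc2.corp.example
repadmin /replsummary
dcdiag /test:replications /s:dc2.corp.example
```

Pinning the ports does not remove the need to pass the other AD traffic over the tunnel (DNS, Kerberos, LDAP, SMB for SYSVOL); it only avoids opening the dynamic RPC range. If `repadmin /showrepl` reports RPC errors after the tunnel is up, confirm TCP 135 and the two pinned ports reach the far DC through the tunnel before touching the site configuration.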

Author Comment

ID: 11882712

Thank you.  That was an excellent breakdown of your proposed solution.  You have sold me on going with the more secure SonicWall VPN.

We will be using dynamic DSL at one site (since static IPs are not available).  When I set up the site-to-site VPN, can I use a fully qualified domain name (FQDN) on the SonicWall, versus using the IP address, to set up the VPN tunnel (since the IP address is dynamic and will change)?  I use a company called No-IP for such situations where the client has a dynamic IP but needs to host Internet services.

LVL 12

Expert Comment

ID: 11885033
Hello Harry,
- Because it is very common for one side of an IPsec tunnel to have a static IP and the other to have a dynamic IP, the firewall can deal with this by allowing you to identify the initiating firewall with other static information.

The only down side is: The firewall with the dynamic IP must always initiate the connection & bring up the tunnel. (not a problem, just a fact).

I thought of using TZO and No-IP in the past to connect via host names dynamically mapped to real Internet addresses. This did not work on NetScreen firewalls & I can't say I know 100% for sure why...  It may work just fine on the SonicWalls.

- But again... one side being static & one side being dynamic is common enough that almost any appliance takes these factors into consideration without dynamic DNS host records.   Thanks Harry!
