Solved

How to secure AD replication between two Windows 2003 Server Sites

Posted on 2004-08-23
5
300 Views
Last Modified: 2010-05-18
Hello,

We are getting ready to bring online a second Windows 2003 Server site.  Both sites have broadband connections, and are using SonicWall firewalls.  We need to ensure the replication between the two sites, over the Internet, is secured.  The two options we are looking at are: (1) setup a VPN between the two SonicWall firewalls (and replication AD via the VPN tunnel), or (2) setup Windows 2003 Server certificates (SSL) to encrypt the communications between the two sites.

I'm leaning towards the later (SSL), but am wondering about the pros and cons of each?  Has anyone used the Windows 2003 Server certificate services to accomplish this, and if so, how hard is this to setup?

Thanks,
Harry
0
Comment
Question by:ClendeningHL
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11877494
Hello,
I have setup tons of network and windows servers and I dont agree. I would create an Ipsec tunnel between the 2 subnets because it is more seure, easier and less expensive.
-Define the 2 sites in AD. Add the subnets for each site. Designate a master for replication. Set rep to use rcp. Drop the server into the other site, change its address, ship to site 2.
-Test replication when it arrives at site 2.
0
 

Author Comment

by:ClendeningHL
ID: 11877796
Housenet,

Thank you for your comments.  Are you recommending the use of Windows 2003 Server for IPSec?  If so, how do I go about setting this up (once the two sites are up and running)?  I hope so, since IPSec is free, and part of Windows 2003 Server, correct?

The process you outlined (for replicating between the two sites), I already have a good grasp of, and have done many times prior.  I'm just having a hard grapling with the best way to secure the site-to-site replication.

Harry
0
 
LVL 12

Accepted Solution

by:
Housenet earned 500 total points
ID: 11881148
Hello Harry,
I often do not explain myself very well, sorry.

Create a dynamic or static tunnel between the 2 sonic walls. Use 56bit or 3des to encrypt & tunnel between the Sonicwalls. At that point the 2 lans will be joined in a routed fashion. Typically this type of tunnel is very reliable and will work as long as the internet(ISP) is up and working properly.

Result= Very highly secured tunnel.

Controlling replication with topology and sites & Services.  Define the Sites & associate the subnets to the Sites.. Drop the remote server in Site2. Change its Addressing and ship it to Site2...

Advantages of this methodolgy:
-First off, I generally have a problem with sticking any MS-NOS server NIC directly on the internet. Securiing such a server for such use can be VERY difficult even for an expert. Why? Windows is the major target for anyone looking to make a name for themselves in security.

1-Ipsec tunnel provided by a "real firewall", meaning a hardware appliance. Typically far less vunerable than a NOS.
2-Replication errors or problems are far less complicated to troublehoot & repair. Imagine if replication is failing... Where do you start, the certificates, the L2TP tunnel, active directory, sites setup... All the while things are not getting done at your company..

IT Rule No #1 =KISS
Keep it Simple Stupid. (not a personal attack)



0
 

Author Comment

by:ClendeningHL
ID: 11882712
Housenet,

Thank you.  That was an excellent breakdown of your proposed solution.  You have sold me on going with the more secure SonicWall VPN.

We will be using dynamic DSL at one site (since static IP's are not available).  When I setup the site-to-site VPN, can I use a fully qualified domain name (FQDN), say for example (vpn1.company.com) on the SonicWall, verses using the IP Address to setup the VPN tunnel (since the IP address is dynamic and will change)?  I use a company called No-IP (http://www.no-ip.com), for such situations where the client has dynamic IP, but needs to host Internet services.

Thanks,
Harry
0
 
LVL 12

Expert Comment

by:Housenet
ID: 11885033
Hello Harry,
-Because it is very common for one side of a Ipsec tunnel to have a static IP and the other have a dynamic IP, the firewall can deal with this by allowing you to identify the initiating firewall with other static information.

The only down side is: The firewall with the dynamic IP must always initiate the connection & bring up the tunnel. (not a problem, just a fact).

I thought of using TZO and No-IP in the past to connect via host names dynamically mapped to real internet addresses. This did not work on netscreen firewalls & I cant say I know 100% for sure why...  It may work just fine on the Sonicwalls.

-But again.. One side being static & one side being dynamic is common enough that almost any appliances take these factors into consideration without dynamic-dns host records.   Thanks Harry!
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question