Solved

How to secure AD replication between two Windows 2003 Server Sites

Posted on 2004-08-23
5
298 Views
Last Modified: 2010-05-18
Hello,

We are getting ready to bring online a second Windows 2003 Server site.  Both sites have broadband connections, and are using SonicWall firewalls.  We need to ensure the replication between the two sites, over the Internet, is secured.  The two options we are looking at are: (1) set up a VPN between the two SonicWall firewalls (and replicate AD via the VPN tunnel), or (2) set up Windows 2003 Server certificates (SSL) to encrypt the communications between the two sites.

I'm leaning towards the latter (SSL), but am wondering about the pros and cons of each?  Has anyone used the Windows 2003 Server certificate services to accomplish this, and if so, how hard is this to set up?

Thanks,
Harry
0
Question by:ClendeningHL
5 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11877494
Hello,
I have set up tons of networks and Windows servers and I don't agree. I would create an IPsec tunnel between the 2 subnets because it is more secure, easier and less expensive.
-Define the 2 sites in AD. Add the subnets for each site. Designate a master for replication. Set replication to use RPC. Drop the server into the other site, change its address, ship to site 2.
-Test replication when it arrives at site 2.
0
 

Author Comment

by:ClendeningHL
ID: 11877796
Housenet,

Thank you for your comments.  Are you recommending the use of Windows 2003 Server for IPsec?  If so, how do I go about setting this up (once the two sites are up and running)?  I hope so, since IPsec is free, and part of Windows 2003 Server, correct?

The process you outlined (for replicating between the two sites), I already have a good grasp of, and have done many times prior.  I'm just having a hard time grappling with the best way to secure the site-to-site replication.

Harry
0
 
LVL 12

Accepted Solution

by: Housenet (earned 500 total points)
ID: 11881148
Hello Harry,
I often do not explain myself very well, sorry.

Create a dynamic or static tunnel between the 2 SonicWalls. Use 56-bit or 3DES to encrypt & tunnel between the SonicWalls. At that point the 2 LANs will be joined in a routed fashion. Typically this type of tunnel is very reliable and will work as long as the Internet (ISP) is up and working properly.

Result = Very highly secured tunnel.

Control replication with topology in Sites & Services.  Define the Sites & associate the subnets to the Sites. Drop the remote server in Site2. Change its addressing and ship it to Site2.

Advantages of this methodology:
-First off, I generally have a problem with sticking any MS-NOS server NIC directly on the Internet. Securing such a server for such use can be VERY difficult even for an expert. Why? Windows is the major target for anyone looking to make a name for themselves in security.

1-IPsec tunnel provided by a "real firewall", meaning a hardware appliance. Typically far less vulnerable than a NOS.
2-Replication errors or problems are far less complicated to troubleshoot & repair. Imagine if replication is failing... Where do you start: the certificates, the L2TP tunnel, Active Directory, sites setup... All the while things are not getting done at your company.

IT Rule No #1 =KISS
Keep it Simple Stupid. (not a personal attack)

0
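The Sites & Services steps in the accepted answer (define the two sites, associate each LAN subnet with its site, use the IP/RPC transport over the tunnel, then test replication once the server is at Site2), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; on the Windows 2003 servers discussed here the same objects are created in the Active Directory Sites and Services MMC). The site names, subnet ranges, link cost and interval are placeholder values, not taken from the page.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module is
# available (Windows Server 2008 R2+ / RSAT). Site names, subnets, cost and interval
# are placeholders to be replaced with the real values for each site.
Import-Module ActiveDirectory

$site1 = 'Site1'
$site2 = 'Site2'

# 1. Define the two sites (skip any that already exist).
foreach ($s in @($site1, $site2)) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}

# 2. Associate each LAN subnet (the private range behind each SonicWall) with its site.
#    These ranges are placeholders.
New-ADReplicationSubnet -Name '192.168.1.0/24' -Site $site1
New-ADReplicationSubnet -Name '192.168.2.0/24' -Site $site2

# 3. Create an IP (RPC) site link between the two sites. RPC replication only needs
#    the routed path the IPsec tunnel provides, so no SMTP link or certificates are
#    required for transport. Cost and frequency (minutes) are placeholders.
New-ADReplicationSiteLink -Name "$site1-$site2" `
    -SitesIncluded $site1, $site2 `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180

# 4. Verify the topology, then check replication health once the server has been
#    re-addressed and is running at Site2. repadmin is also available on Windows 2003
#    (Support Tools); /showrepl lists each partner and the last result per partition.
Get-ADReplicationSiteLink -Filter * |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

repadmin /showrepl
repadmin /replsummary
```

If a domain controller ends up in the wrong site because its address was changed after promotion, the subnet-to-site association is what corrects it; check `repadmin /showrepl` for errors over the tunnel before assuming the VPN itself is at fault, which is the troubleshooting order the answer argues for.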
 

Author Comment

by:ClendeningHL
ID: 11882712
Housenet,

Thank you.  That was an excellent breakdown of your proposed solution.  You have sold me on going with the more secure SonicWall VPN.

We will be using dynamic DSL at one site (since static IPs are not available).  When I set up the site-to-site VPN, can I use a fully qualified domain name (FQDN), say for example (vpn1.company.com) on the SonicWall, versus using the IP address to set up the VPN tunnel (since the IP address is dynamic and will change)?  I use a company called No-IP (http://www.no-ip.com), for such situations where the client has a dynamic IP, but needs to host Internet services.

Thanks,
Harry
0
 
LVL 12

Expert Comment

by:Housenet
ID: 11885033
Hello Harry,
-Because it is very common for one side of an IPsec tunnel to have a static IP and the other to have a dynamic IP, the firewall can deal with this by allowing you to identify the initiating firewall with other static information.

The only downside is: the firewall with the dynamic IP must always initiate the connection & bring up the tunnel. (Not a problem, just a fact.)

I thought of using TZO and No-IP in the past to connect via host names dynamically mapped to real Internet addresses. This did not work on NetScreen firewalls & I can't say I know 100% for sure why...  It may work just fine on the SonicWalls.

-But again.. One side being static & one side being dynamic is common enough that almost any appliance takes these factors into consideration without dynamic-DNS host records.   Thanks Harry!
0
