How to secure AD replication between two Windows 2003 Server Sites

Posted on 2004-08-23
Last Modified: 2010-05-18
Hello,

We are getting ready to bring online a second Windows 2003 Server site.  Both sites have broadband connections, and are using SonicWall firewalls.  We need to ensure the replication between the two sites, over the Internet, is secured.  The two options we are looking at are: (1) set up a VPN between the two SonicWall firewalls (and replicate AD via the VPN tunnel), or (2) set up Windows 2003 Server certificates (SSL) to encrypt the communications between the two sites.

I'm leaning towards the latter (SSL), but am wondering about the pros and cons of each.  Has anyone used Windows 2003 Server Certificate Services to accomplish this, and if so, how hard is this to set up?

Thanks,
Harry
Question by:ClendeningHL
5 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11877494
Hello,
I have set up tons of networks and Windows servers and I don't agree. I would create an IPsec tunnel between the 2 subnets because it is more secure, easier and less expensive.
-Define the 2 sites in AD. Add the subnets for each site. Designate a master for replication. Set replication to use RPC. Drop the server into the other site, change its address, ship to site 2.
-Test replication when it arrives at site 2.

Author Comment

by:ClendeningHL
ID: 11877796
Housenet,

Thank you for your comments.  Are you recommending the use of Windows 2003 Server for IPsec?  If so, how do I go about setting this up (once the two sites are up and running)?  I hope so, since IPsec is free, and part of Windows 2003 Server, correct?

The process you outlined (for replicating between the two sites), I already have a good grasp of, and have done many times before.  I'm just having a hard time grappling with the best way to secure the site-to-site replication.

Harry

Accepted Solution

by:Housenet (earned 2000 total points)
ID: 11881148
Hello Harry,
I often do not explain myself very well, sorry.

Create a dynamic or static tunnel between the 2 SonicWalls. Use 56-bit or 3DES to encrypt & tunnel between the SonicWalls. At that point the 2 LANs will be joined in a routed fashion. Typically this type of tunnel is very reliable and will work as long as the Internet (ISP) is up and working properly.

Result= Very highly secured tunnel.

Control replication with topology and Sites & Services.  Define the Sites & associate the subnets to the Sites. Drop the remote server in Site2. Change its addressing and ship it to Site2...

Advantages of this methodology:
-First off, I generally have a problem with sticking any MS-NOS server NIC directly on the Internet. Securing such a server for such use can be VERY difficult even for an expert. Why? Windows is the major target for anyone looking to make a name for themselves in security.

1-IPsec tunnel provided by a "real firewall", meaning a hardware appliance. Typically far less vulnerable than a NOS.
2-Replication errors or problems are far less complicated to troubleshoot & repair. Imagine if replication is failing... Where do you start: the certificates, the L2TP tunnel, Active Directory, sites setup... All the while things are not getting done at your company.

IT Rule No #1 =KISS
Keep it Simple Stupid. (not a personal attack)



 
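The Sites & Services work Housenet describes (define the sites, attach the subnets, use the RPC/IP transport, move the second DC's server object into Site2) plus the checks a practitioner wants afterwards, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory and NetTCPIP modules (Windows Server 2008 R2 / 2012 or later, so not the 2003-era tooling discussed above; on 2003 the same objects are created in the Sites and Services MMC or with dsadd). Site names, subnets, the DC name and the private address are hypothetical.

```powershell
# Added example, not from the original post. Defines two AD sites with their subnets
# and an IP (RPC) site link, moves the second DC into the remote site, then verifies
# that replication succeeds and that the partner is reached over the private address
# that the SonicWall-to-SonicWall tunnel routes (never over a public one).
# Names and addresses below are hypothetical.
Import-Module ActiveDirectory

$Site1      = 'HQ'
$Site2      = 'Branch'
$Site1Net   = '10.1.0.0/16'     # LAN behind SonicWall 1
$Site2Net   = '10.2.0.0/16'     # LAN behind SonicWall 2
$RemoteDC   = 'DC2'
$RemoteDCIP = '10.2.0.10'       # DC2's private address; only reachable through the tunnel

# 1. Sites and subnets. (Default-First-Site-Name can simply be renamed to HQ instead.)
foreach ($s in $Site1, $Site2) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}
New-ADReplicationSubnet -Name $Site1Net -Site $Site1
New-ADReplicationSubnet -Name $Site2Net -Site $Site2

# 2. Site link on the IP (RPC) inter-site transport, not SMTP.
#    15 minutes is the smallest interval the site-link schedule allows.
New-ADReplicationSiteLink -Name "$Site1-$Site2" `
    -SitesIncluded $Site1, $Site2 `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# 3. Move DC2's server object into the remote site before readdressing and shipping it.
Move-ADDirectoryServer -Identity $RemoteDC -Site $Site2

# 4. Checks to run once DC2 is powered on at Site2 and the tunnel is up.

# 4a. Every inbound replication partner on DC2 should report result 0 (success).
#     Equivalent command-line check: repadmin /showrepl DC2  (or repadmin /replsummary)
$partners = Get-ADReplicationPartnerMetadata -Target $RemoteDC -PartitionFilter All
$partners |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
$failed = $partners | Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    Write-Warning "Replication errors on ${RemoteDC}:"
    $failed | Format-List Partner, Partition, LastReplicationResult, LastReplicationAttempt
}

# 4b. The ports AD replication actually needs must be open across the tunnel:
#     88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB (SYSVOL), plus the
#     dynamic RPC range. The SonicWall rules should allow these only between the
#     two LAN subnets, never from the Internet side.
foreach ($port in 88, 135, 389, 445) {
    $ok = Test-NetConnection -ComputerName $RemoteDCIP -Port $port -InformationLevel Quiet
    "{0}:{1}  {2}" -f $RemoteDCIP, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4c. Confirm the local route to DC2's private address goes via the LAN-side gateway
#     (the SonicWall), i.e. the next hop is on the local LAN, not the ISP-facing NIC.
#     Find-NetRoute returns the chosen source address followed by the route object.
$route = Find-NetRoute -RemoteIPAddress $RemoteDCIP | Where-Object { $_.NextHop }
"Route to $RemoteDCIP : next hop $($route.NextHop) on interface $($route.InterfaceAlias)"
```

If 4a shows errors after 4b and 4c pass, the problem is inside AD (DNS, time skew, the site link schedule) rather than the tunnel, which is exactly the narrowing Housenet's point 2 is about.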

Author Comment

by:ClendeningHL
ID: 11882712
Housenet,

Thank you.  That was an excellent breakdown of your proposed solution.  You have sold me on going with the more secure SonicWall VPN.

We will be using dynamic DSL at one site (since static IPs are not available).  When I set up the site-to-site VPN, can I use a fully qualified domain name (FQDN), say for example (vpn1.company.com) on the SonicWall, versus using the IP address to set up the VPN tunnel (since the IP address is dynamic and will change)?  I use a company called No-IP (http://www.no-ip.com) for such situations where the client has a dynamic IP, but needs to host Internet services.

Thanks,
Harry
Expert Comment

by:Housenet
ID: 11885033
Hello Harry,
-Because it is very common for one side of an IPsec tunnel to have a static IP and the other to have a dynamic IP, the firewall can deal with this by allowing you to identify the initiating firewall with other static information.

The only downside is: the firewall with the dynamic IP must always initiate the connection & bring up the tunnel. (Not a problem, just a fact.)

I thought of using TZO and No-IP in the past to connect via host names dynamically mapped to real Internet addresses. This did not work on NetScreen firewalls & I can't say I know 100% for sure why...  It may work just fine on the SonicWalls.

-But again.. One side being static & one side being dynamic is common enough that almost any appliance takes these factors into consideration without dynamic-DNS host records.   Thanks Harry!

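What "identify the initiating firewall with other static information" looks like in an IPsec configuration, as an added illustration that is not from the thread and is not SonicWall syntax: it uses strongSwan's ipsec.conf format because its keywords map directly onto the concept (a peer matched by its IKE identity rather than its address, and a responder-only side that waits for the dynamic side to initiate). The hostnames, the 203.0.113.10 address, the subnets and the AES/SHA-256 proposals are hypothetical; the 56-bit DES and 3DES options mentioned above are what a 2004-era SonicWall offered, not what anyone should deploy now.

```conf
# Added illustration (strongSwan ipsec.conf syntax, not the SonicWall configuration).
# HQ side: static public IP, acts as responder only.
conn branch
    left=203.0.113.10                # our static WAN address (hypothetical)
    leftid=@hq.company.com
    leftsubnet=10.1.0.0/16           # HQ LAN
    right=%any                       # peer address unknown: it changes with the DSL lease
    rightid=@vpn1.company.com        # match the peer by its IKE identity (FQDN), not by IP
    rightsubnet=10.2.0.0/16          # branch LAN
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=add                         # load only; wait for the dynamic side to initiate

# Branch side: dynamic DSL address, must always initiate.
conn hq
    left=%defaultroute               # whatever address the DSL interface currently has
    leftid=@vpn1.company.com         # the static identity the HQ side matches on
    leftsubnet=10.2.0.0/16
    right=203.0.113.10
    rightid=@hq.company.com
    rightsubnet=10.1.0.0/16
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=start                       # bring the tunnel up at boot
    dpdaction=restart                # rebuild it when the DSL address changes and the old SA dies
    dpddelay=30s

# ipsec.secrets on both sides: the PSK is looked up by identity, so it still
# matches after the branch address changes.
# @hq.company.com @vpn1.company.com : PSK "replace-with-a-long-random-secret"
```

Two things carry over to any appliance, SonicWall included: the static side has no address to dial, so it can only answer (which is Housenet's "dynamic side must initiate"), and a pre-shared key tied to an identity must be a long random value, because an identity sent in the clear plus a guessable key is all an attacker on the path needs.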