Solved

How to secure AD replication between two Windows 2003 Server Sites

Posted on 2004-08-23
Last Modified: 2010-05-18
Hello,

We are getting ready to bring online a second Windows 2003 Server site.  Both sites have broadband connections, and are using SonicWall firewalls.  We need to ensure the replication between the two sites, over the Internet, is secured.  The two options we are looking at are: (1) set up a VPN between the two SonicWall firewalls (and replicate AD via the VPN tunnel), or (2) set up Windows 2003 Server certificates (SSL) to encrypt the communications between the two sites.

I'm leaning towards the latter (SSL), but am wondering about the pros and cons of each?  Has anyone used the Windows 2003 Server certificate services to accomplish this, and if so, how hard is this to set up?

Thanks,
Harry
Question by:ClendeningHL
5 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11877494
Hello,
I have set up tons of networks and Windows servers and I don't agree. I would create an IPsec tunnel between the 2 subnets because it is more secure, easier and less expensive.
-Define the 2 sites in AD. Add the subnets for each site. Designate a master for replication. Set rep to use RPC. Drop the server into the other site, change its address, ship to site 2.
-Test replication when it arrives at site 2.
 

Author Comment

by:ClendeningHL
ID: 11877796
Housenet,

Thank you for your comments.  Are you recommending the use of Windows 2003 Server for IPSec?  If so, how do I go about setting this up (once the two sites are up and running)?  I hope so, since IPSec is free, and part of Windows 2003 Server, correct?

The process you outlined (for replicating between the two sites), I already have a good grasp of, and have done many times prior.  I'm just having a hard time grappling with the best way to secure the site-to-site replication.

Harry
 
LVL 12

Accepted Solution

by: Housenet (earned 500 total points)
ID: 11881148
Hello Harry,
I often do not explain myself very well, sorry.

Create a dynamic or static tunnel between the 2 SonicWalls. Use 56-bit or 3DES to encrypt & tunnel between the SonicWalls. At that point the 2 LANs will be joined in a routed fashion. Typically this type of tunnel is very reliable and will work as long as the Internet (ISP) is up and working properly.

Result = very highly secured tunnel.

Control replication with topology and Sites & Services.  Define the Sites & associate the subnets to the Sites. Drop the remote server in Site2. Change its addressing and ship it to Site2.

Advantages of this methodology:
-First off, I generally have a problem with sticking any MS-NOS server NIC directly on the Internet. Securing such a server for such use can be VERY difficult even for an expert. Why? Windows is the major target for anyone looking to make a name for themselves in security.

1-IPsec tunnel provided by a "real firewall", meaning a hardware appliance. Typically far less vulnerable than a NOS.
2-Replication errors or problems are far less complicated to troubleshoot & repair. Imagine if replication is failing... Where do you start, the certificates, the L2TP tunnel, Active Directory, sites setup... All the while things are not getting done at your company.

IT Rule No. 1 = KISS
Keep It Simple, Stupid. (not a personal attack)



0
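The topology steps in the accepted answer (two sites, a subnet per site, an IP/RPC site link, an explicit replication master), as an added example that is not code from the thread, SonicWall or Microsoft. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later with RSAT, not the Windows 2003 tooling discussed here), and every site, subnet and server name is a placeholder:

```powershell
# Added example: builds the Sites & Services topology from the accepted answer
# and then checks that replication over the IPsec tunnel is healthy.
# Assumes the ActiveDirectory module (Server 2008 R2+/RSAT); names are placeholders.
Import-Module ActiveDirectory

$site1      = 'Site1'    # existing site (placeholder)
$site2      = 'Site2'    # new remote site (placeholder)
$bridgehead = 'DC1'      # the "master for replication" at Site1 (placeholder)
$remoteDc   = 'DC2'      # the DC shipped to Site2 (placeholder)
$subnets = @{
    '192.168.10.0/24' = $site1   # LAN behind SonicWall 1 (constructed)
    '192.168.20.0/24' = $site2   # LAN behind SonicWall 2 (constructed)
}

# 1. Define the second site and associate each LAN subnet with its site, so
#    DCs and clients at each office locate their own site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$site2'")) {
    New-ADReplicationSite -Name $site2 -Description 'Remote office via IPsec tunnel'
}
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 2. Site link on the IP (RPC) transport, not SMTP. Replication between the two
#    DCs then rides the routed firewall-to-firewall tunnel like any other LAN traffic.
$linkName = "$site1-$site2"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $site1, $site2 `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 3. Make DC1 the preferred bridgehead for the IP transport so the "master" is explicit.
$cfg         = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
$serverDn    = (Get-ADDomainController -Identity $bridgehead).ServerObjectDN
Set-ADObject -Identity $serverDn -Add @{ bridgeheadTransportList = $ipTransport }

# 4. Verify from the remote side: a non-zero LastReplicationResult for the DC2
#    partner means start troubleshooting at the tunnel and firewall rules.
Get-ADReplicationPartnerMetadata -Target $remoteDc -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
repadmin /replsummary
```

Run it from a DC or RSAT workstation as a domain admin after the SonicWall tunnel is up; the last two commands are what to re-run when replication stalls.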
 

Author Comment

by:ClendeningHL
ID: 11882712
Housenet,

Thank you.  That was an excellent breakdown of your proposed solution.  You have sold me on going with the more secure SonicWall VPN.

We will be using dynamic DSL at one site (since static IPs are not available).  When I set up the site-to-site VPN, can I use a fully qualified domain name (FQDN), say for example (vpn1.company.com) on the SonicWall, versus using the IP address to set up the VPN tunnel (since the IP address is dynamic and will change)?  I use a company called No-IP (http://www.no-ip.com), for such situations where the client has dynamic IP, but needs to host Internet services.

Thanks,
Harry
 
LVL 12

Expert Comment

by:Housenet
ID: 11885033
Hello Harry,
-Because it is very common for one side of an IPsec tunnel to have a static IP and the other to have a dynamic IP, the firewall can deal with this by allowing you to identify the initiating firewall with other static information.

The only down side is: The firewall with the dynamic IP must always initiate the connection & bring up the tunnel. (not a problem, just a fact).

I thought of using TZO and No-IP in the past to connect via host names dynamically mapped to real Internet addresses. This did not work on NetScreen firewalls & I can't say I know 100% for sure why...  It may work just fine on the SonicWalls.

-But again.. One side being static & one side being dynamic is common enough that almost any appliance takes these factors into consideration without dynamic-DNS host records.   Thanks Harry!