Solved

DNS active directory problem.

Posted on 2006-04-20
608 Views
Last Modified: 2009-02-06
Hello Experts,

A week ago we created a DMZ within our network.
Since then, when we create a user account the user record is created on the internal DNS server (private address) but not on the external DNS.
How can I synchronize the DNS in the private network with the DNS of the DMZ?
Please include step-by-step instructions if possible.

When I access the users in Active Directory on the DNS of the private network I see the users, and when I access the DMZ DNS I do not see the users.
Thank you,
Question by:rfinaly

21 Comments
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16503446
You need to add a DNS forwarder to the internal DNS server -->>>>external DNS server

Provide the SERVER OS information
 

Author Comment

by:rfinaly
ID: 16503458
Thank you for the response. The server OS is Windows 2000 Server.
Roy
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16503493
Go to DNS manager

Right-click on your SERVER (host), choose Properties, then click on the FORWARDERS tab and enter the IP address of the machine that needs to feed your DNS information.
 

Author Comment

by:rfinaly
ID: 16503533
Thanks again. Quick question: will that move the accounts I created over the last week to the DNS for the DMZ, or do I need to create the accounts again?
Thank you very much for your help.
Roy
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16503605
I apologize for my question, but you probably mean DC (Domain Controller), not DNS?

Dean
 

Author Comment

by:rfinaly
ID: 16503620
Yes I do mean Domain Controller, sorry about that.
I created the forwarding that you told me about; will the users move to the second DC?

Roy.
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16503667
Oh wow... ok.. mis-direction....thinking...
 
LVL 8

Expert Comment

by:saw830
ID: 16503797
Hi,

Are both DNS server active directory integrated?

If so, make sure the external DNS server can talk to active directory.

If not, then I'd suggest making the external DNS server a secondary and point it to the primary (internal) DNS server.

Hope this helps,
Alan
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16504198
I apologize again, but I have another simple question: what is the reason to move a Domain Controller into the DMZ?

The DMZ is considered as a less secure zone and I would like to understand the reason for such configuration.

Dean
 
LVL 8

Expert Comment

by:saw830
ID: 16504712
NetoMeter is correct to question this. Even if we are talking about a DNS server instead of a Domain Controller, what is the point in setting up an external-facing DNS server with internal user and machine info on it? If the internal network has private addresses then external users are not going to be able to legitimately access the internal machines anyway, and someone attempting to break in is going to have information on what to try to get to. Understanding where you are going will help in offering advice.

Alan
 

Author Comment

by:rfinaly
ID: 16504757
Let me try to explain the problem in more detail.
When we create a user account the user is created on the domain controller of the private network (not the DMZ). Now, in the DMZ I have servers that host secure web sites. Our users can log in to those web sites using their network login information.
Just a reminder that we configured the DMZ last week.
All users that were created this week cannot access a web site, but old users can.
So I checked and I see that the new users are on the domain controller of the internal network, but they are not on the domain controller of the DMZ network.

Now, why do we have two domain controllers, one for the internal network and one for the DMZ? Before I added the DMZ configuration I had two domain controllers; I converted one to be the DNS server for the DMZ network, and the second one is for the internal network as always.

Maybe now it is clearer what the issue is and maybe you guys can help solve my problem.

Thank you in advance,
Roy
 
LVL 43

Accepted Solution

by:
Steve Knight earned 672 total points
ID: 16506119
Your DCs aren't communicating; have you checked the event logs? You are going to need to open up some holes in the firewall between the DMZ and the private network, which is not really a good idea.

Steve
 
LVL 13

Assisted Solution

by:Yancey Landrum
Yancey Landrum earned 664 total points
ID: 16508423
This is an extraordinarily bad idea. The whole reason for a DMZ is to insulate your network from your public-facing servers (and since most attacks are application-layer attacks nowadays rather than port-based attacks, even a DMZ is not as secure as it used to be). By putting a DC for your domain in the DMZ you are basically opening up your network to the bad guys. You are also giving them potential access to all your user accounts, as well as your private IP information, server names, confidential data, etc.

If you must have your own DNS server, then it needs to NOT be a domain controller! Run dcpromo to demote it to a member server, then set up a separate DNS zone that is NOT AD-integrated. Your "secure" web sites are anything but. They should have their own authentication, not windows-integrated.

Are these web sites accessible from the internet by non-employees? If not, there is no reason for them to be in a DMZ. Bring them back inside and cut off access at the firewall. If they do need to be accessed by non-employees via the internet, how are they authenticating? Are you giving non-employees login accounts on your domain? Another extraordinarily bad idea. If these sites are only accessed by employees, but they need to access them via the internet, you'd be MUCH better off security-wise to set up a VPN solution and get them out of the DMZ.

Would you mind posting the public IP address of your DC, as well as your admin login name and password? If you don't want to do that (and you shouldn't), GET THAT DC OUT OF THE DMZ!!!

I hope you can blame this setup on a consultant because if you did it, you should be fired immediately. Get your company to sign you up for some IT security courses ASAP (CompTIA Security+ is a good place to start).

Sorry if this seems harsh, but you must understand how serious it is.
 
LVL 43

Expert Comment

by:Steve Knight
ID: 16508493
makes my "not really a good idea" comment seem soft now, 100% agree, don't expose anything related to internal stuff to the internet in any way...

Steve
 

Author Comment

by:rfinaly
ID: 16508525
Well, it was a consultant that started the job and now I need to fix all the problems that do not work.
I will remove the DC right now; hopefully other things will not get broken on the way. I do have to give my clients network logins, this is the type of business we are in, and we have to allow them to access applications from the internet, so I guess my question is: how can I allow an application that a DMZ server hosts to authenticate against the DC?

Thanks for the advice.
 
LVL 11

Assisted Solution

by:NetoMeter Screencasts
NetoMeter Screencasts earned 664 total points
ID: 16508738
Well,
After asking these two simple questions:
1. Whether you mean DC (Domain Controller) instead of DNS server
2. What is the reason to have a DC in the DMZ
for which I apologize again, I think I have a better understanding of your problem.

Now I am going to ask a couple more specific questions:
1. Is it correct to assume that your clients need to access a web server and have to be authenticated before they get the corresponding level of access?
2. Do they need to be Active Directory users?

If the answer to both questions is positive then you have to change your current configuration a little bit.
The suggested changes would be:
1. Open the necessary ports in the firewall (I will provide you with the list of the ports and, if necessary, more info about the firewall configuration) in order to restore the normal communication between DC2 (I will name the Domain Controller in the DMZ DC2 and the internal one DC1) and DC1.
2. Force replication between them, check the result and make sure that it is successful.
3. Demote DC2, make sure that it is removed from the Domain Controllers container in ADUC (Active Directory Users and Computers) and clean the AD-integrated zone if it is still listed as DC, GC etc. there.
4. Delete the AD-integrated DNS zone on DC2 and create a primary DNS zone containing the records necessary for the external (internet) users. This configuration is called split DNS.

If you have successfully completed the above steps your Internet users will be able to access the web applications and authenticate against AD.

In addition I would recommend constantly monitoring the traffic to that server using an IDS (Intrusion Detection System).
The easiest way to do this is to install Snort in the DMZ. If you want to get serious you can configure Snort in front of your WEB server so it will automatically drop suspicious connections.

I hope that my comment was helpful.

Dean
 
LVL 13

Expert Comment

by:Yancey Landrum
ID: 16508843
Yes, I understand you have to take care of your customers. Completely redoing the security of your web servers will be a time-consuming process that will involve lots of downtime. Considering how it is set up, removing the DC will almost certainly break your web sites. The two DCs are not talking right now so that is good; you can leave the DMZ domain controller where it is for now and consider them two different domains but for heaven's sake do not open up anything in the firewall. Here's what you can do to secure your internal network:

On the firewall:
Make sure you are only allowing the minimum traffic, and only to your web servers (port 443 for SSL; port 80 only if there are any unsecure sections of the websites).
For DNS, you'd be better off getting your ISP to host your DNS records for you (usually they will do it for no charge if you have a T1 or better). The DMZ domain controller should not be reachable from the internet (only the web servers need it to authenticate). If you really need your own DNS, allow port 53 (tcp and udp) to the domain controller.

On the DMZ domain controller:
Remove all internal (non-web server) machine accounts from the DMZ domain.
Remove all DNS records that reference any internal machines.
Remove any internal users who do not need to access the websites.
Change the usernames and passwords for the existing users so they are different from your internal domain.

Then, at your earliest opportunity, rename the DMZ domain. Renaming the domain in Windows 2000 is possible if it is in mixed mode but it's pretty involved (Microsoft has instructions but Daniel Petri condensed them into a high-level overview here: http://www.petri.co.il/w2k_domain_rename.htm). You'd have better luck upgrading to Windows server 2003 and using the domain rename tool.

You will have to manage the two domains separately; new users will have to be added to both domains (assuming they need access to both domains) using the separate naming conventions for each. External customers need only be added to the DMZ domain.

Dang consultants. You should get your money back, or at the very least warn all your friends that those guys don't know jack about security.
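One defensive check that follows from Dean's split-DNS step (replace the AD-integrated zone on the DMZ server with a plain primary zone holding only the records external users need) and from Yancey's "remove all DNS records that reference any internal machines": an added Python example, not from this thread or from either expert, that audits an exported zone file for A records resolving into RFC 1918 address space or names matching an internal naming pattern. The zone text, the hostnames and addresses in it, and the `INTERNAL_NAME_RE` naming pattern are all constructed for illustration and would be replaced by the real zone and the real convention.

```python
"""Audit an external (DMZ) DNS zone for records that leak internal hosts.

Added example, not code from the Experts Exchange thread or from Microsoft.
A split-DNS external zone should carry only what internet users need; any
record pointing at the private network gives an attacker a map for free.
"""
import ipaddress
import re

# RFC 1918 private ranges: an external zone should never resolve a name to these.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical internal naming convention; replace with the organisation's own.
INTERNAL_NAME_RE = re.compile(r"^(dc\d*|fileserv|sql\d*|backup\d*)$", re.IGNORECASE)

# Constructed sample zone in BIND-style text, as it might look after the DMZ
# server's AD-integrated zone was replaced by a standalone primary zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN  SOA  ns1.example.com. hostmaster.example.com. ( 2006042001 3600 900 604800 86400 )
@        IN  NS   ns1.example.com.
ns1      IN  A    203.0.113.10
www      IN  A    203.0.113.20
portal   IN  A    203.0.113.21
mail     IN  MX   10 mail.example.com.
mail     IN  A    203.0.113.25
dc1      IN  A    10.1.1.5          ; internal domain controller, must not be here
fileserv IN  A    192.168.10.7      ; internal file server, must not be here
"""


def parse_zone(text):
    """Yield (name, rtype, data) for class-IN records written as NAME [TTL] IN TYPE DATA.

    $-directives, comments and blank lines are skipped; records without an
    explicit owner name or class are ignored to keep the parser small.
    """
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        if "IN" not in parts:
            continue
        idx = parts.index("IN")
        if idx == 0 or idx + 1 >= len(parts):
            continue
        yield parts[0], parts[idx + 1].upper(), parts[idx + 2:]


def is_internal_address(text):
    """True if text parses as an IP address inside RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def audit_zone(text):
    """Return (name, reason) findings for records that do not belong in a DMZ zone."""
    findings = []
    for name, rtype, data in parse_zone(text):
        if rtype == "A" and data and is_internal_address(data[0]):
            findings.append((name, f"A record resolves to private address {data[0]}"))
        if INTERNAL_NAME_RE.match(name):
            findings.append((name, "hostname follows the internal naming convention"))
    return findings


def offending_names(text):
    """Sorted, de-duplicated list of hostnames the audit flagged."""
    return sorted({name for name, _ in audit_zone(text)})


if __name__ == "__main__":
    for name, reason in audit_zone(SAMPLE_ZONE):
        print(f"{name:10} {reason}")
    print("offending:", offending_names(SAMPLE_ZONE))
```

Run it against a zone exported from the DMZ server (on Windows DNS the zone file lives under the DNS service's directory once the zone is a file-backed primary); every hostname it prints is one that should be deleted before the zone is served to the internet, and the same check can be re-run after each change to confirm nothing internal crept back in.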
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16508923
One more comment:
Having a Web server in the DMZ which authenticates against Active Directory is a very common configuration.
A good example is the OWA (Outlook Web Access) in the DMZ. Actually that is the way Microsoft recommends configuring OWA – installing a Front-end Exchange server in the DMZ. In that configuration we have exactly a WEB server and an Application server in the DMZ which authenticate against AD.

Dean
 

Author Comment

by:rfinaly
ID: 16510365
Thank you very much for the responses. I am working now to get things a bit more secure. I already removed all internal machine accounts from the DMZ, and also the DNS records, and I will keep working over the weekend on more configurations.
I have a quick question for NetoMeter: how do you configure OWA that is located in the DMZ to authenticate against AD that is now located internally?
Thanks again,
Roy.
 
LVL 13

Expert Comment

by:Yancey Landrum
ID: 16512132
Dean:

Just because it is very common doesn't mean it is a good idea. Microsoft may recommend OWA on a front-end server in the DMZ, but I don't, and neither do a lot of security professionals. You have to open WAY too many holes between the DMZ and the inside (since the front-end server must be a domain member, you have to open ports for ldap, ds, is, kerberos, dc, gc, lsa, ipsec if you are using it, etc), as well as statically set certain ports that should be dynamic. The end result is a configuration that is LESS secure; once you open all the holes in the firewall and statically set your ports, your OWA server is basically on the inside.

It is actually more secure to keep the front-end server on the inside and just allow port 443 to it.
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 16512270
Well,
I respect your opinion, ylandrum, and it is true that opening ports in a firewall leads to a less secure configuration.
Using a Front-end server (WEB, Application, etc.) in the DMZ is the normal approach. In fact, even when you check your bank account you are connecting to a Front-end server which communicates through a firewall to Back-end server(s) and authenticates your request. Maybe you should send your concerns to your bank.

Anyway, my personal opinion is that Rfinaly should be fine if he demotes DC2, configures split DNS and configures the WEB server to authenticate against the DC.
I think that configuring and maintaining two separate domains, one inside and a second in the DMZ, is not a better idea and I would not prefer that approach.
As a matter of fact I've never seen such a configuration.

Dean

PS: I would rather invest resources and time in implementing an IDS system than maintaining two Domains.
