Solved

Proper way to allow one subnet to authenticate to a DC on another subnet securely?

Posted on 2011-03-23
Last Modified: 2012-05-11
We need to stand up a Server 2008 domain controller between two subnets. We'll call one subnet 10.1 and the other 10.2. Active Directory is completely configured on the 10.1 already. But as a school, we have some student services on the 10.2 that need to start authenticating into our main Active Directory environment. Our preference is to not use a dual-homed DC, as everything we've read indicates this is a bad idea. I read in one place that the best solution is to use subnetting and routing to accomplish this. If that is the case, how should the subnetting and routing be configured in order to allow authentication traffic to a few DCs on the 10.1, while at the same time maintaining security between these segments? Also, should we consider an RODC or perhaps a server core DC for added security? What are best practices for this sort of configuration?
Question by:patriots
13 Comments
LVL 74

Expert Comment

by:Glen Knight
ID: 35202211
In Active Directory Sites and Services you need to add under subnets the 10.1 and 10.2 subnets

Author Comment

by:patriots
ID: 35202243
The 10.1 subnet is already configured as a site. What would setting up the 10.2 do unless there were accompanying firewall rules permitting authentication traffic?

One thought that occurred to me was allowing one DC to simply live single-homed on 10.2, and then creating a firewall conduit to allow it to replicate with its partners on 10.1; however, I'm not sure if this is best practice.

Also, I'm not sure if this is the most secure... the idea is to be secure since the 10.2 faces students, who may at times fancy themselves as hackers.
LVL 74

Expert Comment

by:Glen Knight
ID: 35202251
There would need to be accompanying routing rules between subnets, either using ACLs on your switches/routers or the firewall.
LVL 9

Accepted Solution

by:
binary_1001010 earned 500 total points
ID: 35202365
An RODC needs quite an amount of administration. You need to add the students to the password caching group, then you need to generate the password.

RODC DNS is not writable, hence you need to edit records manually from the writable DNS.

Also, you must have at least 1 writable DC that can talk to the RODC; your firewall must not block everything out.

Finally, how familiar are you with subnetting? If you want to separate 10.1 and 10.2, you need to have a subnet of 16 bits (255.255.0.0) and above. You cannot have 255.0.0.0 (6 bits).


Author Comment

by:patriots
ID: 35202396
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask. So RODC might be too much work... how about just a server core DC... or would there be any benefit to that?
LVL 74

Expert Comment

by:Glen Knight
ID: 35202416
I would just put another DC on the 10.2 subnet and create a separate site in AD and assign the 10.2 subnet to that site.
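The site-and-subnet layout suggested above, written out as an added PowerShell example (not code from the thread or from either expert). It assumes the ActiveDirectory module from Server 2012+/RSAT and a Domain Admins session; the site names, the 10.2.0.0/16 prefix and the 15-minute replication interval are constructed placeholders standing in for the thread's "10.1"/"10.2" shorthand.

```powershell
# Added example: create a second AD site for the 10.2 segment, bind its subnet
# to that site, and join it to the existing site link so the KCC builds
# replication connections across the firewall.
Import-Module ActiveDirectory

$existingSite = 'Default-First-Site-Name'   # assumed name of the 10.1 site
$newSite      = 'Site-10-2'                 # constructed name for the 10.2 site
$newSubnet    = '10.2.0.0/16'               # constructed; matches a 255.255.0.0 mask

# 1. Create the site for the student-facing segment (skip if it already exists).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$newSite'")) {
    New-ADReplicationSite -Name $newSite -Description 'Student services segment'
}

# 2. Register the subnet and associate it with the new site. Without this,
#    machines on 10.2 fall into "no site" and may pick any DC in the forest,
#    including ones on the far side of the firewall.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$newSubnet'")) {
    New-ADReplicationSubnet -Name $newSubnet -Site $newSite
}

# 3. Add the new site to the default site link. DEFAULTIPSITELINK exists in a
#    fresh forest; for a two-site topology that is enough for the KCC to
#    generate the inter-site connection objects.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = $newSite} `
    -ReplicationFrequencyInMinutes 15

# 4. Report the resulting mapping so the firewall rules can be scoped to the
#    specific DC addresses in each site rather than to whole subnets.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site
```

Run it once from an existing DC on 10.1 before promoting the new server; after promotion, the new DC shows up in `Get-ADDomainController` under `Site-10-2`, which is the quickest check that the subnet-to-site binding took effect.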
LVL 9

Assisted Solution

by:binary_1001010
binary_1001010 earned 500 total points
ID: 35202487
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.

That's good. A core DC does not have a GUI; everything must be done using the command line. All you need to do now is 1 DC at 10.1 and the other at 10.2, but like I said, you must not block the traffic totally; you need replication between DC1 and DC2. And not to forget your file servers. Do 10.2 users need to access file servers on 10.1?

Technically yes, you can separate them, but you have to discuss this with your firewall team and your manager. Adding another DC costs money.

Author Comment

by:patriots
ID: 35202522
There will be a file server on the 10.2 with the DC. Maybe the same server, but I prefer to keep it separate. Perhaps the file server could be server core... might make more sense.
LVL 74

Expert Comment

by:Glen Knight
ID: 35202527
If you are not familiar with Server Core I would stay well away from it.

Author Comment

by:patriots
ID: 35202533
So then, to sum up, perhaps the best thing to do is forget a dual-homed server, and instead just build a separate DC on the 10.2, create a 10.2 site, enable replication between the sites (unless it's automatically configured, which usually happens), and then allow traffic on the firewall between these two segments so that the DC on 10.2 can replicate to DCs on 10.1. Then we're done? Anything else to keep in mind?
LVL 74

Expert Comment

by:Glen Knight
ID: 35202537
Sounds good to me :)

Author Comment

by:patriots
ID: 35218618
We're trying this scenario now, and get "the RPC server is unavailable" whenever we try to run DCPROMO on the server that lives on 10.2. We have a firewall rule allowing all traffic between the server's IP address and the remote domain controller on 10.1.

On the 10.2 segment, we have a 10.2-to-10.1 IP address mapping for the DC that's on the 10.1. My theory is that this is what's breaking it... when the DC promotion is attempted, it contacts the remote server with a 10.2 number, when the server actually has a 10.1 number. Confusing, I know...

Seems like this could be more easily resolved with a static route of some sort. The server on the 10.2 should, in my mind, be able to directly access the 10.1 IP of the DC that lives over there, and not use some weird IP mapping.
LVL 9

Expert Comment

by:binary_1001010
ID: 35219312
How many network interfaces do DC1 and DC2 have? If only 1, then the routing must be done on the switches or router. If 2 interfaces on each server, you add a permanent static route on the server itself.
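A pre-promotion check for the "RPC server is unavailable" symptom discussed in the last two posts, as an added PowerShell example that is not part of the thread. It tests, from the prospective 10.2 DC, that the existing 10.1 DC resolves to its real address rather than a NAT-mapped 10.2 one, and that the ports DCPROMO and replication need are open through the firewall. It assumes Windows 8/Server 2012+ for `Test-NetConnection` and `Resolve-DnsName`; the domain name, DC name and addresses are constructed placeholders.

```powershell
# Added example: verify name resolution and port reachability from the server
# that is about to be promoted, against the remote DC's real 10.1 address.
$domain     = 'school.example'       # constructed placeholder
$remoteDc   = 'dc1.school.example'   # constructed: existing writable DC on 10.1
$expectedIp = '10.1.0.10'            # constructed: that DC's real 10.1 address

# Ports a promotion and ongoing replication rely on. The dynamic RPC range on
# Server 2008+ is 49152-65535; one sample port is probed here, but the firewall
# rule must cover the whole range (or the DC must be pinned to a static RPC port).
$ports = [ordered]@{
    'DNS (TCP)'           = 53
    'Kerberos'            = 88
    'RPC endpoint mapper' = 135
    'LDAP'                = 389
    'SMB'                 = 445
    'LDAPS'               = 636
    'Global Catalog'      = 3268
    'Dynamic RPC sample'  = 49152
}

# 1. Name resolution: the address the promotion will actually connect to.
#    A NAT mapping or stale record shows up here as an unexpected 10.2.x.x.
$resolved = (Resolve-DnsName -Name $remoteDc -Type A -ErrorAction Stop).IPAddress
if ($resolved -notcontains $expectedIp) {
    Write-Warning "$remoteDc resolves to $($resolved -join ', '), not $expectedIp."
}

# 2. DC locator records: the promotion finds DCs through _ldap._tcp SRV records,
#    so the 10.2 server's DNS must be able to return them.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object NameTarget, Port

# 3. Port reachability, tested by IP so a wrong DNS answer cannot mask a
#    firewall problem (or vice versa).
$results = foreach ($entry in $ports.GetEnumerator()) {
    $test = Test-NetConnection -ComputerName $expectedIp -Port $entry.Value `
                               -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service = $entry.Key
        Port    = $entry.Value
        Open    = $test.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Any row with Open = False, especially 135 or the dynamic range, produces
# exactly the "RPC server is unavailable" error seen during dcpromo.
```

Run it on the 10.2 server before retrying DCPROMO. If step 1 returns a 10.2 address, the fix is on the DNS/NAT side, not the firewall; if steps 1 and 2 look right but 135 or 49152 is closed, the firewall rule is the culprit, and scoping it to the two DC addresses over these ports is tighter than the "all traffic between the servers" rule mentioned above.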