Solved

Proper way to allow one subnet to authenticate to a DC on another subnet securely?

Posted on 2011-03-23
13
660 Views
Last Modified: 2012-05-11
We need to stand up a Server 2008 domain controller between two subnets.  We'll call one subnet 10.1 and the other 10.2.  Active Directory is completely configured on the 10.1 already.  But as a school, we have some student services on the 10.2 that need to start authenticating into our main Active Directory environment.  Our preference is to not use a dual-homed DC, as everything we've read indicates this is a bad idea.  I read in one place that the best solution is to use subnetting and routing to accomplish this.  If that is the case, how should the subnetting and routing be configured in order to allow authentication traffic to a few DCs on the 10.1, while at the same time maintaining security between these segments?  Also, should we consider an RODC or perhaps a Server Core DC for added security?  What are best practices for this sort of configuration?
Question by:patriots
13 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202211
In Active Directory Sites and Services you need to add under subnets the 10.1 and 10.2 subnets
0
 

Author Comment

by:patriots
ID: 35202243
The 10.1 subnet is already configured as a site.  What would setting up the 10.2 do unless there were accompanying firewall rules permitting authentication traffic?

One thought that occurred to me was allowing one DC to simply live single-homed on 10.2, and then creating a firewall conduit to allow it to replicate with its partners on 10.1; however, I'm not sure if this is best practice.

Also, I'm not sure if this is the most secure...the idea is to be secure, since the 10.2 faces students, who may at times fancy themselves hackers.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202251
There would need to be accompanying routing rules between subnets, either using ACLs on your switches/routers or the firewall.
0
 
LVL 9

Accepted Solution

by:binary_1001010 (earned 500 total points)
ID: 35202365
An RODC needs quite a lot of administration: you need to add the students to the password caching group, then you need to generate the passwords.

RODC DNS is not writable, hence you need to edit records manually on the writable DNS.

Also, you must have at least 1 writable DC that can talk to the RODC; your firewall must not block everything out.

Finally, how familiar are you with subnetting? If you want to separate 10.1 and 10.2, you need to have a subnet mask of 16 bits (255.255.0.0) and above. You cannot have 255.0.0.0 (6 bits).

0
 

Author Comment

by:patriots
ID: 35202396
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.  So an RODC might be too much work...how about just a Server Core DC...or would there be any benefit to that?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202416
I would just put another DC on the 10.2 subnet, create a separate site in AD and assign the 10.2 subnet to that site.
0
 
LVL 9

Assisted Solution

by:binary_1001010
binary_1001010 earned 500 total points
ID: 35202487
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.

That's good. A Server Core DC does not have a GUI; everything must be done from the command line. All you need to do now is 1 DC on 10.1 and the other on 10.2, but like I said, you must not block the traffic totally: you need replication between DC1 and DC2. And don't forget your file servers. Do 10.2 users need to access file servers on 10.1?

Technically, yes, you can separate them, but you have to discuss this with your firewall team and your manager. Adding another DC costs money.
0
 

Author Comment

by:patriots
ID: 35202522
There will be a file server on the 10.2 with the DC.  Maybe the same server, but prefer to keep it separate.  Perhaps the file server could be server core...might make more sense.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202527
If you are not familiar with Server Core I would stay well away from it.

0
 

Author Comment

by:patriots
ID: 35202533
So then, to sum up, perhaps the best thing to do is forget a dual-homed server, and instead just build a separate one on the 10.2, create a 10.2 site, enable replication between the sites (unless it's automatically configured, which usually happens), and then allow traffic on the firewall between these two segments so that the DC on 10.2 can replicate to DCs on 10.1.  Then we're done?  Anything else to keep in mind?
0
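The procedure summed up in the comment above (a DC of its own on 10.2, a separate AD site for it, the 10.2 subnet assigned to that site, and the site added to a site link so the KCC builds inter-site replication), written out as an added example. This is not code from the original thread. It uses ADSI so it runs on Server 2008 without the ActiveDirectory module; the site name, subnet prefix and site link name are assumptions for illustration, and it must be run as an account allowed to write to the Configuration partition (Enterprise Admins) from a machine that can reach a writable DC.

```powershell
# Added example (not from the original thread). Creates the 10.2 AD site,
# assigns the 10.2 subnet to it and adds the site to a site link, using
# ADSI so it works on Server 2008 without the ActiveDirectory module.
# The names below are assumptions for illustration.
$siteName   = 'Students-10-2'        # assumed name for the new 10.2 site
$subnetCidr = '10.2.0.0/16'          # the 10.2 /16 from the thread
$linkName   = 'DEFAULTIPSITELINK'    # default IP site link; change if you use another

$configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$sitesDN  = "CN=Sites,$configNC"
$siteDN   = "CN=$siteName,$sitesDN"

# 1. The site object itself, plus the two child containers the KCC expects
#    (Sites and Services creates these for you when you click through the GUI).
$sites = [ADSI]"LDAP://$sitesDN"
$site  = $sites.Create('site', "CN=$siteName")
$site.SetInfo()
$ntds = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings')
$ntds.SetInfo()
$servers = $site.Create('serversContainer', 'CN=Servers')
$servers.SetInfo()

# 2. The subnet, pointed at the new site. Clients are placed in a site by
#    matching their source address against these subnets, so 10.2 machines
#    will prefer the 10.2 DC for authentication once it exists.
$subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
$subnet  = $subnets.Create('subnet', "CN=$subnetCidr")
$subnet.Put('siteObject', $siteDN)
$subnet.SetInfo()

# 3. Membership in a site link is what makes the KCC generate inter-site
#    connection objects; a site that is in no link never replicates.
$link = [ADSI]"LDAP://CN=$linkName,CN=IP,CN=Inter-Site Transports,$sitesDN"
$link.PutEx(3, 'siteList', @($siteDN))   # 3 = ADS_PROPERTY_APPEND
$link.SetInfo()

# 4. Show what was built before running dcpromo on the 10.2 server.
"Site:    " + ([ADSI]"LDAP://$siteDN").Get('distinguishedName')
"Subnet:  $subnetCidr -> " + $subnet.Get('siteObject')
"Link:    $linkName now spans " + (($link.GetEx('siteList')) -join '; ')
```

When dcpromo is run on the 10.2 server afterwards, the promotion places the new DC in the 10.2 site because the server's own address falls in that subnet. Replication between the two sites then flows over the inter-site connection objects the KCC creates, and the firewall between the segments has to permit that traffic in both directions (the port list, including the dynamic RPC range, is the usual sticking point and is covered further down the thread).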
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202537
sounds good to me :)
0
 

Author Comment

by:patriots
ID: 35218618
We're trying this scenario now, and get "the RPC server is unavailable" whenever we try to run DCPROMO on the server that lives on 10.2.  We have a firewall rule allowing all traffic between the server's IP address and the remote domain controller on 10.1.

On the 10.2 segment, we have a 10.2 to 10.1 IP address mapping for the DC that's on the 10.1.  My theory is that this is what's breaking it...when the dc promotion is attempted, it contacts the remote server with a 10.2 number, when the server actually has a 10.1 number.  Confusing, I know...

Seems like this could be more easily resolved with a static route of some sort.  The server on the 10.2 should be able to in my mind directly access the 10.1 IP of the DC that lives over there, and not use some weird IP mapping.
0
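The "RPC server is unavailable" failure described in the comment above, checked from the 10.2 server, as an added example that is not from the original thread. A domain controller registers its real address in DNS (A and SRV records), so a 10.2-to-10.1 address mapping on the firewall only helps if name resolution hands the joining server an address it can actually reach; otherwise the Netlogon locator finds the DC by name, gets the 10.1 address, and the RPC connection goes nowhere. The script shows what DNS returns for the DC, whether the expected 10.1 address answers, and whether the TCP ports dcpromo needs are open. The DC name and address are placeholders.

```powershell
# Added example (not from the original thread). Run on the 10.2 server that
# is about to be promoted. $dcName and $expectedIp are assumptions: the FQDN
# and the real (un-mapped) address of the writable DC on the 10.1 segment.
$dcName     = 'dc1.school.local'
$expectedIp = '10.1.0.10'
$timeoutMs  = 2000

# Fixed ports a domain join / dcpromo needs to reach on the existing DC.
# Replication and dcpromo also use the dynamic RPC range (49152-65535 on
# Server 2008), which a single-port probe cannot prove open.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / Netlogon'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. What does DNS hand back for the DC? If this is a 10.2 "mapped" address,
#    or a 10.1 address that is not routable from here, RPC will fail with
#    "The RPC server is unavailable" even though the firewall rule looks right.
$resolved = [System.Net.Dns]::GetHostAddresses($dcName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
"DNS returns $($resolved -join ', ') for $dcName (expected $expectedIp)"
if ($resolved -notcontains $expectedIp) {
    Write-Warning 'DNS does not return the DC''s real address; fix DNS/NAT before running dcpromo.'
}

# 2. Is the real address reachable at all, and are the required ports open?
$ping = Test-Connection -ComputerName $expectedIp -Count 2 -ErrorAction SilentlyContinue
if ($ping) { "ICMP to $expectedIp OK" } else { Write-Warning "No ICMP reply from $expectedIp (may be filtered)" }

foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = Test-TcpPort -Target $expectedIp -Port $p -TimeoutMs $timeoutMs
    '{0,-5} {1,-26} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

If the fixed ports are open but dcpromo or replication still fails with an RPC error, the dynamic RPC range is the next suspect. Rather than opening 49152-65535 through the firewall, AD replication can be pinned to one port with the REG_DWORD value TCP/IP Port under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on each DC (a reboot is required), and that single port plus 135 is then all the inter-site rule needs for the directory service itself.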
 
LVL 9

Expert Comment

by:binary_1001010
ID: 35219312
How many network interfaces do DC1 and DC2 have? If only 1, then the routing must be done on the switches or router. If there are 2 interfaces on each server, you add a permanent static route on the server itself.
0
