Solved

Proper way to allow one subnet to authenticate to a DC on another subnet securely?

Posted on 2011-03-23
13
654 Views
Last Modified: 2012-05-11
We need to stand up a Server 2008 domain controller between two subnets.  We'll call one subnet 10.1 and the other 10.2.  Active Directory is completely configured on the 10.1 already.  But as a school, we have some student services on the 10.2 that need to start authenticating into our main Active Directory environment.  Our preference is to not use a dual homed DC, as everything we've read indicates this is a bad idea.  I read one place that the best solution is to use subnetting and routing to accomplish this.  if that is the case, how should the subnetting and routing be configured in order to allow authentication traffic to a few DC's on the 10.1, while at the same time maintaining security between these segments?  Also, should we consider an RODC or perhaps a sever core DC for added security?  What are best practices for this sort of configuration?
13 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202211
In Active Directory Sites and Services you need to add under subnets the 10.1 and 10.2 subnets
 

Author Comment

by:patriots
ID: 35202243
The 10.1 subnet is already configured as a site.  What would setting up the 10.2 do unless there were accompanying firewall rules permitting authentication traffic?

One thought that occurred to me was allowing one DC to simply live single homed on 10.2, and then creating a firewall conduit to allow it to replicate with its partners on 10.1; however, I'm not sure if this is best practice.

Also, I'm not sure if this is the most secure... the idea is to be secure since the 10.2 faces students, who may at times fancy themselves as hackers.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202251
There would need to be accompanying routing rules between subnets either using ACL's on your switches/routers or the firewall.
 
LVL 9

Accepted Solution

by:
binary_1001010 earned 500 total points
ID: 35202365
RODC needs quite an amount of administration: you need to add the students to the password caching group, then you need to generate the password.

RODC DNS is not writable, hence you need to edit records manually from the writable DNS.

Also, you must have at least 1 writable DC that can talk to the RODC; your firewall must not block everything out.

Finally, how familiar are you with subnetting? If you want to separate 10.1 and 10.2, you need to have a subnet of 16 bits (255.255.0.0) and above. You cannot have 255.0.0.0 (6 bits).
 

Author Comment

by:patriots
ID: 35202396
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.  So RODC might be too much work... how about just a server core DC... or would there be any benefit to that?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202416
I would just put another DC on the 10.2 subnet and create a separate site in AD and assign the 10.2 subnet to that site.
 
LVL 9

Assisted Solution

by:binary_1001010
binary_1001010 earned 500 total points
ID: 35202487
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.

That's good. A core DC does not have a GUI; everything must be done by using the command line. All you need to do now is 1 DC at 10.1 and the other at 10.2, but like I said, you must not block the traffic totally; you need replication between DC1 and DC2. And not to forget your file servers: do 10.2 users need to access file servers on 10.1?

Technically yes, you can separate them, but you have to discuss this with your firewall team and your manager. Adding another DC costs money.
 

Author Comment

by:patriots
ID: 35202522
There will be a file server on the 10.2 with the DC.  Maybe the same server, but I prefer to keep it separate.  Perhaps the file server could be server core... might make more sense.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202527
If you are not familiar with Server Core I would stay well away from it.

 

Author Comment

by:patriots
ID: 35202533
So then, to sum up, perhaps the best thing to do is forget a dual homed server, and instead just build a separate DC on the 10.2, create a 10.2 site, enable replication between the sites (unless it's automatically configured, which usually happens), and then allow traffic on the firewall between these two segments so that the DC on 10.2 can replicate to DCs on 10.1.  Then we're done?  Anything else to keep in mind?
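The site-and-subnet setup summarised above, as an added example that is not from this thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later RSAT; on Server 2008 the same steps are done in the Active Directory Sites and Services console), and uses hypothetical names: site Students-10-2, subnet 10.2.0.0/16, the default site link DEFAULTIPSITELINK, and a new DC named DC02.

```powershell
# Added example, not the thread's own commands. Assumed names: site
# "Students-10-2", subnet 10.2.0.0/16 (the 255.255.0.0 mask mentioned in the
# thread), existing site link DEFAULTIPSITELINK, and a new 10.2 DC "DC02".
Import-Module ActiveDirectory

$SiteName   = 'Students-10-2'
$SubnetCidr = '10.2.0.0/16'
$SiteLink   = 'DEFAULTIPSITELINK'   # link that already contains the 10.1 site
$NewDc      = 'DC02'                # promoted on the 10.2 segment

# 1. Create the site and tie the student subnet to it, so 10.2 clients pick
#    the local DC and only replication has to cross the firewall.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$SubnetCidr'")) {
    New-ADReplicationSubnet -Name $SubnetCidr -Site $SiteName
}

# 2. Add the new site to the existing site link so the KCC builds the
#    inter-site connection objects itself (default schedule: every 180 min).
Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{Add = $SiteName}

# 3. After DCPROMO on the 10.2 server, make sure the new DC sits in its own
#    site rather than in the 10.1 site it may have been placed in at promotion.
Move-ADDirectoryServer -Identity $NewDc -Site $SiteName

# 4. Verify the subnet-to-site mapping, that the locator returns the 10.2 DC
#    for the new site, and that inter-site replication is healthy.
# Firewall between the segments must still pass, DC to DC: TCP/UDP 53, 88,
# 389, 464; TCP 135, 445, 636, 3268, 3269; and the RPC dynamic range
# (TCP 49152-65535 on Server 2008) in both directions.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$SiteName
repadmin /replsummary
```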
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35202537
sounds good to me :)
 

Author Comment

by:patriots
ID: 35218618
We're trying this scenario now, and get "the RPC server is unavailable" whenever we try to run DCPROMO on the server that lives on 10.2.  We have a firewall rule allowing all traffic between the server's IP address and the remote domain controller on 10.1.

On the 10.2 segment, we have a 10.2 to 10.1 IP address mapping for the DC that's on the 10.1.  My theory is that this is what's breaking it... when the DC promotion is attempted, it contacts the remote server with a 10.2 number, when the server actually has a 10.1 number.  Confusing, I know...

Seems like this could be more easily resolved with a static route of some sort.  The server on the 10.2 should, in my mind, be able to directly access the 10.1 IP of the DC that lives over there, and not use some weird IP mapping.
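A pre-DCPROMO check for the "RPC server is unavailable" situation above, added here and not part of the thread. It assumes a hypothetical DC FQDN dc01.school.local that really lives in 10.1.0.0/16, runs on the 10.2 member server under PowerShell 2.0 or later (only .NET calls, so it works on Server 2008), and flags the case where DNS on the 10.2 side hands out the mapped 10.2 address instead of the DC's real one. The DC locator and RPC endpoint-mapper replies carry the DC's real address, which is why Microsoft does not support DC promotion or AD replication across NAT; routing to the real 10.1 address, as the comment suggests, is the fix.

```powershell
# Added diagnostic, not from the thread. Assumed: dc01.school.local is the
# writable DC on 10.1 and 10.1.x.x is its real address space.
$DcName     = 'dc01.school.local'   # hypothetical FQDN of the 10.1 DC
$RealPrefix = '10.1.'               # where the DC actually lives
# Ports a promotion/replication path needs. 135 is the RPC endpoint mapper;
# replication then moves to a dynamic port (TCP 49152-65535 on Server 2008)
# that the mapper reports together with the DC's REAL address.
$Ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC EPM'; 389='LDAP';
            445='SMB'; 464='Kpasswd'; 636='LDAPS'; 3268='GC' }

function Test-TcpPort([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Which address does DNS on this segment hand out for the DC?
$addrs = [System.Net.Dns]::GetHostAddresses($DcName) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' }
foreach ($a in $addrs) {
    if ($a.IPAddressToString.StartsWith($RealPrefix)) {
        "DNS resolves $DcName to its real address $a"
    } else {
        "WARNING: $DcName resolves to $a, a mapped (NAT) address. Locator and " +
        "RPC endpoint-mapper replies will name the DC's real $RealPrefix address, " +
        "so DCPROMO/replication fails with 'RPC server is unavailable'. " +
        "Route to the real address and fix DNS instead of mapping."
    }
}

# 2. Is each required port reachable on every address DNS returned?
foreach ($a in $addrs) {
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -TargetHost $a.IPAddressToString -Port $p) { 'open' } else { 'BLOCKED' }
        "{0,-16} {1,5} {2,-9} {3}" -f $a, $p, $Ports[$p], $state
    }
}
```

A BLOCKED result on 135 or on the dynamic range between the two DCs means the firewall rule is not actually passing the replication traffic, even if the rest looks open.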
 
LVL 9

Expert Comment

by:binary_1001010
ID: 35219312
How many network interfaces do DC1 and DC2 have? If only 1, then the routing must be done on the switches or router. If 2 interfaces on each server, you add a permanent static route on the server itself.