• Status: Solved
Proper way to allow one subnet to authenticate to a DC on another subnet securely?

We need to stand up a Server 2008 domain controller between two subnets. We'll call one subnet 10.1 and the other 10.2. Active Directory is completely configured on the 10.1 already. But as a school, we have some student services on the 10.2 that need to start authenticating into our main Active Directory environment. Our preference is to not use a dual-homed DC, as everything we've read indicates this is a bad idea. I read in one place that the best solution is to use subnetting and routing to accomplish this. If that is the case, how should the subnetting and routing be configured in order to allow authentication traffic to a few DCs on the 10.1, while at the same time maintaining security between these segments? Also, should we consider an RODC or perhaps a server core DC for added security? What are best practices for this sort of configuration?
Asked by patriots
2 Solutions
 
Glen KnightCommented:
In Active Directory Sites and Services you need to add under subnets the 10.1 and 10.2 subnets
 
patriotsAuthor Commented:
The 10.1 subnet is already configured as a site.  What would setting up the 10.2 do unless there were accompanying firewall rules permitting authentication traffic?

One thought that occurred to me was allowing one DC to simply live single-homed on 10.2, and then creating a firewall conduit to allow it to replicate with its partners on 10.1; however, I'm not sure if this is best practice.

Also, I'm not sure if this is the most secure. The idea is to be secure, since the 10.2 faces students, who may at times fancy themselves hackers.
 
Glen KnightCommented:
There would need to be accompanying routing rules between subnets, either using ACLs on your switches/routers or the firewall.
 
binary_1001010Commented:
An RODC needs quite an amount of administration. You need to add the students to the password caching group, then you need to generate the password.

RODC DNS is not writable, hence you need to edit records manually from the writable DNS.

Also, you must have at least 1 writable DC that can talk to the RODC; your firewall must not block everything out.

Finally, how familiar are you with subnetting? If you want to separate 10.1 and 10.2, you need to have a subnet of 16 bits (255.255.0.) or above. You cannot have 255.0.0.0 (6 bits).
 
patriotsAuthor Commented:
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.  So RODC might be too much work...how about just a server core DC...or would there be any benefit to that?
 
Glen KnightCommented:
I would just put another DC on the 10.2 subnet and create a separate site in AD and assign the 10.2 subnet to that site.
 
binary_1001010Commented:
10.1 and 10.2 are already configured and running separately with a firewall between, and it is a 255.255.x.x subnet mask.

That's good. A core DC does not have a GUI; everything must be done using the command line. All you need to do now is 1 DC at 10.1 and the other at 10.2, but like I said, you must not block the traffic totally; you need replication between DC1 and DC2. And don't forget your file servers. Do 10.2 users need to access file servers on 10.1?

Technically yes, you can separate them, but you have to discuss this with your firewall team and your manager. Adding another DC costs money.
 
patriotsAuthor Commented:
There will be a file server on the 10.2 with the DC.  Maybe the same server, but prefer to keep it separate.  Perhaps the file server could be server core...might make more sense.
 
Glen KnightCommented:
If you are not familiar with Server Core I would stay well away from it.

 
patriotsAuthor Commented:
So then, to sum up, perhaps the best thing to do is forget a dual-homed server, and instead just build a separate DC on the 10.2, create a 10.2 site, enable replication between the sites (unless it's automatically configured, which usually happens), and then allow traffic on the firewall between these two segments so that the DC on 10.2 can replicate to DCs on 10.1. Then we're done? Anything else to keep in mind?
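The site and subnet configuration summed up above, as an added PowerShell example that is not from anyone in this thread. The site names, the 10.1 site being "Default-First-Site-Name", the /16 masks and the link cost are assumptions; the cmdlets need the ActiveDirectory module from Windows Server 2012 or later RSAT, and on a Server 2008 DC the same steps are done in Active Directory Sites and Services.

```powershell
# Added example, not from the thread. Assumed names: the existing 10.1 site is the
# default site, the student segment gets its own site, both subnets are /16.
Import-Module ActiveDirectory

$ExistingSite = 'Default-First-Site-Name'   # assumed: name of the current 10.1 site
$NewSite      = 'Students-10-2'             # assumed: name for the new 10.2 site

# 1. A separate site for the student segment
New-ADReplicationSite -Name $NewSite

# 2. Define both subnets and bind each to its site, so clients on 10.2 locate the
#    10.2 DC for logon instead of crossing the firewall to 10.1 on every request
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site $ExistingSite
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site $NewSite

# 3. A site link so the KCC builds the inter-site replication connection.
#    Cost is arbitrary here; 15 minutes is the minimum replication interval.
New-ADReplicationSiteLink -Name "$ExistingSite-$NewSite" `
    -SitesIncluded $ExistingSite, $NewSite -Cost 100 `
    -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 4. Verify the result: every subnet should map to the intended site, and each DC
#    should show up in the site whose subnet it lives in
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object HostName, Site, IPv4Address
```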
 
Glen KnightCommented:
sounds good to me :)
 
patriotsAuthor Commented:
We're trying this scenario now, and get "the RPC server is unavailable" whenever we try to run DCPROMO on the server that lives on 10.2. We have a firewall rule allowing all traffic between the server's IP address and the remote domain controller on 10.1.

On the 10.2 segment, we have a 10.2 to 10.1 IP address mapping for the DC that's on the 10.1.  My theory is that this is what's breaking it...when the dc promotion is attempted, it contacts the remote server with a 10.2 number, when the server actually has a 10.1 number.  Confusing, I know...

Seems like this could be more easily resolved with a static route of some sort. The server on the 10.2 should, in my mind, be able to directly access the 10.1 IP of the DC that lives over there, and not use some weird IP mapping.
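A way to test the IP-mapping theory from the post before re-running DCPROMO, as an added PowerShell example that is not from anyone in this thread: it checks which address the 10.1 DC's name resolves to on the 10.2 server and whether the ports promotion and replication depend on are reachable. The DC name "dc01.school.local" and the 10.1.x.x range are assumptions, and it uses only .NET classes so it runs on Server 2008's PowerShell 2.0.

```powershell
# Added example, not from the thread. Run on the server that lives on 10.2.
$DcName        = 'dc01.school.local'   # assumed: FQDN of the writable DC on 10.1
$ExpectedRange = '10.1.'               # the DC's real segment; a 10.2.x answer means
                                       # the firewall's address mapping is in play

# Ports DCPROMO and replication use. The dynamic RPC range (49152-65535 on
# Server 2008) is negotiated via 135 and is not probed here.
$Ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
            445='SMB'; 464='Kerberos passwd'; 636='LDAPS'; 3268='Global Catalog' }

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout; true if the port answered
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. Does the DC name resolve to its real 10.1 address or to a mapped 10.2 one?
$addresses = [System.Net.Dns]::GetHostAddresses($DcName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }
foreach ($ip in $addresses) {
    if ($ip.IPAddressToString.StartsWith($ExpectedRange)) {
        "$DcName resolves to $ip (inside the expected segment)"
    } else {
        "WARNING: $DcName resolves to $ip, outside $ExpectedRange - check DNS or the firewall mapping"
    }
}

# 2. Which of the required ports actually answer from this segment?
foreach ($p in ($Ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -Target $DcName -Port $p) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1,5}/tcp  {2}' -f $Ports[$p], $p, $state
}
```

A WARNING line supports the theory in the post: RPC hands the client the DC's real endpoint address, so Active Directory replication across address translation is not supported and a route to the real 10.1 address is the usual fix.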
 
binary_1001010Commented:
How many network interfaces do DC1 and DC2 have? If only 1, then the routing must be done on the switches or router. If 2 interfaces on each server, you add a permanent static route on the server itself.