Domain Structure Design

Posted on 2012-03-28
Last Modified: 2012-04-02
Good day everyone. I have a very general question that I have been contemplating in the company I work for.

We currently have an online application (built with ASP.NET and C#) which runs on IIS 6 and connects to an MS SQL Server 2005 database for querying purposes only. No input is made through the online application; it is used for reporting purposes only. This application is on a Windows 2008 R2 Server.

We also currently use a SQL database to manage all of the accounts that log in to the application.

We also currently have a Windows 2008 R2 server that acts as our file server. Finally, we have a Windows 2003 Server as our DC.

We are looking at bringing all of this up to standards as we carry sensitive data that must meet HIPAA and FERPA requirements.

We are looking at hosting all of this at Rackspace and setting all of this up on one server with three VM environments: one for the DC (AD), another for SQL, and a third for IIS. We would like to use AD in our new environment to handle all logon credentials.

Questions are as follows:

1) Would AD be adequate to manage accounts for something like this when most of our users are external, and we have about 1500 accounts but only about 350 active users (bad user management) that login to the online application only?

2) Would we need a failover server with all three VMs mirrored as disaster recovery since Rackspace offers 2 hour turnaround on disaster recovery?

3) Could we place our DC and AD on Rackspace and be able to authenticate our computers to it from our office (for the employees only)?

4) Finally, would it be smart to have a secondary DC in a hosted environment such as this?

Please let me know any thoughts or opinions aside from these questions as this is a venture I would like to proceed with, if viable.

Thank you
Question by:mig1980
Accepted Solution

by: Michael W. Krout earned 500 total points
1) Would AD be adequate to manage accounts for something like this when most of our users are external, and we have about 1500 accounts but only about 350 active users (bad user management) that login to the online application only?

Active Directory could be overkill, but you could use Active Directory Lightweight Directory Services (AD LDS).   This is an LDAP server giving you the ability to track users and so forth.   Active Directory would be used more in an in-house environment.   Not saying that you cannot run it in the cloud.   Another solution would be to run this in an Office 365 environment.   You need to make sure you have a very secure environment for HIPAA and FERPA.   The requirements are pretty stringent.   Is there a reason to put it in the cloud?   You might want to consider using Hyper-V because it is free on Windows Server 2008 R2.   I am not sure what you are considering.

2) Would we need a failover server with all three VMs mirrored as disaster recovery since Rackspace offers 2 hour turnaround on disaster recovery?  

That is a given.   You always want to have a failover scenario.   This can be accomplished easily in Office 365 because they house all of the servers.   It provides you with a 99.9% SLA agreement.   If you are doing it in Rackspace make sure you look at the SLA and what they have to offer with failover.  

3) Could we place our DC and AD on Rackspace and be able to authenticate our computers to it from our office (for the employees only)?

The only way you will be able to do this is to make sure you have a strong pipe and a persistent connection.   Anything is possible, but the cost is a factor.   I would recommend housing AD in-house and not on Rackspace.   You are looking at a security disaster.   You could do this:

2 DCs in-house
1 AD LDS (Active Directory Lightweight Directory Services) in a DMZ with ADAMSync enabled to update accounts on the outside and the inside (authentication for the web application)

The 2 DCs in-house will provide the authentication for the internal users.   The AD LDS server is the authentication for the web application.

4) Finally, would it be smart to have a secondary DC in a hosted environment such as this?

Always have at least 2 DCs to provide redundancy.   Remember that AD uses multi-master replication and you can update any DC.   Not having an additional DC leaves you with an environment that is not fault tolerant.   Make sure that you look at the placement of your FSMO roles.   Schema Master and Domain Naming Master are forest-wide; PDC Emulator, RID Master and Infrastructure Master are domain-wide.   If you lose these then your environment will be hindered.   When you have two or more DCs you can recover from a DC failure.

Let me know if you need more clarification.  

Idea Dudes
25-Steps-to-Recover-a-Downed-Dom.pdf

Author Comment

by:mig1980
Thank you so much for the in-depth response. I have a little clarification to make on question number 3. I stated authenticating to AD at Rackspace, but now we are thinking of completely isolating the Rackspace environment and having that AD authenticate only the external users accessing the web application.

We are thinking of creating another domain in-house and having AD configured to authenticate employees to that.

We are not looking at placing our web application environment in a shared "Cloud" environment. Rackspace offers managed hosting which is different from their cloud hosting in that it would be a private cloud solution with server configuration, and fully managed.

Would it make sense to completely isolate our web app from our internal domain and manage two separate domains in such a small environment?

We are essentially looking for the most secure and practical environment for our needs. Any suggestions on how this should be designed/configured would be greatly appreciated.

Expert Comment

by:Michael W. Krout
Again, you can do an in-house AD setup and then use AD LDS to provide the authentication for the web environment.   You can then keep synergy between the web application and the internal AD.   You can then add users into AD and have them available from within AD LDS.   AD LDS provides an LDAP service just like AD, without the domain controller.   You can then sync up the two directories using ADAMSync.   This is the bridge between AD and AD LDS.   AD LDS does not have to be on a domain controller, and you can provide secure communications through port 50636 or another port of your choice.

Does this make sense or do you need more clarification?

Idea Dudes

Author Comment

by:mig1980
With AD LDS could we manage permissions for external users in a way that would allow us to show or hide certain areas of the web application or allow us to grant access to certain areas for some and other areas for others?

Also, all good ideas and suggestions above. Would it be possible to get a detailed breakdown of what we would need to make the above happen, and where I could find install/configuration information for each of the steps (hardware, software, etc.)?

I will be raising the point award for this question to 500 since it has become a larger question.

Thank you

Author Comment

by:mig1980
Points increased to 500

Assisted Solution

by:Michael W. Krout
Yes, you can manage permissions just like in AD.   The AD LDS server is installed using Server Manager on Windows Server 2008 or R2.   The configuration for your website will take a little bit of time to design.   I would talk to your development folks.   That includes getting ADAMSync configured.   This should give you a start.

Does this help?

Idea Dudes
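As an added example (not code from this thread, from the asker's application, or from Microsoft), here is what the "talk to your development folks" step looks like in the ASP.NET/C# reporting application: the site validates an external user against the DMZ AD LDS instance over LDAPS on port 50636 (the port named above) and turns AD LDS group membership into the show/hide decisions asked about in the last question. The host name, partition DN, group names, the read-only lookup account, and the assumption that ADAMSync has populated userPrincipalName on the synced users are all hypothetical; only the port comes from the discussion.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example, not code from the thread. Authenticates a web-app user against an
// AD LDS instance in the DMZ over LDAPS and maps group membership to application areas.
// Host, partition, group DNs and the lookup account are hypothetical; only the
// port (50636) comes from the discussion.
public static class AdLdsAuth
{
    const string Host = "adlds.dmz.example.com";              // hypothetical DMZ host
    const int Port = 50636;                                   // LDAPS port named in the thread
    const string Partition = "OU=WebUsers,DC=example,DC=com"; // hypothetical AD LDS partition
    const string LookupDn = "CN=svc-lookup,OU=Service,DC=example,DC=com"; // read-only lookup account

    // Group DN -> areas of the reporting application that group may see (hypothetical groups).
    static readonly Dictionary<string, string[]> AreasByGroup =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CN=Report-Readers," + Partition, new[] { "Reports" } },
            { "CN=Report-Admins," + Partition, new[] { "Reports", "Admin" } }
        };

    // Opens a TLS connection and performs a simple bind as bindDn. Certificate checking
    // is left at the default so the Windows trust store validates the AD LDS certificate;
    // never set VerifyServerCertificate to an always-true callback.
    static LdapConnection Connect(string bindDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, Port));
        conn.SessionOptions.SecureSocketLayer = true;  // LDAPS: TLS before any LDAP traffic
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Basic;                // simple bind, acceptable only because the channel is TLS
        conn.Credential = new NetworkCredential(bindDn, password);
        conn.Bind();                                   // throws LdapException on bad credentials
        return conn;
    }

    // RFC 4515 escaping: a login name typed by the user must not be able to change
    // the search filter (LDAP injection).
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the application areas the user may see, or null when login fails.
    public static string[] Authenticate(string loginName, string password, string lookupPassword)
    {
        // An empty password would turn the user bind into an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(loginName) || string.IsNullOrEmpty(password)) return null;

        string userDn;
        var groups = new List<string>();
        using (LdapConnection lookup = Connect(LookupDn, lookupPassword))
        {
            string filter = "(&(objectClass=user)(userPrincipalName=" + EscapeFilter(loginName) + "))";
            var request = new SearchRequest(Partition, filter, SearchScope.Subtree, "memberOf");
            var response = (SearchResponse)lookup.SendRequest(request);
            if (response.Entries.Count != 1) return null;       // unknown or ambiguous login

            SearchResultEntry entry = response.Entries[0];
            userDn = entry.DistinguishedName;
            if (entry.Attributes.Contains("memberOf"))
                foreach (object g in entry.Attributes["memberOf"].GetValues(typeof(string)))
                    groups.Add((string)g);
        }

        // The user's own bind is the password check; a disabled AD LDS account fails here too.
        try { using (Connect(userDn, password)) { } }
        catch (LdapException) { return null; }

        var areas = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string g in groups)
        {
            string[] allowed;
            if (AreasByGroup.TryGetValue(g, out allowed))
                foreach (string a in allowed) areas.Add(a);
        }
        return new List<string>(areas).ToArray();
    }
}
```

In the site this would sit behind the login page (or inside a custom MembershipProvider/RoleProvider), and the returned area list drives which menu items and pages are rendered. Two design points matter for the HIPAA/FERPA goal stated in the question: the lookup account only reads, and the user's own bind, over TLS, is the only thing that proves the password; and the filter escaping keeps a login name such as `*)(objectClass=*` from widening the search. Because the groups live in the AD LDS partition, ADAMSync has to carry both the users and their group memberships across from the in-house AD for memberOf to be populated.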
