Solved

Subdomain in an isolated network?

Posted on 2013-06-19
4
289 Views
Last Modified: 2013-07-02
Greetings Experts,

I have a design question regarding Active Directory and I have not had much luck with Google searches.

My organization currently has all domain controllers on our company wide network. Environment is 2008 R2.

We have a single, isolated network (facilities network) that contains all of our facilities type door access servers and equipment. This facilities network does have a DMZ that talks to the general network - typical ASA firewall in-between.

A new door access application we want to implement is AD integrated. We can integrate with AD and employees who maintain the application can log in with AD credentials. Problem is setting up a subdomain on the isolated network and finding a way for it to replicate with domain controllers on the general network.

Has anyone had any experience with a configuration like this? Perhaps a dual-NIC domain controller with encrypted communication through the DMZ?

If anyone can assist and/or point me to a good document resource, let me know.

Thanks!
0
Comment
Question by:yccdadmins
4 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
Have you thought about an RODC in the DMZ, in your same domain (not a child or sub-domain scenario)?

Good white paper with lots of info below:

http://www.microsoft.com/en-us/download/details.aspx?id=3957

Thanks

Mike
0
 
LVL 7

Expert Comment

by:Ned Ramsay
You shouldn't run two NICs on a DC as best practice, although I know plenty that do.
Wouldn't it make more sense to have the security system multi-homed with tight restrictions on the firewall so only the DC can talk to it through the firewall?

Just thinking of an "ease of use" setup.
0
 
LVL 8

Expert Comment

by:vinsvin
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches.

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller

An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
0
 

Author Comment

by:yccdadmins
Completely forgot about the Read Only DC - thanks guys! I'm investigating now. What I need to find out is:

1. This network segment needs its own domain controller. I'm looking for what ports I will have to allow through the firewall so the RODC can talk to the DC.

2. Can all communication between this RODC and the DC it communicates with on the outside of the firewall be encrypted? I'm sure it can but haven't looked for how yet.

3. In accordance with standards - this private segment of the network should really be a subdomain - to kind of match DNS zones. The domain is something like network.edu and we would be creating private.network.edu. Would I have to create the subdomain on the outside of the private network and then have the read only on the inside?

I'm hoping that someone has done this and has some good info on any gotchas etc.
0
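To answer the first point in the comment above (which ports the firewall must pass between an RODC on the isolated segment and a writable DC on the general network), here is an added PowerShell check that is not part of this thread or from any of the posters. It probes the well-known TCP ports Active Directory uses from a domain controller toward a writable DC, so it can be run from the facilities segment before the RODC is promoted. The DC name `dc01.network.edu` is a placeholder; the script uses only .NET sockets so it also works on the Windows Server 2008 R2 / PowerShell 2.0 era this thread describes.

```powershell
# Added example (not from the thread): verify that the TCP ports an RODC needs to reach a
# writable domain controller are open through the facilities firewall.
$WritableDc = 'dc01.network.edu'   # placeholder: the writable DC on the general network

# Well-known TCP ports AD uses between domain controllers. UDP 53/88/123 (DNS, Kerberos,
# time sync) are also needed but are not probed here because a UDP probe gives no reliable answer.
$Ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (replication setup)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    # Open a TCP connection with a timeout; a completed handshake means the firewall passes the port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in ($Ports.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $p
        Service = $Ports[$p]
        Open    = Test-TcpPort -Target $WritableDc -Port $p
    }
}
$results | Format-Table Port, Service, Open -AutoSize

# Blocked ports are the ones to raise with whoever manages the ASA before promoting the RODC.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked toward {0}: {1}" -f $WritableDc, (($blocked | ForEach-Object { $_.Port }) -join ', '))
}
```

Two things the port table cannot show: actual replication traffic is RPC that, after contacting the endpoint mapper on 135, moves to a dynamic high port (TCP 49152-65535 on Windows Server 2008 and later), so the firewall must either allow that range from the RODC to the writable DC or the NTDS service on the writable DC must be pinned to a fixed replication port (the "TCP/IP Port" value under its Parameters registry key), which is the usual choice for a DMZ rule set. On the second point in the comment, DC-to-DC replication RPC already runs with packet-privacy authentication, so it is encrypted in transit without extra configuration; once the RODC is promoted, `repadmin /replsummary` run on the writable DC confirms inbound replication from it is healthy.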
