Solved

Subdomain in an isolated network?

Posted on 2013-06-19
4
310 Views
Last Modified: 2013-07-02
Greetings Experts,

I have a design question regarding Active Directory and I have not had much luck with Google searches.

My organization currently has all domain controllers on our company wide network.  Environment is 2008 R2.

We have a single, isolated network (facilities network) that contains all of our facilities type door access servers and equipment.  This facilities network does have a DMZ that talks to the general network - typical ASA firewall in-between.

A new door access application we want to implement is AD integrated.  We can integrate with AD and employees who maintain the application can log in with AD credentials.  Problem is setting up a subdomain on the isolated network and finding a way for it to replicate with domain controllers on the general network.

Has anyone had any experience with a configuration like this?  Perhaps a dual-NIC domain controller with encrypted communication through the DMZ?

If anyone can assist and or point me to a good document resource let me know.

Thanks!
Question by:yccdadmins
4 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 39260922
Have you thought about an RODC in the DMZ, in your same domain (not a child or sub-domain scenario)

Good white paper with lots of info below:

http://www.microsoft.com/en-us/download/details.aspx?id=3957

Thanks

Mike
0
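The point of Mike's suggestion is that an RODC placed in the DMZ limits what an attacker gains by compromising a domain controller on the less-trusted facilities segment: the RODC only ever holds the password hashes that its Password Replication Policy (PRP) allows it to cache, and everything else is forwarded to a writable DC. The policy is what makes the design safe, so it is worth setting deliberately rather than leaving at the defaults. The following script is an added example (not from the thread or the white paper) using the ActiveDirectory module that ships with Windows Server 2008 R2; the RODC name "DMZ-RODC01", the group "DoorAccess-Admins" (the employees who maintain the door-access application) and the service account "svc-dooraccess" are assumed names.

```powershell
# Added example, not part of the original thread.
# Assumed names: RODC "DMZ-RODC01", group "DoorAccess-Admins",
# service account "svc-dooraccess". Run from a writable DC or an
# admin workstation with the AD module (needs ADWS on a 2008 R2 DC).
Import-Module ActiveDirectory

$rodc = "DMZ-RODC01"

# Only these principals may have their password hashes cached on the RODC.
# Anyone not explicitly allowed (and anyone in the Denied list) is
# authenticated by forwarding to a writable DC, so their secrets never
# sit on the box in the DMZ.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList "DoorAccess-Admins", "svc-dooraccess"

# The default "Denied RODC Password Replication Group" already covers the
# built-in privileged groups; adding them explicitly makes the intent
# visible to whoever audits the policy later.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList "Domain Admins", "Enterprise Admins", "Schema Admins"

# Review the effective policy.
"--- Allowed to cache on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, objectClass
"--- Denied from caching on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, objectClass

# What is actually cached right now. If the RODC is ever compromised,
# this is the list of accounts whose passwords must be reset, so keep
# an eye on it: a surprise entry here means the PRP is too wide.
"--- Passwords currently revealed to $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass
```

The Allowed list should contain only accounts that genuinely need to log on when the writable DC is unreachable; the accounts of the people administering the door-access application are a reasonable set, Domain Admins are not. The RevealedAccounts query is also the answer to "what did we lose?" in an incident involving that server.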
 
LVL 7

Expert Comment

by:Ned Ramsay
ID: 39261078
You shouldn't run two NICs on a DC as best practice, although I know plenty that do.
Wouldn't it make more sense to have the security system multi-homed with tight restrictions on the firewall so only the DC can talk to it through the firewall?

Just thinking of an "ease of use" setup.
0
 
LVL 8

Expert Comment

by:vinsvin
ID: 39261606
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches.

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

  • Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
  • DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
  • Password protection: A malicious user won’t be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
  • Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller

  • An RODC holds all Active Directory objects and attributes.
  • RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
  • If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
0
 

Author Comment

by:yccdadmins
ID: 39266027
Completely forgot about the Read Only DC - thanks guys!  I'm investigating now.  What I need to find out is:

1.  This network segment needs its own domain controller.  I'm looking for what ports I will have to allow through the firewall so the RODC can talk to the DC.

2. Can all communication between this RODC and the DC it communicates with on the outside of the firewall be encrypted?  I'm sure it can but haven't looked for how yet.

3.  In accordance with standards - this private segment of the network should really be a subdomain - to kind of match DNS zones.  The domain is something like network.edu and we would be creating private.network.edu.  Would I have to create the subdomain on the outside of the private network and then have the read only on the inside?

I'm hoping that someone has done this and has some good info on any gotchas etc.....
0
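On the three follow-up questions, a few facts and a check. Replication to an RODC is pulled by the RODC, so the firewall only has to permit connections initiated from the DMZ RODC towards a writable DC on the inside (plus whatever the RODC needs for Kerberos, LDAP referrals and password forwarding, which go in the same direction). Directory replication runs over RPC with Kerberos authentication and RPC packet privacy, so it is encrypted by default; the firewall's job is only to allow the right ports. The awkward part is that RPC uses a dynamic port range (TCP 49152-65535 on 2008 R2) unless you pin it: the NTDS replication port is fixed with the REG_DWORD "TCP/IP Port" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, and the DFSR port used for SYSVOL with `dfsrdiag StaticRPC /port:<n>`, which lets you open single ports instead of the whole range. On the third question, an AD child domain is not a security boundary (the forest is), so a private.network.edu child would not isolate the facilities segment any better than the same-domain RODC Mike suggested, and a DNS zone for the segment can be delegated without creating a domain for it. The script below is an added example, not from the thread, to run on the DMZ host before promoting it; "DC01.network.edu" and the pinned port 50000 are assumed values.

```powershell
# Added example, not part of the original thread. Run on the DMZ host
# that will become the RODC. Assumed: writable DC "DC01.network.edu",
# NTDS RPC port pinned to 50000 via the registry key named above.
# Works on PowerShell 2.0 (Windows Server 2008 R2); no RSAT required.
$dc = "DC01.network.edu"

# Ports the RODC must reach on a writable DC. Direction is DMZ -> inside
# only; nothing on the inside needs to initiate connections to the RODC.
$required = @(
    @{ Port = 53;    Proto = "TCP/UDP"; Why = "DNS, if the RODC forwards to inside DNS" },
    @{ Port = 88;    Proto = "TCP/UDP"; Why = "Kerberos" },
    @{ Port = 123;   Proto = "UDP";     Why = "NTP time sync" },
    @{ Port = 135;   Proto = "TCP";     Why = "RPC endpoint mapper" },
    @{ Port = 389;   Proto = "TCP/UDP"; Why = "LDAP (UDP = CLDAP DC locator pings)" },
    @{ Port = 445;   Proto = "TCP";     Why = "SMB (SYSVOL, netlogon)" },
    @{ Port = 464;   Proto = "TCP/UDP"; Why = "Kerberos password change" },
    @{ Port = 636;   Proto = "TCP";     Why = "LDAPS (optional)" },
    @{ Port = 3268;  Proto = "TCP";     Why = "Global catalog" },
    @{ Port = 3269;  Proto = "TCP";     Why = "Global catalog over SSL (optional)" },
    @{ Port = 50000; Proto = "TCP";     Why = "NTDS replication RPC (assumed pinned; default is dynamic 49152-65535)" }
)

# TCP connect test with a timeout, so a silently dropping firewall does
# not hang the script for the full TCP connect timeout on every port.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($r in $required) {
    if ($r.Proto -eq "UDP") {
        # A connectionless protocol cannot be probed reliably from here;
        # check these rules on the ASA itself (or with a packet capture).
        "{0,-8} {1,-5} not tested (UDP)   {2}" -f $r.Proto, $r.Port, $r.Why
        continue
    }
    $state = if (Test-TcpPort -Target $dc -Port $r.Port) { "OPEN" } else { "BLOCKED" }
    "{0,-8} {1,-5} {2,-18} {3}" -f $r.Proto, $r.Port, $state, $r.Why
}
```

Run it again after promotion whenever the ASA rule set changes; an RODC that loses its path to a writable DC keeps answering logons for the accounts in its PRP cache and silently fails everything else, which looks like an application fault rather than a firewall one. Remember that the door-access application's own LDAP or Kerberos traffic to the RODC stays inside the facilities network and needs no rule through the ASA.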
