Randal Balduff

DC, AD and DNS....

I am a controls engineer with a server ready to set up for our production floor machines.  It is already set up as an ESXi 6.5 based machine.   Mostly it is being used as a license server and interface for the controls team for outside access.  We have access to all of the Server Enterprise installations.
We have a wide range of Windows flavors: CE, XP, Win 7, Win10.  Our Maintenance network (running as a VLAN) is accessible to EVERYONE in our company from Georgia to Spain to China and all plants in between.  We have plans to run a physically separate network but need a solution that will work in both scenarios (VLAN and physical) and will bridge the 2 while the network is being implemented, seamlessly (within reason).

My question is this:
Is it possible to have a DC set up a group policy for JUST our portion of the network so WE are in control of the access to our devices?  And which version of Windows Server, or multiple instances, would be best to accomplish what I need?  We have a folder structure on our PC based machines that needs to be accessible to our server and .bat file operations (backup processes).  ALL IPs are static so we will NOT need DHCP on the VLAN; we DO have DHCP on the local portions of our machines (NATed out to the VLAN).

We just went through a month of hell with WannaCry attacking our vulnerable computers that were, up until we ended up with it, thought to be isolated from the network.
Andy Bartkiewicz

Yes, you can either group the computers together by OUs or security groups and apply different policies.
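As an added illustration of the OU approach (example code, not posted by Andy or part of the thread): carve out a dedicated OU for the floor machines, move them in, and link a GPO to that OU alone, so domain-wide policies from the rest of the company do not reach it. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, the OU name "ControlsFloor", the GPO name "Controls Floor Baseline", and the computer names, which are all constructed for the example.

```powershell
# Added example, not from the thread. Assumed names: OU "ControlsFloor",
# group "Controls-Admins", GPO "Controls Floor Baseline", computer names below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'ControlsFloor'
$ouDN     = "OU=$ouName,$domainDN"

# 1. Create the OU once, protected from accidental deletion
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the floor machines into the OU (constructed computer names)
$floorPCs = 'PRESS-HMI-01', 'PRESS-HMI-02', 'LICENSE-SRV-01'
foreach ($pc in $floorPCs) {
    $c = Get-ADComputer -Identity $pc -ErrorAction SilentlyContinue
    if ($c) { Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN }
}

# 3. A security group for the controls team; delegate control of the OU to it
#    afterwards (Delegation of Control wizard or dsacls) so only this team edits it
New-ADGroup -Name 'Controls-Admins' -GroupScope Global -GroupCategory Security -Path $ouDN -ErrorAction SilentlyContinue

# 4. Create the GPO and link it to this OU only. Blocking inheritance stops
#    policies linked at the domain level from flowing down (links marked
#    "Enforced" higher up still apply, so check those with the domain admins).
$gpo = Get-GPO -Name 'Controls Floor Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'Controls Floor Baseline' -Comment 'Settings for production floor machines only'
}
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue
Set-GPInheritance -Target $ouDN -IsBlocked Yes

# 5. One concrete setting for this GPO: turn off the SMBv1 server on the
#    Windows 7+ machines in the OU (the protocol WannaCry spread over).
#    XP and CE cannot apply this; they keep needing SMBv1 and stay a segmentation job.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 0

# 6. Verify what is linked to the OU and whether inheritance is blocked
$inh = Get-GPInheritance -Target $ouDN
$inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
```

Run it as a user who has rights to create OUs and GPOs; after the move, `gpupdate /force` on a floor machine followed by `gpresult /r` shows whether only the OU-linked policy applied. Security filtering on the GPO (Get-GPPermission / Set-GPPermission) is the alternative when you would rather group by security group than by OU, as the answer mentions.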
Randal Balduff
ASKER
I understand we can do that, and as long as I do not allow the group to hit the main AD I should not have a problem?  Which version of server would best fit all of the windows versions we have (From CE, XP to win10)?
None, you should upgrade any computers that aren't running at least Windows 7. XP hasn't had support in years; I would consider all those machines compromised at this point. I would segment those machines immediately until you can replace/upgrade them so they can't interact with your other machines.
I would normally agree that these machines should be upgraded, and we have a plan to do this in about 5 years....There are 8 of these machines running together on a press system that uses TwinCAT with a Siemens version of HMI, which when we tried to do an upgrade to a newer version of just the HMI portion, gave us well over 500 errors.  It is an all-or-nothing upgrade and unfortunately, to spend the millions required is out of budget in the short term.  I am looking into a Win7 based machine that I can use but have not been able to get it to work correctly and nicely with any of the other XP devices ...yet.  It is more complicated than just replacing an XP machine with Win7.  It is used in an industrial setting, which has not been keeping up with the IT world until recently with IIoT.  This was the main reason for my original post, to be able to set up some sort of gatekeeper, using NAT and whitelisting to prevent access to "local" networks through a NAT or gatekeeper PC, to keep our local networks (factory manufacturing systems) from being hit or accessed by anyone outside of our plant, including the global VLAN we are forced to be a part of.
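For the gatekeeper/whitelisting idea in the post above, here is an added example (not from the thread, not the asker's setup) of what the host-firewall side of that PC could look like: default-deny inbound on the VLAN-facing adapter, with narrow allow rules for the controls team's admin hosts and for the floor machines that need the backup share. It assumes the gatekeeper runs Windows 10 or Server 2012+ (the NetSecurity module is not available on Windows 7), and the subnet, host addresses and adapter names are all constructed placeholders.

```powershell
# Added example, not from the thread. Assumed/constructed values:
#   floor-side subnet 192.168.50.0/24, admin jump hosts 10.20.30.10 and .11,
#   VLAN-facing adapter "Ethernet 2", floor-facing adapter "Ethernet 1".
Import-Module NetSecurity

$floorNet   = '192.168.50.0/24'
$adminHosts = @('10.20.30.10', '10.20.30.11')
$vlanIf     = 'Ethernet 2'
$floorIf    = 'Ethernet 1'

# Default-deny inbound on all profiles, log what gets dropped. Outbound stays
# open so license checks and backup jobs initiated from the gatekeeper still work.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Whitelist: only the admin hosts may reach RDP and SMB on the VLAN side
New-NetFirewallRule -DisplayName 'Controls: RDP from admin hosts' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminHosts -InterfaceAlias $vlanIf
New-NetFirewallRule -DisplayName 'Controls: SMB from admin hosts' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -RemoteAddress $adminHosts -InterfaceAlias $vlanIf

# Explicit block rules for legacy NetBIOS ports on the VLAN side. Block rules
# take precedence over allow rules, so these stay closed even if someone later
# adds a broad "allow any" rule by mistake.
New-NetFirewallRule -DisplayName 'Controls: block NetBIOS TCP from VLAN' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 139 -InterfaceAlias $vlanIf
New-NetFirewallRule -DisplayName 'Controls: block NetBIOS UDP from VLAN' -Direction Inbound -Action Block `
    -Protocol UDP -LocalPort 137, 138 -InterfaceAlias $vlanIf

# Floor side: the XP/Win7 machines may reach the backup share on the gatekeeper
# (the .bat backup processes), and nothing else inbound from that network.
New-NetFirewallRule -DisplayName 'Controls: SMB from floor network' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -RemoteAddress $floorNet -InterfaceAlias $floorIf

# Review the resulting rule set
Get-NetFirewallRule -DisplayName 'Controls:*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

This only covers the gatekeeper host itself; the NAT between the two adapters and the floor machines' own exposure are separate pieces. The log file it enables is worth watching after WannaCry-style incidents: repeated blocked connections to TCP/445 from VLAN addresses are exactly the pattern you would expect from a worm still scanning the company network.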