Re: AD across multiple campuses

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

I recommend they use site-site vpn tunnels, mpls or some other private
links as you specified for securied entry points for the A/D replicatoin
and communication.  I see no reason off the top of my head that the
addressing scheme must change to accomodate this.  You can also then focus
your security at the tunnel points and permit only the desired traffic. 
Restricting the traffic is relatively straightforward execept Microsoft
uses a lot of ports and some of the most dangerous ones are the one's
you'll have to allow.  That's why you need Layer7 security and the entry
and exit points where the traffic is decrypted.
In A/D once you have the physical links in place, you can essentially tell
ActiveDirectory how these links connect (A/D Sites and Services) and setup
the replication links to communicate with servers on the other side. 

If the other campuses already have separate domains, you can simply setup
trusts to allow them to comunicate and authenticate between each other. 
(Gotta admit, I wouldn't want that nightmare on my hands because if the
other campuses have their own IT staff you're all dependent upon the
competence of other administrators to some degree not to pollute their
system and replicate that traffic.  If you use a single forest with one
domain, one staff would probably have to take control of the highest level
to avoid lower admins from wiping out major portions or from making
changes where they shouldn't.

I don't wholsale recommend it, but there's nothing stopping you
conceptually from natting your Domain controllers to unique external ip
addresses and only allowing them to communicate outside your firewall in
the clear with specified source addresses (ex, your partner institutions).
 Of course, this leaves some exposure to spoofing and other wire-based
intrusions like sniffing.  

Good luck.

D/C

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> We are again revisiting a "single forest" integration of AD across
> multiple campuses in the system, and the inevitable pros/cons and issues
> are starting to roll in.  I'm interested in any information / pointers /
> feedback / suggestions from other sites that have done or tried this
> approach.  Specifically with regard to routing/addressing and overall
> security (not just the AD components)...
>
> Each campus is essentially a separate network entity now, no private
> links / leased lines / hocus-pocus.  We have our individual internet[2]
> providers.
>
> Most sites are using RFC-1918 addresses internally, to varying degrees,
> some are required to (lack of public IPs).  The RFC-1918 space currently
> overlaps.
>
> Each site will have it's own domain (tree?) but there is a desire for
> cross-site replication and redundancy of domain controllers.
>
> The current "desire" from the design group (I'm certainly no AD guru,
> I'm network/security) states that each user on each campus must have a
> globally unique IP address, such that "any" user at "any" campus can
> authenticate to "any" of the domain controllers.  Some us will have to
> renumber our 1918 space, but it is doable.  Private links (either
> leased, site-to-site VPN, or MPLS-provider private vlans) have been
> proposed to route the AD client/domain traffic within the system. 
>
> Having survived Blaster, Slammer, Nachi, Conficker (so far), and other
> network nightmares exploiting Microsoft infrastructure in the past, I'm
> very concerned about having one big flat system-wide routed domain. 
>
> Restricting the "private" links to "only" AD-related traffic seems
> troublesome as well (firewalls, policy routing, etc), but perhaps not
> insurmountable.  There is a great deal of existing inter-campus traffic
> (operating through traditional NAT/firewalls) for centralized SAP/R3,
> video traffic, distance learning, distributed printing, and other
> cases.  Much of this is freely intermixed on networks that would also
> have AD clients/servers. 
>
> Is all of this really necessary to provide the desired result?  Is
> anyone doing this over "the public internet" ?
>
> Can DC-to-DC replication happen across NAT, without all this other
> infrastructure/exposure?
>
> Can client-to DC authentication happen across NAT?
>
> Is there some way to keep the existing site network/routing autonomy?
>
> Jeff Kell
> University of Tennessee at Chattanooga