Educause Security Discussion mailing list archives
Re: AD across multiple campuses
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Sun, 22 Feb 2009 15:01:06 -0500
Thanks for pointing this out. I should have clarified. I viewed the link (tunnels, or direct link) between any given two sites as a *routed* private segment, probably as small as a /30 subnet, but that depends on the relationship you need between the schools to some degree. In either case, all you do is take a given set of domain controllers and do an outbound NAT on their individual ip addresses to whatever new public ip you want. Tell them the route to the other school's server is through the tunnel and when they send their traffic that way, your NAT device wraps the traffic to a public ip based on the source address. The only requirement is that the other firewall at the other end trusts that ip you've NATed your internal domain controller to. It must allow traffic from that ip to pass through to their domain controllers and then NAT their own traffic back to a public ip you trust and forward to your internal DCs. The main things you'd have to do are 1) select a group of public ips that can be routed a different way from internal domain controllers so that you can do the NAT (usually with firewalls) and 2) select a group of new public IPs for the replication traffic that does not overlap between all the schools. You could have one big network or a series of /30's between each school. This way no one has to change their internal ip architecture. (Recall you can NAT public or private IPs). I should also clarify that the gwy addresses in the tunnels need not be public, only the domain controllers. So each school would need at least one new ip for each domain controller to pull it off unless you started doing port-based NAT translation (NAT-overload) or something like that, which I would not recommend in this scenario. To be honest, the more I think about it, if you use private links, there's really no reason you have to use real public IPs for the domain controllers.
You'd just have to select an addressing model that is not currently used in the other organizations. With respect to figuring out what A/D needs in terms of ports, etc, there's the Microsoft published list, plus all the other stuff they actually require. Some of it you'll probably have to find by logging with a deny policy right below your allow policy of everything you knew about up front and see what the deny policy is failing on, unless you want to start with a fully trusted model.

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:

On 02/20/09 14:11, Dexter Caldwell wrote:
I recommend they use site-site vpn tunnels, mpls or some other private links as you specified for secured entry points for the A/D replication and communication. I see no reason off the top of my head that the addressing scheme must change to accommodate this.

If the RFC1918 addresses really do overlap in some areas, as the original post indicated, then those overlapping addresses will need to be renumbered. Otherwise, two different hosts in two different sites will appear to have the same address to your DCs. What you really need is something along the lines of ULAs, but I don't want to get into *that* debate.

michael
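The addressing plan Dexter describes (a reserved, non-overlapping range for the translated domain controller addresses and /30 links between schools) and the overlap problem Michael raises can both be checked mechanically before anyone touches a firewall. The following is an added example, not code from anyone on this thread; the campus names, the RFC1918 ranges, the DC addresses and the replication pool are all constructed sample data, and the split of the pool into a DC-address half and a /30-link half is this example's own convention.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the thread): each campus's existing
# RFC1918 ranges and the internal addresses of its domain controllers.
# "north" and "south" deliberately reuse 10.0.0.0/16 and even the same DC address,
# which is exactly the overlap case the thread is about.
CAMPUSES = {
    "north": {"internal": ["10.0.0.0/16", "192.168.1.0/24"], "dcs": ["10.0.1.10", "10.0.1.11"]},
    "south": {"internal": ["10.0.0.0/16", "172.16.0.0/20"], "dcs": ["10.0.1.10"]},
    "east": {"internal": ["10.50.0.0/16"], "dcs": ["10.50.5.5"]},
}


def find_overlaps(campuses):
    """Return (campus_a, net_a, campus_b, net_b) for every pair of overlapping internal ranges."""
    hits = []
    for (a, ca), (b, cb) in combinations(campuses.items(), 2):
        for na in ca["internal"]:
            for nb in cb["internal"]:
                if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                    hits.append((a, na, b, nb))
    return hits


def plan_replication_addressing(campuses, pool):
    """Build the NAT and trust plan for a replication overlay carved from `pool`.

    Returns (nat_map, links, trust):
      nat_map: (campus, internal_dc_ip) -> unique translated address
      links:   (campus_a, campus_b) -> /30 point-to-point subnet for that tunnel
      trust:   campus -> translated peer-DC addresses its firewall must admit
    Raises ValueError if the pool collides with any campus's existing ranges,
    since the whole scheme depends on the pool being unused everywhere.
    """
    pool = ipaddress.ip_network(pool)
    for name, c in campuses.items():
        for net in c["internal"]:
            if pool.overlaps(ipaddress.ip_network(net)):
                raise ValueError(f"pool {pool} overlaps {name} range {net}; pick another")

    # Example convention: first half of the pool holds one address per DC,
    # second half is carved into /30 links, one per campus pair.
    dc_net, link_net = pool.subnets(prefixlen_diff=1)
    dc_hosts = dc_net.hosts()
    link_subnets = link_net.subnets(new_prefix=30)

    nat_map = {}
    for name, c in campuses.items():
        for dc in c["dcs"]:
            # Keyed by (campus, ip): the same internal IP can legitimately exist at two campuses.
            nat_map[(name, dc)] = str(next(dc_hosts))

    links = {}
    for a, b in combinations(campuses, 2):
        links[(a, b)] = str(next(link_subnets))

    # Each firewall only needs to admit the translated addresses of *other* campuses' DCs.
    trust = {}
    for name in campuses:
        trust[name] = sorted(addr for (peer, _), addr in nat_map.items() if peer != name)
    return nat_map, links, trust


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(CAMPUSES):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    nat_map, links, trust = plan_replication_addressing(CAMPUSES, "10.200.0.0/24")
    for key, addr in nat_map.items():
        print(f"NAT {key[0]} {key[1]} -> {addr}")
    for pair, net in links.items():
        print(f"link {pair[0]}-{pair[1]}: {net}")
    for campus, peers in trust.items():
        print(f"{campus} firewall admits: {', '.join(peers)}")
```

Running it with the sample data reports the north/south collision on 10.0.0.0/16, hands each of the four DCs its own address in 10.200.0.0/25, and gives each of the three campus pairs a /30 from 10.200.0.128/25; asking for a pool that sits inside an existing range (say 10.0.200.0/24) is refused.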
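Dexter's suggestion for discovering the ports A/D actually needs (an explicit allow policy for the known ports, a logging deny rule directly beneath it, then reading what the deny rule catches) is straightforward to turn into a tally. This is an added example, not code from the thread; the log line format, the rule names `allow-ad` and `deny-log`, the addresses and the ports are all constructed for illustration and will need adapting to whatever your firewall actually emits. The one design point worth noticing is that it keeps denied traffic from the trusted peer-DC addresses (candidates for a missing allow rule) separate from denies coming from anything else, which should stay denied rather than being added to the allow list just because they showed up in the log.

```python
import re
from collections import Counter

# Constructed sample log lines (not real firewall output); the format is an assumption.
# 10.200.0.3 and 10.200.0.4 stand in for the translated addresses of peer-campus DCs;
# 203.0.113.9 is an unrelated outside host that also tripped the deny rule.
SAMPLE_LOG = """\
Feb 22 14:01:02 fw1 rule=allow-ad src=10.200.0.3 dst=10.0.1.10 proto=tcp dport=389
Feb 22 14:01:03 fw1 rule=deny-log src=10.200.0.3 dst=10.0.1.10 proto=tcp dport=49155
Feb 22 14:01:03 fw1 rule=deny-log src=10.200.0.3 dst=10.0.1.10 proto=tcp dport=49155
Feb 22 14:01:05 fw1 rule=deny-log src=10.200.0.4 dst=10.0.1.11 proto=udp dport=123
Feb 22 14:01:06 fw1 rule=deny-log src=203.0.113.9 dst=10.0.1.10 proto=tcp dport=445
Feb 22 14:01:08 fw1 rule=deny-log src=10.200.0.4 dst=10.0.1.10 proto=tcp dport=135
"""

# Translated addresses of the other schools' DCs that this firewall is meant to trust.
TRUSTED_PEER_DCS = {"10.200.0.3", "10.200.0.4"}

DENY_RULE = "deny-log"
LINE = re.compile(
    r"rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse(log):
    """Yield one dict per parseable line; lines that don't match the assumed format are skipped."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry


def denied_from_peers(log, trusted):
    """(proto, dport) -> hit count for deny-rule matches whose source is a trusted peer DC.

    These are the gaps in the up-front allow policy that Dexter expects to find.
    """
    counts = Counter()
    for e in parse(log):
        if e["rule"] == DENY_RULE and e["src"] in trusted:
            counts[(e["proto"], e["dport"])] += 1
    return dict(counts)


def denied_from_others(log, trusted):
    """(src, proto, dport) -> hit count for deny-rule matches from any untrusted source.

    Reported separately so nobody loosens the policy for traffic that was never
    supposed to reach the DCs in the first place.
    """
    counts = Counter()
    for e in parse(log):
        if e["rule"] == DENY_RULE and e["src"] not in trusted:
            counts[(e["src"], e["proto"], e["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("denied from trusted peer DCs (review and add to the allow policy if legitimate):")
    for (proto, port), n in sorted(denied_from_peers(SAMPLE_LOG, TRUSTED_PEER_DCS).items()):
        print(f"  {proto}/{port}: {n}")
    print("denied from other sources (leave denied):")
    for (src, proto, port), n in sorted(denied_from_others(SAMPLE_LOG, TRUSTED_PEER_DCS).items()):
        print(f"  {src} {proto}/{port}: {n}")
```

On the sample lines the peer-DC tally surfaces tcp/135 (the RPC endpoint mapper), a high TCP port in the dynamic RPC range and udp/123, while the tcp/445 attempt from 203.0.113.9 lands in the second list and stays blocked. Which of the first group belong in the allow policy is still a human decision made against the published port list.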