Educause Security Discussion mailing list archives

Re: AD across multiple campuses


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Sun, 22 Feb 2009 15:01:06 -0500

Thanks for pointing this out.  I should have clarified.  I viewed the link
(tunnels, or direct link) between any given two sites as a *routed*
private segment, probably as small as a /30 subnet, but that depends on
the relationship you need between the schools to some degree.  In either
case, all you do is take a given set of domain controllers and do an
outbound NAT on their individual IP addresses to whatever new public IP
you want.  Tell them the route to the other school's server is through the
tunnel and when they send their traffic that way, your NAT device wraps
the traffic to a public IP based on the source address.  The only
requirement is that the firewall at the other end trust that IP
you've NATed your internal domain controller to.  It must allow traffic
from that IP to pass through to their domain controllers and then NAT
their own traffic back to a public IP you trust and forward to your
internal DCs.  The main things you'd have to do are 1) select a group of
public IPs that can be routed a different way from internal domain
controllers so that you can do the NAT (usually with firewalls) and 2)
select a group of new public IPs for the replication traffic that does not
overlap between all the schools.

You could have one big network or a series of /30's between each school.
This way no one has to change their internal IP architecture.  (Recall you
can NAT public or private IPs.)  I should also clarify that the gateway
addresses in the tunnels need not be public, only the domain controllers.
So each school would need at least one new IP for each domain controller
to pull it off unless you started doing port-based NAT translation
(NAT overload) or something like that, which I would not recommend in this
scenario.  To be honest, the more I think about it, if you use private
links, there's really no reason you have to use real public IPs for the
domain controllers.  You'd just have to select an addressing model that
is not currently used in the other organizations.

With respect to figuring out what A/D needs in terms of ports, etc.,
there's the Microsoft published list, plus all the other stuff they
actually require.  Some of it you'll probably have to find by logging with
a deny policy right below your allow policy of everything you knew about
up front and seeing what the deny policy is failing on, unless you want to
start with a fully trusted model.

D/C


The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
On 02/20/09 14:11, Dexter Caldwell wrote:
I recommend they use site-site VPN tunnels, MPLS or some other private
links as you specified for secured entry points for the A/D replication
and communication.  I see no reason off the top of my head that the
addressing scheme must change to accommodate this.

If the RFC1918 addresses really do overlap in some areas, as the
original post indicated, then those overlapping addresses will need to
be renumbered.  Otherwise, two different hosts in two different sites
will appear to have the same address to your DCs.  What you really need
is something along the lines of ULAs, but I don't want to get into
*that* debate.

michael
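
As an added illustration of the addressing constraints discussed in this thread (not code from the list, from Dexter, or from any school), a small Python check that gives each domain controller a one-to-one NAT address from its school's pool, flags the pool overlaps the replies warn about, and lists which translated addresses each remote firewall has to trust. The school names, internal ranges, DC addresses and the 192.0.2.0/24 pools are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed sample: two schools whose internal RFC1918 space collides
# (both use 10.0.0.0/16 and both have a DC at 10.0.0.10), plus the
# distinct /28 each one picked for 1:1 NAT of its DCs toward the tunnel.
SCHOOLS = {
    "school-a": {"internal": "10.0.0.0/16", "dcs": ["10.0.0.10", "10.0.0.11"],
                 "nat_pool": "192.0.2.0/28"},
    "school-b": {"internal": "10.0.0.0/16", "dcs": ["10.0.0.10"],
                 "nat_pool": "192.0.2.16/28"},
}


def build_nat_plan(schools):
    """Map each DC to a fixed address from its school's pool.
    Returns ({school: {internal_dc: translated_ip}}, [problems])."""
    plan, problems = {}, []
    nets = {n: ipaddress.ip_network(s["internal"]) for n, s in schools.items()}
    pools = {n: ipaddress.ip_network(s["nat_pool"]) for n, s in schools.items()}
    for name, s in schools.items():
        hosts = list(pools[name].hosts())
        if len(s["dcs"]) > len(hosts):
            problems.append(f"{name}: pool {pools[name]} too small for {len(s['dcs'])} DCs")
            continue
        # one new address per DC, as the post requires (no NAT overload)
        plan[name] = {dc: str(hosts[i]) for i, dc in enumerate(s["dcs"])}
    # translated ranges must not overlap each other ...
    for a, b in combinations(pools, 2):
        if pools[a].overlaps(pools[b]):
            problems.append(f"NAT pools overlap: {a} {pools[a]} / {b} {pools[b]}")
    # ... nor any school's internal space, or the far side cannot route them distinctly
    for pname, pool in pools.items():
        for nname, net in nets.items():
            if pool.overlaps(net):
                problems.append(f"{pname} pool {pool} overlaps {nname} internal {net}")
    return plan, problems


def remote_allow_rules(plan):
    """Per site: the translated DC addresses of every other school that its
    firewall must permit through to its own DCs (the trust the post describes)."""
    return {site: sorted(ip for other, m in plan.items() if other != site
                         for ip in m.values())
            for site in plan}
```

Internal addresses can collide across schools without breaking the plan; only the translated pools have to be unique.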
