Agree, isolating by site is often confused with requiring a
separate subnet and thus extra efforts on the networking infrastructure. That’s
actually not the case. You can create your AD site and just assign it a
32-bit masked IP address as the subnet – if the other sites are properly
configured, this will ensure that no client will try to leverage the DC in this
special site.
Realize that a separate site doesn’t take care of the generic
DC lookups performed by clients (e.g. when they join the domain or when all DCs
in their site fail) – however, adjusting the priorities in DNS and
configuring the DNS mnemonics appropriately for the DC in the special site will
also take care of this extra challenge (should be described in the Exchange
Server Site doc for which Brian previously provided the link).
/Guido
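The site-based approach Guido sketches above, carried through as an added PowerShell example (this is not code from the thread or from any Microsoft document it links). It assumes a site name 'Exchange-DCs', a DC 'DC-EXCH01' at 10.0.0.50, a domain 'corp.example', the default site link 'DEFAULTIPSITELINK', PowerShell remoting to the DC, and the RSAT ActiveDirectory module; the list of Netlogon DNS mnemonics is the documented DnsAvoidRegisterRecords set minus the site-specific (*AtSite) and replication (DsaCname, DcByGuid) records, which is my choice of what to suppress:

```powershell
# Added example (not from the thread). Puts one DC into a dedicated AD site whose only
# subnet is the DC's own /32, then stops it registering the generic (site-less) SRV
# records, so ordinary clients neither map to its site nor fall back to it.
Import-Module ActiveDirectory

$SiteName  = 'Exchange-DCs'        # assumed
$DcName    = 'DC-EXCH01'           # assumed
$DcAddress = '10.0.0.50'           # assumed
$Domain    = 'corp.example'        # assumed

# 1. New site, kept on the existing site link so replication still flows to it.
New-ADReplicationSite -Name $SiteName
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $SiteName }

# 2. The only subnet in the site is the DC's own address. No client IP matches a /32
#    that is not its own, so site-aware DC lookups never return this site.
New-ADReplicationSubnet -Name "$DcAddress/32" -Site $SiteName

# 3. Move the server object; Netlogon re-registers the site-specific SRV records
#    under the new site name the next time it starts.
Move-ADDirectoryServer -Identity $DcName -Site $SiteName

# 4. Generic (non-site) SRV records are what a client uses when it has no site, or when
#    every DC in its own site is down. Suppress them on this DC and lower its preference
#    for anything it still registers (LdapSrvPriority: lower value = preferred, default 0).
#    Mnemonics are the documented DnsAvoidRegisterRecords names; *AtSite, DsaCname and
#    DcByGuid stay registered so replication partners and Exchange can still find it.
$Suppress = @(
    'Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'GenericGc', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)
Invoke-Command -ComputerName $DcName -ScriptBlock {
    param($Suppress)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -Value $Suppress -Type MultiString
    Set-ItemProperty -Path $key -Name LdapSrvPriority -Value 200 -Type DWord
    Restart-Service Netlogon   # Netlogon deregisters the suppressed records on restart
} -ArgumentList (,$Suppress)

# 5. Verify from any domain member: the generic SRV set must not list this DC, and a
#    lookup for the main site must still return one of the ordinary DCs.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object NameTarget -like "$DcName*"           # expect no output
nltest /dsgetdc:$Domain /site:Default-First-Site-Name   # expect a DC other than DC-EXCH01
```

If any suppressed record lingers in the _msdcs zone after the Netlogon restart, delete it by hand once; Netlogon will not re-create it. Because the site's only subnet is the DC itself, the Exchange servers that are meant to use this DC have to be told about it explicitly (a static DC/GC list in Exchange, or their own addresses added as further subnets of the site); otherwise they too will ignore it.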
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC
Yeah, I didn't mean to sound so
negative.... it just seems like isolating by site (which is a logical, not
physical barrier) is a more holistic solution which provides the isolation
required, while allowing the DCs to continue to potentially (in an emergency
situation) perform the duties of user authentication without having to change
anything.
The IPSec solution just seems like serious overkill that's unnecessary.
On 9/13/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:
I thought his original request was to make sure that no other
client talks to the isolated server except those permitted.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
Isolating via site will still
leave the DC available in case of emergencies (your authentication DCs go
down), whereas IPSec makes them completely unavailable for any purposes for
clients. I've actually never heard of anyone doing this and would
consider it a very bad idea unless you have significant redundancy in your
'normal' environment.
BTW, from a Microsoft presentation a little over a year ago, they have 4
Exchange server sites, only 1 of them (Redmond) isolates their DCs from
authentication and reserves it for Exchange, the other 3 use their Exchange (a
*very* DC/GC intensive app) servers for authentication also.
Site is only a logical separation. IPSec might as well be a physical
barrier. Unless there is a serious reason why you would rather have none
of your clients to be able to authenticate instead of authenticating against
these DCs (as I said, in case of an emergency), then you should probably avoid
putting an IP filter on these boxes. If you isolate via site, then the
only way that clients are going to authenticate against them is if all DCs are
down in their site, which since you're a single physical site org, means that
all of the authentication DCs are down, which is probably a more serious
problem than "OMG, a (gasp) *user* authenticated against my application
DC".
On 9/13/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:
Thanks to all for the responses.
This (isolating via ipsec) is probably the right direction for me.
We're a single site, single domain at a single physical location, but
the idea of building another site isn't appealing from a "keep it
simple" perspective.
Are there any technical reasons why a separate site would be better than
isolation through IPSec? Will I cause clients/apps, who initially don't
know they are denied, delays when they try to access the ipsec isolated
DC?
Bryan Lucas
Server Administrator
Texas Christian University
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC
Akomolafe, Deji wrote:
> I highly recommend that you read
http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a specific
> server or network using IPSec.
>
I think what you're referring to is the excellent "Server and Domain
Isolation using IPSec" content, at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
If all you're looking for is host-based firewalling, however,
there's other content online that'll explain this a little more
concisely, such as this presentation from the Virginia Tech Windows
Users Group:
http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22
And also "Using IPSec to Lock Down a Server" from technet..
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx
Hope that helps!
- James.
--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/
~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
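The host-based filtering alternative that the IPsec "lock down a server" links above describe, shown as an added PowerShell example using Windows Firewall with Advanced Security (the built-in successor to the 2006 IPsec filter policies). This is not code from the thread or from the linked documents; it assumes the DC is 'DC-EXCH01', that the Exchange servers are 10.0.0.21 and 10.0.0.22, the other DCs 10.0.0.10 and 10.0.0.11, and a management host 10.0.0.5, and that it is run on the DC itself:

```powershell
# Added example (not from the thread). Default-deny inbound on the DC and scope every
# inbound allow rule to an explicit host list, so only Exchange, the other DCs and a
# management host can reach it. Everyone else is silently dropped (the behaviour Matt
# warns about: the DC is then unusable as an emergency fallback for clients).
$Allowed = @('10.0.0.21', '10.0.0.22',   # Exchange servers (assumed)
             '10.0.0.10', '10.0.0.11',   # other DCs: replication, KCC, DFSR (assumed)
             '10.0.0.5')                 # management host (assumed)

# Default-deny inbound on all profiles; outbound stays open so the DC can still
# replicate, resolve DNS and reach its partners.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Predefined AD DS / DNS / RPC / Kerberos rules ship with RemoteAddress=Any and would
# readmit everyone. Scope each enabled inbound allow rule to the list. Core Networking
# (ICMPv6 neighbour discovery, DHCP) is left alone; it exposes no directory service.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object DisplayGroup -ne 'Core Networking' |
    Set-NetFirewallRule -RemoteAddress $Allowed

# Audit: no enabled inbound allow rule outside Core Networking may still be open to Any.
function Get-UnscopedInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object DisplayGroup -ne 'Core Networking' |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
}
Get-UnscopedInboundRules | Select-Object DisplayName    # expect no output

# From a host not on the list the DC now looks dead rather than refusing: SYNs and LDAP
# pings are dropped, so a client that still resolves this DC in DNS waits out the DC
# locator timeouts before moving on. Check from such a host:
#   Test-NetConnection -ComputerName DC-EXCH01 -Port 389   # TcpTestSucceeded : False
```

This answers Bryan's delay question in practice: the delay only arises for clients that are still handed this DC by DNS, so the filter is best paired with the DnsAvoidRegisterRecords setting so that unlisted clients never resolve it in the first place.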