Possible to access DC in remote site via IPSec VPN?
Friday, November 16, 2012 6:37 PM
Hello,
Is it possible to access DC [ Windows 2008 ] in another site via IPSec VPN?
Limitations are:
Cannot add any additional DC in the new site.
Cannot create a child domain.
Can add a DNS server. Please suggest.
All Replies
Friday, November 16, 2012 6:56 PM
Yes it is possible.
Your IPSEC would have to include the client and the DC information; both would need to be part of the same domain, and the right ports and protocols would need to be opened on your network.
If you use Windows Firewall, that too will have to be taken into account. Once the IPSEC tunnel is created between point A and point B, everything you want to accomplish should be good to go. The biggest problem people run into is configuring the IPSEC setup and applying it the right way.
Friday, November 16, 2012 7:07 PM (Moderator)
When you say access, are you talking about RDP? You can, and you can also run replication point to point via IPSec to really lock things down.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
Friday, November 16, 2012 7:57 PM
I would suggest going to the link below. It is Microsoft's step-by-step guide to configuring IPSEC. If you are using a third-party appliance like Cisco's ASA, then I suggest you consult the third-party vendor's website for official documentation.
http://technet.microsoft.com/en-us/library/bb742429.aspx
Friday, November 16, 2012 8:07 PM
See the link below too, on DC promotion with IPsec.
Active Directory Replication Over Firewalls (en-US)
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls-en-us.aspx
http://support.microsoft.com/kb/816514
Best Regards,
Sandesh Dubey.
MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Saturday, November 17, 2012 1:33 AM
Yes, RDP, but not just RDP: NTP sync, domain user authentication, Windows domain-level sharing access, etc.
In my scenario I would be using Juniper firewalls and a site-to-site IPSec pre-shared-key-based VPN tunnel.
Saturday, November 17, 2012 1:57 AM
Once you have established the IPSEC tunnel you can have anything and everything travel through it. As stated earlier, the configuring of IPSEC is what normally causes headaches for admins.
Saturday, November 17, 2012 6:25 AM
Agreed. IPSec is configured and we are able to reach servers in both sites.
I am curious to know the topology: how authentication, LDAP and Kerberos requests will contact the DC in the remote site.
I have 2 more sites and I want to make failover DC connections.
Scenario: Site C is the pinpoint where I won't be having any DCs.
Sites A and B both have DCs and DNS servers in place.
My goal would be to ensure that if connectivity between site C and A or B fails, authentication should find the other DC. OSPF, something like that.
Saturday, November 17, 2012 4:02 PM
Once your DCs form a complete IPSEC tunnel, the DCs will act just like they would outside the tunnel. ALL AD protocols used travel within the tunnel, transparent to the admin and user. If you tracked the network packets you would only see protocols 500 and 50/51; that is the IPSEC tunnel. As regards what you want, it is a reality; DCs will need a constant connection because of the replication AD/DNS does. If you do not replicate with the other DCs you will have inconsistencies in your AD infrastructure. So with that pointed out, if you have your domain set up right the failover will succeed; however, once you have the tunnel up and operational you do want to schedule a failover test during low manpower to verify the success and fix the failures if any happen.
Saturday, November 17, 2012 8:19 PM
See the links below on how Domain Controllers are located:
Domain Controller Locator: an overview
http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx
How is your DNS configured? Is it AD integrated? I would recommend configuring the site C DNS server with the AD role and configuring Sites and Services accordingly.
Refer to the links below for Active Directory Sites and Services:
http://technet.microsoft.com/en-us/library/cc730868.aspx
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml
If DNS is not AD integrated then I would recommend configuring it as AD integrated; there are benefits to it.
http://technet.microsoft.com/en-us/library/cc737383(v=ws.10).aspx
How To Convert DNS Primary Server to Active Directory Integrated
http://support.microsoft.com/kb/816101
Also, if one of the sites' SC goes down and there is no network connectivity issue to the other site, then the DC in the other site will be used. You need to properly configure the DNS settings on the DNS servers and clients as below and map the client subnets to the appropriate AD sites.
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
Also, the required ports should be open for AD communication:
Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
There's some info on FSMOs and what would happen if any specific FSMO is down for any length of time, permanently or temporarily.
Active Directory FSMO Roles Explained and What Happens When They Fail and Why you may not be able to keep a DC up once roles were seized.
http://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx
Hope this helps.
Best Regards,
Sandesh Dubey.
MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked As Answer by Arthur_LiMicrosoft Contingent Staff, Moderator Thursday, November 29, 2012 6:13 AM
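As an added illustration of the DC locator behaviour this answer points to (constructed example code, not from the thread, Microsoft, or any linked article): a simplified Python model of how a client in a site with no DC of its own (site C) is mapped to an AD site by subnet, queries the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` SRV records (which automatic site coverage causes the nearest site's DCs to register), and falls back to the domain-wide `_ldap._tcp.dc._msdcs.<domain>` records when no covering DC answers, for example because the IPSec tunnel to site A is down. The domain `corp.example`, the subnets, the DC names and the `reachable` callback are all made up; a real client would learn its site from a DC's LDAP ping response rather than from a local subnet table.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: AD Sites and Services subnet objects -> site names.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "SiteA",
    "10.2.0.0/16": "SiteB",
    "10.3.0.0/16": "SiteC",   # the site with no DCs of its own
}

# Constructed SRV data: record name -> [(priority, weight, port, target)].
SrvRecord = Tuple[int, int, int, str]
SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.SiteA._sites.dc._msdcs.corp.example": [(0, 100, 389, "dc1.corp.example")],
    "_ldap._tcp.SiteB._sites.dc._msdcs.corp.example": [(0, 100, 389, "dc2.corp.example")],
    # Automatic site coverage: SiteA's DC (lowest site-link cost) also registers for SiteC.
    "_ldap._tcp.SiteC._sites.dc._msdcs.corp.example": [(0, 100, 389, "dc1.corp.example")],
    # Domain-wide records, consulted when the site-specific ones give no usable DC.
    "_ldap._tcp.dc._msdcs.corp.example": [(0, 100, 389, "dc1.corp.example"),
                                          (0, 100, 389, "dc2.corp.example")],
}


def site_for_client(ip: str, subnets: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def ordered_targets(records: List[SrvRecord]) -> List[str]:
    """Lowest priority first, then highest weight (deterministic, no random weighting)."""
    return [target for _, _, _, target in sorted(records, key=lambda r: (r[0], -r[1]))]


def locate_dc(client_ip: str, domain: str, reachable: Callable[[str], bool],
              srv: Dict[str, List[SrvRecord]] = SRV) -> Optional[str]:
    """Site-specific SRV lookup first, domain-wide fallback second; first DC that answers wins."""
    names: List[str] = []
    site = site_for_client(client_ip)
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        for target in ordered_targets(srv.get(name, [])):
            if reachable(target):          # stands in for the CLDAP "LDAP ping" on UDP 389
                return target
    return None                            # no DC answered: logon falls back to cached credentials
```

Running `locate_dc("10.3.4.5", "corp.example", lambda dc: dc != "dc1.corp.example")` models the tunnel to site A being down: the SiteC-covering record points at dc1, it does not answer, and the domain-wide records hand the client dc2 in site B.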