Active Directory on Public IP, possible?

  • Active Directory on Public IP, possible?

    Hi All,

I'm very new to Active Directory. Please pardon me if this question is really dumb.

The following is what I have set up.

    1. There are 2 servers.

    2. Both connected to the Internet with Public IP address.

    3. Server 1 - Active Directory

    4. Server 2 - Exchange Server

The following is what I want to do.

    1. Connecting Server 2 to Server 1's AD/DC

May I know if that is possible?

    David Loke

  • #2
    Re: Active Directory on Public IP, possible?

    I think you should review your setup.

    Add a router to the equation and take your AD infrastructure OFF a public IP.

To answer your question: yes, you can add server 2 to server 1's AD.

    Do you want to add it as a member or a domain controller?



    • #3
      Re: Active Directory on Public IP, possible?

      Hi!

Really appreciate your fast response. I'm actually trying to set up the following:

      http://www.psoft.net/HSdocumentation...hange_3_5.html

With regards to your question, I don't know whether I should set it up as a member or a DC, but by the look of it, it should be just a member.

There are some more questions which I hope to verify.

1. Will the router be set up to map 2 public IPs to 2 internal IPs, or is it only required to map 1 public IP to an internal IP for the Exchange server, with AD remaining on an internal IP only?

e.g.
      Server 1 - AD/DC
      Public IP - 202.x.x.2
      Mapped to - 192.168.x.2

      Server 2 - Exchange Server
      Public IP - 202.x.x.3
      Mapped to - 192.168.x.3

2. If AD/DC is also installed with Windows DNS, will it still work if AD/DC (Server 1) is on an internal IP?

      Any response is really appreciated!

      Thanks!



      • #4
        Re: Active Directory on Public IP, possible?

        Hi,

I've solved my problem. It's all because of the firewall. I've turned it off and it works now. But this leads me to another question...

May I know which ports Active Directory uses? How do I protect my server in this case? AD is actually on the public Internet.

Please advise.
David Loke



        • #5
          Re: Active Directory on Public IP, possible?

Not good leaving your AD infrastructure on an external IP address.

          DNS will still work using an internal address. I have all my DNS servers pointing to my ISP's DNS for forwarders.

          I really must recommend getting your AD off the external interface and onto the internal.



          • #6
            Re: Active Directory on Public IP, possible?

Please give me your public IP address.
Just kidding.


1. For a start, enable your firewall again ASAP!
2. Make a drawing of your situation and post it here.
3. Make a drawing of your wishes.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"



            • #7
              Re: Active Directory on Public IP, possible?

              Hi!

Thanks for your advice =) I also fully agree with what you said, that is, to bring AD into the internal network. However, may I know how I do that? Connecting to an internal IP and yet able to get DNS to work? My AD is actually a PDC. May I know if there is any documentation which I can follow to do this?

              Thanks for any advice!
              David Loke



              • #8
                Re: Active Directory on Public IP, possible?

                Originally posted by dihuei
Thanks for your advice =) I also fully agree with what you said, that is, to bring AD into the internal network. However, may I know how I do that? Connecting to an internal IP and yet able to get DNS to work? My AD is actually a PDC. May I know if there is any documentation which I can follow to do this?
DNS will work behind NAT and a firewall without opening any ports (as long as you didn't delete the Root Hints). But I too forward all queries that are outside my domain to the ISP. The only port you would need to open is 25 and forward it to your Exchange server... unless of course you have other services besides SMTP, i.e. OWA, website, POP, etc.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Re: Active Directory on Public IP, possible?

                  Originally posted by JeremyW
DNS will work behind NAT and a firewall without opening any ports (as long as you didn't delete the Root Hints).
Depending on your firewall, it's possible you need to open UDP port 53.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"



                  • #10
                    Re: Active Directory on Public IP, possible?

                    Originally posted by Dumber
Depending on your firewall, it's possible you need to open UDP port 53.
                    Whoops, you're right. I'm used to having a rule that lets everything from the trusted network through.
                    Thanks
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com



                    • #11
                      Re: Active Directory on Public IP, possible?

Granted you won't need all these ports, but this is a list of the common ports used in an AD environment:

RPC endpoint mapper - 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service - 137/tcp, 137/udp
NetBIOS datagram service - 138/udp
NetBIOS session service - 139/tcp
RPC dynamic assignment - 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) - 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) - 389/tcp
LDAP ping - 389/udp
LDAP over SSL - 636/tcp
Global catalog LDAP - 3268/tcp
Global catalog LDAP over SSL - 3269/tcp
Kerberos - 88/tcp, 88/udp
Domain Name Service (DNS) - 53/tcp, 53/udp
Windows Internet Naming Service (WINS) (you might not need this) - 1512/tcp, 1512/udp
WINS replication (if required) - 42/tcp, 42/udp
(Sorry, I don't have the KB article, just have note pages of stuff I use for reference...)

You might also require others depending on the services required, like SQL connections and what-not...

What capabilities does your firewall have? What model? I (unfortunately) have a Fortinet 500-A/200/60 and can create secure PPTP tunnels. You can maintain AD control at remote sites and still push policies with the tunnel... and since it's the firewall, it's low resources on the servers...

How close together are your servers?

One problem I encountered with a remote domain member without a tunnel is the minute I edited the default server policy... well, it took two weeks, but the gpupdate finally ran (I have no clue why, low latency that morning) and it took down the web server. Had I had an active tunnel for AD, that wouldn't have happened. Instead it was just what you described... a domain server with a public IP. Never got hacked, but still was a pain to figure out in 10 minutes...
It's easier to beg forgiveness than ask permission.
                      Give karma where karma is due...
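The port list above is only useful if you can check which of those services a domain controller is actually exposing on its public address. The script below is an added example for this thread, not code from any post in it: it parses the output of `netstat -an` on a Windows host (a constructed sample is embedded, it is not a real capture), tags each listening socket with the AD service from the list above, and flags any that are reachable from a non-internal address. Wildcard binds (`0.0.0.0` and `[::]`) count as exposed when the host has any public address, which is the situation described in this thread; `203.0.113.2` is a documentation-range stand-in for the `202.x.x.2` in post #3, and the host address list is an assumed input you would take from `ipconfig`.

```python
"""Audit a Windows `netstat -an` listing for AD service ports reachable on a
public address.  Added example for this thread, not code from any post in it."""
import ipaddress
import re
from dataclasses import dataclass

# (proto, port) -> service, taken from the port list in post #11.
# The 1024-65535/tcp RPC dynamic range is handled in classify() below.
AD_PORTS = {
    ("tcp", 135): "RPC endpoint mapper", ("udp", 135): "RPC endpoint mapper",
    ("tcp", 137): "NetBIOS name service", ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB over IP", ("udp", 445): "SMB over IP",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP ping",
    ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "Global catalog LDAP", ("tcp", 3269): "Global catalog LDAP over SSL",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 1512): "WINS", ("udp", 1512): "WINS",
    ("tcp", 42): "WINS replication", ("udp", 42): "WINS replication",
}

# Ranges treated as "internal": RFC 1918, loopback, link-local, IPv6 unique-local.
# Anything else is assumed reachable from the Internet.  (Deliberately not
# ipaddress.is_global, which also excludes documentation ranges like 203.0.113.0/24.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
WILDCARDS = {"0.0.0.0", "::"}   # bound on every interface, public ones included

# Matches data rows of `netstat -an`; UDP rows have no State column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    service: str
    is_ad: bool      # port is on the AD list above
    exposed: bool    # reachable from a non-internal address


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_listeners(netstat_text: str):
    """Yield (proto, local_addr, port) for each listening TCP and each UDP socket."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, blank lines
        proto, local, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue                      # ESTABLISHED/TIME_WAIT rows are not listeners
        host, _, port = local.rpartition(":")   # handles "[::]:636" and "0.0.0.0:88"
        yield proto, host.strip("[]"), int(port)


def classify(proto: str, port: int):
    """Return (service name, is_ad) for a socket."""
    if (proto, port) in AD_PORTS:
        return AD_PORTS[(proto, port)], True
    if proto == "tcp" and 1024 <= port <= 65535:
        return "unclassified, inside RPC dynamic range 1024-65535/tcp", False
    return "unclassified", False


def audit(netstat_text: str, host_addrs):
    """Classify every listener; host_addrs are the host's own interface addresses."""
    host_has_public = any(not is_internal(a) for a in host_addrs)
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        service, is_ad = classify(proto, port)
        exposed = host_has_public if addr in WILDCARDS else not is_internal(addr)
        findings.append(Listener(proto, addr, port, service, is_ad, exposed))
    return findings


def exposed_ad_listeners(netstat_text: str, host_addrs):
    return [f for f in audit(netstat_text, host_addrs) if f.is_ad and f.exposed]


# Constructed sample, not a real capture.  203.0.113.2 stands in for the
# thread's public 202.x.x.2; 192.168.10.2 is the assumed internal address.
SAMPLE_HOST_ADDRS = ["203.0.113.2", "192.168.10.2"]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.10.2:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.2:49153      0.0.0.0:0              LISTENING
  TCP    203.0.113.2:389        203.0.113.77:51234     ESTABLISHED
  TCP    [::]:636               [::]:0                 LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    203.0.113.2:88         *:*
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == "__main__":
    for f in exposed_ad_listeners(SAMPLE_NETSTAT, SAMPLE_HOST_ADDRS):
        print(f"EXPOSED {f.proto}/{f.port:<5} on {f.addr:<12} {f.service}")
```

Run it against the sample and six AD services come back exposed (Kerberos, LDAP, SMB and DNS on the wildcard binds, LDAPS on `[::]`, and Kerberos/UDP bound directly to the public address); the NetBIOS session listener on `192.168.10.2` is not flagged because it is only bound to the internal address. Re-running with `host_addrs=["192.168.10.2"]`, i.e. after the DC has been moved behind the router as the thread recommends, leaves only the socket still explicitly bound to the old public address, which is the kind of leftover this check is meant to catch.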
