AD DC setup in perimeter network

  • AD DC setup in perimeter network

    I’m trying to determine the best method to set up two Active Directory domain controllers in our production environment. Our main concerns are having redundancy and scalability.

    We have the standard perimeter network setup: a DMZ with web servers and a private network with database servers. Each network uses a different subnet, separated by a Cisco firewall.

    We have a server connecting to a SAN in the DMZ which we need to cluster to provide redundancy. We also eventually want to cluster our database servers. This requires both networks to have access to the DC. In order to provide redundancy we want to install two DCs.

    Option 1:
    Our original intent was to put both DCs on the private side and have the DMZ servers connect through the firewall, similar to how the web servers connect to the database servers.

    Option 2:
    I recently read that Microsoft recommends putting a DC in both networks and building a trust over the firewall to reduce cross-network AD traffic.

    Which option would be best, or is there a better option I'm missing? Option 1 requires more AD traffic to go through the firewall, and I'm not sure if there are DNS issues as both subnets use different IP ranges. However, to keep redundancy in Option 2, wouldn't this require two DCs in each network, requiring four DCs in total? Also, wouldn’t this present security issues?

    Any insight into this setup would be appreciated. Thanks.

  • #2
    Re: AD DC setup in perimeter network

    DC setup in perimeter network <---

    I would advise against that... but that's your call.

    I would think that you could utilize two network cards,...

    or just set up the NATs and policies correctly.

    I don't have a quick answer, I just don't think it's a great idea to put your DCs in a DMZ.
    It's easier to beg forgiveness than ask permission.
    Give karma where karma is due...


    • #3
      Re: AD DC setup in perimeter network

      Thanks for your response; we have decided not to put the AD server into the DMZ. We’re trying to find the right NAT and policy settings, so far no luck.

      I assume by "utilize two network cards" you’re referring to connecting the AD server directly to the cluster server. Doesn’t this present a security issue, as the DMZ server would have complete access to the AD server?


      • #4
        Re: AD DC setup in perimeter network

        Just wondering whether you can get away without authenticating directly against AD, but using some sort of proxy mechanism similar to the one described here:

        As for DMZ-ed DCs, those cannot be behind DNAT (SNAT is OK) and have to be fully routable from the internal network's point of view.
        For port requirements see:
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
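
The two practical points in this thread are #4's remark that a DC must be routable as-is (no DNAT) and the original poster's Option 1, which sends DMZ-to-DC traffic through the firewall. The Python below is an added example written for this page, not code from any of the posters or from Microsoft: it mimics the DC locator (SRV lookup, then A lookup) against constructed zone data for a hypothetical domain `corp.example`, flags any DC whose DNS-registered address is not inside a prefix the DMZ can reach without translation, and lists the firewall allow rules Option 1 would need. The port list is an abbreviated well-known set, not the full port-requirements document the post refers to; the addresses and prefixes are constructed.

```python
"""Added example: can the DCs a DMZ host discovers through DNS be reached
without address translation, and what does Option 1 need opened on the firewall?

All DNS data, addresses and prefixes are constructed for illustration.  The
port list is abbreviated and well known; it is not the full Microsoft
port-requirements list the post links to.
"""
import ipaddress

# Ports a domain member needs to reach on a DC (abbreviated).  Windows Server
# 2008 and later also use the dynamic RPC range for Netlogon/SAM and replication.
DC_PORTS = [
    (53, "tcp/udp", "DNS"),
    (88, "tcp/udp", "Kerberos"),
    (123, "udp", "NTP (W32Time)"),
    (135, "tcp", "RPC endpoint mapper"),
    (389, "tcp/udp", "LDAP"),
    (445, "tcp", "SMB (SYSVOL, Netlogon)"),
    (464, "tcp/udp", "Kerberos password change"),
    (636, "tcp", "LDAPS"),
    (3268, "tcp", "Global Catalog LDAP"),
    (3269, "tcp", "Global Catalog LDAPS"),
    ("49152-65535", "tcp", "RPC dynamic range"),
]

# Constructed zone data for the hypothetical domain corp.example: the DC
# locator SRV record and the A records the DCs registered for themselves.
SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs.corp.example": ["dc1.corp.example", "dc2.corp.example"],
}
A_RECORDS = {
    "dc1.corp.example": "10.10.0.11",
    "dc2.corp.example": "10.10.0.12",
}


def locate_dcs(domain, srv_records, a_records):
    """Mimic the DC locator: SRV lookup, then an A lookup for each target host.
    Returns a list of (hostname, IPv4Address) pairs in SRV order."""
    targets = srv_records.get(f"_ldap._tcp.dc._msdcs.{domain}", [])
    return [(host, ipaddress.ip_address(a_records[host]))
            for host in targets if host in a_records]


def unreachable_dcs(dcs, routable_prefixes):
    """Return the DCs whose DNS-registered address is outside every prefix the
    DMZ can route to as-is.  A DNAT rule does not rescue these: clients connect
    to the address DNS handed them, and Kerberos/LDAP referrals name DCs that
    resolve to the same untranslated addresses.  That is why post #4 says a DC
    must be fully routable and may only sit behind SNAT."""
    nets = [ipaddress.ip_network(p) for p in routable_prefixes]
    return [(host, ip) for host, ip in dcs if not any(ip in n for n in nets)]


def required_rules(dmz_prefix, dcs):
    """Firewall allow rules for Option 1: DMZ hosts -> each DC on the AD ports.
    Each rule is (source prefix, destination ip, port, protocol, service)."""
    return [(dmz_prefix, str(ip), port, proto, svc)
            for _, ip in dcs for port, proto, svc in DC_PORTS]


if __name__ == "__main__":
    dcs = locate_dcs("corp.example", SRV_RECORDS, A_RECORDS)
    # Case 1: the firewall routes the DMZ to the private server subnet untranslated.
    print("routed untranslated:", unreachable_dcs(dcs, ["10.10.0.0/24"]))      # []
    # Case 2: the DMZ only sees a translated 192.168.50.0/24 view of the DCs.
    print("behind DNAT:", unreachable_dcs(dcs, ["192.168.50.0/24"]))          # both DCs
    for rule in required_rules("172.16.1.0/24", dcs):
        print(rule)
```

The second case is the one #4 warns about: the DCs register 10.10.0.x in DNS, so a DMZ host that can only reach a translated 192.168.50.x view never gets a usable address, no matter how the DNAT is written. Keeping the private subnet routable from the DMZ (with the firewall restricting it to the listed ports and to the DC addresses only) is what Option 1 actually requires.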