Encrypting AD Traffic Between Domain Controllers

  • Encrypting AD Traffic Between Domain Controllers

    Hello,

    We are looking at how we can encrypt AD traffic between our domain controllers. Our PDC is using Network Address Translation behind a firewall, and we have a couple of other DCs off site set up this way also. We also have a couple of DCs not behind firewalls on public IPs, and we want to encrypt all AD traffic since it will be broadcasting across a public network. Any suggestions would be greatly appreciated. Thank you.

  • #2
    Re: Encrypting AD Traffic Between Domain Controllers

    Errr, place firewalls and configure a site-to-site VPN?
    Although the traffic might be encrypted, the servers are still exposed to the Internet.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Encrypting AD Traffic Between Domain Controllers

      Thank you for the reply. We have firewalls in place and we are using NAT, but the kicker is they want to have some type of encryption when the DCs RPC to each other. So they wanted to use IPsec, but that will not work with a NAT IP address from what I was told. We have looked at a VPN setup, but the trouble is that if for some reason the VPN goes down it will take the whole domain down, the way the network is set up. My thoughts are, since these are 2008 R2 DCs, they use Kerberos for RPC and that is encrypted from the research I have done. Does anyone know if this is true or not?



      • #4
        Re: Encrypting AD Traffic Between Domain Controllers

        VPNs are encrypted and shouldn't bring the domain down. If that were the case, I think many of my customers would have huge issues whenever, for whatever reason, the VPNs are disconnected. But yes, you need a good design. Replicating AD over the internet would for me be a no-go in any way.

        Anyhow, if you really, really want to do this, then I would suggest you start reading about IPsec.
        Some examples:
        http://support.microsoft.com/kb/254949
        http://support.microsoft.com/kb/240262
        http://technet.microsoft.com/en-us/l.../bb727063.aspx
        http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
        Marcel

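One way to carry out Marcel's IPsec suggestion, as an added example that is not from any poster in this thread: a Windows Firewall with Advanced Security connection-security rule (netsh, present on 2008 R2) requiring Kerberos-authenticated ESP between two DCs, staged so a failed negotiation cannot take replication down, plus the NAT-traversal setting behind the "IPsec won't work with NAT" objection. The addresses and naming context are constructed placeholders; on each DC, endpoint2 is the peer's address as seen from that DC (its NAT public address where NAT applies).

```batch
@echo off
:: Added example, not from any poster in this thread: IPsec connection-security
:: rule for DC-to-DC traffic via Windows Firewall with Advanced Security (netsh).
:: The two addresses are constructed placeholders (RFC 5737 ranges). Run on each
:: DC with its own address as endpoint1 and the peer's address as endpoint2.
set DC_LOCAL=192.0.2.10
set DC_REMOTE=198.51.100.20

:: Stage 1: request (not require) IPsec so replication keeps working while you
:: confirm that security associations actually form. auth1=computerkerb uses the
:: machine account's Kerberos ticket, which both DCs already hold. qmsecmethods
:: asks for ESP with SHA-1 integrity and AES-256 encryption (no AH, which NAT
:: breaks); lifetimes are left at the defaults.
netsh advfirewall consec add rule name="DC-to-DC replication" ^
    endpoint1=%DC_LOCAL% endpoint2=%DC_REMOTE% ^
    action=requestinrequestout ^
    auth1=computerkerb ^
    qmsecmethods=esp:sha1-aes256 ^
    profile=any enable=yes

:: If either DC sits behind NAT (the original poster's case), a Windows server
:: only uses NAT-T (UDP 4500) after this value is set (KB926179); 2 allows NAT
:: on both sides. The edge firewall must pass UDP 500 and UDP 4500 to the DC.
:: Reboot (or restart the IPsec Policy Agent service) for it to take effect.
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent ^
    /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f

:: Stage 2: trigger cross-site replication of all naming contexts, then check
:: that main-mode and quick-mode SAs exist for the peer address.
repadmin /syncall /A /e
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

:: Stage 3: only after SAs form in both directions, switch the rule to require
:: IPsec, which makes any unprotected packet between the two addresses drop.
netsh advfirewall consec set rule name="DC-to-DC replication" ^
    new action=requireinrequireout
```

If the quick-mode listing stays empty after Stage 2, leave the rule in request mode and fix the negotiation (Kerberos reachability, UDP 500/4500 through the NAT) before requiring it.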


        • #5
          Re: Encrypting AD Traffic Between Domain Controllers

          For any RPC replication traffic, Kerberos is used for encryption as well as authentication.
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR
