RE: AD replication over WAN

From: Tom Sutherland (tsuther@silver-lake.com)
Date: 01/16/03

    From: Tom Sutherland <tsuther@silver-lake.com>
    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Thu, 16 Jan 2003 10:55:29 -0500
    
    

    Or you can wait till Windows Server 2003, which purportedly can create VPNs
    using IPSEC/L2TP that can traverse NAT. Or did I not read the MS sales
    literature closely enough?

    Tom Sutherland
    silver-lake resources

    -----Original Message-----
    From: Chris Weiscopf [mailto:chris@bamcom.net]
    Sent: Monday, January 13, 2003 12:06 PM
    To: 'Valentine M. Smith'; focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    At the very least you can deploy a site to site VPN using Windows 2000
    Routing and Remote Access Service. Open your LAN routers to pass the VPN
    traffic, set up the site-to-site VPN in RRAS and set a static route in your
    router pointing back to the server to reach the remote network. VPN
    benefits with no additional hardware costs.

    Chris Weiscopf
    MCSE 2000, CCNA, Network+, A+
    Uni-Point, LLC

    -----Original Message-----
    From: Valentine M. Smith [mailto:vmsmith@grokking.org]
    Sent: Thursday, January 09, 2003 6:21 AM
    To: focus-ms@securityfocus.com
    Subject: AD replication over WAN

    Hi,

    I'm looking for some feedback from the community regarding the transfer of
    AD traffic over a public WAN.

    The basic plan is this:

    Single Win 2000 domain spread over two sites in different cities. Each site
    has a perimeter NAT device and is obscuring internal subnets with IP
    addresses provided by a single ISP. No internetwork VPN planned. DNS is
    AD-integrated at both sites. Both DCs are patched to SP3.

    The MS documentation I've consulted indicates that AD replication, and by
    extension, DNS zone information that is AD-integrated is automatically
    encrypted.

    My question: if the data is already encrypted and is passing only across a
    single ISP's network, should one be bothering with a router-router VPN
    tunnel for this traffic? IOW, would setting up such a tunnel for this data
    be redundant/unnecessary or am I missing something important here? Would
    anyone care to comment on the relative safety of AD encryption
    out-of-the-box?

    Thanks in advance for any feedback,

    VS



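A check a defender would want after this exchange, added here as example code (not from any of the posters): given flow records between the two sites' DC addresses, it reports which DC-to-DC traffic is inside a VPN encapsulation and which replication-related services are crossing the WAN outside a tunnel. The flow-line format, the addresses and the port tables are assumptions of the example, not something the thread supplies.

```python
# Added example for this thread (not any poster's code): flag DC-to-DC flows that cross the
# WAN outside a VPN tunnel. Flow-line format and addresses are constructed for illustration.
from collections import defaultdict
# Services AD replication and AD-integrated DNS use between DCs (well-known ports).
REPLICATION_PORTS = {
    ("tcp", 135): "RPC endpoint mapper", ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 445): "SMB (SYSVOL)",
}
# What a site-to-site tunnel looks like on the wire (IPsec/L2TP with NAT-T, or PPTP).
TUNNEL_SIGNATURES = {
    ("esp", None): "IPsec ESP", ("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T",
    ("udp", 1701): "L2TP", ("tcp", 1723): "PPTP", ("gre", None): "GRE",
}

def parse_flow(line):
    """Constructed format: '<proto> <src> <dst> [dport]' -> (proto, src, dst, dport)."""
    parts = line.split()
    dport = int(parts[3]) if len(parts) > 3 else None
    return parts[0].lower(), parts[1], parts[2], dport

def classify(flow, dc_addrs):
    """'tunneled', 'exposed:<service>' or 'other' for DC-to-DC flows; 'unrelated' otherwise."""
    proto, src, dst, dport = flow
    if src not in dc_addrs or dst not in dc_addrs:
        return "unrelated"
    key = (proto, dport if proto in ("tcp", "udp") else None)
    if key in TUNNEL_SIGNATURES:
        return "tunneled"
    if key in REPLICATION_PORTS:
        return "exposed:" + REPLICATION_PORTS[key]
    if proto == "tcp" and dport is not None and dport >= 1024:
        # DRS replication RPC moves to a dynamic high port after the port-135 lookup.
        return "exposed:dynamic RPC"
    return "other"

def audit(lines, dc_addrs):
    """Group flow lines by verdict so the operator sees what left the site in the clear."""
    report = defaultdict(list)
    for line in filter(str.strip, lines):
        report[classify(parse_flow(line), dc_addrs)].append(line.strip())
    return dict(report)

# Constructed sample: site A DC at 203.0.113.10, site B DC at 198.51.100.20 (doc ranges).
DC_ADDRS = {"203.0.113.10", "198.51.100.20"}
SAMPLE_FLOWS = [
    "tcp 203.0.113.10 198.51.100.20 135", "tcp 203.0.113.10 198.51.100.20 49158",
    "udp 198.51.100.20 203.0.113.10 53", "udp 203.0.113.10 198.51.100.20 4500",
    "esp 203.0.113.10 198.51.100.20", "tcp 192.0.2.5 198.51.100.20 80",
]
```

Any "exposed:" entry in the report is a DC-to-DC flow the ISP's network can see as plain RPC/LDAP/DNS metadata regardless of what the replication payload itself does, which is the question the original post raises.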