Domain Controller Help

[AlaDes]

I have set up several domain controllers on a LAN but have absolutely no experience with them when it comes to a WAN. What I am trying to do is set up two domain controllers on one LAN and two more on another LAN. I want to be able to connect them across a WAN, which I have been unable to do. If anyone here has any experience with this, I would appreciate all the help I can get, as I can't find much information on this particular problem. I have looked everywhere on the web and have even been willing to pay for classes pertaining to this, however, the only information I can get on this is concerning a VPN. I understand connecting a client to a domain using a VPN but is this how I would connect a third and fourth domain controller at another physical location using a totally different ISP?

 

[Markverhyden]

Point to point tunneling from one router to the other. Make and model of both the routers?

 

[YeOldeStonecat]

Yup, "Site to Site VPN Tunnel"...performed by the router at each location.
When I do when setting up clients with multiple locations....I create a WAN, Wide Area Network, which creates a start topology with the satellite/branch offices connecting to "mothership"...the main office...utilizing site to site VPN tunnels.
It's preferred to have the same make/model router at each location, that does the VPN tunnel. This way you can more easily manage it, and it's more reliable. Versus if you mix-match a bunch of different brand routers. Also the central office (mothership)...you want the faster internet connection....notably the upload speed, since you're dividing that up into a few VPN tunnels plus the bandwidth consumption of the central office. Also tent to make the router at mothership a higher more powerful model from the firewall vendor. Since it has to muscle multiple VPN connections plus process local traffic.

Examples...
Location A..."Mothership". IP 192.168.10.0/24, 192.168.10.1 as the gateway, and a DC at 192.168.10.11 called DC-A
Location B, first satellite, IP of 192.168.20.0/24, 192.168.20.1 as the gateway, and a DC at 192.168.20.11 called DC-B
Location C, second satellite, IP of 192.168.30.0/24, 192.168.30.1 as the gateway, and a DC at 192.168.30.11 called DC-C

When you're setting up DC-B, you'll want to initially have its primary DNS set as the IP of DC-A..so it can talk to DC-A allowing it to join the domain when first building it. Then once you've done DCPROMO to DC-B, you of course change its primary DNS to itself...192.18.20.11 (or loopback 127.0.0.1 which is the same thing). You "can" put the IP of DC-A as secondary DNS, but if you build out "AD Sites and Services" properly ..defining each site, secondary DNS is not needed, they'll talk to each other (replicate) from the info put into AD Sites and Services.

DHCP at each satellite should just hand out the DNS of the local DC at that satellite.

 

[timeshifter]

Isn’t this the kind of thing where you all would recommend Azure AD and move away from on premise hardware?

 

[YeOldeStonecat]

Isn’t this the kind of thing where you all would recommend Azure AD and move away from on premise hardware?

Heh..."yup". I'm ditching on prem servers as fast as I can.

 

[Sky-Knight]

Screw VPNs, get yourself an overlay.

Also, screw on premise DCs, get yourself AzureAD.

 

[AlaDes]

Great information guys! Actually, I'm using this as an educational lab. I know how to do the VPN tunneling with identical routers, but was just curious if this could be done if two DCs were at different locations facing the net (no routers) could be joined to one another. If so, would you use the built in VPN that Windows Server offers? Not that I would ever do this in a live environment, just curious or my lab.

 

[YeOldeStonecat]

I would not use the built in VPN that Windows has, because you have to forward (open/expose) ports to the internet...and I would never want a Windows computer to have those ports exposed to the internet. I'd have the strong urge to format/reinstall the server on a daily basis due to it being hacked all the time.

The firewalls/routers create the VPN tunnels...thus creating a WAN.
Computers ...located ANY where on that WAN, are connected to each other due to...how the WAN is created. They're all essentially on the same network. Granted..different subnets...but...the router takes care of routing that through the VPN tunnels. Properly configured DNS brings along the name resolution so they see each other.

 

[Sky-Knight]

If I were to do this again I'd use an overlay network. Because then the DCs would have a vSwitch between them they think is a "LAN" connection, but the overlay just requires each one to have an internet connection. Those servers could more around anywhere on the planet, and as long as they could get online that domain would sync.

VPN is just not that flexible. Overlay networking also removes the VPN terminator hardware from the equation entirely.

 

[nlinecomputers]

If I were to do this again I'd use an overlay network. Because then the DCs would have a vSwitch between them they think is a "LAN" connection, but the overlay just requires each one to have an internet connection. Those servers could more around anywhere on the planet, and as long as they could get online that domain would sync.

VPN is just not that flexible. Overlay networking also removes the VPN terminator hardware from the equation entirely.

Define overlay network. I’ve not used this term before.

 

[Markverhyden]

Great information guys! Actually, I'm using this as an educational lab. I know how to do the VPN tunneling with identical routers, but was just curious if this could be done if two DCs were at different locations facing the net (no routers) could be joined to one another. If so, would you use the built in VPN that Windows Server offers? Not that I would ever do this in a live environment, just curious or my lab.

Personally I'd never put any MS product, especially server, directly exposed to the Internet. Meaning it has a public IP and there is no dedicated firewall between it a what's in the wild.

 

[AlaDes]

If I were to do this again I'd use an overlay network. Because then the DCs would have a vSwitch between them they think is a "LAN" connection, but the overlay just requires each one to have an internet connection. Those servers could more around anywhere on the planet, and as long as they could get online that domain would sync.

VPN is just not that flexible. Overlay networking also removes the VPN terminator hardware from the equation entirely.

This is very interesting to me and may be what I am looking for. Although I have heard of the term "overlay network", I never knew what it really entailed. Based on a little bit of research, are you referring to say...running the DC server on a VM and creating virtual switches? As I said before, I would never run a server open to the internet but was just curious as to if it could be done when setting up a domain and DCs.

 

[YeOldeStonecat]

Overlay network is a...software based mesh VPN...like TailScale, or ZeroTier.

I've started playing with them. I'd probably still prefer a hardware based WAN via firewalls doing the site to site VPN tunnels. Versus..a software based VPN that is....also flowing through a cloud service. To me, direct...more hardware based, wins over...all software with many more hops. Thinking about latency, throughput, etc.

Anyone remember "winmodems"? Or....39 dollar network cards versus a good hardware controller based 3COM 905 or better the 3COM 990 NIC?

Either way though, be it older school VPN tunnels, or...mesh VPN (overlay)...you're still creating a wide area network, where each location is securely connected to each other, and can communicate with each other.

But...if I had to set up a WAN again with a server at each location, yeah I'll still take the hardware based approach. But..thankfully those types of jobs are in the old days...behind me.

Diagram below. Each blue object is a router/firewall that establishes a secure VPN tunnel across the internet to the other networks it's set up with. So...computers in each LAN...can securely communicate with each other just like they were all set up in the same room together on the same flat network.

 

[Sky-Knight]

This is very interesting to me and may be what I am looking for. Although I have heard of the term "overlay network", I never knew what it really entailed. Based on a little bit of research, are you referring to say...running the DC server on a VM and creating virtual switches? As I said before, I would never run a server open to the internet but was just curious as to if it could be done when setting up a domain and DCs.

Toss ZeroTier on the DCs and they're now on the same LAN as each other regardless of where they go. Connectivity issues are resolved with a ZeroTier One service restart via the RMM tool, which can be automated and tested.

I do not share Stonecat's concerns about hardware being magically more reliable, and I've seen VASTLY improved performance with ZeroTier since it's based on Wireguard VPN technology, which is several orders of magnitude better than IPSec, and at least one order of magnitude better than OpenVPN.

And if you want to Zero Trust it, apply a policy to ZT that only allows the two servers to communicate with specific protocols and ports. That is a bit more hard mode, but it works well once you get your head around the rule structure. Tailscale is "better" on this front, but it's also much more expensive.

@nlinecomputers That's the new buzz word around what I jokingly refer to as super VPNs. There's a cloud match maker out there that the clients connect to, and there's an authorization process for them to get into the network. But once the magic is all done, each machine gets a NIC on itself that allows it to communicate with the rest of the overlay network as if it's just another local LAN. I use ZeroTier myself, and it means that I can put servers and workstations on the same "LAN" even if they're on the other side of the planet from each other. I can define how they can communicate too, so firewall rules basically.

You need to play with them... because once you do I promise even with the ease of Arista Edge NGFW's OpenVPN module, you'll never use it again. IPSec? SCREW THAT!

@YeOldeStonecat If you REALLY want a hardware devices to do the routing, that's what an rPI is for, tutorials are everywhere.

 

[YeOldeStonecat]

The tools you choose is sorta irrelevant here. It's the picture being drawn, not whether you choose an Intel CPU or an AMD CPU, or an nVidia GPU or AMD GPU.

The OP is trying to envision a concept. Draw a picture in his mind. On how a WAN works. And on how the servers will communicate with each other across this WAN. The picture of how the different subnets at each location are layed out, and how the VPN tunnels connect each site securely. The education of how site to site tunnels of various LANs spread out geographically....allows the computers to communicate securely across public highways of the internet. Creating a WAN via ZeroTier, or router to router VPN tunnels......or....or....isn't the point of the thread. Once the concept is understood, fanbois can continue the debate of which connectivity tool to use. I have used ZeroTier already, has its pluses, and has is minuses. If for some reason I had to step back in time and set up a WAN again I'd wager a pint of Guinness that I'd probably still do it via the routers. (no, no raspberry pi devices for me). Might use ZeroTier instead. But...it's such an unrealistic project for me since I'm all 365 now for clients, I'm not going to think about it anymore.