Ask the Expert

Synching to an AD bridgehead in a DMZ

The scenario is two agencies that need to synch to an AD bridgehead that is living in a DMZ. Agency A (internal to the FW) connects through the FW's DMZ interface to NIC A (199.200.10.10), which has an IP from the same subnet as the FW's DMZ interface. NIC B (10.34.1.5) will have an IP address of Agency B's subnet and NIC B will be connected to Agency B's FW. Can this scenario be accomplished by giving NIC A a default gateway to FW A and NIC B no default gateway? Or would a default route (add route) need to be added to the server for NIC B to be able to talk to the 10.34.1.x network? Can this scenario of dual homing NIC's between two agencies be accomplished at all?

    Requires Free Membership to View

This can be achieved… but there are complications.

The server is using NIC A as the default route (199.200.10.10) and should send its traffic in this direction. NIC B is connected to the other network (10.34.1.5) and will send traffic for that subnet through that network. If there are other subnets in the Agency B's network, you will need to configure permanent routes (route --p ADD [network x.x.x.x] MASK [ mask x.x.x.x] [interface x.x.x.x] ) on the domain controller to make sure that it communicates through the proper NIC. This, however, is not the end of your problems.

The other issue is how do the machines in Agency A's network locate the server as compared to the machines in Agency B. A normal configuration would be to have the domain controller dynamically register the A and SRV (service) records with DNS. However, if you all this to happen the server would register both of the IP address. Thus, you would find that about half the time the servers in Agency A's network would be trying to connect to the Agency B address (NIC B) -- which of course fails. So, there must be a DNS server for Agency A and a separate DNS server for Agency B. First, you will need to disable the dynamic registration of the DNS entries on one of the interfaces. This is done via the network properties for the NIC. If you are dealing with Windows 2000/2003, you will find that this operation although correct, doesn't work. Because you will need a hotfix:

http://support.microsoft.com/default.aspx?scid=kb;en-us;246804

Now that your hotfix is applied, you will find that the DNS is dynamically registered for Agency A's DNS server. Agency B's DNS is blank. You will need to manually create the entries that exist in the Agency A's DNS, replacing the IP addresses with the IP addresses of the NIC B. You can reduce the pain by exporting the Agency A's entries from DNS and importing them into the Agency B DNS. After you have imported them, alter them to have the right IP address and not to expire.

Of course, if you are replicating the zones between agency's or relying on the Domain Controller itself to act as DNS server for both Agency's you have little hope of this working.

Another way to solve the problem is to put a DC in the Agency B location, create a site for Agency B and associated subnet. Then configure to firewalls to allow point-to-point communication between the Agency A DC in the DMZ and the Agency B DC that sites on their subnet.

Paul

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

This was first published in December 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: