Domain Name System
Anatoly, 2022-03-17 14:15:06

How to properly organize an enterprise network?

Good afternoon. Please don't throw slippers at me or send me off to advanced training courses (I know that it's necessary). I have urgently become an administrator, against my will, let's put it that way.)) What we have:
1. MIKROTIK CRS326-24G; it runs DHCP in a single flat local network with a 192.168.x.x pool.
2. 35 users who are NOT IN A DOMAIN, but simply in a workgroup (this alone drives me a little crazy).
3. WINDOWS Server 2016 with virtual machines running: various enterprise services + a small file share.
All of this is slow, crashes, works poorly, etc. Understandably so: there is no routing, and Wi-Fi is in the same network.

What tasks are urgently set:
1. Set up AD and bring all existing users into it, so that there is order and everything is tidy.
2. Set up a VPN for new remote users (+10 people).

And now my actual questions.
1. When I set up DHCP and DNS on the AD server, will MIKROTIK see/understand the "foreign" IP addresses in this case?
2. Can one DHCP server serve several subnets? I want to segment the network into VLANs, but I don't know how.
3.1 When creating an L2TP + IPsec server on MIKROTIK, how do I set up routing between the VPN network (let's say 172.16.10.x) and the network handed out by Windows DHCP (let's say 172.16.20.x)?
3.2 What NAT rules need to be written for this kind of VPN server to work? I read about masquerading but did not understand it.
3.3 How can I restrict a VPN user's traffic to "nothing but RDP"?

P.S. A small request to those who answer, as free time and good mood allow: please write detailed answers, especially with chains on MIKROTIK, if there are any. I'm still very lost in the terminology and other magic. Thanks in advance for your help. All the best!


4 answer(s)
CityCat4, 2022-03-17
@CityCat4

1. No. You need to decide who will do DHCP: the domain controller or the Mikrotik. The domain controller is better, with a DHCP relay on the Mikrotik.
2. Yes, you can. Again, a DHCP relay in every subnet pointing to the network where the DHCP server is.
3.1 I don't know; it was easier for me to set up pure IPsec.
3.3 Yes, all on the same Mikrotik: allow port 3389 and block the rest on the subnet from which VPN addresses are issued.
The question is very broad, and I don't feel like writing a wall of text. You can write to me by e-mail (in the profile), though sometimes I don't answer right away.
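The relay-plus-filter layout from points 1, 2 and 3.3 above, written out as RouterOS commands. This is an added example, not CityCat4's configuration; the addresses are placeholders taken partly from the question (VPN pool 172.16.10.0/24, user network 172.16.20.0/24) and partly assumed (bridge1, VLAN ids 10/20, Wi-Fi 172.16.30.0/24, Windows DHCP/AD server 172.16.20.5, RDP host 172.16.20.10).

```routeros
# Added example (not from the thread). Assumed: bridge1 carries tagged VLANs 10 (users) and 20 (Wi-Fi);
# the L2TP/IPsec server hands out 172.16.10.0/24 from its PPP profile (not shown here).

# One VLAN interface per segment; the router is the gateway of each.
/interface vlan
add name=vlan10-users vlan-id=10 interface=bridge1
add name=vlan20-wifi vlan-id=20 interface=bridge1
/ip address
add address=172.16.20.1/24 interface=vlan10-users
add address=172.16.30.1/24 interface=vlan20-wifi

# Question 2: one Windows DHCP server for several subnets. The Wi-Fi segment has no
# DHCP server of its own, so the router relays its broadcasts to 172.16.20.5. The server
# sees the relay address (giaddr 172.16.30.1) and picks the matching scope, so it needs a
# 172.16.30.0/24 scope next to the 172.16.20.0/24 one. Users in VLAN 10 reach the server
# directly and need no relay.
/ip dhcp-relay
add name=relay-wifi interface=vlan20-wifi dhcp-server=172.16.20.5 local-address=172.16.30.1 disabled=no

# Question 3.1: no NAT is needed between the VPN pool and the LAN. Both are directly
# connected routes on this router, so plain routing works as long as LAN hosts use
# 172.16.20.1 as their gateway (hand that out from the Windows DHCP scope).

# Question 3.3: VPN users may reach only RDP on the RDP host; everything else is dropped.
/ip firewall address-list
add list=vpn-clients address=172.16.10.0/24
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward src-address-list=vpn-clients dst-address=172.16.20.10 protocol=tcp dst-port=3389 \
    action=accept comment="VPN clients -> RDP host only"
add chain=forward src-address-list=vpn-clients action=drop comment="drop everything else from VPN"
```

Rule order matters in RouterOS filter chains: the accept for port 3389 must sit above the drop, and the two VPN rules should be placed before any broad "accept forward" rule that may already exist.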

AntHTML, 2022-03-17
@anthtml

1. The CRS326 is a switch with some filtering and light NAT capability; under what you describe, it will buckle.
2. That's quite normal; in practice, with fewer than 50-70 users in a domain, the domain does more harm than good, because you can't deploy most of the domain's goodies properly: there simply aren't enough users to build a sane directory hierarchy and write a pile of GPOs.
3. Figure out what exactly is slow; it's far from certain that it's the network and routing.
4. Wi-Fi: yes, move it to a separate network.
On the tasks:
1. AD only if you plan to grow a lot.
2. VPN on a separate piece of hardware or a virtual machine.

AlexVWill, 2022-03-17
@AlexVWill

3.1 When creating an L2TP + IPsec server on MIKROTIK, how do I set up routing between the VPN network (let's say 172.16.10.x) and the network handed out by Windows DHCP (let's say 172.16.20.x)?

It's better not to do that. It's possible, but unnecessary. It is much more sensible to set up a separate VPN server, preferably on a separate IP, and have it route VPN client traffic into the network. It's much safer.

TheBigBear, 2022-03-17
@TheBigBear

1. The CRS 326-24G is more of a switch than a router.
It will not handle L2TP + IPsec (tested on a MIKROTIK CRS125-24G-1S-RM).
L2TP without IPsec it handles fine. But try to persuade management to buy a box with hardware encryption support, or set up the VPN on a separate server.
The DCs (domain controllers) will presumably be run as virtual machines? (That is the most correct solution.)
But in case of any failure (power supply, Hyper-V host), the network will be left without DNS and DHCP.
From my purely personal point of view:
Set up DHCP and DNS on the Mikrotik (especially since several DHCP servers are planned). As the first DNS, hand out the domain controller; as the second, the provider's. That way, even if the DC is unavailable, the network and the Internet will keep working. Or else write something like this in the Mikrotik's STATIC DNS:
/ip dns static
# My_DC.My_Domain.localnet is the domain controller's hostname and My_Domain.localnet the AD DNS zone;
# replace both with your own. One DC name is used throughout (the original mixed My_KD/My_CD/My_CA/MyCd).
add name=domains._msdcs.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.dc._msdcs.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.default-first-site-name._sites.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.default-first-site-name._sites.dc._msdcs.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.Default-First-Site-Name._sites.My_DC.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.controller._msdcs.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.default-first-site-name._sites.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.My_DC.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_ldap._tcp.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
# Kerberos records point at the KDC on port 88 (the original had 3268 and 464 on two of them); 464 is kpasswd only.
add name=_kerberos._tcp.My_Domain.localnet srv-port=88 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_kerberos._tcp.default-first-site-name._sites.My_Domain.localnet srv-port=88 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_kerberos._tcp.default-first-site-name._sites.dc._msdcs.My_Domain.localnet srv-port=88 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_kerberos._tcp.dc._msdcs.My_Domain.localnet srv-port=88 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_kerberos._udp.My_Domain.localnet srv-port=88 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_kpasswd._udp.My_Domain.localnet srv-port=464 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_tcp.Default-First-Site-Name._sites.dc._msdcs.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_tcp.Default-First-Site-Name._sites.My_Domain.localnet srv-port=389 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_tcp.default-first-site-name._sites.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_tcp.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=default-first-site-name._sites.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_gc._tcp.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_gc._tcp.default-first-site-name._sites.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_sites.gc._msdcs.My_Domain.localnet srv-port=3268 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
add name=_vlmcs._tcp.My_Domain.localnet srv-port=1688 srv-priority=0 srv-target=My_DC.My_Domain.localnet srv-weight=100 type=SRV
This will make the domain and the Mikrotik play nicely together.
2. That is why it is better to run the DHCP server on the Mikrotik.
3.3 Forget about port 3389!!!! Use any other (22222, 34567...).
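The "DHCP and DNS on the Mikrotik, DC first, provider second" layout from the answer above, as an added example rather than TheBigBear's own configuration. Instead of the long list of static SRV records it forwards the whole AD zone to the DC with a RouterOS 7 FWD entry (a different technique from the static list, assumed to be available on the router's firmware). Placeholders: LAN 172.16.20.0/24 on interface vlan10-users, domain controller 172.16.20.5, AD zone my-domain.localnet, ISP resolver 203.0.113.53, WAN port ether1-wan.

```routeros
# Added example (not from the thread); all addresses and interface names are placeholders.

# DHCP on the router, independent of the Hyper-V host. Clients get the DC as first DNS
# and the router as second, so the Internet still resolves if the DC is down.
/ip pool add name=pool-users ranges=172.16.20.100-172.16.20.200
/ip dhcp-server add name=dhcp-users interface=vlan10-users address-pool=pool-users lease-time=1d disabled=no
/ip dhcp-server network add address=172.16.20.0/24 gateway=172.16.20.1 \
    dns-server=172.16.20.5,172.16.20.1 domain=my-domain.localnet

# The router's own resolver: upstream is the ISP, but every name under the AD zone
# (including the _ldap/_kerberos SRV records and their _sites/_msdcs subtrees) is
# forwarded to the DC, so no per-record static entries are needed.
/ip dns set servers=203.0.113.53 allow-remote-requests=yes
/ip dns static add name=my-domain.localnet match-subdomain=yes type=FWD forward-to=172.16.20.5

# allow-remote-requests=yes makes the router answer DNS on every interface, including the
# WAN side; drop those from the Internet so the router cannot be used as an open resolver.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
```

Domain-joined clients still use the DC directly for AD lookups; the forwarding on the router only matters for the router's own queries and for any host whose first DNS server is the router.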
