CJSC MetroCraft, 2019-12-09 14:38:29
Domain Name System

How to set up a distributed Active Directory network and the accompanying services?

Hello!
At first there was: a server with a domain controller and other services, one main computer and 8 laptops. Everything worked, for the time being. Now there are 14 personal computers in the main office, one main computer, one touch panel and a server with AD. Going further: mini-offices are gradually appearing, each with just one laptop and a desktop network. How do we connect them to AD? But that's not all: peripheral offices are appearing, with 4 laptops and one computer, and employees with laptops and tablets who travel to different cities and even countries. Later there will be PCs with Linux (we are still deciding on the distribution) and MacBooks. We plan to add 3 servers in the data center. How do we unite this whole international technical zoo into one AD network and keep the other network services working?! All servers have a public IPv4 address and two public direct IPv6 addresses.
PS: If there are errors, write about them in the comments.
PPS: Please help, don't ignore this!!!
PPPS: Please don't write phrases like "Why is this necessary?" and "What for?".


5 answers
Juhani Lahtinen, 2019-12-09
@nukler

It's not clear what exactly you want to expand and what comes next.
In general terms, the idea is this: there is a central VPN server and many VPN clients that are joined into one network.
1. Central office: PPTP/IPsec/OpenVPN and so on as the central server.
2. Install a router in the mini-offices and connect them to the central office via VPN.
You can build all of it on MikroTiks; there is EoIP + IPsec, which will join everything into one network perfectly well, but it has its own pitfalls in the form of unnecessary broadcast traffic and other things.

CityCat4, 2019-12-09
@CityCat4

Here the task is divided into two parts (well, at least I didn't solve it completely in one go).
Part 1 - one big MikroTik is installed in the office, which will carry the VPN on itself. It must have a public IP. Take a model with hardware encryption such as the RB1100AHx2 (if it is already outdated, take whatever is recommended instead).
- Connecting permanently operating mini-offices to AD: a MikroTik in each office and a permanent VPN on IPsec; this gives a permanent connection to the office network, as if it were in a neighboring subnet.
- Linux, Android tablets, Apple products: via IPsec in road-warrior mode. There is a lot of documentation on the strongSwan website; MikroTik is also Linux and also has either a *swan or the older racoon, so that documentation will do for setting it up, and MikroTik has its own as well.
Part 2
- Windows: I still don't know how to hook it up to IPsec, but it can be connected via PPTP, forwarded to some Windows server.

nApoBo3, 2019-12-09
@nApoBo3

It depends on the country and possible regulatory requirements. In general, AD does not map trivially onto mixed infrastructures; there are many pitfalls and difficulties with various services.
If your AD is only for authorization and you are not in the Russian Federation (or the risk of all this being switched off is not too great for you), I would look towards Azure AD and Office 365.
The second option is to build a VPN network. Then you get something like a virtual office.
The third option, a public AD, is theoretically feasible, but I have not come across it; from a security point of view it is probably extremely non-trivial.
There is also a hybrid of the second and third options based on IPv6, but for that you need a person who knows this area very well.

TheStarOf, 2019-12-10
@TheStarOf

Obviously OpenVPN as a service centred in the DC. Or Windows DirectAccess (essentially the same thing).

moneyfornothing, 2019-12-10
@moneyfornothing

MS has RRAS, on which you can implement DirectAccess or VPN AnyWhere.
VPN AnyWhere is supported by MS clients "out of the box"... it is just plain SSTP or IKEv2 VPN.
The client tries to bring up the connection when it detects that it is not on the domain network.
A remote client can do an offline domain join; send it the VPN connection config and it is in your domain.
DirectAccess requires Windows 7/8/10 Enterprise and is configured only through group policies. It works over HTTPS: IPv6 over HTTPS.
PKI is required.
If you like OpenVPN, both technologies are entirely comparable with it in terms of speed, so you won't notice the difference.
Linux and Mac users don't really fit in here, but you can get them in via SSTP. DirectAccess and VPN can coexist on the same server.
Another option is Terminal Server + VPN. Users connect remotely via VPN and then RDP to the TS. There are RDP clients for almost any OS.
In general, everything has its own nuances: requirements for data availability, downtime, security. For example, should a person with a domain computer and an unencrypted disk roam anywhere, or is VPN plus RDP still the right solution? Or, if you do encrypt, what do you do when he turns it into a "brick"? How do you distribute settings to Linux and Mac? You can't push Windows GPs onto them. And if they can do without a domain, then why bring the rest into the domain?
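The offline domain join plus "send the VPN config" flow described in the answer above, as an added worked example (not code from the thread or from any of its authors). It assumes a domain corp.example, a machine name LAPTOP01, an OU "OU=Roaming,DC=corp,DC=example", a VPN endpoint vpn.corp.example and a machine certificate from the domain PKI already present in the laptop's LocalMachine\My store; all of these names are placeholders. It also goes one step beyond the answer by pinning the IKEv2/IPsec proposal instead of leaving Windows' defaults, and uses IKEv2 rather than the PPTP suggested elsewhere in the thread, because PPTP's MS-CHAPv2 authentication is broken.

```powershell
<#
Added example, not part of the original answers. Placeholder names:
domain corp.example, machine LAPTOP01, OU "OU=Roaming,DC=corp,DC=example",
VPN server vpn.corp.example. Step 1 runs on a domain-joined admin workstation
with rights to create computer objects in that OU; step 2 runs elevated on the
remote laptop, which needs no line of sight to a domain controller until the
tunnel is up.
#>

# ---- Step 1 (admin side): create the computer object and the offline-join blob ----
$Domain    = 'corp.example'
$Machine   = 'LAPTOP01'
$MachineOU = 'OU=Roaming,DC=corp,DC=example'
$BlobPath  = "C:\odj\$Machine.txt"

New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null
# djoin.exe ships with Windows; /provision creates the computer account in AD and
# writes a blob that contains the machine account secret. Hand it over out of band
# and delete it once it has been applied.
djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# ---- Step 2 (remote laptop, elevated): apply the blob and build the VPN profile ----
$BlobOnLaptop = 'C:\odj\LAPTOP01.txt'   # copied over from step 1

# 2a. Apply the blob to the running OS; the join completes at the next reboot.
djoin.exe /requestODJ /loadfile $BlobOnLaptop /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
Remove-Item $BlobOnLaptop -Force

# 2b. Machine-wide IKEv2 profile authenticated with the machine certificate, so the
#     tunnel can come up before any user logs on (the PKI requirement from the answer).
Add-VpnConnection -Name 'Corp' `
    -ServerAddress 'vpn.corp.example' `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -AllUserConnection `
    -Force

# 2c. Pin the IPsec proposal. Left at defaults, the Windows IKEv2 client can still
#     negotiate 3DES/SHA-1/DH group 2 if the server offers them.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Corp' `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -AllUserConnection `
    -Force

# 2d. Bring the tunnel up and confirm, then reboot to finish the domain join over it.
rasdial 'Corp'
Get-VpnConnection -Name 'Corp' -AllUserConnection |
    Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod
```

The proposal in step 2c has to match what RRAS (or whatever IKEv2 responder you run) is configured to offer, otherwise the dial fails with an IKE policy mismatch; check the server side before rolling the profile out. The blob from step 1 is equivalent to the machine account password, which is why the example deletes it right after /requestODJ.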
