Domain Controllers on p172
Brute force password attacks from the Internet afflict all Windows domains at the University of Washington. Domains without a firewall have a higher risk profile, and users with simple passwords are rapidly exploited. Depending on the policy implemented, failed brute force attempts can also lockout users and rapidly fill security logs.
However, implementing a firewall for domain controllers (DCs) is problematic. Any domain controller in a forest must be able to freely communicate with other domain controllers in the forest. In some forests, like the UW forest, the list of domain controllers in the forest isn't static--it changes daily. This makes firewall configuration difficult at best.
UW Technology recommends an alternate option to UW domain administrators: move your domain controllers to the private 172 address space (p172). This prevents malicious hackers beyond the UW border routers from reaching your DCs. The DCs enjoy the full range of operational functionality. Campus DNS services will resolve the p172 DNS records associated with Active Directory services that DCs require for functionality. However, only clients that are within the UW border can resolve the p172 DNS records. Clients outside the border will not resolve those p172 based DNS records.
There is an obvious implication to moving all your domain controllers to p172. Off-campus clients can't resolve or connect to those domain controllers. Additionally, no single domain name can have both public and private resource records; the SRV records that Windows domain controllers register are one example.
If you have off-campus clients, one solution is to implement a VPN.
How to move a DC to p172
- Identify the p172 IP network matching the public IP network the existing domain controller is on:
  128.95.x - 172.25.x
  128.208.y - 172.28.y
  140.142.z - 172.22.z
- Send an email to netops@u, or call 543-5128, asking to coordinate DNS changes. The NOC should respond within one business day and issue you a new IP on p172. Coordinate with the NOC on timing to move all DNS records to utilize the new IP.
Example:
From: Jane Smith <jsmith@u.washington.edu>
To: netops@u.washington.edu
Subject: migrate domain controller(s) to 172 network
Hello,
I'm Jane Smith, the domain contact for xyz.washington.edu.
I would like to move Domain Controller(s) in my domain to 172 network:
host name = hostname.domainname.washington.edu
current IP address = 128.xxx.xxx.xxx
Please check all corresponding DNS records for this host(s) to reflect the IP address change.
Jane Smith
- After receiving a response from the NOC please allow up to 30 minutes for propagation to occur. You can use dig (ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.2.3/BIND9.2.3.zip) to verify for yourself that the change has been made.
- Change the IP address on the domain controller to p172.
- Run the support tools dcdiag and netdiag to verify directory and network operations.
- Check the event logs on other DCs in that domain for errors.
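The two checks a domain administrator wants from the procedure above are (a) which p172 address to request for a DC on a given public network, and (b) after propagation, whether every DC the domain advertises has moved cleanly, with no public A record left behind and no name carrying both public and private addresses. The following script is an added example, not UW Technology's tooling: it encodes the three network pairings from the page, parses answer lines in the format dig prints, and classifies each DC named in an `_ldap._tcp.dc._msdcs` SRV record (the standard Active Directory DC locator record) by the A records it carries. The domain `xyz.washington.edu`, the host names `dc1`-`dc3` and all addresses in `SAMPLE_DIG` are constructed for the example.

```python
import ipaddress

# Public /16 -> p172 /16 pairings as given on the page; the last two octets carry over unchanged.
PUBLIC_TO_P172 = {
    ipaddress.ip_network("128.95.0.0/16"): ipaddress.ip_network("172.25.0.0/16"),
    ipaddress.ip_network("128.208.0.0/16"): ipaddress.ip_network("172.28.0.0/16"),
    ipaddress.ip_network("140.142.0.0/16"): ipaddress.ip_network("172.22.0.0/16"),
}
# RFC 1918 block that every p172 network above falls inside.
P172_SPACE = ipaddress.ip_network("172.16.0.0/12")

# Constructed dig answer section for a hypothetical domain: dc1 fully moved, dc2 half moved
# (public and private A records on one name), dc3 not moved at all.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 dc1.xyz.washington.edu.
_ldap._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 dc2.xyz.washington.edu.
_ldap._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 dc3.xyz.washington.edu.
dc1.xyz.washington.edu. 3600 IN A 172.25.1.10
dc2.xyz.washington.edu. 3600 IN A 128.95.1.11
dc2.xyz.washington.edu. 3600 IN A 172.25.1.11
dc3.xyz.washington.edu. 3600 IN A 140.142.5.20
"""


def p172_for(public_ip: str) -> str:
    """Map a DC's current public address to the p172 address on the matching network."""
    ip = ipaddress.ip_address(public_ip)
    for pub_net, priv_net in PUBLIC_TO_P172.items():
        if ip in pub_net:
            return str(priv_net.network_address + (int(ip) - int(pub_net.network_address)))
    raise ValueError(f"{public_ip} is not on a public network with a p172 counterpart")


def parse_dig_answers(text: str) -> list[tuple[str, str, str]]:
    """Parse 'NAME TTL IN TYPE RDATA' lines as dig prints them; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip("."), rtype, rdata.strip()))
    return records


def audit_dc_records(records: list[tuple[str, str, str]]) -> dict[str, str]:
    """Classify every DC advertised by an SRV record by the A records it carries.

    ok           - only p172 addresses (reachable on campus, not from the Internet)
    mixed        - public and p172 A records on one name (the split the page says a name cannot have)
    not-migrated - only public addresses
    missing      - SRV target with no A record in the answer set
    """
    a_records: dict[str, list[ipaddress.IPv4Address]] = {}
    for name, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(ipaddress.ip_address(rdata))
    status: dict[str, str] = {}
    for _name, rtype, rdata in records:
        if rtype != "SRV":
            continue
        target = rdata.split()[-1].rstrip(".")  # SRV rdata is: priority weight port target
        addrs = a_records.get(target, [])
        if not addrs:
            status[target] = "missing"
        elif all(ip in P172_SPACE for ip in addrs):
            status[target] = "ok"
        elif any(ip in P172_SPACE for ip in addrs):
            status[target] = "mixed"
        else:
            status[target] = "not-migrated"
    return status


if __name__ == "__main__":
    print("p172 address to request for 128.95.1.10:", p172_for("128.95.1.10"))
    for target, state in audit_dc_records(parse_dig_answers(SAMPLE_DIG)).items():
        print(f"{target}: {state}")
```

To run it against a live domain, feed `parse_dig_answers` the output of a dig query for `_ldap._tcp.dc._msdcs.<domain>` plus the A records of each target (dig's `+additional` section usually carries them), from a client inside the UW border, since only those clients can resolve the p172 records. A `mixed` result is the case to fix before moving on to dcdiag and netdiag; a `not-migrated` result on a DC you believe you moved usually means DNS propagation has not finished yet.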
