
The situation that I'm faced with is this: We plan on using a number of server applications hosted on Amazon EC2 machines, mainly Microsoft Team Foundation Server. These services rely heavily on Active Directory. Since our servers are in the Amazon cloud it should go without saying (but I will) that all our users are remote.

It seems that we can't set up a VPN on our EC2 instance, so the users will have to join the domain directly over the internet; then they'll be able to authenticate and, once authenticated, use that token for accessing resources such as TFS.

On the DC instance, I can shut down all ports except those needed for joining/authenticating to the domain. I can also filter the IP on that machine to just those addresses that we are expecting our users to be at (it's a small group).

On the web-based application servers, I imagine all we need to open is port 80 (or 8080 in the case of TFS).

One of the problems that I'm faced with is what domain name to use for this Active Directory. Should I go with "ourDomainName.com" or "OurDomainName.local"? If I choose the latter, does that not mean that I'll have to get all our users to change their DNS address to point to our server, so it can resolve the domain name? (I guess I could also distribute a hosts file.)

Perhaps there is another alternative that I'm completely missing.

Ralph Shillington

1 Answer


You've got two orthogonal concerns.

re: naming - I'd never name an Active Directory domain after your second-level domain (i.e. "OurDomainName.com"). This has been the subject of religious argument here, which you can read about at:

I wouldn't use ".local" (even though Microsoft does; ".local" has "baggage" associated with it because of the ZeroConf protocol).

Personally, I use the convention "ad.domain.com". Assuming you delegate the DNS for the "ad" subdomain to a DNS server running on your DCs you can coexist your AD namespace with your public-facing DNS namespace without issue.

re: security - You might want to consider using an IPsec policy on your DCs, if not all your domain member computers, to authenticate and encrypt communications between your client computers and your DCs. Getting joined to the domain, initially, will be somewhat difficult, but certainly not impossible. If your clients are Windows 7-based, you could probably leverage the new Offline Domain Join functionality to make this even easier.

Evan Anderson
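The following PowerShell script is an added example, not code from the question or the answer above. It puts the answer's security points together on the DC side: a default-deny inbound firewall with the AD service ports allowed only from the small set of known client addresses (as the asker proposes), an IPsec rule that authenticates and protects that traffic, and the Offline Domain Join (djoin.exe) provisioning step for a Windows 7 client. Everything specific is an assumption chosen for illustration: the domain name ad.example.com (following the "ad.domain.com" convention, with the "ad" subdomain already delegated to the DC), the DC and client names, and the client addresses, which are taken from the RFC 5737 documentation ranges. The firewall and IPsec cmdlets come from the NetSecurity module shipped with Windows Server 2012 and later; on an older server the same rules are expressed with netsh advfirewall.

```powershell
# Added example; not part of the original question or answer.
# Assumptions (hypothetical): AD domain ad.example.com, this host is the DC,
# remote users connect from 203.0.113.10 and 198.51.100.0/24 (RFC 5737 ranges).
# Run in an elevated PowerShell on the DC; needs the NetSecurity module
# (Windows Server 2012 or later).

$Domain      = 'ad.example.com'
$ClientAddrs = @('203.0.113.10', '198.51.100.0/24')

# Ports a member machine needs to reach on a DC to join and authenticate:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog,
# and the RPC dynamic range used by the directory replication/netlogon services.
$DcTcpPorts = @('53', '88', '135', '389', '445', '464', '636', '3268', '3269', '49152-65535')
$DcUdpPorts = @('53', '88', '123', '389', '464')   # 123 = NTP, Kerberos needs clock sync

# 1. Default-deny inbound on every profile, so the DC exposes nothing not listed below.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow the AD service ports only from the expected client addresses.
New-NetFirewallRule -DisplayName 'AD services (TCP) from known clients' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $DcTcpPorts -RemoteAddress $ClientAddrs
New-NetFirewallRule -DisplayName 'AD services (UDP) from known clients' `
    -Direction Inbound -Action Allow -Protocol UDP `
    -LocalPort $DcUdpPorts -RemoteAddress $ClientAddrs

# 3. IPsec with machine Kerberos authentication for traffic from those clients.
#    A client can only present a Kerberos machine credential once it is joined,
#    which is the bootstrap problem the answer mentions. Start with Request so an
#    unjoined client can still complete the join; change -InboundSecurity to
#    Require after every client is a domain member.
$auth = New-NetIPsecAuthProposal -Machine -Kerberos
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $auth
New-NetIPsecRule -DisplayName 'Protect AD traffic from known clients' `
    -Mode Transport -RemoteAddress $ClientAddrs `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name

# 4. Offline Domain Join. On the DC: pre-create the computer account and write
#    the provisioning blob for the (hypothetical) client CLIENT01.
djoin.exe /provision /domain $Domain /machine CLIENT01 /savefile C:\odj\CLIENT01.txt

# Then on the Windows 7 client, after copying the blob over out of band
# (the blob contains the machine account password, so treat it as a secret):
#   djoin.exe /requestodj /loadfile C:\odj\CLIENT01.txt /windowspath C:\Windows /localos
# The client completes the join on its next reboot, without needing to reach
# the DC while still unjoined.
```

Mirror the same allow-list in the EC2 security group for the DC instance so that the host firewall is the second layer rather than the only one, and check the result from a client address with a simple port test (for example, `Test-NetConnection` against port 389) plus a test from an address outside the list, which should be dropped. Because clients still resolve `ad.example.com` through the public DNS delegation, TCP/UDP 53 to the DC only needs to be open if the clients use the DC as their resolver; if the delegation is handled by a separate authoritative server, that port can be left closed.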