
I know EC2 pretty well, but I'm totally new to Active Directory.

I'm trying to set up a computer hosting Active Directory on EC2. I want to be able to join the domain from computers running on EC2, as well as computers in my own office.

I have it working OK for computers on the same local network (VPC) as the server, but I can't join the domain from computers in our office. I'm pretty sure the reason is that when I do a DNS query to the Active Directory server, it returns its own internal IP address instead of its publicly accessible IP address.

How can I make Active Directory return the public external IP address for DNS lookups, rather than the internal IP address?

1 Answer


In general, I would never make a domain controller internet-accessible.

If it were me, I would create a site-to-AWS VPN. AWS supports VPN connectivity to most industry standard stuff (Juniper, Cisco, many others).

In the VPC dashboard:

  • Create an AWS virtual private gateway
  • Define your customer (on-site) gateway
  • Create a VPN connection to associate the two

At that point, you'd need to create routes in the related networking gear and AWS VPC subnets so traffic is being directed appropriately.

That way, you can have nice/easy connectivity to your DC but it's across a secure channel.

– jlehtinen
  • Why is it bad for the domain controller to be internet-accessible? I needed to install an SSL certificate during the setup process; I'm assuming that everything is encrypted, right? – Jesse Barnum Apr 01 '15 at 20:40
  • 100% agreed that this should be behind a VPN. – EEAA Apr 01 '15 at 20:42
  • "I'm assuming that everything is encrypted right?" Wow. That assumption has never led to any problems. – mfinni Apr 01 '15 at 20:47
  • @mfinni Sorry for my assumption. I have done 15 seconds of research on the topic and have concluded that yes, traffic is encrypted, so I still do not understand why AD is insecure unless it's routed over a VPN. – Jesse Barnum Apr 01 '15 at 20:48
  • http://serverfault.com/questions/573681/should-i-expose-my-active-directory-to-the-public-internet-for-remote-users/ See especially TheCleaner's answer. – Katherine Villyard Apr 01 '15 at 20:50
  • What traffic, exactly, is encrypted? NTLMv1? A website published via HTTP? Some other component of the OS that has an unpatched exploit allowing an attacker to compromise your domain controller? – mfinni Apr 01 '15 at 20:50
  • "I have done 15 seconds of research on the topic" Well then, by all means, please build your company's AD infrastructure. – mfinni Apr 01 '15 at 20:51
  • @JesseBarnum You don't build critical infrastructure in ways that let hackers try to break it at their leisure. And they will. Any/every internet-accessible server is hammered 24/7 by script kiddies, bots, and APTs. – jlehtinen Apr 01 '15 at 20:55
  • If AD is only secure in the context of a VPN, are there any recommendations for better alternatives? I need a way that allows Mac, Windows, and Linux clients to have a network password allowing them to access various resources. Some of these resources are inside our office, some of them are not, so a VPN is not an option. – Jesse Barnum Apr 01 '15 at 20:57
  • This: https://msdn.microsoft.com/en-us/library/bb897402.aspx or this: https://technet.microsoft.com/en-us/library/jj679342.aspx might be what you're looking for. – Katherine Villyard Apr 01 '15 at 21:07
  • @KatherineVillyard Thank you for your answer, but neither of these articles addresses the problem that I'm having regarding internal vs external IP addresses. – Jesse Barnum Apr 01 '15 at 21:11
  • It was actually intended as an answer to your comment, "If AD is only secure in the context of a VPN, are there any recommendations for better alternatives?" – Katherine Villyard Apr 01 '15 at 22:04
  • AD is very secure, **in the context in which it is supposed to be deployed**, which is behind a firewall. This is like building a prison out of the same materials one would use to build a house and calling it "secure". AD was never meant to be deployed in a circumstance where it is open to the Internet. Period. Set up a VPN. Clients that are outside your office can *still* access AD with a proper mobile VPN solution. – EEAA Apr 01 '15 at 23:16
  • @EEAA, I'm not arguing with you. It sounds like AD is designed only for use within a firewall (which doesn't make sense to me, because you can have malicious employees behind the firewall just as much as malicious attackers outside of it). However, forcing all of our employees to use a VPN to access company resources is unacceptable. I will try to find some other authentication solution that is designed for internet deployment. – Jesse Barnum Apr 02 '15 at 02:33
  • @JesseBarnum "However, forcing all of our employees to use a VPN to access company resources is unacceptable." That is how it is done at 99.99% of companies out there. Really. Running a VPN client is *not* a big deal. If done right, it can be configured in such a way that the users don't even know it's there. – EEAA Apr 02 '15 at 02:36
  • @JesseBarnum True about malicious internal employees. The difference is that 1) you can easily detect the attack and 2) you can easily know exactly who is launching the attack so you can fire them. Neither of those is the case with internet-facing devices. – EEAA Apr 02 '15 at 02:37