    Multiple Tombstoned DC's

    IT Discussion
    active directory
    • dbeato @Fredtx

      @Fredtx I would just remove that site from being in Active Directory sites and services entirely.

      • Fredtx @dbeato

        @dbeato said in Multiple Tombstoned DC's:

        I would just remove that site from being in Active Directory sites and services entirely.

        What would be the effects if I remove that site from ADSS? Would it still be able to have an inbound rep partner?

        • Fredtx @Fredtx
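A check worth running before touching a site in AD Sites and Services, added here as an example and not taken from the thread: list the DCs in the site, their inbound replication partners, and how long each partner has gone without a successful replication, compared against the forest's tombstone lifetime. The site name, the RSAT ActiveDirectory module, and read access to the configuration partition are assumptions.

```powershell
# Added example, not the thread's own procedure. Requires the RSAT ActiveDirectory
# module; $SiteName is an assumed placeholder for the site being considered for removal.
param([string]$SiteName = 'BranchSite-Placeholder')

Import-Module ActiveDirectory

# Tombstone lifetime is stored on the Directory Service object in the configuration
# partition; when the attribute is unset the forest uses the legacy default of 60 days.
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl     = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Domain controllers that belong to the site under consideration.
$siteDCs = Get-ADDomainController -Filter { Site -eq $SiteName }
if (-not $siteDCs) { throw "No domain controllers found in site '$SiteName'" }

foreach ($dc in $siteDCs) {
    # Inbound partners as this DC sees them; these are the links that change if the site goes.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound
    foreach ($p in $partners) {
        $age    = (Get-Date) - $p.LastReplicationSuccess
        $status = if ($age.TotalDays -gt $tsl)                      { 'BEYOND-TOMBSTONE-LIFETIME' }
                  elseif ($p.ConsecutiveReplicationFailures -gt 0)  { 'FAILING' }
                  else                                              { 'OK' }
        [pscustomobject]@{
            Server           = $dc.HostName
            Partner          = $p.Partner
            Partition        = $p.Partition
            LastSuccess      = $p.LastReplicationSuccess
            DaysSinceSuccess = [math]::Round($age.TotalDays, 1)
            Failures         = $p.ConsecutiveReplicationFailures
            Status           = $status
        }
    }
}

# Site links that include this site; deleting the site leaves these referencing nothing.
Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.SitesIncluded -match "^CN=$SiteName," } |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

Any partner reported as beyond the tombstone lifetime cannot safely be brought back by normal replication and needs to be demoted and cleaned up (metadata cleanup) before the site itself is reorganised.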

          My colleague is saying we should have all the sites connected via a Mesh topology. That's 11 sites, and I feel like that would be too much overhead just for AD. Also, that would decrease the network security by connecting branch office LANs together via site VPN.

          I was thinking of having a Hub And Spoke topology to our main site, especially with the fact that our main site handles radius authentication for all the branch offices.

          • JaredBusch @Fredtx

            @Fredtx If you are going to do VPN, then do hub and spoke for sure. Mesh of multiple locations like you have is simply asking for crypto to hit all the things.

            I mean your risk is already high by using insecure LAN methods, but yeah, why multiply it?

            • scottalanmiller @Fredtx

              @Fredtx said in Multiple Tombstoned DC's:

              My colleague is saying we should have all the sites connected via a Mesh topology. That's 11 sites, and I feel like that would be too much overhead just for AD. Also, that would decrease the network security by connecting branch office LANs together via site VPN.

              Yeah, that's a huge risk, and a huge complication, all just for AD (if it is really just for AD).

              • scottalanmiller @Fredtx

                @Fredtx said in Multiple Tombstoned DC's:

                I was thinking of having a Hub And Spoke topology to our main site, especially with the fact that our main site handles radius authentication for all the branch offices.

                Definitely helps, but the fundamentally flawed network design is still the core issue.

                • Fredtx @JaredBusch

                  @JaredBusch said in Multiple Tombstoned DC's:

                  Mesh of multiple locations like you have is simply asking for crypto to hit all the things.

                  Exactly what I've been telling them.

                  • scottalanmiller @Fredtx

                    @Fredtx said in Multiple Tombstoned DC's:

                    @JaredBusch said in Multiple Tombstoned DC's:

                    Mesh of multiple locations like you have is simply asking for crypto to hit all the things.

                    Exactly what I've been telling them.

                    VPNs and AD the same. The mesh "should" not pose any threat because there should be nothing exposed over the mesh. But given the rest of the design, we can safely assume there are security holes everywhere and they are just trying to open more.

                    These are the flags that hackers look for to find easy targets.
