For my small company I want to set up a domain controller.

  • I want users to be able to access the domain controller from their laptops via the Internet.
  • I need the DC for policies & management of users.
  • I'm aware of the consequences of exposing the DC to the Internet.
  • Yes, at some point there might be a VPN on the computers / DC.
  • I would like the machine to be hosted on an AWS EC2 instance.

My problem is that I already tried doing it myself, but I might be missing something.

  • Say my company is called mycompany.com.
  • I have already created a machine with the DC (Windows 2008 R2 Datacenter edition).
  • I assigned a static IP using an EC2 Elastic IP address.
  • I created a subdomain DNS record to direct dc.mycompany.com to the static IP (using GoDaddy).
  • When I ping the address (or remotely connect) to dc.mycompany.com, the server responds. (For the sake of this example, my company is www.company.com.)

But when I try to add computers to the DC, it constantly fails.

What I get is:

    The following error occurred when DNS was queried for the service location (SRV)
    resource record used to locate an Active Directory Domain Controller (AD DC) for domain
    "dc.mycompany.com":

    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.dc.mycompany.com

EDIT: Following the comments below: I'm doing this for research purposes, to understand what will work for my company and what will be the end solution that will be suggested. I have managed many ADs before, but I have never tried to do it with some of my users being able to access it from the Internet. I'm also using this method to test VPN providers like F5 & CheckPoint to go along with this solution. As for EC2 & AWS: it is easier to experiment in that environment than with actual servers inside my company.

Any help will be much appreciated.

{Please don't leave comments like "don't do it".}

koby meir
  • Don't don't don't don't don't. Use VPN. Do not expose your AD to the internet under any circumstances. – MDMarra Nov 07 '13 at 23:04
  • If you think this is in *any* way a good idea when you don't understand why it's currently failing then please drop me email - I've got a business proposal for you involving some real estate, shares and releasing the bank account of a deceased Nigerian general. – symcbean Nov 07 '13 at 23:20
  • @kobymeir I've closed this question because you are not articulating a good reason for grossly violating best practices. Server Fault is a site [for professionals](http://serverfault.com/about), which means we expect questions and answers to be asked [in a professional capacity](http://meta.serverfault.com/questions/4111/what-is-a-professional-capacity), which then means if you don't want us to tell you ***NO*** you need to tell us ***WHY***. If you update your question with sound, well-thought-out reasons for what you want to do it may be reopened, but we are against foot-shooting as a rule. – voretaq7 Nov 07 '13 at 23:49
  • @MDMarra As I knew you would be answering my question, I asked not to write **don't do it**. – koby meir Nov 08 '13 at 06:08
  • As for @voretaq7: I wrote that **I know the consequences of exposing the DC to the Internet**, and I wrote that there will be a VPN. So why not help someone who did his research on the Internet and is having some difficulties solving a problem, and let me finish my research so I will see what works for me? – koby meir Nov 08 '13 at 06:11
  • @kobymeir I didn't answer your question, I left it as a comment. If you went to a gun shop and told them you were planning on buying a gun to shoot yourself in the foot, they would try and talk you out of it. Same thing here. – MDMarra Nov 08 '13 at 12:16
  • @kobymeir First, in regard to your edit: The right solution here is virtualization and an internal lab. VMware and Hyper-V are both free (as in beer) and neither is difficult to set up. Your question suffers from [The XY Problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) -- you've latched on to a solution rather than asking about your *problem*. – voretaq7 Nov 08 '13 at 16:56
  • @kobymeir Second, in regard to your edit: Just as a doctor has no obligation to help a patient kill themselves, Server Fault (as a site for *professionals*) has no obligation to help people do unprofessional/bad things like ignoring best practices - especially if there's no well-articulated reason *why*. If you disagree with that premise please [open a discussion on Meta](http://meta.serverfault.com/questions/ask) - I'm open to convincing arguments for a "just tell them how to use the foot-gun" policy, but to date none have been made. – voretaq7 Nov 08 '13 at 17:01

1 Answer

Ignoring how unbelievably insecure this idea is going to be...

I created a subdomain DNS record to direct dc.mycompany.com to the static IP (Using GoDaddy).

OK, but what about the rest of the zone? As the error states, it's looking for an SRV record. This likely doesn't exist in your public zone hosted with GoDaddy.

Obligatory: Why on earth are you trying to do this? What's wrong with implementing something like a DirectAccess VPN?
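To make the answer's point concrete, here is an added example (not from the answer or the question) that builds the SRV names a Windows client resolves when locating a DC for the AD domain `dc.mycompany.com` and checks them against a constructed zone that, like the GoDaddy zone described, only carries the A record. The zone text, IP address and the second zone with SRV records are all constructed for this illustration.

```python
# Added example: which SRV records a domain-join client asks for, and why a
# public zone holding only an A record answers with NXDOMAIN (RCODE_NAME_ERROR).

# Constructed BIND-style zone text: only the A record from the question exists.
PUBLIC_ZONE = """
mycompany.com.        3600 IN SOA ns1.example.net. hostmaster.mycompany.com. 1 3600 900 1209600 300
dc.mycompany.com.     3600 IN A   203.0.113.10
"""

# Constructed: the same zone after the DC's SRV records have been published.
AD_ZONE = PUBLIC_ZONE + """
_ldap._tcp.dc._msdcs.dc.mycompany.com.      600 IN SRV 0 100 389 dc.mycompany.com.
_kerberos._tcp.dc._msdcs.dc.mycompany.com.  600 IN SRV 0 100 88  dc.mycompany.com.
_ldap._tcp.dc.mycompany.com.                600 IN SRV 0 100 389 dc.mycompany.com.
_kerberos._tcp.dc.mycompany.com.            600 IN SRV 0 100 88  dc.mycompany.com.
"""


def parse_zone(text):
    """Return {(owner, rtype): [rdata, ...]} from one-record-per-line zone text."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or something we do not model
        owner, rtype, rdata = parts[0].lower(), parts[3], " ".join(parts[4:])
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def required_srv_names(ad_domain):
    """SRV owner names a client resolves to find a DC for ad_domain (join/logon)."""
    d = ad_domain.rstrip(".").lower() + "."
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}"]


def missing_srv_records(zone_text, ad_domain):
    """Names whose SRV lookup would fail with NXDOMAIN against this zone."""
    zone = parse_zone(zone_text)
    return [n for n in required_srv_names(ad_domain) if (n, "SRV") not in zone]


if __name__ == "__main__":
    for name, zone in (("public zone", PUBLIC_ZONE), ("zone with SRV", AD_ZONE)):
        print(name, "missing:", missing_srv_records(zone, "dc.mycompany.com"))
```

The first name reported missing for the public zone is exactly the `_ldap._tcp.dc._msdcs.dc.mycompany.com` query from the error text; clients must use a DNS server that serves the zone the DC registered its records in.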

Chris McKeown
  • Could you direct me to a how-to on DirectAccess VPN? – koby meir Nov 08 '13 at 06:25
  • If your DC is currently exposed to the Internet, unfirewalled, then the first thing you need to do is **start again**. You can no longer be certain that your systems haven't already been compromised. – Chris McKeown Nov 08 '13 at 10:25
  • OK, I will restart the server from scratch; that is easy in AWS EC2, but how does that answer my question? – koby meir Nov 08 '13 at 10:58
  • Have you perchance tried Googling for 'setting up DirectAccess server 2008 r2'? If so you would find [this](http://technet.microsoft.com/en-us/library/dd758757%28v=ws.10%29.aspx) – Chris McKeown Nov 08 '13 at 13:44