
I'm doing a class which involves security/malware testing and therefore want to isolate my labs to their own network with no routing to the main site. I want to be able to set policies, create users, etc. from my main DC which exists on the main network. The firewall has routing such that the main network can access both lab networks but the lab network can not talk to the main network unless related/established. I'm not a big Windows guy so I need a little bit of guidance. The topology is as follows.

I don't have enough rep to post images so please see the topology

[Image: Topology]

I foresee the following problems:

  • The lab DCs can not use the main DC as a DNS server or LDAP server since the lab DCs can not talk to the main one for the most part. The PCs in the respective labs can use their respective DCs as DNS servers.
  • The main DC can "push" policies to the other DCs but as to the point above the other DCs can not pull anything from the main DC.
  • I assume all FSMO roles will need to be held on the Main DC.
  • How can I even DCPromo the lab DCs if they can not use the main DC as a DNS server.

Is what I'm trying to achieve even possible?

John K. N.

1 Answer
  • The main DC can "push" policies to the other DCs but as to the point above the other DCs can not pull anything from the main DC.

  • I assume all FSMO roles will need to be held on the Main DC.

The purpose of a lab environment is that it is autarkic and not connected to any non-lab environments. To have your main DC pushing policies to the lab environment would only be possible if you'd connect your lab environment to the main Active Directory. But then you couldn't call that a lab environment anymore. I can't tell you for sure if what you want is possible, but only because (in my opinion) it doesn't follow reasonable business information technology management practices (which is also a close reason) and so I never implemented something like that.

But since you ask if that is possible, not how to actually do that, instead of close-voting I will tell you that your plans sound like worse-practice. So please don't do that.

My suggestion is to create an autarkic lab environment and create a new lab forest. If you need policies from your main DC, then your best option is to export the policies from the GPMC and re-import them in your lab environment.

Edit:

[From your comment below] This isn't a main DC as in the org one. It's a DC everyone in the class can access.

I didn't understand that from your question. In that case the only thing you can do to not break AD replication is to implement Read-Only Domain Controllers in your labs. But that would only work to an extent because:

What operations fail if the WAN is offline, but the RODC is online in the branch office? [Which would reflect your planned setup; RODC cannot contact the writable DC.]

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:

  • Password changes

  • Attempts to join a computer to a domain

  • Computer rename

  • Authentication attempts for accounts whose credentials are not cached on the RODC

  • Group Policy updates that an administrator might attempt by running the gpupdate /force command

Source: https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Daniel
  • This is applicable to remote sites as well. My point is, is it possible for a main DC to "push" policies to subordinates without them being able to directly communicate back inbound. How can you join the domain in an environment with this case. Let's say a company has a remote site and they don't want to VPN. Same concept. This isn't a main DC as in the org one. It's a DC everyone in the class can access. It's a single point to create policies for me while still keeping the labs isolated. If I have 10 labs I don't want to go to 10 DCs to create a user. The labs can't talk. I don't want 2 – NetworkErr0r Dec 21 '16 at 12:09
  • 1
    Agree with @Daniel. Embrace the lab concept and keep it separate, otherwise its not a lab. Learn how to script easily repeatable operations like user creation. http://serverfault.com/questions/415929/using-powershell-to-create-user-accounts-from-a-csv – Clayton Dec 21 '16 at 16:01
  • I would agree. Especially saying that OP is dealing with malware. It's possible that information from the parent domain could be stolen and leaked. I would not want anything to communicate to these machines from a production network. One slip up could compromise production data. – AtomicFireball Dec 21 '16 at 18:31
  • @NetworkErr0r If a company has a remote site and they don't want to VPN, then there is no connection *at all*. Anyway, the **only** thing you can do is to implement RODCs in your test labs, but then they won't be able to change anything. There is no other solution that doesn't break Active Directory Replication. – Daniel Dec 22 '16 at 07:14
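The comments point at the practical answer to "I don't want to go to 10 DCs to create a user": keep the lab forests separate and script the user creation so one run fans out to every lab. The following is an added example, not code from the thread or the linked ServerFault question. It assumes the ActiveDirectory RSAT module on an admin host on the main network (which the firewall lets initiate connections to the labs), one admin credential per lab forest with no trust between forests, and constructed lab names (labdc1.lab1.example, labdc2.lab2.example) and CSV rows that exist only for illustration.

```powershell
# Added example (not from the original thread): create the same users in
# several isolated lab forests from one script, instead of putting the labs
# into one domain. Lab names and CSV rows below are constructed sample data.
# Assumes: RSAT ActiveDirectory module, admin host on the main network, and a
# separate admin account for each lab forest (no trust between forests).

#Requires -Modules ActiveDirectory

# Constructed sample input; in practice use: $users = Import-Csv -Path .\users.csv
$users = @'
SamAccountName,GivenName,Surname,OU
student01,Ada,Lovelace,OU=Students
student02,Alan,Turing,OU=Students
lab-admin,Lab,Admin,OU=Staff
'@ | ConvertFrom-Csv

# One entry per isolated lab forest (assumed names).
$labs = @(
    @{ Server = 'labdc1.lab1.example'; DomainDN = 'DC=lab1,DC=example'; UpnSuffix = 'lab1.example' },
    @{ Server = 'labdc2.lab2.example'; DomainDN = 'DC=lab2,DC=example'; UpnSuffix = 'lab2.example' }
)

function New-RandomPassword {
    # 24 random bytes from a CSPRNG, Base64-encoded: 32 chars with upper, lower,
    # digits and symbols, so it passes the default complexity policy.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($lab in $labs) {
    # Separate credentials per forest: a compromised lab1 must not yield lab2,
    # and nothing here is a credential from the main network.
    $cred = Get-Credential -Message "Admin credential for $($lab.Server)"

    foreach ($u in $users) {
        $path = "$($u.OU),$($lab.DomainDN)"

        # Idempotent: skip accounts that already exist so the script can be re-run.
        $existing = Get-ADUser -Server $lab.Server -Credential $cred `
            -Filter "SamAccountName -eq '$($u.SamAccountName)'"
        if ($existing) {
            Write-Verbose "$($u.SamAccountName) already exists on $($lab.Server)"
            continue
        }

        # Fresh initial password per user per lab; never the same value across labs.
        $initial = New-RandomPassword

        New-ADUser -Server $lab.Server -Credential $cred `
            -SamAccountName $u.SamAccountName `
            -Name "$($u.GivenName) $($u.Surname)" `
            -GivenName $u.GivenName -Surname $u.Surname `
            -UserPrincipalName "$($u.SamAccountName)@$($lab.UpnSuffix)" `
            -Path $path `
            -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
            -ChangePasswordAtLogon $true `
            -Enabled $true

        # Emit the initial password for out-of-band delivery; the user must
        # change it at first logon.
        [pscustomobject]@{
            Lab             = $lab.UpnSuffix
            User            = $u.SamAccountName
            InitialPassword = $initial
        }
    }
}
```

Each lab keeps its own forest, its own FSMO roles and its own DNS, so nothing in the lab ever needs to reach the main network; the only traffic is the admin host's outbound LDAP/Kerberos session to each lab DC, which the question's firewall policy already permits. Pipe the output to Export-Csv if you need a hand-out list, and delete that file once the initial passwords have been changed.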