IT Connect

Information technology tools and resources at the UW

Moving Domain Controllers to p172

Brute force password attacks from the Internet are a significant threat to Windows domains at the University of Washington. Domains without a firewall have a higher risk profile, and users with simple passwords are rapidly exploited. Depending on the policy implemented, failed brute force attempts can also lockout users and rapidly fill security logs.

Implementing a firewall for domain controllers (DCs) can be problematic. Any domain controller in a forest must be able to freely communicate with other domain controllers in the forest. And all domain clients should be able to contact the domain controllers on some regular basis. This can make firewall configuration a difficult task.

An alternative or a supplement to a firewall is to locate your domain controllers on the private 172 address space (p172). This keeps the domain controllers from being directly accessible from the internet. The DCs enjoy the full range of operational functionality, and campus DNS services will resolve the p172 DNS records associated with Active Directory services that DCs require for functionality. However, only clients that are within the UW border can resolve the p172 DNS records. Clients outside the border will not resolve those p172 based DNS records. Your off-campus clients can leverage a VPN to get access to your domain controllers.

NOTE: putting your DCs on p172 does not completely insulate them from brute-force attacks–any domain client that has an open port to internet traffic can be used to brute force users on your domain controllers. For example, remote desktop on domain clients is a common way to brute force users on your domain controller regardless of whether the DCs are on p172 or have a firewall.

How to move a DC to p172

  • Identify the p172 IP network matching your public IP network the existing domain controller is on.
             128.95.x    - 172.25.x 
             128.208.y    - 172.28.y 
             140.142.z    - 172.22.z  
    
  • Send an email to netops@u, asking to coordinate DNS changes. The NOC should respond within one business day and issue you a new IP on p172. Coordinate with the NOC on timing to move all DNS records to utilize the new IP.

Example:

From:  Jane Smith <jsmith@u.washington.edu> 
To: netops@u.washington.edu 
Subject:  migrate domain controller(s) to 172 network 
Hello, 
I'm Jane Smith, the domain contact for xyz.washington.edu. 
I would like to move Domain Controller(s) in my domain to 172 network: 
    host name             =   hostname.domainname.washington.edu 
    current IP address    =   128.xxx.xxx.xxx 
Please check all corresponding DNS records for this host(s) to reflect the IP address change. 
Jane Smith 
  • After receiving a response from the NOC please allow up to 30 minutes for propagation to occur. You can use nslookup or other DNS client tools to verify for yourself that the change has been made.
  • Change the IP address on the domain controller to p172.
  • Run the support tools dcdiag and netdiag to verify directory and network operations.
  • Check the event logs on other DCs in that domain for errors.