AD over the IPv6 Internet with end-to-end IPsec using certificate-based authentication.
In a distributed IT environment like Stanford, where teams are empowered to create their own servers using IaaS solutions like Amazon EC2, there are several patterns of practice that enable greater velocity and scalability of change:
- Use of auto-assigned IP addresses and DNS servers, as provided by the cloud vendor
- Arbitrariness of the virtual network's private IP space
- Exclusive reliance on the publicly routed internet for service discovery and communication
While employing these patterns confers significant benefits, complications arise when applying them to a service like Active Directory, which, as a high-value attack target, is often cordoned off on private networks with its services unexposed to the public internet. So a problem emerges: when a cloud-based server needs to join an AD domain, but the domain controllers (DCs) reside in a different virtual network, how are the DCs discovered and their services consumed over the public internet without compromising security?