Re: NAT and AD
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 09/01/04
- Next message: jabrandt_at_online.microsoft.com: "Re: Unable to login from DC only(Profile)"
- Previous message: jabrandt_at_online.microsoft.com: "Re: Unable to login to DC"
- In reply to: Charlie M: "Re: NAT and AD"
- Next in thread: Charlie M: "Re: NAT and AD"
- Reply: Charlie M: "Re: NAT and AD"
- Reply: Cary Shultz [A.D. MVP]: "Re: NAT and AD"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 1 Sep 2004 14:42:40 -0400
Charlie M wrote:
> Thank you for your comments gentlemen. Always good having food for
> thought.
>
> Let me expand a bit.
>
> 1. The network has been in place for almost 5 years, and with the
> exception of downtime for patches and upgrades has been extremely
> reliable.
>
> 2. The private IP's are a legacy of PCAnywhere use.
>
> 3. Our firewall is a loaded Sonicwall 3060 ($3,000)
>
> 4. As a one man shop with 50 Wall Street attorneys as clients, to be
> truthful, I am a little daunted about the prospect of changing the IP
> addresses on 4 servers and 50 PCs and having all my applications work
> without having to re-install and re-patch them.
What app/s do you run on your network that is/are hard-coded to use a
specific IP address, rather than a computer name?
>
> 5) Why is it that the NAT configuration worked for 2 months and then
> broke when the only changes to the server was the installation of
> MS's security patches?
I really can't say for sure. Your setup sounds like nothing I've worked
with myself ... I've always used a router/firewall to handle NAT. So why not
just bite the bullet and set it up cleanly now?
>
<snip>
>
> I know that there are other network configurations that would
> eliminate the issue, but rebuilding the complete IP Infrastructure at
> a going concern is really not a practical choice.
Are you using DHCP? If so, this is really not a terribly daunting task and
could be done at night or on a weekend day. (And if you aren't using DHCP,
why not? There's no practical reason to use statics. Even if some clients
need to always use the same address, you can always use reservations. Heck,
you can do that for printers, too.)
Basics:
Set up your Sonicwall to do NAT.
Change the IPs on the servers
Change your DHCP server settings so everything is on a private IP network
such as 192.168.0.0, 172.30.1.0, whatever you want. Subnet mask of
255.255.255.0 will work fine for you. Set up a single scope from .1 - .254,
and exclude .1 - .50 or .1 - .100 - and perhaps also .200 - .254. Use the
lower end for your servers, printers, router, etc. Usually people use .1 for
the router/gateway (Sonicwall) but there's no law that says you have to.
(If you run WINS, change it, too.)
Change your DNS server. Make sure you have everyone (servers & clients) use
*only* the AD DNS server's private IP - no outside DNS servers. Use
forwarders in your DNS server itself to point to your ISP's DNS servers.
Run ipconfig /release & ipconfig /renew on the clients. Make sure everyone
is registered with the new IPs in DNS (and that you're set to allow dynamic
updates). You can manually delete old entries in your forward/reverse lookup
zones if you have to. Check WINS if you use it to make sure it's got the
correct current info as well.
I have used this setup a gazillion times and it will work better than what
you have now. Meaning, I suppose, that it should actually *work*. If I've
forgotten something in the above steps I welcome corrections, as always...
Hope this is at least somewhat helpful.
>
<snip>
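A worked version of the re-IP procedure in the reply above, as an added example that is not part of the original post and not Lanwench's own commands. It uses the DhcpServer and DnsServer PowerShell modules of current Windows Server (Server 2012 or later; they postdate the 2004 thread, where the same steps were done in the DHCP and DNS MMC consoles). The zone name corp.example.com, the 192.168.0.0/24 plan, the old public prefix 198.51.100., the printer MAC address and the ISP resolver addresses are all placeholders.

```powershell
# Added example (not from the original post): move an AD LAN onto
# 192.168.0.0/24 behind a NAT firewall, following the steps in the reply.
# Assumes a Windows Server with the DhcpServer and DnsServer modules
# installed (RSAT / Server 2012+). Every name and address is a placeholder.

$Domain  = 'corp.example.com'              # assumed AD DNS zone name
$ScopeId = '192.168.0.0'
$Mask    = '255.255.255.0'
$Gateway = '192.168.0.1'                   # the Sonicwall doing NAT
$AdDns   = '192.168.0.10'                  # DC running AD-integrated DNS
$IspDns  = '203.0.113.1', '203.0.113.2'    # ISP resolvers (placeholders)

Import-Module DhcpServer, DnsServer

# --- DHCP: one /24 scope, low and high ends excluded for static gear ---
Add-DhcpServerv4Scope -Name 'LAN' -StartRange '192.168.0.1' `
    -EndRange '192.168.0.254' -SubnetMask $Mask -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange '192.168.0.1'   -EndRange '192.168.0.50'
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange '192.168.0.200' -EndRange '192.168.0.254'

# Scope options: gateway, and *only* the AD DNS server as resolver.
# Clients must never be handed an outside DNS server here: the SRV
# records they need for LDAP/Kerberos only exist in the internal zone.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway `
    -DnsServer $AdDns -DnsDomain $Domain
# If WINS is still in use, hand that out too.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -WinsServer $AdDns

# Devices that must keep one address get a reservation, not a static.
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress '192.168.0.60' `
    -ClientId '00-11-22-33-44-55' -Name 'printer-3rd-floor'   # placeholder MAC

# --- DNS: forwarders to the ISP live on the server, not on clients ---
Set-DnsServerForwarder -IPAddress $IspDns
# Secure dynamic updates: only the machine (or the DHCP server) that
# owns a record may overwrite it, so a rogue host on the LAN cannot
# re-register a server's name to its own address. Requires an
# AD-integrated zone.
Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure

# --- Cleanup: find A records still pointing at the old public range ---
$OldPrefix = '198.51.100.'   # placeholder for the old public addresses
$Stale = Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -like "$OldPrefix*" }
$Stale | ForEach-Object {
    Write-Host "Removing stale record $($_.HostName) -> $($_.RecordData.IPv4Address)"
    Remove-DnsServerResourceRecord -ZoneName $Domain -InputObject $_ -Force
}

# --- Client side (run on each PC once the server work is done) ---
#   ipconfig /release; ipconfig /renew; ipconfig /registerdns
# Then confirm the client is using only the AD DNS server:
#   Get-DnsClientServerAddress -AddressFamily IPv4 |
#       Select-Object InterfaceAlias, ServerAddresses
# and that the DC locator records resolve through it:
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $AdDns
```

The stale-record sweep is the step most often skipped: a client that still resolves a server to its old public address will try to reach it through the NAT box instead of directly, which looks exactly like the "worked for two months, then broke" symptom. Run the sweep again a day later, after every client has renewed, and consider enabling DNS scavenging so the next change does not leave the same debris.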