Re: How to decide on which network interface domain controller is available
- From: "RAP" <rap.nospam2@xxxxxxx>
- Date: 18 Jun 2006 04:13:52 -0700
Hi Cliff,
By now I was able to solve the problem at least partly, I reordered the
network interfaces under the extended settings of the network
neighborhood. Now all communication goes through the internal LAN.
Regards, Robert
Enkidu schrieb:
Fair enough. I still think it is the wrong decision - you *will* as you
have found have problems with multi-homed DCs as you have found - since
you expose your DC even if only a little bit. I hope that someone can
answer the original question for you.
Cheers,
Cliff
RAP wrote:
Hi Cliff,
I am aware that our setup is not optimal from a security point of view,
but we are a private network with limited resources, from hardware to
software everything is 2nd hand.
We are having two servers (normal PCs) and I decided that for us it is
more important to have fault-tolerance (since I am away often and a
hardware failure could mean a downtime of several weeks) then to
increase security. Therefore we dedicated both machines to both jobs
(DC and Internet Gateway/Servers).
Regards, Robert
Enkidu wrote:
RAP wrote:
Hi,
I have two domain controllers, both are connected to an internal (LAN
with clients) and an external (a DMZ) network.
How can I configure the servers in a way that the domain controller
functionality is only available on the internal network?
My current problem is that the DNS server has both IP addresses for
each server under one name. I cannot remove the external one, Windows
automatically re-creates the entry. Now, when I resolve the name of
server2 on server1 with nslookup it results in both IP addresses. For
some reason the external address is choosen and any communication (e.
g. ping or mount network drive) goes via the external network. This is
not what I want, it should go via the internal (much faster) network.
I was hoping that when I deactivate the domain controller functionality
on the external interface it will not re-create the entry in the DNS,
however I'd be happy about any other solution for my problem as well.
Multi-homed DCs are always a bad idea, unless you cannot think of any
other way of doing it. The way that you are doing it is essentially
nullifying the security of having a DMZ, since if the DC on the DMZ
(which is not absolutely trusted) is compromised, the attacker has a
machine on your LAN!
Of course you may have reasons for doing it that way that I know nothing
about, in which case my comments may help others. Just please disregard
them.
.
- Follow-Ups:
- Re: How to decide on which network interface domain controller is available
- From: Kevin D. Goodknecht Sr. [MVP]
- Re: How to decide on which network interface domain controller is available
- References:
- How to decide on which network interface domain controller is available
- From: RAP
- Re: How to decide on which network interface domain controller is available
- From: Enkidu
- Re: How to decide on which network interface domain controller is available
- From: RAP
- Re: How to decide on which network interface domain controller is available
- From: Enkidu
- How to decide on which network interface domain controller is available
- Prev by Date: Re: Upgrade Help!
- Next by Date: Re: GPO update issue, \\domain.net\sysvol not accesible
- Previous by thread: Re: How to decide on which network interface domain controller is available
- Next by thread: Re: How to decide on which network interface domain controller is available
- Index(es):
Relevant Pages
|
Loading
