Re: adding a second nic

From: James W. Long (JamesLong_at_wowway.com)
Date: 05/02/04


Date: Sun, 2 May 2004 19:56:58 -0400


Dear Kevin:
      Thank you for your reply!
   More follows, see below,
        Thanks,
            James Long.

"Kevin D. Goodknecht [MVP]" <admin@nospam.WFTX.US> wrote in message
news:u92gNoEMEHA.3664@TK2MSFTNGP10.phx.gbl...
> In news:i4KdndqH7O_ZzAnd4p2dnA@wideopenwest.com,
> James W. Long <JamesLong@wowway.com> posted a question
> Then Kevin replied below:
> > The checkbox "only the following IP addresses" is checked.
> > The two addresses are 10.0.0.200 (my inside) and 192.168.1.200 (my
> > outside).
> > I figured I had to check that, so I did that a while back.
>
> You should only have DNS listening on the internal address 10.0.0.200. That
> will create a host record with the machine name with the internal IP in the
> internal Active Directory domain zone. If you put 192.168.1.200 in the
> listener IP it will create a host for the machine name in the AD zone, which
> you stated you do not want.
>

OK, I took out the 192.168.1.200 listener.
BUT, my original intent was to run a second NIC on 192.168.1.200
with a gateway of 192.168.1.1 and assign it in DNS as a domain name
of outside, with a host name of ohostname,
and use that as my internet connection (ohostname.outside),
then use Internet Connection Sharing or WinGate to route
it to the 10.0.0.200 card, thus firewalling me to a degree.
BUT, DNS still thinks the 192.168 card has some affinity with my inside domain
name,
and that does not satisfy us.

So,
I switch over the 192.168.1.200 card to DHCP and everything goes away
(meaning that it gets a NEW address and nothing in DNS applies anymore),
so that doesn't work either, plus it STILL puts our inside hostname
and domain name in the DHCP request.

(If you have never seen this happen, try using Netmon with its built-in
protocol analyser.)

So, the plan NOW is to put a hardware firewall box upstream of the
server. This box runs a DHCP client ONLY on its outside address,
and its INSIDE address is 192.168.1.200, same as my new OUTSIDE NIC.

This lets me go back to the idea I had before, where I define a domain
on 192.168.1.200 called outside, with hostname ohostname.

Unfortunately, it doesn't work that way. DHCP one way or another
will ultimately get my internal domain and hostname, which
we don't want sent outside our network in any fashion whatsoever,
unless I can specify a hostname and domain name in the firewall box
that does not match mine, and it knows how to route between.

We do not care for anything else from our inside network to get out,
or from outside to get in, other than HTTP port 80 and BOOTP/DHCP
to get our address.

No Java, no ActiveX, no LDAP, nada;
nothing from ntoskrnl, no ports or protocols that aren't
HTTP 80.

We only ran DNS on 192.168.1.200 in hopes that our
external hostname and domain name (ohostname.outside)
would be seen rather than our inside hostname and domain,
but we just gave that idea up because it doesn't work.

Incidentally,
why can't I add a 27.in-addr.arpa file?
Why can't I add a 255.in-addr.arpa file?
I think I may go to a non-AD-integrated DNS server and run from files.
Then I can put anything I want in those and that is how I will be seen
from the outside.
Maybe I will go back to NT and do it with that.

We used 192.168 because it is "supposed to be private".
I don't believe that for a second and that is why my LAN is on 10.

>
> > I used regedt32 to add a REG_MULTI_SZ DnsAvoidRegisterRecords entry in
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> > I set its value to "LdapIpAddress" (no quotes).
> >
> > I am not understanding the part where you say to manually create a
> > blank host record I want published as an LDAP record, and how to do
> > the LDAP part of it.
> > ???
>
> To create this record open the Forward Lookup Zone for your Active Directory
> domain, create a new host, leave the name field blank, give it the internal
> IP 10.0.0.200, click 'Create', then click OK to create the record anyway when
> it barks at you saying (same as parent folder) is not a valid host name.
> This record will cause your domain name to resolve to 10.0.0.200.
>
Well, OK, I did, but if I need it for LDAP on the inside, OK, I added it.

BUT:
hostname, i.e. machine name, already resolves via NetBIOS over TCP/IP and ping
sees it.
hostname.domainname already resolves via DNS (I think this is the only
mechanism, but I would not be surprised if NetBIOS also does this).

The only two ways to cause domainname (by itself) to resolve are:
1. place a domainname CNAME insidehostname.domainname. in the forward
lookup zone for the domain,
or
2. place domainname in HOSTS as 10.0.0.200, and on other inside LAN
machines.

>
> > The machine name is ihostname and the domain is inside.
> >
> > In DNS I defined two domains, inside and outside.
> > machinename = ihostname, domain = inside.
> > ihostname.inside is on 10.0.0.200. static.
> >
> > The other domain = outside (not recognized by NetBIOS); DNS server (name
> > server) = ohostname.
> > ohostname.outside is on 192.168.1.200, static for now.
> >
> > I repeatedly deleted A recs for the opposing NS in my two zones (the
> > opposite one which does not belong with it)
> > ihostname A 192.168.0.200 always comes back on forward domain inside
> > after reboot.
> > that is NOT correct, ihostname is 10.0.0.200.
> >
> > (same as parent) SOA ihostname.inside always returns in forward
> > domain outside after reboot.
> > (same as Parent) NS ihostname.inside always returns in forward
> > domain outside after reboot.
> >
> > (same as parent) SOA ihostname.inside always returns in reverse
> > domain 192.168.1 after reboot.
> > (same as parent) NS ihostname.inside always returns in reverse
> > domain 192.168.1 after reboot.
>
> You cannot change the SOA of the AD Domain zone; it will always return to
> the machine's hostname when the zone refreshes.
> But you can stop it from resolving to 192.168.1.200 by removing that
> address from the listener address on the Interfaces tab.

I can tell you two ways you can.
a. Change domain and nv_domain, hostname and nv_hostname in
   hklm\system\currentcontrolset\services\tcpip\parameters.
b. Put in 127.in-addr.arpa and 255.in-addr.arpa files that say what you
   want.

>
>
> > I am not used to this AD thing. I also see a grey inside zone and a
> > grey outside zone
> > under "." and have tried to correct those as well.
>
> You have a "." (root) in Forward Lookup Zones?
> You should remove that zone by deleting it, as described in this KB:
> 300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
> http://support.microsoft.com/?id=300202
>
> >
> > No matter how sweet it looks before I reboot, it gets messed up
> > again after I reboot.
> > AD just hoses me.
> >
> > 1. Can't inside and outside stay independent? It keeps putting
> > references to inside
> > in my outside domain.
>
> They are two different names in different zones, correct?

Apparently not. This DNS server cannot distinguish them as being
separate. It necessitates that the inside domain name is always
associated with the second NIC no matter what.

Maybe I just need two DNS server machines to do what I want.

> > 2. I can foretell that it's going to send a DHCP request containing
> > ihostname.inside again.
>
> You lost me here?

Check out a Netmon trace of a machine issuing a DHCP request from the
command line with ipconfig /renew. You will see your internal
hostname go out onto the internet, and your internal domain name,
and your DC status,
and LDAP will then try to send a whole lot of other stuff
if you don't stop it.

>
>
> > 3. Is there a way to get it to send ohostname.outside as the internet
> > connection name?
> > That would be what I am trying to get it to do.
>
> So are you hosting the public domain zone on this DNS server, too?
> This is really not recommended, but it can be done as long as the zone only
> contains publicly routable IP addresses for the records. It cannot give
> out any private addresses to the public.

DHCP will not hesitate one iota to give out your private domain name and
hostname or machine name.

If a zone is named "outside" and its DNS server is ohostname,
and it runs on 192.168.1.200, is that public? I hope not. But that's the
closest this DC comes to running anything public, and it was a temporary
idea to isolate the outside from the inside.

Out of ideas.

James W. Long.
>
>
>
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ============================
> --
> When responding to posts, please "Reply to Group" via your
> newsreader so that others may learn and benefit from your issue.
> To respond directly to me remove the nospam. from my email.
> ==========================================
> http://www.lonestaramerica.com/
> ==========================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ==========================================
> Keep a back up of your OE settings and folders with
> OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ==========================================
>
>
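The DHCP leak James describes above (the client's own host name and domain name going out in a DHCP request, visible in a Netmon trace), as an added example that is not part of the original thread or of any Microsoft tool: a Python parser for the DHCP options area that reports the name-bearing client options, Host Name (option 12) and Client FQDN (option 81, RFC 4702), so a captured request can be checked for an internal name before it reaches an upstream network. The packet builder, the host name ihostname and the FQDN ihostname.inside are constructed sample data, not a real capture.

```python
import struct

# Constructed sample data mirroring the thread: internal host/domain names.
SAMPLE_HOSTNAME = "ihostname"
SAMPLE_FQDN = "ihostname.inside"

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME = 12       # RFC 2132 host name
OPT_MSG_TYPE = 53        # DHCP message type
OPT_CLIENT_FQDN = 81     # RFC 4702 client FQDN: flags, rcode1, rcode2, name
FQDN_FLAG_E = 0x04       # E flag: name is in DNS wire (label) encoding, else ASCII


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP message.
    Raises ValueError for non-DHCP or truncated input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value   # RFC 3396 long-option splitting is not reassembled here
        i += 2 + length
    return opts


def decode_wire_name(data: bytes) -> str:
    """Decode an uncompressed DNS label sequence ("\x09ihostname\x06inside\x00")."""
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in option 81")
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def name_disclosures(payload: bytes) -> list:
    """List the (option, name) pairs a client message sends that carry its own name."""
    opts = parse_dhcp_options(payload)
    found = []
    if OPT_HOST_NAME in opts:
        found.append(("host-name", opts[OPT_HOST_NAME].decode("ascii", "replace")))
    if OPT_CLIENT_FQDN in opts and len(opts[OPT_CLIENT_FQDN]) >= 3:
        v = opts[OPT_CLIENT_FQDN]
        flags, name = v[0], v[3:]
        text = decode_wire_name(name) if flags & FQDN_FLAG_E else name.decode("ascii", "replace")
        found.append(("client-fqdn", text))
    return found


def build_dhcp_request(hostname=None, fqdn=None, wire_encoding=False) -> bytes:
    """Construct a minimal DHCPREQUEST for demonstration (not a captured packet)."""
    chaddr = bytes.fromhex("001122334455") + bytes(10)             # 16-byte hardware address field
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0,
                         bytes(4), bytes(4), bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    options = bytes([OPT_MSG_TYPE, 1, 3])                           # DHCPREQUEST
    if hostname:
        hn = hostname.encode("ascii")
        options += bytes([OPT_HOST_NAME, len(hn)]) + hn
    if fqdn:
        if wire_encoding:
            name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in fqdn.split(".")) + b"\x00"
            flags = FQDN_FLAG_E
        else:
            name, flags = fqdn.encode("ascii"), 0
        body = bytes([flags, 0, 0]) + name
        options += bytes([OPT_CLIENT_FQDN, len(body)]) + body
    return header + DHCP_MAGIC + options + bytes([OPT_END])


if __name__ == "__main__":
    pkt = build_dhcp_request(SAMPLE_HOSTNAME, SAMPLE_FQDN)
    for opt, name in name_disclosures(pkt):
        print(f"client discloses {opt}: {name}")
```

Run against real traffic, the same `name_disclosures` check over the UDP payload of each outbound port 67 datagram is a quick way to confirm whether a Windows client is still tagging its requests with the internal FQDN, which is the condition that suggests the upstream firewall box should be the only DHCP client facing the provider.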
