Re: networking private and public hosts questions
From: Pierre (Pierre_at_discussions.microsoft.com)
Date: 01/05/05
- Next message: Pierre: "Re: networking private and public hosts questions"
- Previous message: Dave: "WIFI Networkign"
- Next in thread: Pierre: "Re: networking private and public hosts questions"
- Reply: Pierre: "Re: networking private and public hosts questions"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 5 Jan 2005 11:51:06 -0800
Makes sense to me. Since my initial post, I have been given authority to use some systems in storage to create a test network. Here's how it's going......
The test network contains one AD DC which is the parent with a suffix of domain.ca, and one WS is a member of that domain; everything is fine with DNS installed and both have a static IP.
A second DC is a child with a suffix of city.domain.ca (the parent is domain.ca) and also has DNS configured forwarding to the parent. (This test network is live on the internet.)
DHCP server is running on the child DC which was configured on the parent and replicated to the child (that part was pretty cool to set up). I have attached a WS to the child and attempted to pull an IP from the DHCP server, but no go.
I have added a second IP address in Internet Protocol/Advanced of 192.168.1.1 to city.domain.ca which I want to distribute private IPs, that way I can keep our local network protected. Incidentally, the NAT Firewall will be configured as you mention, I just don't want to concern myself with that at this time.
So, to recap, my test network has a public and private side. Each has a DC and the public side is static while the private side will be DHCP. The problem now is that I cannot receive IPs from the server even after I try all the usuals....ipconfig/all, etc.
DHCP is set up as follows:
servername - city.domain.ca [static IP address]
- scope [192.168.1.0] city
- Address Pool
- ....... exclusions, etc .......
- scope options
- router - 192.168.1.1
- DNS server - the parent IP address
- DNS Domain Name - city.domain.ca
I do not currently have a second NIC in the DHCP server and would prefer not to go that route, although I have done it before and it does work.
I have not set up NAT or Routing and figured there was no point if I can't even get an IP.
Do you see anything wrong here?
"Phillip Windell" wrote:
> Well,...there is no way to do this "live". There are so many things here
> that will not work like you are thinking, that I don't know where to begin.
> I'll indicate at the bottom how I think you should do this, but first, to
> try to clear up misunderstandings....
>
> There is no way to run them at the same time while you are doing it.
>
> DHCP isn't going to "help". It really doesn't matter if you ran DHCP or ran
> all Static,..it just doesn't matter.
>
> DHCP isn't going to give addresses from the other Scope if the first scope
> "filled up" anyway.
>
> DHCP Scopes should always use the full range of addresses that are in the
> Network being used. You then use Exclusions to separate the addresses you
> want it to hand out vs the ones you don't.
>
> The two addresses ranges (192.* and the 30 public ones) will not work
> together at the same time.
>
> RRAS with routing enabled is worthless unless you are building one machine
> in a key topological location as specifically a router. That will only work
> in a properly planned out and properly designed situation and I really can't
> tell what you have done or not done towards that.
>
> Private addresses are not compatible with the Internet,...they are not
> "internet routable". So yes, you need to run NAT. You could also use a
> proxy server like MS ISA. Both proxying and "nat" accomplish the same task,
> but they are *not* the same thing.
>
> You have a Checkpoint Firewall,...why aren't you using that as a NAT
> Device? That is primarily what it is designed for,..a NAT Firewall.
>
> ---- Here's how I would do it, .....off the top of my head ----
>
> Now, you could do this whole thing in a few hours. This is how I would
> recommend it be done. I like to keep things straight-forward, simple,
> logical, and organized. You can get complicated, convoluted, and strange
> all you want after you have a dependably running network:
>
> 1. Come in on the week-end or after hours and set all the workstations to
> get their address automatically (DHCP) and then shut them down and leave
> them down.
>
> 2. Setup the CheckPoint to run as a NAT Firewall, or use whatever your
> favorite NAT Device is going to be. Use one of your Public addresses for
> the External side interface. Choose a Private Range to use. Use a higher
> number in the third Octet (like maybe 192.168.50.x) to avoid future clashes
> with the heavily "over-used" lower numbers. Use the first one
> (192.168.50.1) as the NAT Firewall's Internal side interface. Assuming you
> only use one subnet on the private side, this number 192.168.50.1 will be
> the Default Gateway of all machines (via either DHCP or Static).
>
> 3. Move all the Servers to the private side of the Firewall and start
> Statically re-addressing them. Start with 192.168.50.10 and go up from
> there. This leaves a buffer of a few lower addresses for future Hubs,
> Switches, and other networking hardware that takes IP#s. Your Domain
> Controllers must point to themselves in their DNS Setting and the ISP's DNS
> should be listed in their Forwarders List. Your ISP's DNS should *not*
> appear anywhere else other than the Forwarders List in your DNS
> Configuration.
>
> *Note*,....*all* Servers should run Static Addresses,..you don't want them
> to "slit their throats" if one morning you wake up and the DHCP Service
> isn't working. And also,...One active NIC per machine,...No multi-homed
> machines anywhere except for the NAT Device!
>
> 4. Create a DHCP Scope on the DHCP Server. Only one Scope. No Superscopes!
> Use the whole range of 192.168.50.1 -- 192.168.50.254. Set Exclusions for
> 192.168.50.1 -- 192.168.50.99 and another Exclusion for 192.168.50.201 --
> 192.168.50.254. This leaves the numbers below *.100 and above *.200 for
> future equipment use. This will give you 101 total addresses to automatically
> give to clients in the range of 192.168.50.100 -- 192.168.50.200. If you
> need more than 101, adjust your Exclusions to accommodate.
>
> In the DHCP setup use the Scope Options under the Scope,..do not use the
> Server Options. These are the Options you should set. If you don't run
> Active Directory then Option 006 would be your ISP's DNS and you would not
> use Option 015 at all. Omit Options 044 & 046 if you don't have a WINS
> Server:
>
> 003 Router = 192.168.50.1
> 006 DNS Servers = <List your AD DNS Servers>
> 015 DNS Domain Name = <Your AD FQDN, like "mycompany.loc">
> 044 WINS/NBNS Servers = <Your WINS Servers if you have any>
> 046 WINS/NBT Node Type = 0x8 (Only if you have WINS)
>
> 5. Power up the workstations. They should all grab a new address from the
> freshly configured DHCP and all should be well.
>
> I don't think I left anything out, but I *did* do this off the top of my
> head, so think it all through as you do this, in case I forgot anything.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
> "Pierre" <pdeguire@sirc.ca> wrote in message
> news:2fc9adc2.0412150943.10249cb0@posting.google.com...
> > We currently have a W2K network consisting of the following;
> >
> > DSL line thru a Checkpoint Firewall, to 3 switches, then to
> > servers/workstations. Servers are using a mix of static (for web
> > server, etc.) and dhcp (for file/print servers, etc.) addresses on a
> > block of addresses provided by our ISP. Currently all is well.
> >
> > We are switching to a new ISP and have only 30 addresses so we will be
> > changing to a private range for our internal network, likely
> > 192.168.0.0 with a dhcp range of 192.168.0.2 to 192.168.0.254
> > (192.168.0.1 will be assigned to the NIC on the DC which will also
> > have the new public IP address assigned to it).
> >
> > We are unable to test due to budget restraints, so it all has to
> > happen live.
> >
> > The only way I can test is by connecting a laptop and temporarily
> > assigning a static IP (192.169.0.50). So far, I am able to see the
> > whole network but can only 'talk' to the DC. I cannot browse any
> > other machines, nor can I get out to the web.
> >
> > I have already set up a second scope for the private range, but I
> > understand that dhcp will not use this range until the public range is
> > full (4 IP's left).
> >
> > Do I need to use NAT? I am planning to adjust the registry to enable
> > IP routing at end of day, will this help? I have tried to use
> > IProuting in RRAS but that doesn't seem to affect anything.
> >
> > Any help will be appreciated.
>
>
>
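Added example, not part of the thread above and not Phillip Windell's or Pierre's own configuration: the scope, exclusions and scope options from Windell's step 4, scripted with the DhcpServer and DnsServer PowerShell modules that ship with Windows Server 2012 and later (the 2005 thread predates these cmdlets; on Windows 2000/2003 the same settings are made in the DHCP MMC snap-in). The script then runs the checks a practitioner would want before powering the workstations back on: that the leasable pool really is 101 addresses, that the DHCP server is authorised in Active Directory (an unauthorised server in an AD forest will not answer clients at all), that the server is not multi-homed, and that the DC's DNS client points at itself with the ISP's DNS only in the forwarders list. The addresses, the DNS server 192.168.50.10 and the domain city.domain.ca are assumptions for illustration, and the checks are general hygiene, not a diagnosis of the lease failure Pierre describes.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+
# with the DhcpServer (and optionally DnsServer) modules, run on the DHCP server.
# All addresses, the DNS server and the domain name below are assumptions.

#Requires -Modules DhcpServer
$ErrorActionPreference = 'Stop'

$ScopeId    = '192.168.50.0'          # whole /24, as Windell recommends
$Mask       = '255.255.255.0'
$Gateway    = '192.168.50.1'          # NAT firewall's internal interface (option 003)
$DnsServer  = @('192.168.50.10')      # assumed AD-integrated DNS server(s) (option 006)
$DnsDomain  = 'city.domain.ca'        # assumed AD FQDN (option 015)
$WinsServer = @()                     # e.g. @('192.168.50.11'); leave empty if there is no WINS

# --- Step 4: one scope over the full range; exclusions carve out the static pools ---
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'city' -StartRange '192.168.50.1' -EndRange '192.168.50.254' `
        -SubnetMask $Mask -State Active -LeaseDuration (New-TimeSpan -Days 8)
}
# .1-.99 for the firewall, servers and network gear; .201-.254 for future equipment
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange '192.168.50.1'   -EndRange '192.168.50.99'
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange '192.168.50.201' -EndRange '192.168.50.254'

# Scope options (not server options): 003, 006, 015, and 044/046 only with WINS
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway -DnsServer $DnsServer -DnsDomain $DnsDomain
if ($WinsServer.Count -gt 0) {
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -WinsServer $WinsServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 46 -Value '8'   # 0x8 = hybrid node type
}

# --- Checks before the workstations are powered back on ---

# 1. Leasable pool should be exactly .100-.200, i.e. 101 addresses.
$stats = Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId
"Leasable addresses: $($stats.Free + $stats.InUse) (expected 101)"

# 2. In an AD forest the DHCP server must be authorised or it will not hand out leases.
$me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (-not (Get-DhcpServerInDC | Where-Object { $_.DnsName -ieq $me })) {
    Write-Warning "$me is not authorised in Active Directory; run: Add-DhcpServerInDC -DnsName $me"
}

# 3. Windell's rule: one active NIC, one address, on everything except the NAT device.
$addrs = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
if (($addrs | Measure-Object).Count -gt 1) {
    Write-Warning ("Server is multi-homed: " + (($addrs | ForEach-Object IPAddress) -join ', '))
}

# 4. DC DNS hygiene: the DC points to itself; the ISP's DNS appears only as a forwarder.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
"DNS client points to: $($clientDns -join ', ')"
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    "Forwarders: $((Get-DnsServerForwarder).IPAddress.IPAddressToString -join ', ')"
}
```

Run it in an elevated PowerShell session on the DHCP server; the exclusion cmdlets will error if the ranges already exist, which is harmless on a re-run. Compare the "DNS client points to" line against the DC's own address and the "Forwarders" line against the ISP's resolvers; any ISP address showing up in the client list is the misconfiguration Windell warns about.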