Re: DNS NAT Problem



Hi,

I agree with Kevin's great information.

Hope it helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
Reply-To: "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx>
From: "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx>
References: <57945B0D-51C9-450B-8650-91936AE60C79@xxxxxxxxxxxxx>
<fBq9WamaGHA.5300@xxxxxxxxxxxxxxxxxxxxx>
<BB40559E-19F2-4FE7-80E7-E785E75BA7F3@xxxxxxxxxxxxx>
Subject: Re: DNS NAT Problem
Date: Fri, 28 Apr 2006 07:55:00 -0500
Lines: 88
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <e8qY3LsaGHA.4972@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.dns
NNTP-Posting-Host: ns2.lonestaramerica.com 65.65.91.210
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:27947
X-Tomcat-NG: microsoft.public.windows.server.dns

ace95hockey wrote:
This is a very strange situation. It is a University and because of
students and such all being on the same network we get as many
problems from hackers and viruses as we do from outside the
University. Because of physical location and network structure it is
not possible to have clients behind the firewall. We have this
scenario setup in other locations without the NAT though. Can anyone
think of a way to make this work with NAT?

Yes, it is possible, but as I said in my earlier reply, you'll be making the
firewall into Swiss cheese. Once you open the ports it would be just as well
to put the DC in a DMZ, so as to not expose other servers behind the
firewall. You would be better off to use a VPN.

You can make the DC publish public IP addresses for itself and you will need
to manually create a few records after you stop the registrations.

Here's the reg key for the domain controller name:
Use Regedt32 to navigate to this key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

On the Edit menu, point to New, and then click String Value to add the
following registry value:
Value name: PublishAddresses
Data type: REG_SZ
Value data: IP address of the server's local network adapter. If you have to
specify more than one IP address, separate the addresses with spaces.

Here's the reg key for the LDAP IP address and Global catalog address
Netlogon registers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords

Data type: REG_MULTI_SZ
LdapIpAddress
GcIpAddress

Create hosts in DNS

In DNS in the Forward Lookup Zone for the Active Directory domain name,
create a new host, leave the name field blank, give it the IP of the
internal interface.(Windows 2000 barks at you saying "(same as parent
folder) is not a valid host name", click OK to create the record anyway).

If this is also a Global Catalog, open the Forest Root domain forward lookup
zone, expand the _msdcs sub domain, and open the gc sub domain. Create a new
host, leave the name field blank and give it the IP you want.

Windows Server 2003 moved the _msdcs.<forestrootdomain> to its own Forward
Lookup Zone, expand this zone and open the gc sub domain, create the new
host leaving the name field blank with the IP you want.


In addition to the article Vincent referred to:

Q179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q179442

Network Address Translators (NATs) can block Netlogon traffic:
http://support.microsoft.com/kb/172227/

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
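The procedure Kevin describes above (stop Netlogon registering the LDAP and GC address records, publish a chosen address for the DNS server, then create the blank-name and gc host records by hand), scripted as an added example. This is not code from the original thread. The domain name corp.example.com (assumed to also be the forest root), the addresses 192.0.2.10 (LAN adapter) and 203.0.113.10 (address the NAT presents outside), and the DnsServer cmdlets (Windows Server 2012 or later; on 2000/2003 the same records are made in the DNS console or with dnscmd as the post describes) are all assumptions for illustration. The registry paths and value names are the ones in the post.

```powershell
# Added example, not from the original post. Run on the domain controller
# as an administrator. Zone name and addresses below are hypothetical.
#Requires -RunAsAdministrator

$ADDomain    = 'corp.example.com'   # forward lookup zone of the AD domain
$MsdcsZone   = "_msdcs.$ADDomain"   # its own zone on 2003+, a sub-domain of the forest root zone on 2000
$InternalIP  = '192.0.2.10'         # DC's local adapter; the post uses this for the apex record
$PublishedIP = '203.0.113.10'       # address the DC should publish for itself (NAT outside address)

# 1. PublishAddresses (REG_SZ) under the DNS service: the address(es) the DNS
#    server publishes for itself. Several addresses are separated by spaces.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
Set-ItemProperty -Path $DnsParams -Name 'PublishAddresses' -Value $PublishedIP -Type String

# 2. DnsAvoidRegisterRecords (REG_MULTI_SZ) under Netlogon: stop it registering
#    the domain-apex A record (LdapIpAddress) and the gc._msdcs A record
#    (GcIpAddress). Without this, Netlogon overwrites the manual records on its
#    next registration cycle.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $NetlogonParams -Name 'DnsAvoidRegisterRecords' `
    -Value @('LdapIpAddress', 'GcIpAddress') -Type MultiString

# Netlogon reads the value at start-up: restart it, then force a registration
# pass so the records it still owns (SRV, CNAME) are refreshed while the two
# excluded above are left alone.
Restart-Service -Name Netlogon
nltest /dsregdns | Out-Null

# 3. The manual host records. Name '@' is the blank-name record that the DNS
#    console shows as "(same as parent folder)".
Add-DnsServerResourceRecordA -ZoneName $ADDomain  -Name '@'  -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName $MsdcsZone -Name 'gc' -IPv4Address $PublishedIP

# 4. Check: the apex and gc records should list only the addresses set above,
#    i.e. Netlogon has not re-added the DC's other adapter addresses, and the
#    registry value should read back with both entries.
Get-DnsServerResourceRecord -ZoneName $ADDomain  -Name '@'  -RRType A
Get-DnsServerResourceRecord -ZoneName $MsdcsZone -Name 'gc' -RRType A
Get-ItemProperty -Path $NetlogonParams -Name 'DnsAvoidRegisterRecords' | Select-Object -ExpandProperty DnsAvoidRegisterRecords
```

Re-run the check in step 4 after a Netlogon restart or a reboot; if the auto-registered addresses reappear, the REG_MULTI_SZ value was not read (wrong path, wrong type, or Netlogon not restarted). On a Windows 2000 layout, where _msdcs is still a sub-domain of the forest root zone, the gc record goes in that zone instead (`-ZoneName $ADDomain -Name 'gc._msdcs'`). None of this changes the point Kevin makes about the firewall: these records only make the DC findable through the NAT, the ports Q179442 lists still have to be open, which is why he recommends a VPN or a DMZ instead.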
