Re: Single 2003 Server with DHCP, DNS and ISA 2006




"Andy" <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6A3EB678-B048-4011-BCA2-4760F4CAB383@xxxxxxxxxxxxxxxx
Hi Herb,

Thanks for the quick response. I'll answer what I can as best as I can
under your questions/comments.

"Herb Martin" wrote:


"Andy" <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8996BFB3-8B60-4C05-A00E-1268C222DFAB@xxxxxxxxxxxxxxxx
I work for a Primary School and we recently took delivery of a new server
which I have just finished setting up. The Server has been configured with
the Active Directory, DHCP and DNS roles. The server is also running ISA
Server 2006.

A DC should practically NEVER be a router/firewall to the Internet.

That is what I told the ICT Coordinator. He told me to contact our Schools
County ICT department and said that for a primary school a single server is
all that was needed. The ICT Coordinator was happy with that as it was
cheaper. Not ideal but I am limited by budget restraints.

Also note that having AT LEAST 2 DCs should be the rule rather than the
exception. If you lose the only (or last) DC then you lose the entire domain
unless you have (timely) System State backups. Even then you are down
until another DC can be brought online and are down even during normal
maintenance.

It is a very poor practice to have 1 DC, worse to have a DC exposed on
the public side of the firewall.

A DNS server for YOUR users should almost certainly NOT be a public
DNS server (if that is what you mean.)

Our DNS Server is just for the internal clients. I am not sure I fully
understand you.

Then that is fine. Many people try to use the DNS on the firewall for both
internal resolution AND for resolving their external resources like web
servers etc.

ISA should run on a non-DC. The DC should be "behind" the ISA or
other firewalls and should NOT be doing recursion throughout the Internet
to resolve DNS there.

Again due to what I mentioned in my reply above, that is what our school
went for due to being told it would be OK, even though I would have preferred
2 servers.

Or 3 really. Two DCs and the firewall ISA box. If I couldn't afford that then
I would buy a $50-$150 hardware firewall to put between the network and the
public.


It has 2 NICs as follows:

DCs are difficult to manage with multiple NICs. (It is possible but most
experts will just tell you not to try it.)

Internal with IP 10.200.10.10, Subnet 255.0.0.0

That is NOT a "Subnet" but a "Subnet Mask" and it looks (on casual
inspection) like it is WRONG. It should likely be 255.255.255.0 or
some other value since it makes the entire 10-net the local (sub)net.

Sorry I meant Subnet Mask. It used to be 255.255.255.0 on the old Server
but when I set the new one, it defaulted to 255.0.0.0. I have tried changing
it to 255.255.255.0 on both the internal and external NIC but it didn't make
any difference. Unless I have to change somewhere else other than in the NIC
properties?

The DHCP Scope definition is one other place.


External with IP 10.210.10.10, Subnet 255.0.0.0 and 10.210.10.1 gateway
with TCP/IP.

This confirms the Subnet Mask mistake since you have both NICs on
the same (sub)Net, the full 10 net.

So are you saying my internal NIC would be 255.255.255.0 and my external NIC
on another? I thought they had to be on the same?

No. A router is DESIGNED to separate DIFFERENT subnets. The mask
defines the subnets so they will in fact be different.

I am not literally saying that 255.255.255.0 is your ONLY correct answer but
it is the most probable one and definitely better than the obviously incorrect
255.0.0.0 in this case.

The problem is no workstations can get an IP address through DHCP.

Not too surprising with the above subnet problems. What does the DHCP
scope look like?

Will answer this later as I am at home, will be going back to school later.

The DHCP scope must correspond to the addresses on the SIDE (internal)
where the clients will obtain addresses.

As far as I remember, something like:

Scope 0 [10.200.10.x]
Address Pool 10.200.10.1-10.200.10.255 with 10.200.10.10 excluded

What is the subnet mask on the scope? Presumably it will (need to) be
255.255.255.0.

That makes reasonable sense with the following being your INTERNAL
address range:

*** Internal with IP 10.200.10.10, Subnet 255.255.255.0


All workstations used to have an IP address of 10.210.10.x on the old

Presumably the workstations are on the INSIDE and you have them on
the OUTSIDE network even if you correct the mistake in the subnet
mask.

That was the IP addresses they had when connected to the old server. I
would have thought that they would take the new DHCP settings on the new
server when I released and renewed their IP addresses?

Not if the DHCP is not configured reasonably correctly.

You should also AUTHORIZE your DHCP server in the DHCP MMC (right
click on server and Authorize).

BTW, ISA is VERY difficult for the average newcomer to get configured
both safely and securely, especially when the server must run these services
such as DHCP etc.

[I am generally thought to be pretty good and even *I* have to work hard
to get that silly thing right -- I have a long LOVE/HATE relationship with
ISA and frequently recommend it even though it can be irritatingly difficult
to configure.]

I have used IPCONFIG /release and IPCONFIG /renew but they don't get an
address.

I needed to get this done this weekend ready for Monday and now I am stuck.
Please help if you can.

Where does the external NIC "go"? To the Internet? Elsewhere?

To the Internet.

Interesting that you are using Private Addressing on the EXTERNAL side.

Whose network is IMMEDIATELY out there? Technically your private
addresses cannot be routed on the Internet so SOMEONE is going to
have to translate those addresses to routable ones.

Usually the gateway to the Internet is a NAT (Network Address Translator)
in such scenarios but this is not always required. It is odd you are using
similar subnets on both sides, but again not obviously incorrect.
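The mask, scope and "wrong side" points Herb raises can be checked mechanically before touching the server. This is an added Python example, not code from either poster; the NIC addresses and the 10.210.10.x workstation address are the ones quoted in the thread, and the scope network address 10.200.10.0 is assumed from "Scope 0 [10.200.10.x]".

```python
import ipaddress

# Values quoted in the thread (constructed test fixture).
INTERNAL_NIC = "10.200.10.10"
EXTERNAL_NIC = "10.210.10.10"
DHCP_SCOPE = "10.200.10.0"       # assumed from "Scope 0 [10.200.10.x]"
OLD_CLIENT = "10.210.10.55"      # a workstation still on its old 10.210.10.x lease
WRONG_MASK = "255.0.0.0"         # what the new server defaulted to
LIKELY_MASK = "255.255.255.0"    # the mask the old server used


def interface_network(ip, mask):
    """Subnet an address belongs to under a given dotted mask (e.g. 10.200.10.0/24)."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def nics_overlap(int_ip, ext_ip, mask):
    """True when both NICs land in the same subnet; a router must separate them."""
    return interface_network(int_ip, mask) == interface_network(ext_ip, mask)


def scope_matches_internal(scope_ip, int_ip, mask):
    """True when the DHCP scope sits on the internal NIC's subnet, where clients are."""
    return interface_network(scope_ip, mask) == interface_network(int_ip, mask)


def address_side(addr, int_ip, ext_ip, mask):
    """Which NIC's subnet a client address falls on: internal, external, ambiguous, neither."""
    a = ipaddress.ip_address(addr)
    on_int = a in interface_network(int_ip, mask)
    on_ext = a in interface_network(ext_ip, mask)
    if on_int and on_ext:
        return "ambiguous"
    return "internal" if on_int else "external" if on_ext else "neither"


def check_layout(int_ip, ext_ip, scope_ip, mask):
    """Collect the layout problems Herb describes for a candidate mask."""
    problems = []
    if nics_overlap(int_ip, ext_ip, mask):
        problems.append("internal and external NICs are on the same subnet")
    if not scope_matches_internal(scope_ip, int_ip, mask):
        problems.append("DHCP scope is not on the internal NIC's subnet")
    return problems


if __name__ == "__main__":
    for mask in (WRONG_MASK, LIKELY_MASK):
        print(mask, check_layout(INTERNAL_NIC, EXTERNAL_NIC, DHCP_SCOPE, mask) or "ok",
              "| old client is on:", address_side(OLD_CLIENT, INTERNAL_NIC, EXTERNAL_NIC, mask))
```

With the /24 mask the NICs separate cleanly and the scope lines up with the internal side, but the old 10.210.10.x leases then fall on the external NIC's subnet, which is exactly why those workstations need to renew against the new scope.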




