Re: Single 2003 Server with DHCP, DNS and ISA 2006





"Herb Martin" wrote:


"Andy" <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6A3EB678-B048-4011-BCA2-4760F4CAB383@xxxxxxxxxxxxxxxx
Hi Herb,

Thanks for the quick response. I'll answer what I can as best as I can
under your questions/comments.

"Herb Martin" wrote:


"Andy" <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8996BFB3-8B60-4C05-A00E-1268C222DFAB@xxxxxxxxxxxxxxxx
I work for a Primary School and we recently took delivery of a new server
which I have just finished setting up. The Server has been configured with
the Active Directory, DHCP and DNS roles. The server is also running ISA
Server 2006.

A DC should practically NEVER be a router/firewall to the Internet.

That is what I told the ICT Coordinator. He told me to contact our Schools
County ICT department and said that for a primary school a single server is
all that was needed. The ICT Coordinator was happy with that as it was
cheaper. Not ideal but I am limited to budget restraints.

Also note that having AT LEAST 2 DCs should be the rule rather than the
exception. If you lose the only (or last) DC then you lose the entire domain
unless you have (timely) System State backups. Even then you are down
until another DC can be brought online and are down even during normal
maintenance.

It is a very poor practice to have 1 DC, worse to have a DC exposed on
the public side of the firewall.

I totally understand that but I have to use what I have.

A DNS server for YOUR users should almost certainly NOT be a public
DNS server (if that is what you mean.)

Our DNS Server is just for the internal clients. I am not sure I fully
understand you.

Then that is fine. Many people try to use the DNS on the firewall for both
internal resolution AND for resolving their external resources like web
servers etc.

ISA should run on a non-DC. The DC should be "behind" the ISA or
other firewalls and should NOT be doing recursion throughout the Internet
to resolve DNS there.

Again due to what I mentioned in my reply above, that is what our school
went for due to being told it would be OK, even though I would have preferred
2 servers.

Or 3 really. Two DCs and the firewall ISA box. If I couldn't afford that then
I would buy a $50-$150 hardware firewall to put between the network and the
public.

As far as I am aware our router already has a hardware firewall with it.

It has 2 NICs as follows:

DCs are difficult to manage with multiple NICs. (It is possible but most
experts will just tell you not to try it.)

Internal with IP 10.200.10.10, Subnet 255.0.0.0

That is NOT a "Subnet" but a "Subnet Mask" and it looks (on casual
inspection) like it is WRONG. It should likely be 255.255.255.0 or
some other value since it makes the entire 10-net the local (sub)net.

Sorry I meant Subnet Mask. It used to be 255.255.255.0 on the old Server
but when I set the new one, it defaulted to 255.0.0.0. I have tried changing
it to 255.255.255.0 on both the internal and external NIC but it didn't make
any difference. Unless I have to change somewhere else other than in the NIC
properties?

The DHCP Scope definition is one other place.

The subnet mask in the scope is 255.255.255.0

External with IP 10.210.10.10, Subnet 255.0.0.0 and 10.210.10.1 gateway
with TCP/IP.

This confirms the Subnet Mask mistake since you have both NICs on
the same (sub)Net, the full 10 net.

So are you saying my internal NIC would be 255.255.255.0 and my external NIC
on another? I thought they had to be on the same?

No. A router is DESIGNED to separate DIFFERENT subnets. The mask
defines the subnets so they will in fact be different.

I am not literally saying that 255.255.255.0 is your ONLY correct answer but
it is the most probable one and definitely better than the obviously incorrect
255.0.0.0 in this case.

The problem is no workstations can get an IP address through DHCP.

Not too surprising with the above subnet problems. What does the DHCP
scope look like?

Will answer this later as I am at home, will be going back to school
later.

The DHCP scope must correspond to the addresses on the SIDE (internal)
where the clients will obtain addresses.

As far as I remember, something like:

Scope 0 [10.200.10.x]
Address Pool 10.200.10.1-10.200.10.255 with 10.200.10.10 excluded

What is the subnet mask on the scope? Presumably it will (need to) be
255.255.255.0.

Yes that's correct

That makes reasonable sense with the following being your INTERNAL
address range:

*** Internal with IP 10.200.10.10, Subnet 255.255.255.0

All workstations used to have an IP address of 10.210.10.x on the old

Presumably the workstations are on the INSIDE and you have them on
the OUTSIDE network even if you correct the mistake in the subnet
mask.

That was the IP addresses they had when connected to the old server. I
would have thought that they would take the new DHCP settings on the new
server when I released and renewed their IP addresses?

Not if the DHCP is not configured reasonably correctly.

You should also AUTHORIZE your DHCP server in the DHCP MMC (right
click on server and Authorize).

The DHCP Server is Authorised.

BTW, ISA is VERY difficult for the average newcomer to get configured
both safely and securely, especially when the server must run these services
such as DHCP etc.

[I am generally thought to be pretty good and even *I* have to work hard
to get that silly thing right -- I have a long LOVE/HATE relationship with
ISA and frequently recommend it even though it can be irritatingly difficult
to configure.]

Tell me about it.

I have used IPCONFIG /release and IPCONFIG /renew but they don't get an
address.

I needed to get this done this weekend ready for Monday and now I am stuck.
Please help if you can.

Where does the external NIC "go"? To the Internet? Elsewhere?

To the Internet.

Interesting that you are using Private Addressing on the EXTERNAL side.

Whose network is IMMEDIATELY out there? Technically your private
addresses cannot be routed on the Internet so SOMEONE is going to
have to translate those addresses to routable ones.

Usually the gateway to the Internet is a NAT (Network Address Translator)
in such scenarios but this is not always required. It is odd you are using
similar subnets on both sides, but again not obviously incorrect.

The county LEA that our school is connected through (which is also
firewalled) wanted our External NIC configured as 10.210.10.10 Subnet mask
255.255.255.0

I thought I would configure the internal NIC as 10.200.10.10 Subnet mask
255.255.255.0

As this isn't working, I just need help in how I should configure it.

Thanks for your help so far and if anybody else can help that would be also
appreciated.
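The subnet-mask point Herb makes above (with 255.0.0.0 both NICs sit on the whole 10-net, so the box cannot route between "inside" and "outside", and the DHCP scope must match the internal NIC's subnet) can be checked mechanically. The script below is an added example, not from anyone in this thread; it uses only the Python standard library and the addresses quoted in the thread, and the function names are mine.

```python
import ipaddress

def nic_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet that a NIC with this address and dotted mask treats as local."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network

def nics_overlap(int_ip: str, int_mask: str, ext_ip: str, ext_mask: str) -> bool:
    """True when the internal and external NICs land on overlapping subnets.
    A router/firewall needs the two sides to be DIFFERENT subnets."""
    return nic_network(int_ip, int_mask).overlaps(nic_network(ext_ip, ext_mask))

def check_scope(scope: str, pool_start: str, pool_end: str, excluded: set,
                int_ip: str, int_mask: str) -> list:
    """Compare a DHCP scope against the internal NIC it should serve.
    Returns a list of problems (empty list means the scope looks consistent)."""
    net = ipaddress.IPv4Network(scope, strict=True)
    first, last = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    problems = []
    if net != nic_network(int_ip, int_mask):
        problems.append("scope subnet differs from internal NIC subnet")
    if first not in net or last not in net:
        problems.append("pool range is outside the scope subnet")
    if last == net.broadcast_address:
        problems.append(f"pool end {last} is the broadcast address")
    if ipaddress.IPv4Address(int_ip) in net and int_ip not in excluded:
        problems.append("server's own address is in the pool and not excluded")
    return problems

if __name__ == "__main__":
    # Values as quoted in the thread: the masks the new server defaulted to...
    print("both NICs on one net with 255.0.0.0:",
          nics_overlap("10.200.10.10", "255.0.0.0", "10.210.10.10", "255.0.0.0"))
    # ...and the 255.255.255.0 masks Herb suggests instead.
    print("both NICs on one net with 255.255.255.0:",
          nics_overlap("10.200.10.10", "255.255.255.0", "10.210.10.10", "255.255.255.0"))
    # Scope 0 as Andy remembers it, checked against the internal NIC.
    print(check_scope("10.200.10.0/24", "10.200.10.1", "10.200.10.255",
                      {"10.200.10.10"}, "10.200.10.10", "255.255.255.0"))
```

With the 255.0.0.0 mask both NICs report as the same 10.0.0.0/8 network; with 255.255.255.0 they become 10.200.10.0/24 and 10.210.10.0/24, and the only remaining note on the scope is that a pool ending at .255 includes the subnet broadcast address.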