Re: Single 2003 Server with DHCP, DNS and ISA 2006



Thanks again Herb for your help so far. It really is a great help.

At http://www.microsoft.com/technet/isa/2006/system_policy.mspx it mentions
that System Policies are enabled on a default installation, i.e. DHCP, DNS etc.,
but they didn't seem to get applied. As soon as I created my own DHCP
Request and Replies, DNS and LDAP rules the workstation was able to get an IP
address.

I was then able to be prompted for username and password when I tried to
join the workstation to the server but after a while it came up with Network
path not found.

I can ping the server by IP address and name from the workstation. The
other way round doesn't work yet though, I am sure I have to create another
access policy.

I don't understand why I have to create these access rules when there are
default system policy rules though. Need to do more reading.

Now to answer your questions.

"Herb Martin" wrote:


"Andy" <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BE7F175B-D8DB-4A43-9B25-75DBDEFBB10E@xxxxxxxxxxxxxxxx
It is a very poor practice to have 1 DC, worse to have a DC exposed on
the public side of the firewall.

I totally understand that but I have to use what I have.


A DNS server for YOUR users should almost certainly NOT be a public
DNS server (if that is what you mean.)

Our DNS Server is just for the internal clients. I am not sure I fully
understand you.

Then that is fine. Many people try to use the DNS on the firewall for both
internal resolution AND for resolving their external resources like web
servers etc.

ISA should run on a non-DC. The DC should be "behind" the ISA or
other firewalls and should NOT be doing recursion throughout the Internet
to resolve DNS there.

Again due to what I mentioned in my reply above, that is what our school
went for due to being told it would be OK, even though I would have preferred
2 servers.

Or 3 really. Two DCs and the firewall ISA box. If I couldn't afford that then
I would buy a $50-$150 hardware firewall to put between the network and the
public.

As far as I am aware our router already has a hardware firewall with it.

I would buy some obsolete hardware. 1 Gig or SLOWER even computer
with a cheap copy (see eBay) of Standard Server and ISA.

You spent enough on ISA to buy hardware a free solution. I like ISA
but given the choice of two computers for DC and Firewall then I would
take the extra machine and some other firewall.

I could use the old server if necessary and another licence for Win 2003
server doesn't cost a lot through our school agreement licensing.



This confirms the Subnet Mask mistake since you have both NICs on
the same (sub)Net, the fully 10 net.

So are you saying my internal NIC would be 255.255.255.0 and my external NIC
on another? I thought they had to be on the same?

No. A router is DESIGNED to separate DIFFERENT subnets. The mask
defines the subnets so they will in fact be different.

I am not literally saying that 255.255.255.0 is your ONLY correct answer but
it is the most probable one and definitely better than the obviously incorrect
255.0.0.0 in this case.

The problem is no workstations can get an IP address through DHCP.

Not too surprising with the above subnet problems. What does the DHCP
scope look like?

Will answer this later as I am at home, will be going back to school
later.

The DHCP scope must correspond to the addresses on the SIDE (internal)
where the clients will obtain addresses.

As far as I remember, something like:

Scope 0 [10.200.10.x]
Address Pool 10.200.10.1-10.200.10.255 with 10.200.10.10 excluded

What is the subnet mask on the scope? Presumably it will (need to) be
255.255.255.0.

Yes that's correct

Straightening all of this out and authorizing the server should be sufficient
to get DHCP working.

That makes reasonable sense with the following being your INTERNAL
address range:

*** Internal with IP 10.200.10.10, Subnet 255.255.255.0


All workstations used to have an IP address of 10.210.10.x on the
old

Presumably the workstations are on the INSIDE and you have them on
the OUTSIDE network even if you correct the mistake in the subnet
mask.

That was the IP addresses they had when connected to the old server. I
would have thought that they would take the new DHCP settings on the new
server when I released and renewed their IP addresses?

Not if the DHCP is not configured reasonably correctly.

You should also AUTHORIZE your DHCP server in the DHCP MMC (right
click on server and Authorize).

The DHCP Server is Authorised.

BTW, ISA is VERY difficult for the average newcomer to get configured
both safely and securely, especially when the server must run these services
such as DHCP etc.

[I am generally thought to be pretty good and even *I* have to work hard
to get that silly thing right -- I have a long LOVE/HATE relationship with
ISA and frequently recommend it even though it can be irritatingly difficult
to configure.]

Tell me about it.

<GRIN>


Where does the external NIC "go"? To the Internet? Elsewhere?

To the Internet.

Interesting that you are using Private Addressing on the EXTERNAL side.

Whose network is IMMEDIATELY out there? Technically your private
addresses cannot be routed on the Internet so SOMEONE is going to
have to translate those addresses to routable ones.

Usually the gateway to the Internet is a NAT (Network Address Translator)
in such scenarios but this is not always required. It is odd you are using
similar subnets on both sides, but again not obviously incorrect.

The county LEA that our school is connected through (which is also
firewalled) wanted our External NIC configured as 10.210.10.10 Subnet mask
255.255.255.0

Ok then you made a significant mistake with that subnet mask on both the
internal and external NICs.

I thought I would configure the internal NIC as 10.200.10.10 Subnet mask
255.255.255.0

You also have to ensure that NO ONE (with whom you would ever communicate)
is also using 10.200.10.0 on the LEA network.

You cannot just pick an address in use by others in your organization (if you
wish to communicate with them sometimes.)

Also, you do realize that the LEA routers must KNOW about 10.200.10.0?

My guess (but it is a VERY educated guess) is that they wanted you to use
10.210.10.0 with 255.255.255.0 internally and some other address on
the OUTSIDE.

Now that I think about it, you are likely trying to subdivide the 10.210.10.0
network without realizing how to do that.

Is that still the case if those addresses are on the internal card though, which
isn't connected to the internet? Sorry for being thick there.


Call me if you wish. I will get you started here although I won't take you
through all of the ISA stuff over the phone.

That is great to know you would do that for me. Very helpful to know.
Thanks.

As this isn't working, I just need help in how I should configure it.

Thanks for your help so far and if anybody else can help that would be also
appreciated.

Likely you need to do this if you INSIST on using two NICs with ISA/DC:

I only decided on the two NICs as I read that was better to have one for
external (Internet) and the other for internal traffic?

mask 255.255.255.128
External addresses in the range BELOW 128 of the last octet:
10.210.10.1 -- 10.210.10.126
and Internal Addresses (NIC and Scope) ABOVE 128:
10.210.10.129 -- 10.210.10.254

I can certainly try that if you think that will help.

If I recall correctly, ISA can be configured with a single NIC, when you
only use it as a Caching and control server (as opposed to a firewall)
but I have never done that. This would eliminate the need for the second
NIC and the subnetting to divide 10.210.10.0 into two subnets.

I wonder if I should have my external NIC as 10.210.10.10 and my Internal
NIC as 10.210.20.10 with subnet mask 255.255.255.x or would that not make any
difference?


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
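The subnet points in the thread (the 255.0.0.0 mask putting both NICs on one /8, Herb's suggested 255.255.255.128 split of 10.210.10.0, and the DHCP scope having to sit inside the internal NIC's subnet) can be checked mechanically. The following is an added example, not code from either poster; it uses only the Python standard library `ipaddress` module, and the function names and the address values it is fed are taken from the thread or are constructed here for illustration.

```python
import ipaddress


def interface(addr_with_mask):
    # Accepts 'ip/prefix' or 'ip/dotted-mask', e.g. '10.200.10.10/255.255.255.0'
    return ipaddress.ip_interface(addr_with_mask)


def nics_on_distinct_subnets(internal, external):
    """A firewall/router with two NICs must have them on different subnets.

    With a 255.0.0.0 mask both 10.200.10.10 and 10.210.10.10 fall into
    10.0.0.0/8, so nothing is actually being separated."""
    return interface(internal).network != interface(external).network


def split_in_half(network):
    """Return (subnet, first_host, last_host) for each half of a network.

    Splitting 10.210.10.0/24 gives the two /25s from the thread: hosts
    .1-.126 for the lower half and .129-.254 for the upper half."""
    net = ipaddress.ip_network(network, strict=False)
    halves = []
    for sub in net.subnets(prefixlen_diff=1):
        hosts = list(sub.hosts())
        halves.append((str(sub), str(hosts[0]), str(hosts[-1])))
    return halves


def check_dhcp_scope(nic, pool_start, pool_end, exclusions=()):
    """Sanity-check a DHCP address pool against the NIC it will serve.

    The pool must lie inside the NIC's subnet, should not hand out the
    network or broadcast address, and must not hand out the server's own
    address (either by exclusion or by not covering it at all)."""
    iface = interface(nic)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    excluded = {ipaddress.ip_address(x) for x in exclusions}
    return {
        "pool_in_subnet": start in net and end in net,
        "pool_includes_network_or_broadcast":
            start == net.network_address or end == net.broadcast_address,
        "server_address_excluded":
            iface.ip in excluded or not (start <= iface.ip <= end),
    }


if __name__ == "__main__":
    # The mistaken 255.0.0.0 mask versus the corrected 255.255.255.0 mask
    print("both NICs /8, distinct?  ",
          nics_on_distinct_subnets("10.200.10.10/255.0.0.0", "10.210.10.10/255.0.0.0"))
    print("both NICs /24, distinct? ",
          nics_on_distinct_subnets("10.200.10.10/255.255.255.0", "10.210.10.10/255.255.255.0"))
    # Herb's suggested split of 10.210.10.0 with mask 255.255.255.128
    for sub, first, last in split_in_half("10.210.10.0/24"):
        print(sub, first, "--", last)
    # The scope Andy described: 10.200.10.1-10.200.10.255, 10.200.10.10 excluded
    print(check_dhcp_scope("10.200.10.10/255.255.255.0",
                           "10.200.10.1", "10.200.10.255",
                           exclusions=["10.200.10.10"]))
```

Running it shows the /8 mask collapsing both NICs onto one network, the two /25 halves with exactly the host ranges Herb lists, and, for the scope as described, that the pool ends on the subnet's broadcast address, which is worth trimming to .254 when the scope is rebuilt.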





