Re: I'll explain it again :D
From: Bill Grant (not.available_at_online)
Date: 05/02/04
- Next message: Bill Grant: "Re: New 2003 domain"
- Previous message: Massimo: "Supply route to VPN clients"
- In reply to: noobtech: "I'll explain it again :D"
- Next in thread: Phillip Windell: "Re: I'll explain it again :D"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 2 May 2004 13:54:47 +1000
You cannot successfully run an AD domain behind an ICS connection. ICS is
designed as a simple Internet sharing device for a few LAN clients. It is
not configurable, and cannot cope with a domain structure behind it.
The main reason it cannot do this is DNS. ICS simply acts as a DNS proxy
and forwards client requests to the DNS server used by the ICS host. The
clients must use the ICS host's LAN IP as their default gateway and their
DNS server. This is useless for Active Directory. AD clients must use the AD
DNS service to access AD services (such as logon).
If you use an ADSL router or a RRAS router, you can turn off the DNS
proxy function and configure it so that the clients can use your local DNS.
You then configure your local DNS to forward to the DNS service on your
Internet connection. But this is not an option with ICS (or with the Shared
NAT option in VPC, which works much like ICS).
So the short answer is you need to replace ICS with a configurable
router which can do NAT for you but will allow you to use your local (i.e. the
one you use for your AD clients) DNS server.
"noobtech" <anonymous@discussions.microsoft.com> wrote in message
news:48DC3441-AED9-4795-87AA-98893679B1F5@microsoft.com...
> Windows help states, "When ICS is enabled, your lan adapter will be set
> to use ip 192.168.0.1. To use the Internet Connection Sharing feature, users
> on your home or small office network should configure TCP/IP on their local
> area connection to obtain an IP address automatically."
>
> I have a winxp pro machine that's connected to the internet via dial-up.
> ICS is enabled on the dial-up and the machine has a nic card installed. ICS
> gives my Nic card the ip of 192.168.0.1, changing the IP to something else
> and ICS does not work.
>
> I have another machine (let's call it B). B machine is a 2003 server with 2
> nics. First nic has "automatically obtain IP". This nic gets its IP from
> the winxp machine above. It allows this machine access to the internet. The
> second Nic has a static IP of 192.168.5.1
>
> Picture:
>
> ICS enabled on dial-up
> Winxp                                          Windows 2003 server
> NIC IP 192.168.0.1 <------Internet sharing----> Nic 1 = "obtain IP automatically"
>                                                 Nic 2 IP 192.168.5.1 <-----connects to local network---->
>
> I have another machine (machine C). C machine has one Nic but it is a
> Windows 2003 server that is a domain controller. It has a static IP address
> of 192.168.5.2. This machine also hosts DNS and DHCP for my local lan/domain.
> The default gateway for this machine is 192.168.5.1. It is the IP address of
> NIC 2 on machine B.
>
> My client computers are set to "obtain ip automatically" and the DHCP on
> machine B hands the ip's out. The default gateway for my client computers
> are set to the windows 2003 DC which is 192.168.5.2
>
> finished PIC view:
>
> ICS enabled on dial-up
> Winxp                                   Windows 2003 server                                                          2003 DC / Domain
> NIC IP 192.168.0.1 <----Internet----> Nic 1 = "obtain IP automatically"
>                                       Nic 2 IP 192.168.5.1 <---------connects to local network----> IP 192.168.5.2
>                                                                                                     Default gateway 192.168.5.1
>
> Locally my network is fine. All computers on the LAN can communicate with
> each other and the DC. I can also ping Nic 2 on machine B from any machine
> in the local LAN. The problem is that none of the client machines nor the DC
> on the local lan has access to the internet. The only machine that has any
> access to the internet is Machine B. The machine that has the dual nic
> installed.
>
> I was told that I can configure machine B as an ip router and route traffic
> between nic 1's connection and nic 2's connection. But from what I read in
> books a machine that is acting as an ip router between two segments can not
> have a default gateway on either of its nics. Nic 1 on machine B has
> gateway information because it is set to "obtain ip automatically". Would IP
> routing still work in this case?
>
> My question is how do I enable internet access for the client computers on
> the local lan?
> what are the steps and how do I do? How do I transfer the traffic directed
> to Nic 2 on machine B over to nic 1 on machine B?
>
>
>
> ----- Phillip Windell wrote: -----
>
> > I don't quite understand that. Then how does a dsl router work?
>
> Because they aren't real routers and are really NAT/DHCP Boxes. But they
> won't sell as many calling them a "DSL NAT/DHCP Devices", people won't know
> what they are talking about, so they call them "routers" for marketing
> purposes. Since NAT is related to Layer3 Routing and most *real* routers can
> also do NAT & DHCP, it isn't totally wrong to call them routers, but there
> is no comparison between a "DSL Router" and a real router like a Cisco 2600
> Series.
>
> Anyway, they are not "routing" between your private network and the
> Internet, they are "NAT'ing" between the two. The Windows ICS and the
> RRAS/NAT of Windows Server work on the same "NAT'ing" principle.
>
> Anyway if you want to create two private subnets on your network and use a
> Windows machine to route between them, then the two-nic machine must use
> statically assigned addresses on the NICs and *not* get the IP# from the ICS
> machine. I think ICS only uses a certain range of numbers, so you can
> statically use one that is above that range but still be in the correct
> subnet.
>
> The machine running ICS will require a static Route pointing to the dual nic
> machine as a Gateway for the subnet on the opposite side of the dual-nic
> machine. If the IP#s aren't static in the dual-nic machine then the ICS
> machine's Static Route back to the second subnet will fail the next time the
> IP# changes. The hosts that reside on that same opposite subnet will use the
> dual-nic machine as their Default Gateway.
>
> The KB Article "324264" that Bill mentioned will help you better than I can
> explain it in this email.
>
> If this doesn't express what you are trying to do then you are going to have
> to explain it more clearly. We cannot see your network and cannot know how
> you have it cabled up,...we only can know what you tell us and if that isn't
> done clearly what we suggest to you may not be correct.
>
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
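
The return-path problem from the quoted advice, modelled as an added example that is not part of the original thread: each host does a longest-prefix route lookup, and the trace shows where a reply from the ICS machine to a LAN client goes with and without the static route for 192.168.5.0/24. The address of machine B's first NIC (192.168.0.200) and the client address (192.168.5.50) are constructed for illustration; the thread does not give them.

```python
import ipaddress

B_NIC1 = "192.168.0.200"   # assumed static address for machine B's NIC 1
CLIENT = "192.168.5.50"    # assumed DHCP client on the 192.168.5.0/24 LAN

def build(ics_has_static_route):
    """Return {host: (owned addresses, [(prefix, gateway or None if on-link)])}."""
    ics_routes = [("192.168.0.0/24", None), ("0.0.0.0/0", "ISP")]  # dial-up default
    if ics_has_static_route:
        ics_routes.append(("192.168.5.0/24", B_NIC1))
    return {
        "client": ({CLIENT}, [("192.168.5.0/24", None), ("0.0.0.0/0", "192.168.5.1")]),
        "B": ({B_NIC1, "192.168.5.1"},
              [("192.168.0.0/24", None), ("192.168.5.0/24", None),
               ("0.0.0.0/0", "192.168.0.1")]),
        "ics": ({"192.168.0.1"}, ics_routes),
    }

def lookup(routes, dst):
    """Longest-prefix match; returns the gateway (None means deliver on-link)."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError("no route to " + str(dst))
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(hosts, src, dst, max_hops=8):
    """Follow routing decisions hop by hop; returns the list of hosts visited."""
    path, current = [src], src
    for _ in range(max_hops):
        addrs, routes = hosts[current]
        if dst in addrs:
            return path                      # packet arrived
        gw = lookup(routes, dst)
        target = dst if gw is None else gw   # on-link delivery or next hop
        owner = next((h for h, (a, r) in hosts.items() if target in a), None)
        path.append(owner or target)
        if owner is None:
            return path                      # left the modelled network
        current = owner
    return path

if __name__ == "__main__":
    for flag in (False, True):
        print("static route on ICS host:", flag,
              "| reply path:", trace(build(flag), "ics", CLIENT))
```

The model covers routing decisions only; it does not simulate NAT or the DNS proxy behaviour discussed in the reply.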