Re: newbie lost in trying to setup NAT

From: Bill Grant (not.available_at_online)
Date: 09/10/04


Date: Fri, 10 Sep 2004 11:17:44 +1000


  The settings in 2003 NAT are slightly different from 2000. I note you are
running 2003.

1. In the RRAS console, go to the NAT/Basic Firewall section. Your internal
NIC should have the "private interface connected to private network" button
set on. Your external NIC should have the "public interface connected to the
Internet" button set, and the "enable NAT on this interface" and the "enable
a basic firewall .. " boxes checked. On the Address Pool tab, there should
be no addresses displayed (so that NAT cannot try to act as a mini-DHCP
server). So NAT is active, but not doing the DHCP bit itself.

2. Yes, that sounds correct for the DNS forwarding. Your clients should now
be able to resolve both local and Internet names from this server.

3. When you configure your DHCP server, you need to make sure that it gives
the clients the correct gateway and DNS addresses. If your server is the
gateway and DNS server, then use its private LAN IP as the gateway and DNS
address (192.168.1.1 in your case).

4. The DHCP server must be registered with Active Directory before it can
operate. The setup wizard may have done that for you if it is already working.

   After you have the server configured, check the settings on your client.
They should be set to obtain IP and DNS from DHCP. Then do an ipconfig
/release to release the current settings and allow them to get a new config
from DHCP. Then do an ipconfig /all to check that they have received the
correct settings for default gateway and DNS from your DHCP server.

"vvu" <anonymous@discussions.microsoft.com> wrote in message
news:87b501c4961b$72a90760$a601280a@phx.gbl...
> ok so let me see if i get it.
> my server can connect and browse the internet ok so i dont
> have to create a demand dial.
> i really want to use AD and AD cannot exist with out DNS
> so i'd have to...
> disable NAT from allocating IPs and stop the NATs DNS to
> relay queries?
> -so to disable NATs DNS i untick the name resolution box
> in NAT. with this do you mean the properties for internal
> or external interface in the 'Routing and Remote Access'
> mmc?
> -and how do i disable NAT to allocate IPs?
> -to configure forwarding DNS was i doing it correctly?
> i go into DNS via admin tools, go into properties of my
> server, then 'forwarders' tab and in the 'selected
> domain's forwarder IP address' box type in the IPs DNS IP
> and click add?
>
> -when you say 'need to configure DHCP to give clients the
> correct IP address and netmask, default gateway and
> DNS address'
> can't i have my DHCP server allocate any IP address to the
> clients as long as they are all in the same subnet?(for
> example my servers IP is 192.168.1.1 and subnet
> 255.255.255.0 i configure the DHCP to distribute IPs in
> the range of 192.168.1.5-192.168.1.10 with subnet
> 255.255.255.0)
> with the default gateway, how do i set that up on the
> clients? because if i have the clients setup for obtain IP
> automatically i cant put in a gateway in the TCP/IP
> properties. I'd have to provide them with static IPs. does
> that make sense? because in the TCP/IP properties its
> either one or the other option.
> also do i have to setup client pcs to direct queries to my
> server?
> so if my server's IP is 192.168.1.1 i have to add that to
> the clients TCP/IP-DNS properties?
> -and when you say 'must authorise your DHCP server in AD
> so that it will operate.'
> my 2003 server runs as a DHCP,DNS,AD so isnt it already
> authorized when i set it up? because my AD network works
> fine just not the internet connection.
>
> thanks again for all your help.
>
> >-----Original Message-----
> > OK, that makes sense. That is a valid way to set up Internet access for a
> >home network (without AD). It really depends on how your ISP handles things.
> >
> > Creating a demand-dial interface and using that as your Internet
> >connection is the normal situation if you use dialup or if the cable modem
> >is directly connected to the server. If you connect to the Internet from a
> >second NIC, you do not normally need to use this method. You can use the NIC
> >as your Internet interface.
> >
> > So the first thing to work out is exactly how your Internet connection
> >works. Can your server connect to and browse the Internet without setting
> >up a demand-dial interface? If it can, you do not need to set up a
> >demand-dial interface. You can use the second NIC as your public interface
> >for NAT.
> >
> > The other complication is Active Directory. The normal setup for NAT is
> >to use NAT to allocate addresses and other settings to LAN clients (NAT has
> >a built in allocator or mini-DHCP server). NAT also acts as a DNS relay to
> >send DNS requests on to your ISP. This fails for AD because the clients
> >must use local DNS to find AD services.
> >
> > To use your server as an AD server running its own DNS and DHCP, you
> >have to disable both of these options. You disable the allocator by not
> >giving it any addresses to allocate. You disable DNS relay by not ticking
> >the name resolution box in NAT.
> >
> > When you have stopped NAT from trying to do these things, you have to
> >allow them to happen on your server. You have to configure DNS to forward
> >requests to a public DNS service (such as your ISP). You need to configure
> >DHCP to give clients the correct IP address and netmask, default gateway and
> >DNS address. You then must authorise your DHCP server in AD so that it will
> >operate.
> >
> > If you decide this is all too much, run dcpromo again to remove AD. You
> >can then use NAT to give Internet access to your LAN machines, using its
> >built in allocator and DNS proxy.
> >
> >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> >news:725f01c494b1$d5a4b500$a501280a@phx.gbl...
> >> sorry if i've confused you. i dont know how to put in a
> >> diagram so i'll try my best to explain.
> >>
> >> ok so what i have at home is...
> >> -a PC running win 2003 server which runs AD, DHCP and DNS.
> >> -this pc has 2 NICs,1 connected to the internal network
> >> (via hub) and 1 connected to the cable modem.
> >>
> >> what i have done...
> >> -installed NAT through the 'Routing and Remote Access
> >> Server Setup wizard'.(im a little unsure of how to
> >> configure it but this is what i've done)
> >> -on the first window(NAT Internet Connection), it gives 2
> >> options-'use this public interface to connect to the
> >> internet' or 'create new demand dial interface to the
> >> internet' i select 'create new demand dial interface to
> >> the internet' is that right?
> >> -then it asks to choose a name for this interface and
> >> stuff...
> >>
> >> -after thats done i go into the 'Routing and Remote
> >> Access' mmc.
> >> -expand the 'server','IP Routing' and select 'NAT/Basic
> >> Firewall'...in here there are 3 'Interfaces'. 1-Internal,2-
> >> external,3-Remote Router(which i had created in previous
> >> wizard).
> >> im not sure what im supposed to configure here but
> >> according to a tutorial i found, i go into the properties
> >> of the 'Remote Router' interface i make sure that 'public
> >> interface connected to the internet' and 'enable NAT on
> >> this interface' and 'enable a basic firewall on this
> >> interface' are selected.
> >>
> >> - now i need something to forward DNS queries to the ISP
> >> because my DNS server cant translate internet queries(is
> >> that right?)
> >> -open up DNS via 'administrative tools' then in the
> >> properties of my server i go into the 'forwarders' tab.
> >> -here i put my ISPs DNS IPs in the 'select domain's
> >> forwarder IP address' and click add.
> >>
> >> thats all that i've done i dont know what to do with the
> >> clients,they have automatic settings for IP and DNS.
> >> i have tried setting the DNS setting for the clients to
> >> point to my win2003 server with no success.
> >>
> >> i really appreciate your help.thanks
> >>
> >>
> >> >-----Original Message----
> >> > I think you had better start again and tell us exactly how your network
> >> >is configured and what you are trying to achieve. A simple diagram would
> >> >help. I was under the impression that you had a router connected to the
> >> >Internet and two NICs in the server. Now you say you are using a dialup
> >> >connection through a modem.
> >> >
> >> >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:6b6101c49408$d50d14b0$a301280a@phx.gbl...
> >> >> sorry im not too sure what you mean by.. "you cannot have
> >> >> your clients using the default DHCP settings of your
> >> >> router."
> >> >>
> >> >> at the moment the clients are using dynamic ip and
> >> >> automatic dns settings.
> >> >> so do you mean i should set the clients dns to point to
> >> >> the DC(which runs as NAT,DHCP,DNS)?
> >> >>
> >> >> this is what i have done so far with no success.
> >> >> i have installed a NAT with the "Routing and Remote Access
> >> >> Server Setup Wizard".
> >> >> I selected "Create a new demand dial interface to the
> >> >> internet" option and selected the NIC that will connect to
> >> >> the internet.
> >> >> then i went into 'administrative tools-Routing and Remote
> >> >> Access',expanded 'my server-IP Routing' and there are 3
> >> >> interfaces. there is the one that i created with the
> >> >> wizard and an 'internal' and 'external' one. should i
> >> >> configure all of these? or should i just configure the one
> >> >> that i created?
> >> >>
> >> >> then i configured forwarders. in 'administrative tools-
> >> >> DNS' i right click the server then in the 'forwarders' tab
> >> >> i click on 'new' then type in the ISPs DNS IPs and
> >> >> click 'add'.
> >> >>
> >> >> sorry if i seem a little slow im still new at this and im
> >> >> really eager to get this working!
> >> >> thanks for all your help guys.
> >> >>
> >> >> >-----Original Message-----
> >> >> > If you are using Active Directory, you cannot have your clients using the
> >> >> >default DHCP settings of your router. An Internet NAT router gives its
> >> >> >clients a default gateway setting of itself (which is fine) and a DNS
> >> >> >address of itself (which is not OK for AD).
> >> >> >
> >> >> > If you want to use the NAT router as your DHCP server, you will have to
> >> >> >modify it to give out your DC's IP address for DNS, not its own IP.
> >> >> >
> >> >> > To test this, set up a client manually to have the router as its default
> >> >> >gateway but your DC as its DNS address.
> >> >> >
> >> >> > Can your server now access the Internet?
> >> >> >
> >> >> >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:5d3d01c49224$42efb460$a501280a@phx.gbl...
> >> >> >> i have now confirmed that the isp's DNS ip addresses are
> >> >> >> correct. but they still are not working.
> >> >> >> does it matter that the tcp/ip properties of the NIC
> >> >> >> (connected to the modem) are all on automatic?
> >> >> >> do i need to configure anything on the clients?
> >> >> >> the clients NIC settings are currently on auto for IP
> >> >> >> addressing and DNS.
> >> >> >> when i try to access an internet address i get an ie6
> >> >> >> error 'cannot find server or dns error'
> >> >> >>
> >> >> >> thanks again.
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >"vvu" <anonymous@discussions.microsoft.com> wrote in
> >> >> >> >news:098c01c491c0$a1de8640$a401280a@phx.gbl:
> >> >> >> >
> >> >> >> >> Oh ok, so if I uninstall or disable DNS and DHCP will I
> >> >> >> >> still be able to run an Active Directory Network without
> >> >> >> >> any issues?
> >> >> >> >>
> >> >> >> >>>-----Original Message-----
> >> >> >> >>>"vvu" <anonymous@discussions.microsoft.com> wrote in
> >> >> >> >>>news:047a01c49081$a6c1b4b0$a401280a@phx.gbl:
> >> >> >> >>>
> >> >> >> >>>> Hi im a newbie here and any suggestion would help as i am
> >> >> >> >>>> confused with setting up a NAT for my home AD network.
> >> >> >> >>>> I have a cable connection which provides a dynamic ip. i
> >> >> >> >>>> have a 2003 server acting as a DNS,DHCP for the AD network
> >> >> >> >>>> and 2 client pc's.
> >> >> >> >>>> the server has 2 NIC's in which 1 is for the internal
> >> >> >> >>>> network(static ip) and the other connected to the cable
> >> >> >> >>>> modem(dynamic ip). im not too sure on how to setup a NAT
> >> >> >> >>>> and forward DNS queries(is that theory correct) but i have
> >> >> >> >>>> info on it. i am confused as to how would i redirect
> >> >> >> >>>> queries to the NIC connected to the modem if the NIC
> >> >> >> >>>> connected has a dynamic ip.
> >> >> >> >>>> can anyone assist please?
> >> >> >> >>>> thanks in advance.
> >> >> >> >>>
> >> >> >> >>>If you enable Internet Connection Sharing (ICS) on the NIC that is
> >> >> >> >>>connected to the cable modem, you have enabled NAT. ICS has a built-in DHCP
> >> >> >> >>>and DNS server, so you don't want to deploy DNS and DHCP as well as ICS. If
> >> >> >> >>>you do, nothing will work correctly.
> >> >> >> >>>
> >> >> >> >>>I don't recall if you can disable DHCP and DNS in ICS, you will need to
> >> >> >> >>>read the Help. Otherwise you will need to disable or uninstall the DHCP and
> >> >> >> >>>DNS services on the server.
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>--
> >> >> >> >>>James McIllece, Microsoft
> >> >> >> >>>
> >> >> >> >>>Please do not send email directly to this alias. This is my online account
> >> >> >> >>>name for newsgroup participation only.
> >> >> >> >>>
> >> >> >> >>>This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >> >> >>>.
> >> >> >> >>>
> >> >> >> >
> >> >> >> >Talked to a couple of people over here and changed my mind about your best
> >> >> >> >course of action.
> >> >> >> >
> >> >> >> >Instead of using ICS for NAT, you can use NAT in Routing and Remote Access
> >> >> >> >Service (RRAS) without disabling DNS and DHCP on the server. See the Help
> >> >> >> >topic called "Deploying network address translation" in Windows Server 2003
> >> >> >> >Help and Support Center on your PC, or on the Web at
> >> >> >> >http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_rras-ch3_06d.asp.
> >> >> >> >
> >> >> >> >--
> >> >> >> >James McIllece, Microsoft
> >> >> >> >
> >> >> >> >Please do not send email directly to this alias. This is my online account
> >> >> >> >name for newsgroup participation only.
> >> >> >> >
> >> >> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
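
The client-side check from the reply at the top of this thread (ipconfig /all should show the server's LAN address as both default gateway and DNS), as an added example that is not part of any poster's message. The sample output, the example.local suffix, the 203.0.113.x style of "ISP" address used when testing, and the function names are constructed; the parser assumes output for a single adapter.

```python
import re

# Constructed `ipconfig /all` output for one LAN client (not taken from the thread).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "   Name . . . . : value" lines; the dotted leader is dropped from the name.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z .\-]*?)[ .]*:\s*(.*)$")

def parse_adapter(text):
    """Return {field name: [values]} (assumes a single adapter in the output)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif last and line.startswith(" " * 8) and line.strip():
            fields[last].append(line.strip())  # continuation, e.g. a second DNS server
    return fields

def check_client(text, server_ip="192.168.1.1"):
    """List deviations from what the reply says the DHCP server should hand out."""
    f = parse_adapter(text)
    problems = []
    if f.get("Dhcp Enabled") != ["Yes"]:
        problems.append("client is not obtaining its settings from DHCP")
    if f.get("Default Gateway") != [server_ip]:
        problems.append("default gateway is not the server's LAN address")
    dns = f.get("DNS Servers", [])
    if not dns:
        problems.append("no DNS server received")
    # AD clients must resolve through the local DNS server only.
    problems += [f"DNS server {ip} is not the AD DNS server" for ip in dns if ip != server_ip]
    return problems

print(check_client(SAMPLE))
```

An extra DNS entry pointing at the ISP is reported even when the server is listed first, since the thread's point is that AD clients must use the local DNS server.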