Re: newbie lost in trying to setup NAT
From: Bill Grant (not.available_at_online)
Date: 09/12/04
- Next message: Steven L Umbach: "Re: WIndows server 2003 as router"
- Previous message: Bill Grant: "Re: WIndows server 2003 as router"
- In reply to: Bill Grant: "Re: newbie lost in trying to setup NAT"
- Next in thread: vvu: "Re: newbie lost in trying to setup NAT"
- Reply: vvu: "Re: newbie lost in trying to setup NAT"
Date: Sun, 12 Sep 2004 15:31:20 +1000
Also make sure you have not configured a default gateway on the private
NIC. This should be blank. The only default gateway on this machine should be
to the Internet via the public NIC.
"Bill Grant" <not.available@online> wrote in message
news:e2pOlVtlEHA.748@TK2MSFTNGP11.phx.gbl...
> The settings in 2003 NAT are slightly different from 2000. I note you are
> running 2003.
>
> 1. In the RRAS console, go to the NAT/Basic Firewall section. Your internal
> NIC should have the "private interface connected to private network" button
> set on. Your external NIC should have the "public interface connected to the
> Internet" button set, and the "enable NAT on this interface" and the "enable
> a basic firewall .. " boxes checked. On the Address Pool tab, there should
> be no addresses displayed (so that NAT cannot try to act as a mini-DHCP
> server). So NAT is active, but not doing the DHCP bit itself.
>
> 2. Yes, that sounds correct for the DNS forwarding. Your clients should now
> be able to resolve both local and Internet names from this server.
>
> 3. When you configure your DHCP server, you need to make sure that it gives
> the clients the correct gateway and DNS addresses. If your server is the
> gateway and DNS server, then use its private LAN IP as the gateway and DNS
> address (192.168.1.1 in your case).
>
> 4. The DHCP server must be registered with Active Directory before it can
> operate. The setup wizard may have done that for you if it is already working.
>
> After you have the server configured, check the settings on your client.
> They should be set to obtain IP and DNS from DHCP. Then do an ipconfig
> /release to release the current settings and allow them to get a new config
> from DHCP. Then do an ipconfig /all to check that they have received the
> correct settings for default gateway and DNS from your DHCP server.
>
> "vvu" <anonymous@discussions.microsoft.com> wrote in message
> news:87b501c4961b$72a90760$a601280a@phx.gbl...
> > ok so let me see if i get it.
> > my server can connect and browse the internet ok so i don't
> > have to create a demand dial.
> > i really want to use AD and AD cannot exist without DNS
> > so i'd have to...
> > disable NAT from allocating IPs and stop the NATs DNS to
> > relay queries?
> > -so to disable NATs DNS i untick the name resolution box
> > in NAT. with this do you mean the properties for internal
> > or external interface in the 'Routing and Remote Access'
> > mmc?
> > -and how do i disable NAT to allocate IPs?
> > -to configure forwarding DNS was i doing it correctly?
> > i go into DNS via admin tools, go into properties of my
> > server, then 'forwarders' tab and in the 'selected
> > domain's forwarder IP address' box type in the IPs DNS IP
> > and click add?
> >
> > -when you say 'need to configure DHCP to give clients the
> > correct IP address and netmask, default gateway and
> > DNS address'
> > can't i have my DHCP server allocate any IP address to the
> > clients as long as they are all in the same subnet?(for
> > example my servers IP is 192.168.1.1 and subnet
> > 255.255.255.0 i configure the DHCP to distribute IPs in
> > the range of 192.168.1.5-192.168.1.10 with subnet
> > 255.255.255.0)
> > with the default gateway, how do i set that up on the
> > clients? because if i have the clients setup for obtain IP
> > automatically i can't put in a gateway in the TCP/IP
> > properties. I'd have to provide them with static IPs. does
> > that make sense? because in the TCP/IP properties it's
> > either one or the other option.
> > also do i have to setup client pcs to direct queries to my
> > server?
> > so if my server's IP is 192.168.1.1 i have to add that to
> > the clients TCP/IP-DNS properties?
> > -and when you say 'must authorise your DHCP server in AD
> > so that it will operate.'
> > my 2003 server runs as a DHCP,DNS,AD so isn't it already
> > authorized when i set it up? because my AD network works
> > fine just not the internet connection.
> >
> > thanks again for all your help.
> >
> > >-----Original Message-----
> > > OK, that makes sense. That is a valid way to set up Internet access for a
> > >home network (without AD). It really depends on how your ISP handles things.
> > >
> > > Creating a demand-dial interface and using that as your Internet
> > >connection is the normal situation if you use dialup or if the cable modem
> > >is directly connected to the server. If you connect to the Internet from a
> > >second NIC, you do not normally need to use this method. You can use the NIC
> > >as your Internet interface.
> > >
> > > So the first thing to work out is exactly how your Internet connection
> > >works. Can your server connect to and browse the Internet without setting
> > >up a demand-dial interface? If it can, you do not need to set up a
> > >demand-dial interface. You can use the second NIC as your public interface
> > >for NAT.
> > >
> > > The other complication is Active Directory. The normal setup for NAT is
> > >to use NAT to allocate addresses and other settings to LAN clients (NAT has
> > >a built in allocator or mini-DHCP server). NAT also acts as a DNS relay to
> > >send DNS requests on to your ISP. This fails for AD because the clients
> > >must use local DNS to find AD services.
> > >
> > > To use your server as an AD server running its own DNS and DHCP, you
> > >have to disable both of these options. You disable the allocator by not
> > >giving it any addresses to allocate. You disable DNS relay by not ticking
> > >the name resolution box in NAT.
> > >
> > > When you have stopped NAT from trying to do these things, you have to
> > >allow them to happen on your server. You have to configure DNS to forward
> > >requests to a public DNS service (such as your ISP). You need to configure
> > >DHCP to give clients the correct IP address and netmask, default gateway and
> > >DNS address. You then must authorise your DHCP server in AD so that it will
> > >operate.
> > >
> > > If you decide this is all too much, run dcpromo again to remove AD. You
> > >can then use NAT to give Internet access to your LAN machines, using its
> > >built in allocator and DNS proxy.
> > >
> > >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> > >news:725f01c494b1$d5a4b500$a501280a@phx.gbl...
> > >> sorry if i've confused you. i don't know how to put in a
> > >> diagram so i'll try my best to explain.
> > >>
> > >> ok so what i have at home is...
> > >> -a PC running win 2003 server which runs AD, DHCP and DNS.
> > >> -this pc has 2 NICs,1 connected to the internal network
> > >> (via hub) and 1 connected to the cable modem.
> > >>
> > >> what i have done...
> > >> -installed NAT through the 'Routing and Remote Access
> > >> Server Setup wizard'.(i'm a little unsure of how to
> > >> configure it but this is what i've done)
> > >> -on the first window(NAT Internet Connection), it gives 2
> > >> options-'use this public interface to connect to the
> > >> internet' or 'create new demand dial interface to the
> > >> internet' i select 'create new demand dial interface to
> > >> the internet' is that right?
> > >> -then it asks to choose a name for this interface and
> > >> stuff...
> > >>
> > >> -after that's done i go into the 'Routing and Remote
> > >> Access' mmc.
> > >> -expand the 'server','IP Routing' and select 'NAT/Basic
> > >> Firewall'...in here there are 3 'Interfaces'. 1-Internal,2-
> > >> external,3-Remote Router(which i had created in previous
> > >> wizard).
> > >> i'm not sure what i'm supposed to configure here but
> > >> according to a tutorial i found, i go into the properties
> > >> of the 'Remote Router' interface i make sure that 'public
> > >> interface connected to the internet' and 'enable NAT on
> > >> this interface' and 'enable a basic firewall on this
> > >> interface' are selected.
> > >>
> > >> - now i need something to forward DNS queries to the ISP
> > >> because my DNS server can't translate internet queries(is
> > >> that right?)
> > >> -open up DNS via 'administrative tools' then in the
> > >> properties of my server i go into the 'forwarders' tab.
> > >> -here i put my ISPs DNS IPs in the 'select domain's
> > >> forwarder IP address' and click add.
> > >>
> > >> that's all that i've done i don't know what to do with the
> > >> clients,they have automatic settings for IP and DNS.
> > >> i have tried setting the DNS setting for the clients to
> > >> point to my win2003 server with no success.
> > >>
> > >> i really appreciate your help.thanks
> > >>
> > >>
> > >> >-----Original Message----
> > >> > I think you had better start again and tell us exactly how your network
> > >> >is configured and what you are trying to achieve. A simple diagram would
> > >> >help. I was under the impression that you had a router connected to the
> > >> >Internet and two NICs in the server. Now you say you are using a dialup
> > >> >connection through a modem.
> > >> >
> > >> >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> > >> >news:6b6101c49408$d50d14b0$a301280a@phx.gbl...
> > >> >> sorry i'm not too sure what you mean by.. "you cannot have
> > >> >> your clients using the default DHCP settings of your
> > >> >> router."
> > >> >>
> > >> >> at the moment the clients are using dynamic ip and
> > >> >> automatic dns settings.
> > >> >> so do you mean i should set the clients dns to point to
> > >> >> the DC(which runs as NAT,DHCP,DNS)?
> > >> >>
> > >> >> this is what i have done so far with no success.
> > >> >> i have installed a NAT with the "Routing and Remote Access
> > >> >> Server Setup Wizard".
> > >> >> I selected "Create a new demand dial interface to the
> > >> >> internet" option and selected the NIC that will connect to
> > >> >> the internet.
> > >> >> then i went into 'administrative tools-Routing and Remote
> > >> >> Access',expanded 'my server-IP Routing' and there are 3
> > >> >> interfaces. there is the one that i created with the
> > >> >> wizard and an 'internal' and 'external' one. should i
> > >> >> configure all of these? or should i just configure the one
> > >> >> that i created?
> > >> >>
> > >> >> then i configured forwarders. in 'administrative tools-
> > >> >> DNS' i right click the server then in the 'forwarders' tab
> > >> >> i click on 'new' then type in the ISPs DNS IPs and
> > >> >> click 'add'.
> > >> >>
> > >> >> sorry if i seem a little slow i'm still new at this and i'm
> > >> >> really eager to get this working!
> > >> >> thanks for all your help guys.
> > >> >>
> > >> >> >-----Original Message-----
> > >> >> > If you are using Active Directory, you cannot have your clients using the
> > >> >> >default DHCP settings of your router. An Internet NAT router gives its
> > >> >> >clients a default gateway setting of itself (which is fine) and a DNS
> > >> >> >address of itself (which is not OK for AD).
> > >> >> >
> > >> >> > If you want to use the NAT router as your DHCP server, you will have to
> > >> >> >modify it to give out your DC's IP address for DNS, not its own IP.
> > >> >> >
> > >> >> > To test this, set up a client manually to have the router as its default
> > >> >> >gateway but your DC as its DNS address.
> > >> >> >
> > >> >> > Can your server now access the Internet?
> > >> >> >
> > >> >> >"vvu" <anonymous@discussions.microsoft.com> wrote in message
> > >> >> >news:5d3d01c49224$42efb460$a501280a@phx.gbl...
> > >> >> >> i have now confirmed that the isp's DNS ip addresses are
> > >> >> >> correct. but they still are not working.
> > >> >> >> does it matter that the tcp/ip properties of the NIC
> > >> >> >> (connected to the modem) are all on automatic?
> > >> >> >> do i need to configure anything on the clients?
> > >> >> >> the clients NIC settings are currently on auto for IP
> > >> >> >> addressing and DNS.
> > >> >> >> when i try to access an internet address i get an ie6
> > >> >> >> error 'cannot find server or dns error'
> > >> >> >>
> > >> >> >> thanks again.
> > >> >> >>
> > >> >> >> >-----Original Message-----
> > >> >> >> >"vvu" <anonymous@discussions.microsoft.com> wrote in
> > >> >> >> >news:098c01c491c0$a1de8640$a401280a@phx.gbl:
> > >> >> >> >
> > >> >> >> >> Oh ok, so if I uninstall or disable DNS and DHCP will I
> > >> >> >> >> still be able to run an Active Directory Network without
> > >> >> >> >> any issues?
> > >> >> >> >>
> > >> >> >> >>>-----Original Message-----
> > >> >> >> >>>"vvu" <anonymous@discussions.microsoft.com> wrote in
> > >> >> >> >>>news:047a01c49081$a6c1b4b0$a401280a@phx.gbl:
> > >> >> >> >>>
> > >> >> >> >>>> Hi i'm a newbie here and any suggestion would help as i am
> > >> >> >> >>>> confused with setting up a NAT for my home AD network.
> > >> >> >> >>>> I have a cable connection which provides a dynamic ip. i
> > >> >> >> >>>> have a 2003 server acting as a DNS,DHCP for the AD network
> > >> >> >> >>>> and 2 client pc's.
> > >> >> >> >>>> the server has 2 NIC's in which 1 is for the internal
> > >> >> >> >>>> network(static ip) and the other connected to the cable
> > >> >> >> >>>> modem(dynamic ip). i'm not too sure on how to setup a NAT
> > >> >> >> >>>> and forward DNS queries(is that theory correct) but i have
> > >> >> >> >>>> info on it. i am confused as to how would i redirect
> > >> >> >> >>>> queries to the NIC connected to the modem if the NIC
> > >> >> >> >>>> connected has a dynamic ip.
> > >> >> >> >>>> can anyone assist please?
> > >> >> >> >>>> thanks in advance.
> > >> >> >> >>>
> > >> >> >> >>>If you enable Internet Connection Sharing (ICS) on the NIC that is
> > >> >> >> >>>connected to the cable modem, you have enabled NAT. ICS has a built-in DHCP
> > >> >> >> >>>and DNS server, so you don't want to deploy DNS and DHCP as well as ICS. If
> > >> >> >> >>>you do, nothing will work correctly.
> > >> >> >> >>>
> > >> >> >> >>>I don't recall if you can disable DHCP and DNS in ICS, you will need to
> > >> >> >> >>>read the Help. Otherwise you will need to disable or uninstall the DHCP and
> > >> >> >> >>>DNS services on the server.
> > >> >> >> >>>
> > >> >> >> >>>--
> > >> >> >> >>>James McIllece, Microsoft
> > >> >> >> >>>
> > >> >> >> >>>Please do not send email directly to this alias. This is my online account
> > >> >> >> >>>name for newsgroup participation only.
> > >> >> >> >>>
> > >> >> >> >>>This posting is provided "AS IS" with no warranties, and confers no rights.
> > >> >> >> >
> > >> >> >> >Talked to a couple of people over here and changed my mind about your best
> > >> >> >> >course of action.
> > >> >> >> >
> > >> >> >> >Instead of using ICS for NAT, you can use NAT in Routing and Remote Access
> > >> >> >> >Service (RRAS) without disabling DNS and DHCP on the server. See the Help
> > >> >> >> >topic called "Deploying network address translation" in Windows Server 2003
> > >> >> >> >Help and Support Center on your PC, or on the Web at
> > >> >> >> >http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_rras-ch3_06d.asp.
> > >> >> >> >
> > >> >> >> >--
> > >> >> >> >James McIllece, Microsoft
> > >> >> >> >
> > >> >> >> >Please do not send email directly to this alias. This is my online account
> > >> >> >> >name for newsgroup participation only.
> > >> >> >> >
> > >> >> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> > >> >> >> >
> > >> >> >
> > >> >> >
> > >> >> >.
> > >> >> >
> > >> >
> > >> >
> > >> >.
> > >> >
> > >
> > >
> > >.
> > >
>
>
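Added example, not part of the original posts: a Python check for the two things this thread says to verify with ipconfig /all, namely that the server's private NIC has no default gateway and that clients take their gateway and DNS from the server at 192.168.1.1. The sample output is constructed (203.0.113.x and 198.51.100.53 are documentation addresses), the function names are hypothetical, and the parser assumes the English field labels.

```python
import re

# Constructed `ipconfig /all` excerpts. Server with a stray gateway on the private NIC:
SERVER_BAD = """\
Ethernet adapter Private:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Default Gateway . . . . . . . . . : 192.168.1.254

Ethernet adapter Public:
   IP Address. . . . . . . . . . . . : 203.0.113.25
   Default Gateway . . . . . . . . . : 203.0.113.1
"""
# Constructed client excerpt that lists an outside resolver ahead of the server:
CLIENT_BAD = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       192.168.1.1
"""

def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}."""
    adapters, cur, key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z][^:]*?)[\s.]*:\s*(.*)$", line)
        if line[:1].strip() and line.rstrip().endswith(":"):
            cur, key = adapters.setdefault(line.rstrip()[:-1], {}), None
        elif cur is not None and m:            # "Field . . . : value"
            key, value = m.group(1), m.group(2).strip()
            cur[key] = [value] if value else []
        elif cur is not None and key and line.strip():
            cur[key].append(line.strip())      # wrapped extra value
    return adapters

def check_server(adapters, private_ip="192.168.1.1"):
    """The private NIC must not carry a default gateway."""
    return [f"{name}: default gateway {f['Default Gateway'][0]} on private NIC"
            for name, f in adapters.items()
            if private_ip in f.get("IP Address", []) and f.get("Default Gateway")]

def check_client(adapters, server_ip="192.168.1.1"):
    """Client: DHCP on, gateway and DNS both the server's private IP."""
    out = []
    for name, f in adapters.items():
        if f.get("DHCP Enabled") != ["Yes"]:
            out.append(f"{name}: DHCP not enabled")
        if f.get("Default Gateway") != [server_ip]:
            out.append(f"{name}: gateway is not {server_ip}")
        if f.get("DNS Servers") != [server_ip]:
            out.append(f"{name}: DNS is {f.get('DNS Servers')}, expected {server_ip}")
    return out
```

Save the real output with `ipconfig /all > out.txt` on each machine and pass the file contents to `parse_ipconfig`; an empty list from either check means that machine matches the settings described in the thread.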