Solved

Setting up a Primary Domain Controller, not a DNS server, and Domains

Posted on 2001-06-03
Last Modified: 2010-04-12
I'm currently ready to install two Windows 2000 servers, one web server and one database server. I would like to make the web server the primary domain controller but not a DNS server. The DNS server is a Solaris server. What I want to achieve is the creation of a user that can be authenticated at the domain level. Please give me the step by step on how to do this (I can navigate Win2000 pretty well, so not too much detail!), and let me know what type of security measures I need to take if these servers are going to be in the DMZ of this network.
Question by: compinfo
Accepted Solution

by: Housenet (earned 300 total points)
You can use any DNS server that supports the SRV record and also, hopefully, supports the dynamic update protocol.
-Active Directory works well with BIND 8.1.2, which supports the SRV record and the dynamic update protocol, and BIND 4.9.7, which supports the SRV records.
-Solaris server is compatible, I imagine?

-I assume your Solaris server is for some internet DNS zones hosted by you?
-You'll want to create a new zone for the 2000 domain... say yourcompany.corp or office.domain.com or something that will not be exposed on the internet directly. Create an SRV record for the domain controller... server.yourcompany.corp....
-Install 2000; after it's set up as a workgroup server, run dcpromo & create a new tree in a new forest. Point to the Solaris server for DNS resolution with the created records. If the DNS server is compatible all should go smoothly & fairly automatically.
-DMZ issue... there are a few factors. Like for example, do you mean you have a hardware firewall with a DMZ port? If so, set up the security via the firewall.
-If you simply want to block ports & have the servers in a segregated subnet, you can use IP filtering to block ports & protocols from computers not in the same segment, or accessing the servers through a second NIC installed on the DC.
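The accepted answer's main requirement is that the external DNS zone carry the SRV records a Windows 2000 DC and its clients look up; when the Solaris server does not accept dynamic updates, those records must be entered by hand and it is easy to miss one. The following pre-flight check is an added example, not code from the thread or from either product: it parses a constructed BIND-style zone for the placeholder zone yourcompany.corp (the name suggested above) and verifies that a minimum set of DC-locator SRV names is present, carries the expected port, and points at a host that has an A record. Port numbers, the `REQUIRED_SRV` subset and the host name `server` are assumptions for the example.

```python
"""Pre-flight check of the SRV records a Windows 2000 domain controller needs
in its DNS zone.  Added example, not from the original thread; the zone text
below is constructed and yourcompany.corp / server are placeholder names."""
from collections import defaultdict

# Constructed BIND-style zone for the private AD zone. When the DNS server does
# not accept dynamic updates, records like these have to be created by hand
# before dcpromo and domain members can locate the DC.
ZONE = """\
$ORIGIN yourcompany.corp.
$TTL 3600
@                       IN SOA  ns1.example.com. hostmaster.example.com. 2001060301 3600 900 604800 3600
@                       IN NS   ns1.example.com.
server                  IN A    192.168.10.2
_ldap._tcp              IN SRV  0 100 389 server
_kerberos._tcp          IN SRV  0 100 88  server
_kerberos._udp          IN SRV  0 100 88  server
_kpasswd._tcp           IN SRV  0 100 464 server
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 server
"""

# A minimum subset of the service names a DC registers (netlogon registers
# more, e.g. site- and GC-specific ones), with the port each must carry.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_ldap._tcp.dc._msdcs": 389,
}


def fqdn(name, origin):
    """Expand a zone-file owner or target name relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Minimal parser for one-line 'owner IN TYPE rdata' records.
    Returns (origin, {fqdn: ipv4}, {fqdn: [(prio, weight, port, target_fqdn)]})."""
    origin = "."
    a_records, srv_records = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        owner, _cls, rtype, *rdata = line.split()
        if rtype == "A":
            a_records[fqdn(owner, origin)] = rdata[0]
        elif rtype == "SRV":
            prio, weight, port, target = rdata
            srv_records[fqdn(owner, origin)].append(
                (int(prio), int(weight), int(port), fqdn(target, origin)))
    return origin, a_records, srv_records


def check_zone(text):
    """Return a list of problems; an empty list means the DC can be located."""
    origin, a_records, srv_records = parse_zone(text)
    problems = []
    for service, port in REQUIRED_SRV.items():
        name = fqdn(service, origin)
        entries = srv_records.get(name, [])
        if not entries:
            problems.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, rec_port, target in entries:
            if rec_port != port:
                problems.append(f"{name} points at port {rec_port}, expected {port}")
            if target not in a_records:
                problems.append(f"{name} target {target} has no A record in the zone")
    return problems


if __name__ == "__main__":
    for problem in check_zone(ZONE) or ["zone OK"]:
        print(problem)
```

Run it against a dump of the real zone before running dcpromo; a "missing SRV record" or "has no A record" line is exactly the condition under which domain join and logon fail with DNS errors, and it is far cheaper to find here than after promotion.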
Expert Comment

by: Housenet
-I should mention that installing DNS on the DC & forwarding requests to the Solaris server is a good option if it is not compatible. This would also simplify the installation process.
Author Comment

by: compinfo
I am testing this proposed solution. I was able to add the needed records to the DNS server and NAT a real-world domain name to the Windows 2000 web server.

I did go ahead and create a new tree in a new forest and I created a user login on the PDC with Administrator rights, added my database server to the Domain and logged in successfully to the domain from the database server.  

I do not have a hardware DMZ, so I will need some help from you in setting up IP filtering to block ports and protocols. I *do* have two NICs in the DC, but I'm not sure how I can use them to create good security.

Thanks for your quick response! Compinfo.
Expert Comment

by: Housenet
-Can you describe what exactly your interpretation of this "DMZ" is or will be... Here's an example...


-Say you have a LAN whose subnet is 192.168.1.0/24
-Say your 2000 LAN exists in 192.168.10.0/24

-You want to make sure that users in 192.168.1.0 should not have access to anything but POP/SMTP & the SQL database..

-Set up the private NIC of the DC & the SQL server as 192.168.10.2/24 & 192.168.10.3/24
*Second NIC on the DC... 192.168.1.254 (wired to the same hubs as the 192.168.1.0/24 subnet..) In TCP/IP properties of this NIC you click on the Advanced button & then the Options tab... TCP/IP filtering... Select "Enable TCP/IP filtering" & for TCP click on "Permit Only"... Enter 25, 53, 110, 1433.
-This would make your DC the router in a sense & not truly in a DMZ.. It would have an 'arm' in each zone..
-You could of course place both servers in the DMZ & get another server to act as the DMZ server. Or a 2-interface IP router.. I don't know the equipment you're working with here..
-Optionally with the 2 NICs you can configure a "simple routing scenario" with RRAS... There is some more flexibility with RRAS & protocol choices.. For this you'd have to start up RRAS & search for setup steps & help.. The RRAS help is extremely good.. Search for "simple routing scenario"..
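The dual-NIC layout above rests on a "Permit Only" TCP list on the LAN-facing arm of the DC, and the question a defender should ask of any such list is what it leaves open. The model below is an added example, not code from the thread or a Windows tool: it encodes the filter exactly as described (TCP 25, 53, 110, 1433 on 192.168.1.254, UDP left at the default, nothing on the private arm) and evaluates a set of constructed connection attempts against it, alongside a second, assumed variant that also sets UDP to "Permit Only" with an empty list. The model assumes TCP/IP filtering is an inbound filter judged on the interface the packet arrives on, and it only covers traffic addressed to the DC itself; the addresses follow the thread's scenario and the attempts are made up.

```python
"""Model of the 'Permit Only' TCP/IP filter on the DC's LAN-facing NIC, applied
to constructed connection attempts.  Added example, not from the thread; the
addresses follow the thread's scenario and the attempts are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class NicFilter:
    """Per-interface permit lists. None = 'Permit All' (the default); a set =
    'Permit Only' those ports, so an empty set blocks that protocol entirely."""
    address: str
    tcp_permit: Optional[Set[int]] = None
    udp_permit: Optional[Set[int]] = None

    def allows(self, proto, dport):
        permit = self.tcp_permit if proto == "tcp" else self.udp_permit
        return permit is None or dport in permit


LAN = ipaddress.ip_network("192.168.1.0/24")        # user LAN
SERVERS = ipaddress.ip_network("192.168.10.0/24")   # Windows 2000 segment

# The filter as the thread describes it: TCP permit-only 25,53,110,1433 on the
# 192.168.1.254 arm, UDP left at the default, no lists on the private arm.
AS_DESCRIBED = {
    "lan": NicFilter("192.168.1.254", tcp_permit={25, 53, 110, 1433}),
    "private": NicFilter("192.168.10.2"),
}

# Assumed tightening (not from the thread): UDP also permit-only with an empty
# list, so the LAN arm accepts nothing but the four TCP services.
UDP_BLOCKED_FROM_LAN = {
    "lan": NicFilter("192.168.1.254", tcp_permit={25, 53, 110, 1433}, udp_permit=set()),
    "private": NicFilter("192.168.10.2"),
}


def ingress(src):
    """Which arm of the DC a packet from src arrives on.  The model treats the
    filter as inbound-only, so only the arriving interface's lists apply."""
    return "lan" if ipaddress.ip_address(src) in LAN else "private"


def evaluate(policy, src, proto, dport):
    """True if the attempt passes the filter on the DC, False if it is dropped."""
    return policy[ingress(src)].allows(proto, dport)


# Constructed attempts: a LAN workstation and the SQL server on the private arm,
# all addressed to the DC itself.
ATTEMPTS = [
    ("192.168.1.20", "tcp", 1433),   # LAN user to 1433 on the DC: in the list
    ("192.168.1.20", "tcp", 110),    # LAN user to POP3: in the list
    ("192.168.1.20", "tcp", 445),    # LAN user to SMB on the DC: not in the list
    ("192.168.1.20", "tcp", 389),    # LAN user to LDAP on the DC: not in the list
    ("192.168.1.20", "udp", 88),     # LAN user to Kerberos over UDP: TCP list does not apply
    ("192.168.10.3", "tcp", 389),    # SQL server on the private arm to LDAP
]


def report(policy):
    """Map each constructed attempt to True (allowed) or False (blocked)."""
    return {attempt: evaluate(policy, *attempt) for attempt in ATTEMPTS}


if __name__ == "__main__":
    for name, policy in (("as described", AS_DESCRIBED),
                         ("udp also permit-only", UDP_BLOCKED_FROM_LAN)):
        print(name)
        for attempt, ok in report(policy).items():
            print("  ", attempt, "allowed" if ok else "blocked")
```

The point the model makes is that a TCP-only permit list says nothing about UDP: under the policy as described, UDP/88 from the LAN still reaches the DC, while under the tightened variant it does not. Two things the model deliberately leaves to be verified on the box rather than assuming: whether traffic the DC forwards to 192.168.10.3 (the RRAS "simple routing" case) passes through the same filter, and why port 53 is in a list for a DC that, in this thread, is not the DNS server.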
Author Comment

by: compinfo
Basically, my scenario is this:

1 win2000 web server: 192.168.0.10/16
1 win2000 sql server: 192.168.0.11/16

The DMZ "server" is a Linux server (it used to be a Solaris server). But also, we have a Nortel "Accelar" switch that allows certain IPs through (I'll have to get clarification from the Linux server administrators on this). Anyway, I'm pretty much at the whim of the main DNS server (Linux) and the administrators' configuration. All traffic comes through the Linux and Accelar side before anything touches the Win2000 servers...

I hope this makes sense.  I'm learning, so thanks for patience here...
Expert Comment

by: Housenet
-You know... Considering the fact that your scenario seems to have the Linux acting as the firewall & you have a switch (smart switch?), you probably should just use routing to get to the inside LAN from the 2000 & vice versa.. Then you can limit the TCP connections to ports with the simple filters I described... There obviously is no need to have the 2000 DC act as a firewall....
-I personally think nothing works as well or is more trustable than a real hardware firewall anyway.. Like a netscreen 5 etile would be perfect for this scenario..
Author Comment

by: compinfo
The actual firewall is a bare Linux OS running iptables on a small server with virtually no other processes running.
Author Comment

by: compinfo
Thanks again for your help and ideas. Your answer gave me some key words to look for, and I believe I will be able to find the best solution soon.