Solved

Setting up a Primary Domain Controller, not a DNS server, and Domains

Posted on 2001-06-03
Medium Priority
230 Views
Last Modified: 2010-04-12
I'm currently ready to install two Windows 2000 servers, one web server, one database server.  I would like to make the web server the primary domain controller but not a DNS server.  The DNS server is a Solaris server.  What I want to achieve is the creation of a user that can be authenticated at the domain level.  Please give me the step by step on how to do this (I can navigate Win2000 pretty well, so not too much detail!), and let me know what type of security measures I need to take if these servers are going to be in the DMZ of this network.
Question by: compinfo

8 Comments
 
LVL 12

Accepted Solution

by: Housenet (earned 900 total points)
ID: 6151306
You can use any DNS server that supports the SRV record and also, hopefully, supports the dynamic update protocol.
-Active Directory works well with BIND 8.1.2, which supports the SRV record and the dynamic update protocol, and BIND 4.9.7, which supports SRV records.
-The Solaris server is compatible, I imagine?

-I assume your Solaris server is for some internet DNS zones hosted by you?
-You'll want to create a new zone for the 2000 domain... say yourcompany.corp or office.domain.com or something that will not be exposed on the internet directly. Create an SRV record for the domain controller... server.yourcompany.corp...
-Install 2000; after it's set up as a workgroup server, run dcpromo & create a new tree in a new forest. Point to the Solaris server for DNS resolution with the created records. If the DNS server is compatible all should go smoothly & fairly automatically.
-DMZ issue... there are a few factors. For example, do you mean you have a hardware firewall with a DMZ port? If so, set up the security via the firewall.
-If you simply want to block ports & have the servers in a segregated subnet, you can use IP filtering to block ports & protocols from computers not in the same segment, or accessing the servers through a second NIC installed on the DC.
LVL 12

Expert Comment

by: Housenet
ID: 6151310
-I should mention that installing DNS on the DC & forwarding requests to the Solaris server is a good option if it is not compatible. This would also simplify the installation process.
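The record set the two comments above refer to ("create an SRV record for the domain controller" on the Solaris/BIND server, or let a DNS service on the DC register them), as an added example that is not code from the thread: a Python script that emits, in BIND zone-file syntax, the records a Windows 2000 DC registers through Netlogon at start-up, so they can be entered by hand on a BIND server that does not accept dynamic updates, plus a check of an existing zone for the records a domain member needs to locate the DC. The zone name yourcompany.corp and the DC address 192.168.10.2 come from the thread; the host name server.yourcompany.corp, the site name and the GUIDs in the demo are assumptions.

```python
"""
Records a Windows 2000 DC expects in DNS, in BIND zone-file syntax.

Added example, not from the thread. Generates the record set Netlogon would
register for one DC (for hand entry when the authoritative server refuses
dynamic updates) and checks a zone for the records clients need to find a DC.
Assumed: demo names/GUIDs are made up; TTLs are the Netlogon defaults; the
gc records are needed only if the DC is a global catalog (the first DC in a
new forest is one).
"""

LDAP, KERBEROS, KPASSWD, GC = 389, 88, 464, 3268


def netlogon_records(domain, forest, dc_fqdn, dc_ip,
                     site="Default-First-Site-Name",
                     domain_guid=None, dsa_guid=None):
    """Return the A, CNAME and SRV records for one DC as zone-file lines."""
    d, f, h = (x.rstrip(".") + "." for x in (domain, forest, dc_fqdn))

    def srv(owner, port):
        # Netlogon registers SRV records with priority 0, weight 100, TTL 600.
        return f"{owner} 600 IN SRV 0 100 {port} {h}"

    recs = [
        f"{h} 3600 IN A {dc_ip}",
        f"{d} 600 IN A {dc_ip}",                   # the domain name resolves to every DC
        f"gc._msdcs.{f} 600 IN A {dc_ip}",         # global catalog only
        srv(f"_ldap._tcp.{d}", LDAP),
        srv(f"_ldap._tcp.{site}._sites.{d}", LDAP),
        srv(f"_ldap._tcp.pdc._msdcs.{d}", LDAP),   # PDC emulator
        srv(f"_ldap._tcp.dc._msdcs.{d}", LDAP),
        srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{d}", LDAP),
        srv(f"_ldap._tcp.gc._msdcs.{f}", GC),      # global catalog only
        srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{f}", GC),
        srv(f"_gc._tcp.{f}", GC),
        srv(f"_gc._tcp.{site}._sites.{f}", GC),
        srv(f"_kerberos._tcp.{d}", KERBEROS),
        srv(f"_kerberos._udp.{d}", KERBEROS),
        srv(f"_kerberos._tcp.{site}._sites.{d}", KERBEROS),
        srv(f"_kerberos._tcp.dc._msdcs.{d}", KERBEROS),
        srv(f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}", KERBEROS),
        srv(f"_kpasswd._tcp.{d}", KPASSWD),
        srv(f"_kpasswd._udp.{d}", KPASSWD),
    ]
    if domain_guid:   # clients can find the domain by GUID even after a rename
        recs.append(srv(f"_ldap._tcp.{domain_guid}.domains._msdcs.{f}", LDAP))
    if dsa_guid:      # replication partners locate this DC by its NTDS Settings GUID
        recs.append(f"{dsa_guid}._msdcs.{f} 600 IN CNAME {h}")
    return recs


def parse_zone(lines):
    """Parse '<owner> [ttl] [IN] <type> <rdata...>' lines into (owner, type, rdata)."""
    out = []
    for line in lines:
        line = line.split(";", 1)[0].strip()         # drop comments
        if not line or line.startswith("$"):          # skip blank lines and $ directives
            continue
        tok = line.split()
        i = 1
        while i < len(tok) and (tok[i].isdigit() or tok[i].upper() == "IN"):
            i += 1                                    # optional TTL and class
        out.append((tok[0].rstrip(".").lower(), tok[i].upper(), tok[i + 1:]))
    return out


def missing_locator_records(zone_lines, domain):
    """SRV names a Windows client needs to locate a DC for `domain` that the zone lacks."""
    d = domain.rstrip(".").lower()
    present = {(o, t) for o, t, _ in parse_zone(zone_lines)}
    wanted = [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
              f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}", f"_kpasswd._tcp.{d}"]
    return [n for n in wanted if (n, "SRV") not in present]


def dangling_srv_targets(zone_lines):
    """Owners of SRV records whose target host has no A record in this zone."""
    recs = parse_zone(zone_lines)
    have_a = {o for o, t, _ in recs if t == "A"}
    return [o for o, t, rd in recs
            if t == "SRV" and rd[-1].rstrip(".").lower() not in have_a]


if __name__ == "__main__":
    # Demo values: zone and DC address from the thread, host name assumed.
    for line in netlogon_records("yourcompany.corp", "yourcompany.corp",
                                 "server.yourcompany.corp", "192.168.10.2"):
        print(line)
```

Paste the printed lines into the private zone on the BIND server (on BIND 8.x the alternative is an `allow-update` clause on that zone so the DC can register them itself). `missing_locator_records` is the check to run against a dump of the zone before running dcpromo, and `dangling_srv_targets` catches the common failure where the SRV records exist but point at a host name the Solaris server cannot resolve.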

Author Comment

by: compinfo
ID: 6154599
I am testing this proposed solution.  I was able to add the needed records to the DNS server and NAT a real-world domain name to the Windows 2000 web server.

I did go ahead and create a new tree in a new forest and I created a user login on the PDC with Administrator rights, added my database server to the domain and logged in successfully to the domain from the database server.

I do not have a hardware DMZ, so I will need some help from you in setting up IP filtering to block ports and protocols.  I *do* have two NICs in the DC, but I'm not sure how I can use them to create good security.

Thanks for your quick response! Compinfo.
LVL 12

Expert Comment

by: Housenet
ID: 6154722
-Can you describe what exactly your interpretation of this "DMZ" is or will be? Here's an example...


-Say you have a LAN whose subnet is 192.168.1.0/24
-Say your 2000 LAN exists in 192.168.10.0/24

-You want to make sure that users in 192.168.1.0 do not have access to anything but POP/SMTP & the SQL database.

-Set up the private NIC of the DC & the SQL server as 192.168.10.2/24 & 192.168.10.3/24
*Second NIC on the DC: 192.168.1.254 (wired to the same hubs as the 192.168.1.0/24 subnet). In the TCP/IP properties of this NIC, click the Advanced button & then the Options tab... TCP/IP Filtering... Select "Enable TCP/IP Filtering" & for TCP click "Permit Only"... Enter 25, 53, 110, 1433.
-This would make your DC the router in a sense & not truly in a DMZ. It would have an 'arm' in each zone.
-You could of course place both servers in the DMZ & get another server to act as the DMZ server, or a 2-interface IP router. I don't know the equipment you're working with here.
-Optionally, with the 2 NICs you can configure a "simple routing scenario" with RRAS... There is some more flexibility with RRAS & protocol choices. For this you'd have to start up RRAS & search for setup steps & help. The RRAS help is extremely good. Search for "simple routing scenario".
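The TCP/IP Filtering setup in the comment above, modelled in Python as an added example (not code from the thread) to show what a "Permit Only" TCP list on the DC's LAN arm does and does not do. The semantics are assumptions taken from the feature's own dialog and Microsoft's description of it: the filter applies only to inbound packets addressed to the host, the TCP and UDP port lists are independent, the "Enable TCP/IP Filtering (All adapters)" checkbox turns filtering on everywhere but each adapter keeps its own lists, and outbound connections and their replies are not affected. The packet list is constructed for the demo.

```python
"""
What Windows 2000 'TCP/IP Filtering' does on a dual-homed DC, evaluated
against constructed traffic. Added example, not from the thread.

Assumed semantics (from the dialog and Microsoft's description): inbound-only,
per-adapter, separate TCP and UDP lists, each 'Permit All' (None here) or
'Permit Only <ports>'; outbound traffic and its replies always pass.
"""
from dataclasses import dataclass
from typing import Optional

TCP, UDP = "tcp", "udp"


@dataclass(frozen=True)
class AdapterFilter:
    name: str
    tcp_ports: Optional[frozenset] = None   # None = Permit All
    udp_ports: Optional[frozenset] = None

    def permits_inbound(self, proto, dst_port):
        allowed = self.tcp_ports if proto == TCP else self.udp_ports
        return allowed is None or dst_port in allowed


@dataclass(frozen=True)
class Packet:
    adapter: str
    proto: str
    dst_port: int
    inbound: bool     # True: addressed to the DC; False: sent by the DC
    note: str


def evaluate(filters, packets):
    """Map each packet's note to 'permit' or 'drop' under the per-adapter filters."""
    by_name = {f.name: f for f in filters}
    out = {}
    for p in packets:
        if not p.inbound:
            out[p.note] = "permit"   # inbound-only filter: outbound traffic is never dropped
        else:
            ok = by_name[p.adapter].permits_inbound(p.proto, p.dst_port)
            out[p.note] = "permit" if ok else "drop"
    return out


SERVICE_PORTS = {
    "smtp": ((TCP, 25),),
    "pop3": ((TCP, 110),),
    "dns": ((TCP, 53), (UDP, 53)),   # resolvers query over UDP; TCP for truncated answers/AXFR
    "mssql": ((TCP, 1433),),
}


def permit_only_lists(services):
    """TCP and UDP 'Permit Only' lists that expose exactly these services and nothing else."""
    pairs = [pp for s in services for pp in SERVICE_PORTS[s]]
    return (frozenset(p for pr, p in pairs if pr == TCP),
            frozenset(p for pr, p in pairs if pr == UDP))


def unfiltered_udp(filters, adapter, probe_ports):
    """UDP ports on `adapter` that still accept inbound packets under the given filters."""
    f = next(x for x in filters if x.name == adapter)
    return sorted(p for p in probe_ports if f.permits_inbound(UDP, p))


# The thread's configuration: LAN arm limited to TCP 25,53,110,1433; private arm untouched.
THREAD_FILTERS = (
    AdapterFilter("lan", tcp_ports=frozenset({25, 53, 110, 1433})),
    AdapterFilter("private"),
)

# Constructed traffic (made up for the demo).
SAMPLE = (
    Packet("lan", TCP, 1433, True, "LAN host -> DC 1433/tcp (SQL, intended)"),
    Packet("lan", TCP, 445, True, "LAN host -> DC 445/tcp (SMB)"),
    Packet("lan", TCP, 389, True, "LAN host -> DC 389/tcp (LDAP)"),
    Packet("lan", UDP, 53, True, "LAN host -> DC 53/udp (DNS query)"),
    Packet("lan", UDP, 88, True, "LAN host -> DC 88/udp (Kerberos)"),
    Packet("private", TCP, 389, True, "SQL server -> DC 389/tcp via private arm"),
    Packet("lan", TCP, 25, False, "DC -> LAN mail host 25/tcp (outbound)"),
)

if __name__ == "__main__":
    for note, verdict in evaluate(THREAD_FILTERS, SAMPLE).items():
        print(f"{verdict:6} {note}")
    print("UDP still open on lan arm:",
          unfiltered_udp(THREAD_FILTERS, "lan", [53, 88, 137, 138, 389]))
```

Run as written it prints the verdicts; the two "permit" lines for 53/udp and 88/udp are the point. Restricting only the TCP list leaves every UDP service on the LAN arm reachable, so the UDP list needs "Permit Only" as well (53 if DNS is meant to be offered from that arm, otherwise an empty list). `permit_only_lists` gives both lists for a chosen service set, and `unfiltered_udp` is the check to run against the finished configuration.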

Author Comment

by: compinfo
ID: 6154877
Basically, my scenario is this:

1 win2000 web server: 192.168.0.10/16
1 win2000 sql server: 192.168.0.11/16

The DMZ "server" is a Linux server (it used to be a Solaris server).  But also, we have a Nortel "Accelar" switch that allows certain IPs through (I'll have to get clarification from the Linux server administrators on this).  Anyway, I'm pretty much at the whim of the main DNS server (Linux) and the administrators' configuration.  All traffic comes through the Linux and Accelar side before anything touches the Win2000 servers...

I hope this makes sense.  I'm learning, so thanks for patience here...
LVL 12

Expert Comment

by: Housenet
ID: 6163556
-You know... Considering the fact that your scenario seems to have the Linux acting as the firewall & you have a switch (smart switch?), you probably should just use routing to get to the inside LAN from the 2000 & vice versa. Then you can limit the TCP connections to ports with the simple filters I described. There obviously is no need to have the 2000 DC act as a firewall.
-I personally think nothing works as well or is more trustworthy than a real hardware firewall anyway. Like a netscreen 5 etile would be perfect for this scenario.

Author Comment

by: compinfo
ID: 6163756
The actual firewall is a bare Linux OS running iptables on a small server with virtually no other processes running.

Author Comment

by: compinfo
ID: 6163769
Thanks again for your help and ideas.  Your answer gave me some key words to look for, and I believe I will be able to find the best solution soon.