Setting up a Primary Domain Controller, not a DNS server, and Domains

Posted on 2001-06-03
Medium Priority
Last Modified: 2010-04-12
I'm currently ready to install two Windows 2000 servers, one web server and one database server. I would like to make the web server the primary domain controller but not a DNS server. The DNS server is a Solaris server. What I want to achieve is the creation of a user that can be authenticated at the domain level. Please give me the step-by-step on how to do this (I can navigate Win2000 pretty well, so not too much detail!), and let me know what type of security measures I need to take if these servers are going to be in the DMZ of this network.
Question by: compinfo
LVL 12

Accepted Solution

Housenet earned 900 total points
ID: 6151306
You can use any DNS server that supports the SRV record and also, hopefully, supports the dynamic update protocol.
-Active Directory works well with BIND 8.1.2, which supports the SRV record and the dynamic update protocol, and BIND 4.9.7, which supports the SRV records.
-The Solaris server is compatible, I imagine?

-I assume your Solaris server is for some internet DNS zones hosted by you?
-You'll want to create a new zone for the 2000 domain... say yourcompany.corp or office.domain.com or something that will not be exposed on the internet directly. Create an SRV record for the domain controller... server.yourcompany.corp....
-Install 2000; after it's set up as a workgroup server, run dcpromo & create a new tree in a new forest. Point to the Solaris server for DNS resolution with the created records. If the DNS server is compatible all should go smoothly & fairly automatically.
-DMZ issue... there are a few factors... like, for example, do you mean you have a hardware firewall with a DMZ port? If so, set up the security via the firewall.
-If you simply want to block ports & have the servers in a segregated subnet, you can use IP filtering to block ports & protocols from computers not in the same segment, or accessing the servers through a second NIC installed on the DC.
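The accepted answer relies on the BIND server carrying a zone for the Windows 2000 domain with SRV records for the domain controller. The following is an added example, not code from the thread or from either vendor: a small Python check that parses a constructed BIND-style zone fragment and verifies that the SRV records a Windows 2000 domain member looks up exist and point at a host that has an A record in the same zone. The zone name yourcompany.corp, the host name server, the 192.0.2.x addresses and the REQUIRED_SRV list are all constructed for the example; the list is a subset of what dcpromo registers when the zone allows dynamic update and is meant as an illustration, not an exhaustive requirement.

```python
"""Check a BIND zone fragment for the SRV records a Windows 2000 DC publishes.

Added example, not from the original thread. The zone yourcompany.corp with a
single DC named server is constructed; REQUIRED_SRV is an illustrative subset
of the records dcpromo registers via dynamic update.
"""

ZONE_ORIGIN = "yourcompany.corp."

# Constructed zone fragment, written the way BIND 8 would store it.
ZONE_TEXT = """
$ORIGIN yourcompany.corp.
@                        IN SOA  ns1.yourcompany.corp. hostmaster.yourcompany.corp. (
                             2001060301 3600 900 604800 86400 )
@                        IN NS   ns1.yourcompany.corp.
ns1                      IN A    192.0.2.53
server                   IN A    192.0.2.10
_ldap._tcp               IN SRV  0 100 389 server.yourcompany.corp.
_kerberos._tcp           IN SRV  0 100 88  server.yourcompany.corp.
_kerberos._udp           IN SRV  0 100 88  server.yourcompany.corp.
_kpasswd._tcp            IN SRV  0 100 464 server.yourcompany.corp.
_ldap._tcp.dc._msdcs     IN SRV  0 100 389 server.yourcompany.corp.
_ldap._tcp.pdc._msdcs    IN SRV  0 100 389 server.yourcompany.corp.
_gc._tcp                 IN SRV  0 100 3268 server.yourcompany.corp.
"""

# Relative owner names the DC locator queries; an assumed, minimal set.
REQUIRED_SRV = [
    "_ldap._tcp",
    "_kerberos._tcp",
    "_kerberos._udp",
    "_kpasswd._tcp",
    "_ldap._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
]


def _fqdn(name, origin):
    """Make an owner name fully qualified relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(zone_text):
    """Return (owner, type, rdata_tokens) for each record; handles $ORIGIN,
    omitted owners and parenthesised multi-line records such as the SOA."""
    origin, last_owner, records = ".", None, []
    pending, depth = None, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if depth == 0:                            # start of a new record
            if tokens[0] == "$ORIGIN":
                origin = tokens[1]
                continue
            owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
            last_owner = owner
            pending = (owner, [])
        for tok in tokens:                        # track ( ... ) continuation
            depth += tok.count("(") - tok.count(")")
            tok = tok.replace("(", "").replace(")", "")
            if tok:
                pending[1].append(tok)
        if depth == 0:
            owner, fields = pending
            while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
                fields.pop(0)                     # optional TTL and class
            records.append((owner, fields[0].upper(), fields[1:]))
            pending = None
    return records


def check_dc_srv_records(zone_text, origin=ZONE_ORIGIN, required=REQUIRED_SRV):
    """Return a list of problems; an empty list means the zone looks usable."""
    records = parse_zone(zone_text)
    a_hosts = {o.lower() for o, t, _ in records if t in ("A", "AAAA")}
    srv = {}
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            srv.setdefault(owner.lower(), []).append(rdata)
    problems = []
    for rel in required:
        owner = f"{rel}.{origin}".lower()
        if owner not in srv:
            problems.append(f"missing SRV record {owner}")
            continue
        for rdata in srv[owner]:
            if len(rdata) != 4 or not all(f.isdigit() for f in rdata[:3]):
                problems.append(f"malformed SRV rdata for {owner}: {' '.join(rdata)}")
                continue
            target = rdata[3].lower()
            if not target.endswith("."):
                target = f"{target}.{origin}".lower()
            if target not in a_hosts:
                problems.append(f"{owner} points at {target}, which has no A record in the zone")
    return problems


if __name__ == "__main__":
    issues = check_dc_srv_records(ZONE_TEXT)
    print("zone OK" if not issues else "\n".join(issues))
```

If the BIND zone is configured with `allow-update` for the domain controller's address, netlogon registers these records itself and the check is a way to confirm that the update actually landed; if dynamic update is not allowed, the records have to be entered by hand and the check catches the usual slips (a missing `_msdcs` entry or a target spelled differently from the host's A record).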
LVL 12

Expert Comment

ID: 6151310
-I should mention that installing DNS on the DC & forwarding requests to the Solaris server is a good option if it is not compatible. This would also simplify the installation process.

Author Comment

ID: 6154599
I am testing this proposed solution.  I was able to add the needed records to the DNS Server and NAT a real world Domain name to the windows 2000 web server.

I did go ahead and create a new tree in a new forest and I created a user login on the PDC with Administrator rights, added my database server to the Domain and logged in successfully to the domain from the database server.  

I do not have a hardware DMZ, so I will need some help from you in setting up IP filtering to block ports and protocols.  I *do* have two NICs in the DC, but I'm not sure how I can use them to create good security.

Thanks for your quick response! Compinfo.
LVL 12

Expert Comment

ID: 6154722
-Can you describe what exactly your interpretation of this "DMZ" is or will be... Here's an example...

-Say you have a LAN whose subnet is
-Say your 2000 LAN exists in

-You want to make sure that users in should not have access to anything but POP/SMTP & the SQL database..

-Set up the private NIC of the DC & the SQL servers as &
*Second NIC on the DC... (wired to the same hubs as the subnet..) In the TCP/IP properties of this NIC you click on the Advanced button & then the Options tab... TCP/IP filtering... Select "Enable TCP/IP filtering" & for TCP click on "Permit only"... Enter 25,53,110,1433.
-This would make your DC the router in a sense & not truly in a DMZ.. It would have an 'arm' in each zone..
-You could of course place both servers in the DMZ & get another server to act as the DMZ server. Or a 2-interface IP router.. I don't know the equipment you're working with here..
-Optionally with the 2 NICs you can configure a "simple routing scenario" with RRAS... There is some more flexibility with RRAS & protocol choices.. For this you'd have to start up RRAS & search for setup steps & help.. The RRAS help is extremely good.. Search for "simple routing scenario"..
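The comment above configures TCP/IP filtering on the LAN-facing NIC with TCP set to "Permit only" for 25, 53, 110 and 1433. As an added example (not code from the thread), the Python model below reproduces the shape of that dialog, three lists (TCP ports, UDP ports, IP protocols) each either "Permit All" or "Permit Only", as a stateless decision on packets arriving at one adapter, and then asks which of a constructed set of listening services the user LAN would still reach. The assumption being modelled is that the lists are independent, so a TCP-only permit list leaves the UDP list at its "Permit All" default; the service names and ports are constructed for the example. The `TIGHTENED_NIC` variant adds a UDP list restricted to DNS to show what closing that gap looks like.

```python
"""Model of the per-adapter TCP/IP filter described in the comment above.

Added example, not code from the thread. Windows 2000's TCP/IP Filtering
dialog keeps three lists (TCP ports, UDP ports, IP protocols), each set to
"Permit All" or "Permit Only"; this models them as independent, stateless
checks on packets arriving at one adapter. Services and ports are constructed.
"""
from typing import Iterable, List, Optional, Tuple

IP_PROTO_NUMBER = {"tcp": 6, "udp": 17, "icmp": 1}

Service = Tuple[str, str, int]  # (name, protocol, destination port)


class AdapterFilter:
    """One adapter's filter. None for a list means that list is "Permit All"."""

    def __init__(self, tcp_ports: Optional[Iterable[int]] = None,
                 udp_ports: Optional[Iterable[int]] = None,
                 ip_protocols: Optional[Iterable[int]] = None):
        self.tcp_ports = None if tcp_ports is None else frozenset(tcp_ports)
        self.udp_ports = None if udp_ports is None else frozenset(udp_ports)
        self.ip_protocols = None if ip_protocols is None else frozenset(ip_protocols)

    def allows(self, proto: str, dport: Optional[int] = None) -> bool:
        """Decide one inbound packet: protocol list first, then the port list
        that belongs to that protocol; a "Permit All" list always passes."""
        if self.ip_protocols is not None and IP_PROTO_NUMBER[proto] not in self.ip_protocols:
            return False
        if proto == "tcp" and self.tcp_ports is not None:
            return dport in self.tcp_ports
        if proto == "udp" and self.udp_ports is not None:
            return dport in self.udp_ports
        return True


# The comment's configuration: TCP "Permit Only" 25, 53, 110, 1433; other lists untouched.
LAN_FACING_NIC = AdapterFilter(tcp_ports={25, 53, 110, 1433})

# Same TCP list, plus UDP restricted to DNS so the UDP side is no longer wide open.
TIGHTENED_NIC = AdapterFilter(tcp_ports={25, 53, 110, 1433}, udp_ports={53})

# Constructed inventory of services a combined DC / mail / SQL host might listen on.
SERVICES: List[Service] = [
    ("SMTP", "tcp", 25),
    ("DNS", "tcp", 53),
    ("DNS", "udp", 53),
    ("POP3", "tcp", 110),
    ("SQL Server", "tcp", 1433),
    ("Kerberos", "tcp", 88),
    ("Kerberos", "udp", 88),
    ("RPC endpoint mapper", "tcp", 135),
    ("NetBIOS name service", "udp", 137),
    ("LDAP", "tcp", 389),
    ("SMB", "tcp", 445),
    ("Terminal Services", "tcp", 3389),
]


def reachable_services(filt: AdapterFilter, services: Iterable[Service]):
    """Split services into (allowed, blocked) for packets arriving on this adapter."""
    allowed, blocked = [], []
    for svc in services:
        _, proto, port = svc
        (allowed if filt.allows(proto, port) else blocked).append(svc)
    return allowed, blocked


if __name__ == "__main__":
    for label, filt in (("as described", LAN_FACING_NIC), ("with UDP list", TIGHTENED_NIC)):
        allowed, _ = reachable_services(filt, SERVICES)
        print(f"{label}: " + ", ".join(f"{n} {p}/{d}" for n, p, d in allowed))
```

Run as-is, the first line of output lists only the four intended TCP services but every UDP service in the inventory, which is the point of the exercise: a permit list on the TCP tab says nothing about UDP, so the UDP tab needs its own "Permit only" entry (53 here) before the LAN-facing arm is actually limited to mail, DNS and SQL.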

Author Comment

ID: 6154877
Basically, my scenario is this:

1 win2000 web server:
1 win2000 sql server:

The DMZ "server" is a Linux server (It used to be a Solaris server).  But also, we have a Nortel "Accelar" switch that allows certain IP's through (I'll have to get clarification from the Linux server administrators on this).  Anyway, I'm pretty much at the whim of the main DNS server (linux) and the administrators configuration.  All traffic comes through the Linux and Accelar side before anything touches the win2000 servers...

I hope this makes sense.  I'm learning, so thanks for patience here...
LVL 12

Expert Comment

ID: 6163556
-You know... Considering the fact that your scenario seems to have the Linux acting as the firewall & you have a switch (smart switch?), you probably should just use routing to get to the inside LAN from the 2000 & vice versa.. Then you can limit the TCP connections to ports with the simple filters I described... There obviously is no need to have the 2000 DC act as a firewall....
-I personally think nothing works as well or is more trustable than a real hardware firewall anyway.. Like a netscreen 5 etile would be perfect for this scenario..

Author Comment

ID: 6163756
The actual firewall is a bare Linux OS running iptables on a small server with virtually no other processes running.

Author Comment

ID: 6163769
Thanks again for your help and ideas.  Your answer gave me some key words to look for, and I believe I will be able to find the best solution soon.
