
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 438

Lab system oh boy! - NAT on a DC+DNS

I want to set up a lab system with 3 PCs. One will be a Windows 2003 DC with DNS running to serve clients in the domain. The other systems will use this DC for domain and internet. DNS will be set up to forward internet requests to the ISP's DNS.
The DC will connect to a DSL line with a public IP, but I have no router to work with here. I want to put 2 NICs in the DC, one public and one private, but I am confused about the gateways. Is this possible to do with one interface listening to client DNS requests and one connected to the public network?

Here's what I'm thinking:

Private NIC
GW ?

Public NIC

Open RAS wizard and configure the box as a router with NAT on the public NIC. Can this work?

Thanks in advance!
1 Solution
Yes, this is how I have my home system set up.

Two NICs, the first with a private IP of your choice. This NIC should have no default gateway set (your server is the default gateway), and its only DNS server entry should be itself (using the private address).

The other NIC (connected to your DSL line) would be set up with your public IP, default gateway as provided by your ISP, and DNS itself again (but using the public IP address in your example). It is your DNS server that should be set up to forward requests to your ISP's DNS server; this should not be set on your NICs. If you do set up your ISP's DNS servers on your NIC, Windows will try to query it for Active Directory information, and also try to update it with this information, which will be rejected by most ISPs and just wastes bandwidth (it can also create long delays when browsing resources on your local network).

After that, it is as you say: run the RRAS wizard and tell it which interface is which. It pretty much takes care of itself. It is worth enabling at least the basic firewall on the public interface too. Many people recommend getting an additional firewall, though in a test set-up it is probably not necessary. I stick with just the basic firewall for my set-up.
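The configuration the accepted answer describes, as an added example that is not part of the original thread: a cmd script for the Windows Server 2003 DC using netsh and dnscmd (dnscmd ships in the Windows Server 2003 Support Tools). The interface names "Private" and "Public", the 192.168.10.0/24 LAN, the 203.0.113.x public addresses and the two forwarder addresses are all placeholders; substitute the values your ISP gave you. It assumes the RRAS wizard has not been run yet. One deliberate tightening over the answer: the DNS server is told to listen only on the private address, so the DC is not an open recursive resolver on the DSL side, and the public NIC's DNS entry therefore points at the private address (still the server itself) instead of the public one.

```batch
@echo off
REM Added example (not from the original thread). Run in cmd on the 2003 DC.
REM Names and addresses below are placeholders: rename the NICs to "Private"
REM and "Public" in Network Connections first and substitute your own values.

REM --- Private (LAN) NIC: static address, NO default gateway, DNS = itself ---
netsh interface ip set address name="Private" source=static addr=192.168.10.1 mask=255.255.255.0 gateway=none
netsh interface ip set dns name="Private" source=static addr=192.168.10.1 register=primary

REM --- Public (DSL) NIC: ISP address and ISP gateway ---
REM DNS still points at this server (private address, see below). register=none
REM keeps the public address out of the AD zone. The ISP's resolvers are NOT
REM entered here; that is what the forwarders are for.
netsh interface ip set address name="Public" source=static addr=203.0.113.10 mask=255.255.255.248 gateway=203.0.113.9 gwmetric=1
netsh interface ip set dns name="Public" source=static addr=192.168.10.1 register=none

REM --- DNS server: answer only on the LAN side, forward the rest to the ISP ---
dnscmd . /ResetListenAddresses 192.168.10.1
dnscmd . /ResetForwarders 203.0.113.53 203.0.113.54

REM --- RRAS: start the service and enable NAT between the two interfaces ---
sc config RemoteAccess start= auto
net start RemoteAccess
netsh routing ip nat install
netsh routing ip nat add interface name="Private" mode=private
netsh routing ip nat add interface name="Public" mode=full

REM --- Checks: both NICs as intended, NAT bound to the right interfaces ---
ipconfig /all
netsh routing ip nat show interface
```

The basic firewall the answer recommends is the "Enable a basic firewall on this interface" option on the Public interface in the RRAS console (NAT/Basic Firewall); this script does not enable it, so set it there after the NAT is up. From a client, `nslookup www.example.com 192.168.10.1` should resolve through the forwarders, and `ipconfig /all` on the DC should show no gateway on Private and no ISP DNS server on either NIC.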
Sorry, but I always say firewalls are mandatory between public and private networks. Personal bias, but even in labs I would do it. You would essentially be turning that DC into a router, so you actually do have one to work with now...
I'm with you, rburns50.
There is NO substitute for a hardware firewall.
Why give your domain controller even more overhead by making it impersonate a router as well?
The way I look at it is this: if I want to stop intruders getting into my network, I want more than one hardware device doing it, and why let them get all the way to a server before trying to stop them?
I went to a seminar a few years ago and it has stuck with me: even way back in medieval times, did they only have one line of defense? Of course not. They had a moat, then high walled castles, then archers, and if you got past that there were several decoys inside to mislead a potential thief or invader.
zenportafino (Author) commented:
Thanks a bunch, purple. We're in a pinch, so making the box a router as well is going to have to do. I know for some this is a rotten thing to do, but it will serve its purpose and will be down by next week.

Also, for excitement, we're not going to rename the administrator account either!
>>I stick with just the basic firewall for my set-up.

I knew that would get a comment or two...  Still, in my view what I do on my network is entirely up to me.  For other people's networks I always recommend and install a hardware firewall/router... but on my network, I'll do things my way...  A basic firewall is still a firewall, and I'm still waiting for those millions of hackers to break into my system...
