Solved

Server 2003 Domain Controller two nics setup

Posted on 2009-05-05
Last Modified: 2012-05-06
This is a new setup and I have some questions.
I have two Server 2003 computers.
One is a domain controller with Active Directory.
The second is just a 2003 member server, but it will have Exchange 2007 after these questions are answered.

The domain server has an external NIC getting an IP (DHCP, 192.168.1.8) from the Verizon modem (which has a static IP address).
The domain server's internal NIC was given an IP of 192.168.16.2 and is hooked to a switch.

The second 2003 server is hooked to the switch.

Questions:
#1 How do I set up the IP info for the second server, remembering it will be the Exchange server? DHCP, or put in an IP like 192.168.16.x with gateway and DNS pointing to the first server's IP?

#2 Will I need to give workstations attached to the switch IPs like 192.168.16.x with gateway and DNS pointing to the domain controller?

I have been using:
http://www.smallbizserver.net/Default.aspx?tabid=266&articleType=ArticleView&articleId=77
as my guide, but haven't done the additional setup part yet.
Question by:emumaster
 
LVL 18

Expert Comment

by:flyingsky
ID: 24308610
Question #1
Yes. You'd better give your Exchange server a static IP address, 192.168.16.x, and configure the DNS and default gateway pointing to the first server.
Q #2.
Most often your workstations should be configured to use DHCP, which means you need to have a DHCP server on the network. You can use your first server to serve as a DHCP server.
0
 
LVL 6

Expert Comment

by:shahsejal
ID: 24308746
Exchange server should always have a static IP address. Never use DHCP for an Exchange server. If the internal DNS uses external DNS (provided by your ISP) in the forwarders list, then that will do. Workstations would be a part of your internal domain, so they should have internal IP addresses.
0
 

Author Comment

by:emumaster
ID: 24309224
Will I have an issue with the domain controller having an IP address of 192.168.1.8 on the external NIC and its internal NIC having an IP of 192.168.16.x when it comes to giving the Exchange server a static IP? Especially putting in the gateway address of 192.168.1.2?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24309673
Exchange really does not like being dual homed. It causes no end of problems. Is there any reason why you cannot flatten the network and have a single NIC and gateway?
Domain controllers also will have problems with it.

Simon.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24310621
In order for everything to communicate properly, it sounds like you will need to install RRAS on the domain controller so everything on the 192.168.16.x network can communicate with the internet.

Here is the configuration it sounds like you will need, some of which you have already completed.

Domain Controller
-DNS, with forwarders set up to list the external DNS servers
-RRAS to forward traffic between the internal 192.168.16.x network and the internet
-DHCP Server service on the internal NIC, with this NIC connected to the internal switch. Set up the DHCP service to only listen on the internal NIC.
-Configure a DHCP scope for 192.168.16.x addresses and use this domain controller's IP address as the gateway and DNS server for the scope.
-External NIC will get a DHCP lease from the modem

Exchange Server
-Set a static IP address from the 192.168.16.x network with the domain controller's IP address as the gateway and DNS server
-Exchange Server

Workstations connected to the switch
-Get DHCP IP addresses from the domain controller's DHCP service.

Can I ask why you have the domain controller between the modem and the switch? Why not just connect the switch directly to the modem and turn off the modem's DHCP service? That way the domain controller will control all IP addresses leased and you don't have to install RRAS on the domain controller.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24310629
In short,

#1 correct!
#2 correct!
0
 

Author Comment

by:emumaster
ID: 24310779
OK, let's try it this way.
Tell me (in detail) what the ideal way is to set everything up, considering the two servers that I described.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24310951
I believe I have explained the details in my previous post.
0
 

Author Comment

by:emumaster
ID: 24311012
Those details were for RRAS.
What about without RRAS and no DHCP from the modem?
Can you give me a detailed setup for the two servers without using RRAS?
Sorry, but I'm getting confused...

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24314416
I would listen to Mestha/Simon on Exchange-related questions. For forty dollars, you could get yourself a simple DSL router and avoid routing over the server and multihoming the server.

Domain services and Exchange do NOT like multihomed servers.

I have helped folks with setting up the communications to a multihomed server, and I have also seen a LOT of errors as a result of multihoming a server.

Here is one that explains how to get your communications right, without the explanation of how to set up an RRAS connection to route over the server.

These are just some of the issues you will see with a multihomed server:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23806816.html

It really is best to use a router to route with and forgo the issues with multihoming an Exchange and/or domain server.

0

Author Comment

by:emumaster
ID: 24314602
ChiefIT,

So are you saying to just use the router and let it give all the computers and both servers their IP addresses?? Doesn't the member Exchange server or the domain controller need a static IP??
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24316637
That's not quite what I had in mind to help you out.

Some servers come from the manufacturer with two NICs, like the Dell PowerEdge servers. This has led many astray from the configuration of the server that most administrators use. The best way to configure any LAN is to use one NIC for the server UNLESS you are in one of three predicaments. Dual NICs on servers are detrimental to communicating with them.

The second NIC should only be used in one of three scenarios:
1) network load balancing (this option is used for a domain with, let's say, 250 nodes or more with few servers on the domain)
2) a VPN connection to an outside source (this option can usually be created with a router), so a VPN connection (hence a second NIC) may not be needed on the server or resources.
3) a specific connection to a sub-LAN that you don't want others to see. Even then, resources can be blocked using permission levels.

If you read the follow-up notes on the article I provided, it explains that dual NICs interfere with communicating to the server. It confuses the server as to which NIC is supplying NetBIOS translation, DNS, DHCP, and email, and can also confuse the clients as to what gateway to use to the outside world. That was the intent of my point.

As Mestha/SAMBEE/Simon was pointing out, Exchange doesn't like dual NICs. So expect consequences with them on your domain and email services.

The best way to forgo any confusion on the servers is to allow the router to route for you (NO RRAS {that stands for Routing and Remote Access Service}, and no dual NICs). Let your DC provide DNS and DHCP, then configure your mail server without dual NICs if it is a separate server. Give all your servers fixed IPs, and use DHCP services on your DC to provide your clients with IP addresses. If you need outside access, your router probably has the ability to grant a VPN connection to your server.

So, instead of this:
WWW >> outside NIC of the server >> inside NIC of the server >> clients and other nodes

think about this:
WWW >> outside NIC of the router >> inside NIC of the router >> domain controller, mail server, clients and other nodes.

The router option will prevent a lot of problems with communications, give you a NAT firewall to the outside, give you a gateway to the outside world, and prevent you from taking up domain controller resources to route over the DC.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24317524
Thanks for clarifying that for him, ChiefIT. I was simply suggesting RRAS as the workaround for the topology he was trying to use. But I definitely agree with all of the above in not dual-homing any of those servers and letting the router do the routing, as I suggested at the bottom of my first post.
0
 

Author Comment

by:emumaster
ID: 24318102
Final question on this.

My DSL is via a Westell 6100, which is a "single line out" DSL modem/router. The address that comes to the modem is a static IP line. The modem/router is currently providing DHCP.

I assume I need to change it to NOT provide DHCP, and then run that single cable out to where?
A multiport switch that feeds everything?

How do I set up the single NIC on the DC considering the static IP and DNS info in the modem?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24319248
Keep it simple.
Just plug the modem's internal network side into a switch. Then set the devices' (server, workstations, etc.) default gateway as the router's internal IP address. DHCP can be done by a domain controller, giving out the DC only as DNS.

Simon.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24321482
@Simon:

Disabling the second NIC will probably temporarily knock out outside contact with Exchange and other domain services\shares, until it's configured to go through the router. Do you have recommendations? I know you are the BEST at securing Exchange connections I have ever seen.

emumaster:
What do you want access to from outside your LAN for your clients? Please provide that to Simon. He has shown the best way to secure exchange.

Also, since I have been more of a mediator than the fixer of these, I don't wish for credit for this question.

0
 
LVL 17

Accepted Solution

by:
OriNetworks earned 500 total points
ID: 24321714
emumaster:
I'm not sure if this modem from Verizon has any firewall features, so I'm going to suggest you purchase a common router from Linksys, Netgear, DLink, etc. If you choose not to, you can simply remove the router from the recommended config below. Basically we are saying for the modem to just forward traffic to a router's WAN port so we have better control over port forwarding, firewall settings, etc. The other ports on the router can connect to servers or a regular switch to expand to more clients.


                    Modem(Leave DHCP On to give IP to WAN port of router.)
                        ||
                   Router (192.168.0.1)(Linksys, Netgear, DLink, etc.) (Modem Connects to this WAN Port)
                        ||
       ______Switch______
      /                  |                 \
ExchSvr       DC(DHCP)      Client1

DC
-Static IP: 192.168.0.2
-Mask: 255.255.255.0
-Gateway: 192.168.0.1
-DNS Server: 127.0.0.1
DHCP SCOPE CONFIG:
     192.168.0.0/24 excluding 192.168.0.1-10 (assuming you will use 1-10 for servers/static IPs)
     Gateway: 192.168.0.1
     DNS: 192.168.0.2

ExchSvr
-Static IP: 192.168.0.3
-Mask: 255.255.255.0
-Gateway: 192.168.0.1
-DNS Server: 192.168.0.2

Client1 (DHCP)
-DHCP IP From DC: 192.168.0.51
-Mask: 255.255.255.0
-Gateway: 192.168.0.1
-DNS Server: 192.168.0.2

Anyone who disagrees, feel free to offer other suggestions, but this is a general layout; IP addresses can be changed, of course.
0
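The layout in this answer, typed out as the Windows Server 2003 netsh commands an administrator would run. This is an added example, not part of the answer or of any Microsoft documentation; it uses the addresses above, assumes each server has a single adapter named "Local Area Connection" (check with `netsh interface ip show config`), and uses placeholder names (dc01, corp.example.local) for the DC host and AD domain, which the thread never gives. The first half runs on the DC, the second on the Exchange member server.

```batch
@echo off
REM ==== Domain controller: one NIC, router as gateway, DNS pointing at itself ====
REM Adapter name is an assumption; the trailing 1 is the gateway metric.
netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 1
netsh interface ip set dns name="Local Area Connection" static 127.0.0.1

REM Authorize this DHCP server in Active Directory (placeholder FQDN for the DC).
netsh dhcp add server dc01.corp.example.local 192.168.0.2

REM One scope for the whole /24; .1-.10 is excluded so the router (.1), DC (.2)
REM and Exchange (.3) keep their static addresses out of the lease pool.
netsh dhcp server add scope 192.168.0.0 255.255.255.0 "LAN" "Internal clients"
netsh dhcp server scope 192.168.0.0 add iprange 192.168.0.1 192.168.0.254
netsh dhcp server scope 192.168.0.0 add excluderange 192.168.0.1 192.168.0.10

REM Scope options: 003 = default gateway (the router), 006 = DNS server (the DC only,
REM never the ISP resolvers; the DC forwards), 015 = DNS domain name (placeholder).
netsh dhcp server scope 192.168.0.0 set optionvalue 003 IPADDRESS 192.168.0.1
netsh dhcp server scope 192.168.0.0 set optionvalue 006 IPADDRESS 192.168.0.2
netsh dhcp server scope 192.168.0.0 set optionvalue 015 STRING corp.example.local
netsh dhcp server scope 192.168.0.0 set state 1

REM Verify: exactly one adapter, one default gateway, and the scope is active.
ipconfig /all
netsh dhcp server show scope

REM ==== Exchange member server (run on that machine, not on the DC) ====
REM Same subnet, router as gateway, DNS is the DC so AD lookups resolve internally.
netsh interface ip set address name="Local Area Connection" static 192.168.0.3 255.255.255.0 192.168.0.1 1
netsh interface ip set dns name="Local Area Connection" static 192.168.0.2
ipconfig /all
```

If you follow the later suggestion to keep the existing 192.168.16.x range, substitute 192.168.16.0 for the scope and the matching .1/.2/.3 hosts throughout.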
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24321726
Oh, and by the way, for the internal network my example gives 192.168.0.x, but you can change those IP addresses to use your existing 192.168.16.x so you can avoid completely wiping out your current configuration.
0
 

Author Comment

by:emumaster
ID: 24324600
OriNetworks.

Thank you VERY much!!!!!!
That was EXACTLY what I needed!!!!!!

Honestly, that detailed explanation really helps.

No wonder you're ranked as MASTER.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24327514
The only thing I would say is to avoid 192.168.0.x and 192.168.1.x. I just find that causes problems with remote access. Every other router is using one of those two subnets, and if you are going to re-IP a network it is far easier to use something else. 16.x is common; I also frequently use 11.x, 22.x, etc.

Simon.
0