emumaster

asked on

Server 2003 Domain Controller two nics setup

this is a new setup and I have some questions.
I have two server 2003 computers.
One is a domain controller with active directory.
Second is just a 2003 member server, but it will have Exchange 2007 after these questions are answered.

Domain server has an external NIC getting an IP (DHCP 192.168.1.8) from the Verizon modem (it has a static IP address).
Domain server internal NIC was given an IP of 192.168.16.2 and is hooked to a switch.

Second 2003 server is hooked to the switch.

Questions:
#1 How do I set up the IP info for the second server, remembering it will be the Exchange server? DHCP, or put in an IP like 192.168.16.x with gateway and DNS pointing to the first server's IP?

#2 Will I need to give workstations attached to the switch IPs like 192.168.16.x with gateway and DNS pointing to the domain controller?

I have been using :
http://www.smallbizserver.net/Default.aspx?tabid=266&articleType=ArticleView&articleId=77
as my guide, but haven't done the additional setup part yet.
flyingsky

Question #1
Yes. You'd better give your Exchange server a static IP address, 192.168.16.x, and configure the DNS and default gateway pointing to the first server.
Q #2.
Most often your workstations should be configured to use DHCP, which means you need to have a DHCP server on the network. You can use your first server to serve as a DHCP server.
Exchange server should always have a static IP address. Never use DHCP for an Exchange server. If the internal DNS uses external DNS (provided by your ISP) in the forwarders list, then that will do. Workstations would be a part of your internal domain so should have internal IP addresses.
emumaster (ASKER)

Will I have an issue with the domain controller having an IP address of 192.168.1.8 on the external NIC and its internal having an IP of 192.168.16.x when it comes to giving the Exchange server a static IP? Especially putting in the gateway address of 192.168.1.2?
Exchange really does not like being dual homed. It causes no end of problems. Is there any reason why you cannot flatten the network and have a single NIC and gateway?
Domain controllers also will have problems with it.

Simon.
OriNetworks
In order for everything to communicate properly, it sounds like you will need to install RRAS on the domain controller so everything on the 192.168.16.x network can communicate with the internet.

Here is the configuration it sounds like you will need some of which you already completed.

Domain Controller
-DNS and setup forwarders to list external DNS servers
-RRAS to forward traffic between internal 192.168.16.x network and the internet
-DHCP Server service on the internal NIC and connect this NIC to internal switch. Setup DHCP service to only listen on the internal NIC.
-Configure DHCP scope for 192.168.16.x addresses and use this domain controller's IP address as the gateway and DNS server for the scope.
-External NIC will get DHCP lease from modem

Exchange Server
-Set static IP address from the 192.168.16.x network with the domain controller's IP address as the gateway and DNS server
-Exchange Server

Workstations connected to the switch
-Get DHCP ip addresses from domain controllers DHCP service.

Can I ask why you have the domain controller between the modem and the switch? Why not just connect the switch directly to the modem and turn off the modem's DHCP service? That way the domain controller will control all IP addresses leased and you don't have to install RRAS on the domain controller.
In short,

#1 correct!
#2 correct!
ok.. Let's try it this way
Tell me (detailed) what the ideal way is to set everything up considering the two servers that I detailed.
I believe I have explained details in my previous post.
Those details were for RRAS.
What about without RRAS and no dhcp from modem.
Can you give me detailed setup for the two servers without using RRAS?
Sorry but I'm getting confused...
I would listen to Mestha/Simon on Exchange related questions. For forty dollars, you could get yourself a simple DSL router and avoid routing over the server, and multihoming the server.

Domain services and Exchange do NOT like multihomed servers.

I have helped folks with setting up the communications to a multihomed server and I have also seen a LOT of errors as a result of multihoming a server.

Here is one that explains how to get your communications right, without the explanation of how to set up RRAS connection to route over the server.

These are just some of the issues you will see with a multihomed server:
https://www.experts-exchange.com/questions/23806816/How-do-I-enable-DHCP-on-only-one-network-interface.html

It really is best to use a router to route with and forgo the issues with multihoming an exchange and/or domain server.
ChiefIT,

So are you saying to just use the router and let it give all the computers and both servers their IP addresses?? Doesn't the member Exchange server or the domain controller need a static IP??
That's not quite what I had in mind to help you out.

Some servers come from the manufacturer with two NICs, like the Dell PowerEdge servers. This has led many astray from the configuration of the server that most administrators use. The best way to configure any LAN is to use one NIC for the server UNLESS in one of three predicaments. Dual NICs on servers are detrimental to communicating with them.

The second NIC should only be used in one of three scenarios:
1) network load balancing (this option is used for a domain with, let's say, 250 nodes or more with few servers on the domain)
2) a VPN connection to an outside source (this option can usually be created with a router), so a VPN connection (hence a multiple NIC) may not be needed to the server or resources.
3) for a specific connection to a sub-LAN that you don't want others to see. Even then, resources can be blocked using permission levels.

If you read the follow-up notes on the article I provided, it explains that dual NICs interfere with communicating to the server. It confuses the server as to which NIC is supplying NETBIOS translation, DNS, DHCP, Email, and can also confuse the clients as to what gateway to use to the outside world. That was the intent of my point.

As Mestha/SAMBEE/Simon was pointing out, Exchange doesn't like dual NICs. So expect consequences with them on your domain and email services.

The best way to forgo any confusion on the servers is to allow the router to route for you. (NO RRAS {that stands for Routing and Remote Access Service}, and no dual NICs). Let your DC provide DNS and DHCP, then configure your mail server without dual NICs if it is a separate server. Give all your servers fixed IPs, and use DHCP services on your DC to provide your clients with IP addresses. If you need outside access, your router probably has the ability to grant a VPN connection to your server.

So, instead of this:
WWW>>outside nic of the server>>inside nic of the server>>clients and other nodes

think about this:
WWW>>outside nic of the router>>inside nic of the router>>domain controller, mail server, clients and other nodes.

The router option will prevent a lot of problems with communications, give you a NAT firewall to the outside, give you a gateway to the outside world, and prevent you from taking up domain controller resources to route over the DC.
Thanks for clarifying that for him ChiefIT. I was simply suggesting RRAS as the workaround for the topology he was trying to use. But I definitely agree with all of the above in not dual homing any of those servers and letting the router do the routing as I suggested in the bottom of my first post.
Final question on this.

My DSL is via a Westell 6100 which is a "single line out" - DSL Modem/Router. The address that comes to the modem is a static ip line. The Modem/Router is currently providing DHCP.

I assume I need to change it to NOT provide DHCP and then run that single cable out to where?
A multiport switch that feeds everything?

How do I set up the single NIC on the DC considering the static IP and DNS info in the modem?
Keep it simple.
Just plug the modem's internal network side in to a switch. Then set the devices' (server, workstations etc.) default gateway as the router's internal IP address. DHCP can be done by a domain controller, giving out the DC only as DNS.

Simon.
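The single-NIC layout Simon describes above, combined with the DC role list OriNetworks gave earlier (DNS with forwarders, DHCP scope handing out the gateway and DNS), as an added example that is not from any poster in this thread. It assumes the router's internal address is 192.168.16.1, the adapter is named "Local Area Connection", the AD domain is example.local, and the DNS and DHCP roles are already installed; ISP_DNS_IP is a placeholder.

```batch
@echo off
rem Added example, not from the thread. Assumed: modem/router LAN side -> switch,
rem router internal IP 192.168.16.1, adapter name "Local Area Connection",
rem AD domain example.local. Run in an elevated cmd prompt on the Server 2003 DC.

rem --- On the domain controller (its only NIC) ---

rem 1. Static address; the gateway is the router, never the DC itself.
netsh interface ip set address "Local Area Connection" static 192.168.16.2 255.255.255.0 192.168.16.1 1

rem 2. The DC must resolve against its own DNS service so AD records are found.
netsh interface ip set dns "Local Area Connection" static 192.168.16.2

rem 3. Names outside the AD zones go to the ISP resolver via forwarders.
rem    ISP_DNS_IP is a placeholder; dnscmd ships in the 2003 Support Tools.
dnscmd 127.0.0.1 /ResetForwarders ISP_DNS_IP

rem 4. DHCP scope for the switch: router as gateway (option 003),
rem    the DC as the only DNS server (option 006), domain suffix (option 015).
rem    Servers sit below .100 with fixed addresses, so the pool starts at .100.
netsh dhcp server add scope 192.168.16.0 255.255.255.0 "Internal LAN"
netsh dhcp server scope 192.168.16.0 add iprange 192.168.16.100 192.168.16.200
netsh dhcp server scope 192.168.16.0 set optionvalue 003 IPADDRESS 192.168.16.1
netsh dhcp server scope 192.168.16.0 set optionvalue 006 IPADDRESS 192.168.16.2
netsh dhcp server scope 192.168.16.0 set optionvalue 015 STRING example.local
netsh dhcp server scope 192.168.16.0 set state 1

rem 5. Check: one adapter, one default gateway, DNS = the DC's own address.
ipconfig /all

rem --- On the member (Exchange) server: fixed IP, router gateway, DC as DNS ---
rem netsh interface ip set address "Local Area Connection" static 192.168.16.3 255.255.255.0 192.168.16.1 1
rem netsh interface ip set dns "Local Area Connection" static 192.168.16.2
```

After the scope is active, disable DHCP on the Westell so that only the DC answers leases; a client running `ipconfig /all` should then show 192.168.16.1 as gateway and 192.168.16.2 as its sole DNS server.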
@Simon:

Disabling the second NIC will probably temporarily knock out outside contact with Exchange and other domain services\shares, until it's configured to go through the router. Do you have recommendations? I know you are the BEST at Exchange for securing connections I have ever seen.

emumaster:
What do you want access to from outside your LAN for your clients? Please provide that to Simon. He has shown the best way to secure exchange.

Also, since I have been more of a mediator than the fixer of these, I don't wish for credit for this question.


ASKER CERTIFIED SOLUTION
OriNetworks
Oh, and by the way, for the internal network my example gives 192.168.0.x, but you can change those IP addresses to use your existing 192.168.16.x so you can try to prevent completely wiping out your current configuration.
OriNetworks.

Thank you VERY much!!!!!!
That was EXACTLY what I needed!!!!!!

Honestly, that detailed explanation really helps.

No wonder you're ranked as MASTER.
The only thing I would say is to avoid 192.168.0.x and 192.168.1.x. I just find that causes problems with remote access. Every other router is using one of those two subnets and it is far easier if you are going to re-ip a network to use something else. 16.x is common, I also frequently use 11.x, 22.x etc.

Simon.