Solved

Does a Windows SBS 2008 server need to be on a private IP range?

Posted on 2010-08-19
16
624 Views
Last Modified: 2012-05-10
Does a Windows SBS 2008 server need to be installed on a private IP range? If not, why do people (Train Signal, books and other training material) suggest it shouldn't be?
0
Question by:resolver1
16 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 33477275
All servers should have static IP addresses. This is because the servers need to be accessed on the network.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33477338
Yes, all of your servers should be on a private network scheme unless they are in a DMZ-type environment, which would be your web or email systems, which isn't used much.

External IPs are only for use on the internet.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 33477339
So yes, the best practice is to install servers on a private IP address range. The network interface card has to use a private IP address, otherwise it will communicate on the network.

Check out this link:
http://technet.microsoft.com/en-us/library/cc527495(WS.10).aspx
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33477492
You can use whatever IP range you want on your private network. No one will ever "forbid" you to use public addresses. But if you decide to use 8.8.8.0/24 you must prepare yourself for having difficulties communicating with Google's DNS, which uses the IP 8.8.8.8. But no one else cares.

You say that "people" recommend NOT to use private IPs on Windows servers. Can you point to a reference source for this?

/Kvistofta
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33477834
kvistofta: Not quite accurate.
MS actually does forbid the wizards that one usually uses on SBS 2008 from accepting non-private IP ranges.
So to the original question. Yes, to use SBS as intended, it *must* be installed to use one of the pre-defined non-routable IP ranges. This is best practice for all the reasons others have already outlined, and since MS targets the small business that may not have a dedicated IP person to otherwise lock down security, they've made it pretty much mandatory for their wizards.
Now, as far as the second part of your question, I haven't seen legitimate training for SBS 2008 (2003 was a different beast, so don't think the training materials overlap) that suggests it not be on a private IP. In fact, since SBS pretty much requires this now, I'd be suspicious of training or books that advocate otherwise.
-Cliff
 
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33478016
I didn't know about that silly limitation of SBS. Another reason not to touch SBS thingies. ;)
0
 
LVL 2

Expert Comment

by:sbs-mix
ID: 33483076
OK, from my own experience with SBS 2008, my advice is REALLY stick to the topology recommended by Microsoft, because this product is really powerful but also VERY delicate to handle. You have no idea how integrated all these wizards are, and going the old "manual" way in configuring an SBS server is probably the worst idea someone will ever have. Just stick to the wizards, unless you're really a guru at configuring domains, Exchange, DNS, IIS, and perhaps every product/technology invented by Microzerosoft.
No public IP for SBS 2008. No dual network supported in any configuration: that's no teaming, no NATting, no routing, nothing whatsoever.
Private IP address range, FIXED IP address on the SBS machine, a firewall to protect your network from outside attacks. PERIOD.
Putting a DC (SBS, remember) in a DMZ doesn't look very attractive to me, and security experts will advise against doing so, I am pretty sure about that.
You just need to forward ports 987 and 443 for OWA and remote access on your firewall to your private server IP and that's it. Any other variation is going to be a big headache. Don't try bridging, pushing an external IP to your LAN card or some other thing where you think it "might/should" work. "Might" works on standard configs, not SBS.
0
 

Author Comment

by:resolver1
ID: 33491127
Just to give you a bit more information into my issues:

I'm in the process of planning an SBS 2008 server for what is currently a Windows NT 4 domain (old, I know). All the devices are running static public IPs, including printers, servers and desktops (apart from laptops). I know this is not good practice and I am trying to change the company's network to use DHCP and a private IP range.

If I were to install the new SBS 2008 on a private IP and start to add client PCs department by department with this new private IP scheme, the problem is that the PCs added to the new domain won't be able to talk to the printers and our default gateway (i.e. the internet). If I change the IPs of the default gateway and the printers to the new private IP scheme, then the client PCs of the departments I have not changed yet (and therefore not added to the new 2008 domain and not moved to the private IP scheme) will not be able to access the printers and default gateway.

My original plan was to use the current IP scheme (the public one) for the 2008 server and then set the DHCP server to distribute the IPs of the public IP scheme currently in use. Then add department by department and set each client to get its IP from DHCP. That way everyone would be able to talk to the default gateway, printers etc. Once all the clients are added and set to receive IPs from the DHCP server, I would change the server's IP to a private address and then have DHCP give out the private scheme. Can anyone see any problem with this scenario? Or offer me suggestions? Any advice welcome!

My goal is to achieve as little disruption to my clients as possible. Just like me, they have to continue to work.
0
 
LVL 2

Expert Comment

by:sbs-mix
ID: 33491422
Well, you are going to have to disrupt your service at some point or another; there's no way to circumvent that.
Now, as I said earlier, a public IP address on an SBS machine is not a good idea.
With regards to your printers and other equipment, you should make reservations for these in the DHCP server tables so they always keep the same IP address even if assigned by DHCP.
With regards to your old system, you can have the DHCP server provide IPs while maintaining the old domain. The trick is that your new domain should NOT use the same name as the old one, otherwise you're looking for trouble.

So in summary:
1. There's no way you can make this transition without any disruption at all. You're going to have to accept the fact that you're going to lose network connectivity for a bunch of minutes at least: the time it's going to take to select the "assign by DHCP" option in network connections.
2. The method I'm offering here will just let you maintain IP connectivity. You still have to disjoin/join each computer independently, reconfigure accounts, etc. What we're doing here is just keeping network connections up so you don't get yelled at because some manager can't print his super important paper, or browse his Facebook/Twitter account.
3. Once you disjoin/join a PC to the new domain, keep in mind that any network share between a PC belonging to the old domain and the new domain will cause authentication issues (a popup requesting a username/password when the user tries to access it), etc. To avoid this, you will first have to create your users on the new domain; this will allow you to use their new credentials to access the new domain shares, on a temporary basis. Once all your PCs are transferred, you just take out your NT domain controller and turn it into an aquarium or something.

So again:
1. Configure Active Directory on the new domain controller.
2. Configure the DHCP server.
3. Have the old-domain PCs set to get their IP address assigned by DHCP.
4. Start disjoining/joining every PC, one after another.

Sorry for the long posts, but I'm new around here, and pretty excited about giving back to this community since it's helped me so many times.
0
 
LVL 56

Accepted Solution

by:Cliff Galiher (earned 250 total points)
ID: 33493022
This actually seems fairly trivial.
Every network should have a business edge firewall. Period. Most of your business-class firewall devices also do routing. So, depending on whether you have one or not, you have two options:
Option #1:
 If you do not have a business-class firewall, purchase one. Set it up with the public IP you planned on giving to SBS 2008, and put 2008 on a private IP behind it. Make it the gateway on the new 2008 network. Now machines have a default gateway (the firewall) and will be able to access the internet *and* print to the old printers, as that traffic can be routed as well. Problem solved.
Option #2:
 If you already have an existing business-class firewall in place somewhere else, then you can go purchase a ridiculously cheap consumer "router" (the kind most cable subscribers would use, like a Linksys or Netgear) from Best Buy. Since it doesn't need to be wireless and doesn't need to do security (you have your firewall already in place somewhere else for that) it can be the $20 variety.
Now you can configure that cheap router exactly as I outlined above. Give its WAN port the public IP, give its LAN port a private IP, and poof, you have a gateway and a way to route NAT traffic to your printers outside the private network.
Once the migration is complete, you reconfigure your business-class firewall to handle the NAT job instead of the cheap router, make a switch over (2 minutes downtime max) and remove the cheap router from the equation.
The end result will be the same topology. Just getting there is slightly different.
Hope that helps,
-Cliff
 
0
 
LVL 2

Assisted Solution

by:sbs-mix (earned 250 total points)
ID: 33494548
From what you say, it seems like you already have a business-class firewall.
In case you don't have a business-class firewall, the first thing I would do is go BUY one! This is EXTREMELY important because this is your first line of defense (and in quite a few cases your last) against internet intrusions in an SBS08 topology.

You then configure the gateway IP in the DHCP server, along with the scope and DNS servers. Note that they should all belong to the same address range, otherwise Windows will give you an error message.

So, if we summarize (I love doing that, makes things very clear):
1. Configure Active Directory/users on the new domain controller.
2. Configure the DHCP server by specifying a new IP address for your existing firewall/gateway (in the DHCP server, not yet on the gateway). Also do the same for the printers; don't forget to make reservations for those IPs so they keep the same IP even if assigned by DHCP. All IPs should be in the private range.
3. Change the old gateway/firewall IP address to the private IP address you have specified in the DHCP server.
4. Have the old-domain PCs set to get their IP address assigned by DHCP.
5. Start disjoining/joining every PC, one after another.

Cliff, why do you go for a consumer router and then reconfigure your server? Seems to me there's an extra step you're making. In this case, you do not need to buy a consumer router since SBS already provides the DHCP and DNS functions you need. Note that these are roles you should add, but it's Microsoft's recommended topology to have them on the SBS box. (If you don't have many computers, though, I'd advise keeping fixed private IPs; it will allow you to maintain network connectivity between PCs if the server goes off.)
0
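The constraints the DHCP plan above rests on (scope, gateway and DNS in one private range, reservations for the printers), together with the RFC 1918 requirement of the SBS wizards and Kvistofta's 8.8.8.0/24 collision example from earlier in the thread, can be checked before anything is touched on the gateway. The following Python script is an added example, not code from the thread, from Microsoft or from the SBS wizards; it uses only the standard library, and every subnet, gateway, printer and MAC address in it is a constructed sample value.

```python
"""Sanity-check a DHCP plan for the kind of SBS 2008 cut-over discussed here.

Added example (not code from the thread, from Microsoft or from the SBS
wizards).  It checks what the posts above rely on: the new range must be
RFC 1918, the gateway/DNS/printer reservations must sit inside it, reservations
must not collide, and the range must not swallow public hosts the LAN still
has to reach.  Every address below is a constructed sample value.
"""
import ipaddress
import re

RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def is_rfc1918(scope):
    """True if the whole scope lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(scope, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def normalize_mac(mac):
    """'00-11-22-33-44-55' or '00:11:22:33:44:55' -> '001122334455'; None if malformed."""
    digits = mac.replace("-", "").replace(":", "").upper()
    return digits if MAC_RE.match(digits) else None


def check_plan(scope, gateway, dns_servers, reservations, must_reach=()):
    """Return a list of problem strings; an empty list means the plan is consistent.

    scope         CIDR of the new private range, e.g. "192.168.16.0/24"
    gateway       router option DHCP will hand out (the firewall's new LAN address)
    dns_servers   DNS option; in the SBS topology this is the SBS box itself
    reservations  {name: (ip, mac)} for printers and other fixed devices
    must_reach    addresses outside the LAN that clients still need (e.g. 8.8.8.8)
    """
    problems = []
    net = ipaddress.ip_network(scope, strict=False)
    if not is_rfc1918(scope):
        problems.append(f"{net} is not an RFC 1918 range; the SBS wizards will not accept it")

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside scope {net}")
    for dns in map(ipaddress.ip_address, dns_servers):
        if dns not in net:
            problems.append(f"DNS server {dns} is outside scope {net}")

    seen = {}  # reserved address -> reservation name, to catch duplicates
    for name, (ip, mac) in reservations.items():
        ip = ipaddress.ip_address(ip)
        if normalize_mac(mac) is None:
            problems.append(f"reservation {name}: malformed MAC {mac!r}")
        if ip not in net:
            problems.append(f"reservation {name}: {ip} is outside scope {net}")
        elif ip == gw:
            problems.append(f"reservation {name}: {ip} collides with the gateway")
        elif ip in seen:
            problems.append(f"reservation {name}: {ip} already reserved for {seen[ip]}")
        seen.setdefault(ip, name)

    # A range that contains a public host you depend on makes that host unreachable,
    # since every client will treat it as a directly connected neighbour.
    for host in map(ipaddress.ip_address, must_reach):
        if host in net:
            problems.append(f"{host} falls inside {net}; LAN hosts could never reach it")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: SBS at .2 serves DNS, the firewall becomes .1, one printer.
    good = check_plan("192.168.16.0/24", "192.168.16.1", ["192.168.16.2"],
                      {"printer-1f": ("192.168.16.50", "00-11-22-33-44-55")},
                      must_reach=("8.8.8.8",))
    bad = check_plan("8.8.8.0/24", "8.8.8.1", ["8.8.8.2"],
                     {"printer-1f": ("8.8.8.50", "00-11-22-33-44-55")},
                     must_reach=("8.8.8.8",))
    print("good plan:", good or "no problems")
    print("bad plan:", *bad, sep="\n  ")
```

Run it once with the intended scope before step 2 of the summary; an empty result means the scope, gateway, DNS and reservations are mutually consistent and the scope is one the wizards will take, while the 8.8.8.0/24 plan reports both the non-private range and the unreachable 8.8.8.8.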
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33495955
To answer that question, depending on existing topology, with all printers and machines having public addresses, it may not be possible to configure the existing firewall (if one exists) to service both a private IP range and a public IP range. I have seen some UTM devices that are very specifically designed to do firewall and perimeter, and either do not do multiple subnets with routing or charge per port to activate multiple subnet routing.
In such a case, a cheap consumer router would accomplish the necessary task of segmenting the two networks and yet keep a routing path open between them until the migration is complete.
See, the important part here is that routing path. To allow machines on both subnets to print to a printer that would only exist on one subnet, a route must exist. And, as mentioned above, this may not be possible with the equipment on the premises or may be prohibitively expensive. Since very few details are known about the exact topology, I provided a scenario to accommodate such a situation.
-Cliff.
 
0
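The routing path Cliff describes can be made concrete with a small simulation of the interim topology from his Option #2: a PC and the SBS box on the new private range, the cheap NAT router with one foot in each range, and the printer, a not-yet-migrated PC and the existing firewall on the legacy range. This is an added Python example, not code from the thread; all device names and addresses are assumptions, with 198.51.100.0/24 (RFC 5737 documentation space) standing in for the company's legacy public block and 203.0.113.10 playing an internet host.

```python
"""Trace packets through the interim two-subnet topology from Cliff's options:
the new private range behind a small NAT router, the legacy "public" range
(printers, not-yet-migrated PCs, the existing firewall) in front of it.

Added example, not code from the thread.  Addresses are constructed:
198.51.100.0/24 (RFC 5737 documentation space) stands in for the legacy public
block, 192.168.16.0/24 is the new SBS range.  Device names are assumptions.
"""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network
OLD_NET = NET("198.51.100.0/24")   # legacy static "public" scheme
NEW_NET = NET("192.168.16.0/24")   # new private SBS range
DEFAULT = NET("0.0.0.0/0")
INTERNET = "internet"              # sentinel next hop for the firewall's uplink
RFC1918 = (NET("10.0.0.0/8"), NET("172.16.0.0/12"), NET("192.168.0.0/16"))

# routes: (prefix, next_hop); next_hop None means directly connected.
# nat_if: WAN address that masquerades traffic leaving NEW_NET (cheap router only).
DEVICES = {
    "new-pc":    {"addrs": {IP("192.168.16.100")},
                  "routes": [(NEW_NET, None), (DEFAULT, IP("192.168.16.1"))]},
    "sbs":       {"addrs": {IP("192.168.16.2")},
                  "routes": [(NEW_NET, None), (DEFAULT, IP("192.168.16.1"))]},
    "cheap-rtr": {"addrs": {IP("192.168.16.1"), IP("198.51.100.2")},
                  "routes": [(NEW_NET, None), (OLD_NET, None), (DEFAULT, IP("198.51.100.1"))],
                  "nat_if": IP("198.51.100.2")},
    "printer":   {"addrs": {IP("198.51.100.20")},
                  "routes": [(OLD_NET, None), (DEFAULT, IP("198.51.100.1"))]},
    "old-pc":    {"addrs": {IP("198.51.100.30")},
                  "routes": [(OLD_NET, None), (DEFAULT, IP("198.51.100.1"))]},
    "firewall":  {"addrs": {IP("198.51.100.1")},
                  "routes": [(OLD_NET, None), (DEFAULT, INTERNET)]},
}


def owner(ip):
    """Name of the device that holds this address, or None."""
    return next((n for n, d in DEVICES.items() if ip in d["addrs"]), None)


def lookup(routes, dst):
    """Longest-prefix match: (prefix, next_hop) or None if nothing matches."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def trace(src_name, dst, max_hops=8):
    """Forward one packet hop by hop.
    Returns (outcome, path, source address as the last hop sees it)."""
    dst = IP(dst)
    src = min(DEVICES[src_name]["addrs"])
    here, path = src_name, [src_name]
    for _ in range(max_hops):
        dev = DEVICES[here]
        route = lookup(dev["routes"], dst)
        if route is None:
            return f"no route at {here}", path, src
        prefix, via = route
        # Outbound NAT: traffic leaving the cheap router's LAN side shows its WAN address.
        if "nat_if" in dev and src in NEW_NET:
            lan_side = (dst in NEW_NET) if via is None else (via in NEW_NET)
            if not lan_side:
                src = dev["nat_if"]
        if via is None:                              # directly connected
            target = owner(dst)
            if target is None:
                return f"no host {dst} on {prefix}", path, src
            path.append(target)
            return "delivered", path, src
        if via == INTERNET:
            path.append(INTERNET)
            if any(dst in block for block in RFC1918):   # ISP discards RFC 1918 destinations
                return "dropped upstream: no route back to a private destination", path, src
            return "forwarded to the internet", path, src
        nxt = owner(via)
        if nxt is None:
            return f"next hop {via} is not on any link from {here}", path, src
        path.append(nxt)
        here = nxt
    return "hop limit exceeded", path, src


if __name__ == "__main__":
    for src, dst in [("new-pc", "198.51.100.20"),   # new range prints via the router
                     ("old-pc", "198.51.100.20"),   # legacy range prints directly
                     ("new-pc", "203.0.113.10"),    # new range reaches the internet
                     ("old-pc", "192.168.16.2")]:   # legacy range cannot reach the SBS box
        outcome, path, seen = trace(src, dst)
        print(f"{src} -> {dst}: {outcome}; path {' > '.join(path)}; seen as {seen}")
```

The traces show why the cheap router is enough for the migration window: both ranges are directly connected on it, so the new-range PC reaches the printer (appearing as the router's WAN address) and the legacy PC still prints directly. The reverse direction fails, because the firewall's only route for 192.168.16.0/24 is its default route and a real consumer router would in any case drop unsolicited WAN-to-LAN traffic without a port forward; reachability during the interim is therefore one-way, which covers printing and internet access but not old-domain PCs initiating connections to already-migrated machines.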
 
LVL 2

Expert Comment

by:sbs-mix
ID: 33496358
Thanks for the tip. Personally, I haven't encountered a firewall with this type of limitation, so I didn't think of it. In my scenario, everything is on the same subnet/IP range. We're an office with about 20 PCs, so it's not really complicated.
0
 
LVL 27

Expert Comment

by:Steve
ID: 33598488
Could you post a few of the 'public' IPs your system uses? It seems unlikely and quite expensive for your company to have sufficient public IPs for a network infrastructure.
Most of the posts above are correct, as you should use public IPs sparingly, with your main server rarely being one of them (mostly for security).
If you do have your systems on public IPs, it seems likely that your system would be behind firewalls/routers, which means that, although the IPs may be from a set of public addresses, they wouldn't actually be exposed to the public.
If you do not have firewalls/routers, you urgently need to assess your network and secure it, as you may be at risk.
 
0
 

Author Closing Comment

by:resolver1
ID: 33618905
I've gone for option 1 posted by cgaliher.
0
 

Author Comment

by:resolver1
ID: 33618911
Thanks for all your help guys! It's much appreciated!
0
