Need help with WS2012 config

MrColin

Platinum Member
May 21, 2003
tl;dr My actual questions are bolded.

I picked up a complimentary license for 2012 Standard from MS's dreamspark site and a couple of SSD's. I'm attempting to duplicate the functionality of my Ubuntu home server. It used to (and still will if I boot the HDD) do all of the following on my network:

-File Server (samba, sftp, nfs, http)
-DHCP & DNS (dnsmasq)
-Firewall/NAT (shorewall)
-DRBL (dnsmasq, nfs, apache)
-local only http(s) (apache)

I do like the look and feel of the OS but I get frustrated with the silly wizards and the MS specific jargon and protocols.

My current, biggest, problem is with the NAT/routing. The config manager wizard insists that I implement either "DirectAccess" and/or VPN along with NAT/routing. The initial wizard offers the option to add/configure NAT alone but then the DA/VPN wizard keeps popping up, with some apparent claim of necessity. If I enable either one, the devices on my LAN lose internet connectivity. I'm assuming each device would then require some configuration to join the VPN. Not all of my devices are windows so I don't think DirectAccess is appropriate. This surprised me because I thought VPNs were only for securing WAN to LAN access. The NAT works currently but the nag wizard disturbs me.

1. Is VPN/DirectAccess really necessary?

My other problem/goal is to achieve some DNS tweaks I had with dnsmasq. It let me create records for devices on the LAN, in addition to reading a separate file of blacklisted domains (about 15000 of them) in the form of
Code:
0.0.0.0    somegarbagespewingdomain.com
for the purpose of blocking ads and malware (similar to using a HOSTS file). The MS DNS server GUI doesn't look very useful or make much sense to me. If I find myself looking at a helpful error message in windows explaining that 0.0.0.0 isn't a valid address, I fear that I might punch a baby or something. Also, I can't figure out how to tell it not to answer queries on my WAN port.

So briefly my questions on MS DNS are;
2. How to load/import massive numbers of custom records?
3. How to keep it from answering queries on the WAN port?
4. Other efficient options for blocking huge lists of domains on the entire lan?
5. Will MS DNS read records from the OS's HOSTS file?


TIA for any help.
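Questions 2 through 5 above are one job on the Windows side: turn a hosts-style blocklist into DNS server data and restrict where the server listens. The following is an added PowerShell example, not code from the thread; the blocklist path, the sinkhole address and the LAN listen address are placeholders, and it assumes the DNS Server role (and so the DnsServer module) is installed.

```powershell
# Added example: build DNS sinkhole zones from a hosts-style blocklist on a
# Windows Server 2012 DNS server. Not from the original thread.
# Assumed placeholders: $BlockList path, $SinkAddr, $LanListen.
Import-Module DnsServer

$BlockList = 'C:\dns\blocklist.txt'   # lines look like "0.0.0.0 somegarbagespewingdomain.com"
$SinkAddr  = '127.0.0.1'              # answer returned for blocked names (0.0.0.0 in the source file)
$LanListen = '192.168.1.1'            # LAN-side address the server should answer on

# Parse the hosts-style file: skip comments and blank lines, take the second
# field, and drop the localhost entries a hosts file normally carries.
$domains = Get-Content $BlockList |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*\S+\s+\S+' } |
    ForEach-Object { (($_.Trim()) -split '\s+')[1].ToLower() } |
    Where-Object { $_ -ne 'localhost' -and $_ -notmatch '^localhost\.' } |
    Sort-Object -Unique

# Index existing zones so the script can be re-run without errors.
$existing = @{}
Get-DnsServerZone | ForEach-Object { $existing[$_.ZoneName.ToLower()] = $true }

$added = 0
foreach ($d in $domains) {
    if ($existing.ContainsKey($d)) { continue }
    # One file-backed primary zone per blocked domain. Dynamic updates stay off:
    # a LAN client must never be able to rewrite a sinkhole record.
    Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns" -DynamicUpdate None
    # Sinkhole the zone apex and every name beneath it.
    Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $SinkAddr
    Add-DnsServerResourceRecordA -ZoneName $d -Name '*' -IPv4Address $SinkAddr
    $added++
}
Write-Output "Sinkholed $added new domains ($($domains.Count) in list)."

# Answer queries only on the LAN address, never on the WAN interface.
# dnscmd writes the ListenAddresses setting; the service must restart to apply it.
dnscmd /ResetListenAddresses $LanListen
Restart-Service DNS
```

Each blocked name becomes its own zone, so with roughly 13k entries expect the DNS service to take noticeably longer to start and the zone list to be unwieldy in the console. The HOSTS file is not a shortcut here: the DNS Server service never reads it, only the local resolver does.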
 

Dstoop

Member
Sep 2, 2012
As for #2, it's yelling at you because 0.0.0.0 *isn't* a valid address. DNS wasn't designed to be used as a ghetto content filter. You might have better luck redirecting to 127.0.0.1 or your server's IP address to force a "bad" connection, but you might be stuck waiting for timeouts and have errors loading pages depending on the layout.

The better way to do this is with dedicated filtering software, either on the server if it's acting as the default gateway (which it seems like that's your goal) or on the workstations themselves via something like Adblock Plus or a software firewall (just create a custom list of blocked stuff).
 

MrColin

Platinum Member
May 21, 2003
As for #2, it's yelling at you because 0.0.0.0 *isn't* a valid address. DNS wasn't designed to be used as a ghetto content filter. You might have better luck redirecting to 127.0.0.1 or your server's IP address to force a "bad" connection, but you might be stuck waiting for timeouts and have errors loading pages depending on the layout.

The better way to do this is with dedicated filtering software, either on the server if it's acting as the default gateway (which it seems like that's your goal) or on the workstations themselves via something like Adblock Plus or a software firewall (just create a custom list of blocked stuff).

Actually, it's not yelling at me yet because I haven't even started using the 9-steps-for-each-DNS-record wizard (I have over 13k records I want to add). I don't particularly care what the *intended* purpose of DNS is. You're right about using 127.0.0.1 vs 0.0.0.0 and timeout delays from the former.

I was considering running Linux or BSD in a Hyper-V and pointing the MS DHCP options to the DNS service on that OS. As it turns out, installing the Hyper-V role appears to require a dedicated NIC, or at least it wants to hijack one of the available network connections all for its own "vEthernet." It's counterintuitive to me that I should end up with less hardware from using virtualization. It should be able to add its own virtual NIC, but apparently not. I might try a different virtualization tech that doesn't hijack my NIC like Hyper-V does.

^This post is largely just a rant, thanks for the reply.
 

MrColin

Platinum Member
May 21, 2003
Mmmkay!
I'm working through this proposed solution from the MS social board regarding the Hyper-V+NAT autobork wizard. I feel like pointing out that all of this could be accomplished with a line or two of shell code under Linux. My hatred for the wizards continues to grow; they should be called something less flattering like robots or configbots, as "wizard" implies intelligence, which is absent in these dialogs. I wish more of these experts posted PowerShell-centric solutions as they would be more accurate and efficient to use.

I just performed a test on my side. The virtual network adapter can be added to the RRAS console properly. I recommend that you disable routing and remote access option and then reconfigure routing and remote access option again.

For your reference, the following part describes how to configure NAT via RRAS on Hyper-V host:

Steps to Configure NAT on Hyper-V Host Machine
-----------------------------------------------------------------

A. Configuring Hyper-V Virtual Network to talk to Host

1. Select the already existing network or create the new network if not present
2. Go to Hyper-V Manager -> Virtual Network Manager -> Add/Edit a Virtual Network. Set the connection type to Internal only.

B. Configure the Hyper-v Host machine
Above step will add a virtual adapter to the hyper-v host machine.
1. Go to network connections. You should see a newly added Virtual Adapter with the device name same as the network added in Hyper-V. (in Step A)
2. Assign an IP from the internal IP address range (e.g. 192.168.1.100). This would now become a gateway for all VM clients.

C. Configure VM Client
Go to client hyper-v settings -> network adapter -> select the adapter and change the network to the network configured in the previous step.

D. Configure the Client IP Address

Configure the Client IP using any one of the below options.

a. Assign static IP address. Default gateway should be IP configured in virtual network on host in the previous slide.
b. Leave the IP address to Dynamic and let the NAT provide the Dynamic IP
c. Configure the DHCP server in the internal network. DHCP should be configured to provide the default gateway to clients (IP configured on virtual network on host in previous step).

Note : In all the above cases the default gateway should be the one configured in step B.

E. Installing NAT on Hyper-V Host

1. Click Start-> Server Manager and start the server Manager wizard.
2. Click Roles and then Add Roles to add a new Role.
3. Select Network Policy and Access Services and click Next
4. Select Routing and Remote Access Services, Remote Access Service and Routing. Click Next.
5. System will now install the role. Click Close to finish the installation

F. Configuring NAT

1. Expand Roles and Network Policy and Access. Right click Configure and Enable Routing and Remote Access. Click Next
2. Select Network address translation (NAT) and click Next
3. Leave the default if you want to let RRAS provide the IP addresses to VM client. In case your VM environment has DHCP server configured select the second option.
4. Click Finish to complete the RRAS wizard.

Wizard will now configure the NAT with default settings. You can explore the RRAS admin console and configure individual options to customize the environment.


Best regards,
Vincent Hu
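The same layout as the quoted steps A through F, done from PowerShell so nothing depends on the wizard; this is an added example and not part of the quoted post or its author's instructions. The switch name, host address, WAN adapter alias and VM name are placeholders, and the netsh routing lines are assumed to match the RRAS netsh syntax on your build (check with `netsh routing ip nat ?` before relying on them).

```powershell
# Added example: Hyper-V internal switch + RRAS NAT on Windows Server 2012,
# scripted instead of clicked. Not from the thread. Placeholders are marked.
$SwitchName = 'Internal'          # assumed Hyper-V internal switch name
$HostIP     = '192.168.1.100'     # host side of the switch; becomes the VM gateway
$Prefix     = 24
$WanAlias   = 'Ethernet'          # assumed alias of the adapter facing the ISP
$VMName     = 'TestVM'            # assumed VM to attach

# A. Internal switch: the host gets a vEthernet adapter, no physical NIC is taken.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}
$LanAlias = "vEthernet ($SwitchName)"

# B. Put the gateway address on the host-side adapter (idempotent on re-run).
$have = Get-NetIPAddress -InterfaceAlias $LanAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $HostIP }
if (-not $have) {
    New-NetIPAddress -InterfaceAlias $LanAlias -IPAddress $HostIP -PrefixLength $Prefix | Out-Null
}

# C. Attach the VM's adapter to the internal switch. (D, the client's own IP and
# gateway, is set inside the guest or by DHCP and is not scripted here.)
Get-VMNetworkAdapter -VMName $VMName | Connect-VMNetworkAdapter -SwitchName $SwitchName

# E. RRAS in routing-only mode: no VPN and no DirectAccess are configured.
Install-WindowsFeature Routing -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType RoutingOnly

# F. NAT: the WAN adapter is the public (full) interface, the switch is private.
# Assumed netsh RRAS syntax; verify on your build.
netsh routing ip nat install
netsh routing ip nat add interface name="$WanAlias" mode=full
netsh routing ip nat add interface name="$LanAlias" mode=private

# Check: both interfaces should be listed with their NAT mode.
netsh routing ip nat show interface
```

Only the internal switch is created here, so the physical NIC keeps its own IP; keep the RRAS NAT public interface on the WAN adapter and the DNS server's listen address on the internal one so neither service is reachable from the ISP side.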