Trying to set up a DNS/DHCP server... I said "trying" - Update

GeSuN

Senior member
Feb 4, 2002
Hi, I'm trying to set up the server for the company with MS Adv Server on it. I've never installed Adv Server before, so there's a lot of new stuff in there...

First I want to make sure of a couple of things.

Is it OK to have the following setup:

DSL modem --> MS Adv Server (from one NIC) --> Switch (Connected with the second NIC) --> Client computers...

I'm pretty sure it's ok, but just wanna make sure.

Then, I want to set up the DNS and DHCP server on the server, but is it better to set up one or the other before???
Also, do I need to "tell" the DNS and DHCP servers that they will work on a certain NIC? If so, how do I do this?


 

Saltin

Platinum Member
Jul 21, 2001
Don't multi-home the server if you intend to make it a Domain Controller.
If it's just going to be a stand alone server in a workgroup, then you can get away with it.

It doesn't really matter which of DHCP or DNS you install first.

DHCP will only serve the NIC that is configured with an IP that falls within the scope you configure in DHCP, so no further configuration is necessary there.

For DNS, right-click the server object in the DNS snap-in, select Properties, then the Interfaces tab. Make sure the IP you want DNS to listen on is the only one in the box.
 

Saltin

Platinum Member
Jul 21, 2001
A multi-homed machine is a machine with more than one NIC in it.
Domain Controllers should (generally) not be multi-homed.
 

GeSuN

Senior member
Feb 4, 2002
A multi-homed machine is a machine with more than one NIC in it.
Domain Controllers should (generally) not be multi-homed.

So what do you suggest for my setup?
 

Saltin

Platinum Member
Jul 21, 2001
Ideally, you would want to run a cheap router as your gateway to the Internet. For security reasons, you don't want your Domain Controller to have an exposed public IP.
You could buy a hardware router (hell even a linksys four port approx $60 would do the trick if it's a small network).
You could also configure a software router (weaker option).

My idea is

DSL modem=====>Router===>Switch====>All clients and server plug into switch.
 

GeSuN

Senior member
Feb 4, 2002
Ok, I can get a router pretty easy.

Now what would be best: the router takes care of DHCP, or the server???

And do I still have to set up DNS? (I don't think so...)
 

Saltin

Platinum Member
Jul 21, 2001
If you plan on making your server a Domain Controller, then you will be installing Active Directory. Active Directory requires DNS.
If that is the case, then I would also allow the server to handle DHCP. DHCP and DNS in Windows 2000 will work together to automatically add host records for all your clients as they receive DHCP leases. It's just easier.
 

stash

Diamond Member
Jun 22, 2000
To add to that, if you have any aspirations of using RIS on your active directory, it requires that your DHCP server be authorized in the AD. You will not be able to authorize a router's dhcp server (at least none of the consumer routers that I've seen).
 

Saltin

Platinum Member
Jul 21, 2001
To add to that, if you have any aspirations of using RIS on your active directory, it requires that your DHCP server be authorized in the AD

All DHCP servers in a Win2k environment must be authorized in AD, regardless of the presence of RIS.
The idea is to put an end to rogue DHCP servers on the network, but I think it's got more to do with MS wanting you to use 2k DHCP.
 
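A defender-side check for the rogue-DHCP problem Saltin raises, added here as an example (not code from the thread): it parses DHCPOFFER packets and flags any offer whose server identifier is not on the authorized list. The packets are constructed sample bytes using the router/server addresses from later in the thread; capturing real offers off the wire is assumed to happen elsewhere.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
DHCP_OFFER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 2, 53, 54, 0, 255


def build_offer(server_ip: str, offered_ip: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER (236-byte BOOTP reply, cookie, options) as sample input."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                        b"", ip(offered_ip), ip(server_ip), b"", b"", b"", b"")  # ciaddr..file
    options = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER]) + bytes([OPT_SERVER_ID, 4]) + ip(server_ip) + bytes([OPT_END])
    return fixed + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw value} from a DHCP packet, honouring pad and end options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def find_rogue_offers(packets, authorized) -> list:
    """Return server IPs of DHCPOFFERs whose server identifier is not in the authorized set."""
    rogue = []
    for pkt in packets:
        opts = parse_options(pkt)
        if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
            continue                                  # only offers reveal a server handing out leases
        server_id = opts.get(OPT_SERVER_ID) or pkt[20:24]   # fall back to the siaddr field
        server = str(ipaddress.IPv4Address(server_id))
        if server not in authorized:
            rogue.append(server)
    return rogue


# Constructed sample: the Windows server is the only authorized DHCP server, but the
# router's built-in DHCP server was left enabled and answers clients too.
AUTHORIZED = {"192.168.0.2"}
SAMPLE_OFFERS = [build_offer("192.168.0.2", "192.168.0.50"),    # the Windows DC
                 build_offer("192.168.0.1", "192.168.0.100")]   # router DHCP left on
ROGUE = find_rogue_offers(SAMPLE_OFFERS, AUTHORIZED)   # ["192.168.0.1"]
```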

stash

Diamond Member
Jun 22, 2000
All DHCP servers in a Win2k environment must be authorized in AD, regardless of the presence of RIS

I'm well aware of that... my point is, you -can't- authorize the DHCP servers on consumer routers. AD will just return an error.
 

JustinLerner

Senior member
Mar 15, 2002
I would like to differ with several posts near the top of the thread.

There are multiple reasons that multi-homing can be and should be used on servers like 2000 Server, Advanced Server or DataCenter. These include setting up and securing other networks or subnets with VPN, other services dedicated to other networks (isolated), and even adaptive load balancing, fault tolerance, or both (multiple NICs required).

As with the Windows 2000 Server family and the .NET server framework and networks, ICS is not recommended for any network having any DNS servers, DHCP servers, gateways, any .NET DCs, or using any static IP addresses. [Of course, the use of static IP addresses creates obvious exclusions for ICS use and, when used in combination with a DC, DNS (required for DC) or DHCP servers, this obviously creates the above recommendations. Obviously, these recommendations exist for security reasons, but you are all free to do even what is strongly cautioned and warned against; after all, freedom exists to do even things which aren't so bright, right?]
.NET framework warnings: http://support.microsoft.com/default.aspx?scid=kb;en-us;q324286#1
----
2000 Server warnings: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307311#6

Multihoming on a DC is fine, but using ICS is strongly discouraged by MS for any network where a DOMAIN CONTROLLER exists, as is making any DOMAIN CONTROLLER a DHCP client. Using either of these methods on a MS server is considered a security flaw by MS. Otherwise, the recommendations you all make are correct and fine and would be preferable for ease of setup.

---
Setting up NAT on the server is a recommended alternative to using ICS on a network where DC, DNS, or DHCP servers exist.
Windows 2000 Servers: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310357
Windows .NET framework: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q324264#2
 

GeSuN

Senior member
Feb 4, 2002
Ok, so now on one side it's better to have multihoming and on the other it's not...

What should I do?

EDIT: Just read Justin's answer more carefully and I think that I'll follow what Saltin said. Besides I won't be using ICS.

REDIT: Ok, my setup will be like this:

DSL modem--> router--> switch --> Clients and server.

Now I'll install DHCP and DNS on my server, which is the DC. But do I need to install the NAT service too? Or can I use the one on my router?
 

Saltin

Platinum Member
Jul 21, 2001
Justin, obviously there are a million and one scenarios where a 2k member or stand alone server product would be multihomed. I can think of three machines on my network (ISA servers) that are. RRAS servers would be another case.

Multihoming on a DC is fine, but using ICS is strongly discouraged by MS for any network where a DOMAIN CONTROLLER exists, as is making any DOMAIN CONTROLLER a DHCP client. Using either of these methods on a MS server is considered a security flaw by MS. Otherwise, the recommendations you all make are correct and fine and would be preferable for ease of setup.

Multihoming a DC is not fine. There is only one scenario under which it is acceptable (in my mind), and that is if the DC is a bridgehead server for an Active Directory site. Even under these circumstances, the DC should never be exposed directly to the internet, and should communicate with other bridgeheads via VPN.

Multihomed DCs (especially when one of the NICs is sitting on a public network) expose the network to a host of undesirable issues. Security concerns are one, but many of the issues are operational in nature. Multihomed DCs have (in my experience) master browser issues (NetBIOS). Often, rookie admins will set up DNS on a multihomed machine and not limit the IPs the DNS service is listening on. There was a serious problem (since patched in SP2) with multihomed DCs losing Active Directory objects. They just up and disappeared! My experience is that it isn't worth the trouble.

ICS is Mickey Mouse stuff. Obviously you don't want to use it in any serious setup. It isn't robust NAT at all.
Obviously a DC shouldn't be a DHCP client. What server should be? Making a server (whether it is a DC or not) a DHCP client is just, well, stupid; I'm not sure I would call it a security flaw.

The original poster is obviously trying to get his head around a lot of concepts right now. He's new to Windows 2000 and needs simple, thrifty advice that works. That's what I provided.

If you want to debate 2000 design concepts with me, let's do it somewhere else.

 

GeSuN

Senior member
Feb 4, 2002
The original poster is obviously trying to get his head around a lot of concepts right now. He's new to Windows 2000 and needs simple, thrifty advice that works. That's what I provided.

Thanks Saltin for trying to keep this simple ;) And you're right about me trying to "get my head around a lot of concepts right now"; there's a lot of new stuff for me to learn right now...

Anyway, I'll sum up what I understood and what I'll do, and tell me if I got something wrong.

First, the setup will look like this:
DSL modem=====>Router===>Switch====>All clients and server plug into switch. (like you told me to do Saltin)

Now, my server will have the DHCP and DNS servers enabled.
My router will take care of the NAT service.

For now that's what I'll do...

Then I have to ask you a question. Is it a good idea to set up a web server, email server and FTP server on the DC?
 

JustinLerner

Senior member
Mar 15, 2002
Multihoming is not a security flaw if one knows what they are doing.

I don't want anyone (newbie or otherwise any reader) who reads this post at the top to think Windows 2000 Servers or .NET Servers have security flaws when using multihoming or that Microsoft discourages this function.
Novice expectations aside, here is an explanation of why things often don't work with multihoming.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q175767
For example, how not to multihome a DHCP server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q265129

I'm not arguing about complexity to confuse the newbie, as my original post clearly states: "Otherwise, the recommendations you all make are correct and fine and would be preferable for ease of setup."

Just don't give other incorrect information about servers and services that can lead to misunderstandings for anyone.

Thanks
 

JustinLerner

Senior member
Mar 15, 2002
Originally posted by: GeSuN
For now that's what I'll do...
Then I have to ask you a question. Is it a good idea to set up a web server, email server and FTP server on the DC?


It's not a good idea, especially for FTP. Really, all of these services should be on other dedicated servers.
 

Saltin

Platinum Member
Jul 21, 2001
Justin, nothing you said leads me to believe I should continue this conversation. Those links have very little to do with the topic at hand.

GeSun, In my opinion, you are right on track. If you have any more questions, feel free to private message me.
 

GeSuN

Senior member
Feb 4, 2002
I think the server is almost all set up now... ;) after that I will start the testing phase to make sure everything is working correctly with other computers...

I just have a question about the Server bootup... Is it normal that it takes almost a minute for "preparing network connections" ?
 

JustinLerner

Senior member
Mar 15, 2002
After the system boots, go to the event log and view what is failing. Normally, the longer time for a client might indicate the system is trying to find the DNS server but can't. You may have to reorder the order of network devices to ensure that the appropriate devices access the DNS server at the appropriate time.

---

Ynoxx, it's not possible to set up a Windows 2000 DC without having both a DNS server and AD.
 

GeSuN

Senior member
Feb 4, 2002
Justin, in fact it's not the client that is taking a long time to boot, it's the server... but I'll check next time what the Event Viewer says... is there a place where it tells me what the error numbers mean?

 

JustinLerner

Senior member
Mar 15, 2002
No, not really. You need to take the error numbers and check them at the Microsoft knowledge base.

But really, the errors in services or dependencies will tell you a lot about what is not optimized or causing delays.
 

Saltin

Platinum Member
Jul 21, 2001
GeSun, it is very normal for a Domain Controller to take several minutes to boot.
 

GeSuN

Senior member
Feb 4, 2002
Ok, I've checked the Event Viewer and found it was a problem with the DNS server... corrected the problem and now I don't have any errors in the Event Viewer...

The testing phase is approaching... ;)

btw, my router has the 192.168.0.1 IP and the server has 192.168.0.2. So what's the gateway for the client machines??? Or do I even need to set a gateway?