Re: DNS and AD on same machine

Inline commentary...

Jim Harrison
MCP(2K), A+, Network+, PCG

  ----- Original Message ----- 
  From: cismic 
  To: [ISAserver.org Discussion List] 
  Sent: Friday, August 03, 2001 6:11 PM
  Subject: [isalist] DNS and AD on same machine


  http://www.ISAserver.org


  I've been reading though postings to the list about the pro's and con's of 
having DNS on the AD machine.  I have several questions.

  1.  Machine wise what is a good configuration i.e. P166 with 96MB  with 
minimal hits. Would this be a good system
       to use for testing etc.
  * No, this is not a good machine for W2K server at all, much less an AD.  Get 
at least a PII-300, 256MB RAM for the AD.

  2.  If you DNS server is in the DMZ  is it still possible to AD enable DNS so 
as not to comprimise the internal network?
  * You can, but the configuration is a nightmare.  The DNS must be a member of 
the domain in order to use AD-integration for any zone and passing Kerberos and 
NetBIOS through ISA.

  3.  Is it better to use ROUTE -P ADD x.x.x.1 MASK x.x.x.0 x.x.x.x rather then 
use packet filters within the ISA machine?
  * No.  Never.  If you want a router, install RRAS.  If you want a firewall, 
use ISA.  Manual routes are just truck-sized holes in your firewall.

  4.  Is it best to place your WEB and SQL servers in the DMZ.
  * That's a completely personal preference.  You lose application-awareness 
through ISA with DMZ traffic, but you gain isolation.


  Thank you,

  Joseph 
  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
  To unsubscribe send a blank email to $subst('Email.Unsub') 

Other related posts: