Re: DNS and AD on same machine
- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sat, 4 Aug 2001 09:20:00 -0700
Inline commentary...
Jim Harrison
MCP(2K), A+, Network+, PCG
----- Original Message -----
From: cismic
To: [ISAserver.org Discussion List]
Sent: Friday, August 03, 2001 6:11 PM
Subject: [isalist] DNS and AD on same machine
http://www.ISAserver.org
I've been reading though postings to the list about the pro's and con's of
having DNS on the AD machine. I have several questions.
1. Machine wise what is a good configuration i.e. P166 with 96MB with
minimal hits. Would this be a good system
to use for testing etc.
* No, this is not a good machine for W2K server at all, much less an AD. Get
at least a PII-300, 256MB RAM for the AD.
2. If you DNS server is in the DMZ is it still possible to AD enable DNS so
as not to comprimise the internal network?
* You can, but the configuration is a nightmare. The DNS must be a member of
the domain in order to use AD-integration for any zone and passing Kerberos and
NetBIOS through ISA.
3. Is it better to use ROUTE -P ADD x.x.x.1 MASK x.x.x.0 x.x.x.x rather then
use packet filters within the ISA machine?
* No. Never. If you want a router, install RRAS. If you want a firewall,
use ISA. Manual routes are just truck-sized holes in your firewall.
4. Is it best to place your WEB and SQL servers in the DMZ.
* That's a completely personal preference. You lose application-awareness
through ISA with DMZ traffic, but you gain isolation.
Thank you,
Joseph
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
