Inline commentary...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: cismic
To: [ISAserver.org Discussion List]
Sent: Friday, August 03, 2001 6:11 PM
Subject: [isalist] DNS and AD on same machine

I've been reading through postings to the list about the pros and cons of having DNS on the AD machine. I have several questions.

1. Machine-wise, what is a good configuration, i.e. P166 with 96MB with minimal hits? Would this be a good system to use for testing etc.?

* No, this is not a good machine for W2K server at all, much less an AD. Get at least a PII-300, 256MB RAM for the AD.

2. If your DNS server is in the DMZ, is it still possible to AD-enable DNS so as not to compromise the internal network?

* You can, but the configuration is a nightmare. The DNS must be a member of the domain in order to use AD-integration for any zone and passing Kerberos and NetBIOS through ISA.

3. Is it better to use ROUTE -P ADD x.x.x.1 MASK x.x.x.0 x.x.x.x rather than use packet filters within the ISA machine?

* No. Never. If you want a router, install RRAS. If you want a firewall, use ISA. Manual routes are just truck-sized holes in your firewall.

4. Is it best to place your WEB and SQL servers in the DMZ?

* That's a completely personal preference. You lose application-awareness through ISA with DMZ traffic, but you gain isolation.

Thank you,
Joseph