Re: DNS and AD on same machine

  • From: "cismic" <cismic@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 4 Aug 2001 10:56:38 -0700

From looking at the boards, I noticed different people posting and asking
questions then the email solution.
And, I wasn't receiving replies to my questions...So, I thought I would ask
the same question and combine the best of the answers! <grin>

However, I had my P166 with 96MB running great with W2K and enterprise ISA.
When I loaded W2K svc pack #2 is when the network
cards just stopped working.  I've not gone any further in my investigations
as to why they quit. That is what really prompted my questions about the 166
in the first place.  I'll post what I find when I put that machine on my
test bench (small network)

All the answers have been great! I think I'll use DNS/AD in the back
configuration and DNS as a secondary in public side of things. I think that
the DMZ would be good if I was running a pretty big site and need to control
access to the internal network.  At some point in the future it looks like
it will be an easy thing to do with information I've found via the
newsgroups and email list.  Most likely I'll try both just to see the
differences.

As far as a Rock....It's "Hot Import Night In Seattle"  I must attend to see
what other toys beside my p166 I can't have! <grin>

I'll keep you all posted with my results.

Joseph

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 04, 2001 9:52 AM
Subject: [isalist] Re: DNS and AD on same machine


> http://www.ISAserver.org
>
>
> Hiya Tom,
>
>     I see; ask one question on one board and a different question on another
> board and see which answer suits you best...  Shame on Joseph..  :-)
>     Still, a P1-166, 96MB is not even a supported config for W2K, regardless
> of its intended job.  W2K might work on that box, but it certainly won't
> "run".  I have a W2K web server running on an AMD K6-2/500, 256MB with UW
> SCSI and it's slower than I can tolerate some days.  I'd end up shooting
> Joseph's intended DNS server purely as a mercy killing.
>     As far as DNS on the AD; that's my preferred config for the
> AD-supporting DNS zone.  That way, you don't get the chicken-and-egg issue
> of who has to be started first and also avoid potential network issues...
> You only have to make sure that the NetLogon service is dependent on the DNS
> service in that scenario.  Otherwise, it's solid as a rock.  ..Chevy, that
> is...
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Saturday, August 04, 2001 9:32 AM
> Subject: [isalist] Re: DNS and AD on same machine
>
> Hi Jim,
>
> I'm going to disagree with you regarding the DNS server configuration.
> If you use a Win2k Server that's doing nothing else but serve as a very
> low volume DNS server, and the DNS server is acting as a Standard
> Secondary to an AD Integrated DNS somewhere else, it should work fine. I
> mention this because that was the original question posited by Joseph on
> the Web Boards.
>
> I agree wholeheartedly with everything else you said :-)
>
> Tom
> www.isaserver.org/shinder
>
>
> Thomas W Shinder, M.D., MCSE, MCT
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Saturday, August 04, 2001 11:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: DNS and AD on same machine
>
> Inline commentary...
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: cismic
> To: [ISAserver.org Discussion List]
> Sent: Friday, August 03, 2001 6:11 PM
> Subject: [isalist] DNS and AD on same machine
>
> I've been reading through postings to the list about the pros and cons
> of having DNS on the AD machine.  I have several questions.
>
> 1.  Machine wise what is a good configuration i.e. P166 with 96MB  with
> minimal hits. Would this be a good system
>      to use for testing etc.
> * No, this is not a good machine for W2K server at all, much less an AD.
> Get at least a PII-300, 256MB RAM for the AD.
>
> 2.  If your DNS server is in the DMZ  is it still possible to AD enable
> DNS so as not to compromise the internal network?
> * You can, but the configuration is a nightmare.  The DNS must be a
> member of the domain in order to use AD-integration for any zone and
> passing Kerberos and NetBIOS through ISA.
>
> 3.  Is it better to use ROUTE -P ADD x.x.x.1 MASK x.x.x.0 x.x.x.x rather
> than use packet filters within the ISA machine?
> * No.  Never.  If you want a router, install RRAS.  If you want a
> firewall, use ISA.  Manual routes are just truck-sized holes in your
> firewall.
>
> 4.  Is it best to place your WEB and SQL servers in the DMZ?
> * That's a completely personal preference.  You lose
> application-awareness through ISA with DMZ traffic, but you gain
> isolation.
>
>
> Thank you,
>
> Joseph
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
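
The NetLogon-on-DNS service dependency mentioned in the quoted reply above, shown as an added example that is not part of the original thread or written by any of its participants. It assumes a domain controller that hosts its own AD zone with the Microsoft DNS Server service (service name `DNS`), an elevated session, and PowerShell, which postdates this thread.

```powershell
# Added example: make Netlogon wait for the local DNS Server service at boot,
# so the DC does not try to register its SRV records before DNS is answering.
# Assumption: run elevated on a DC that has the DNS Server role installed.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

function Get-NetlogonDependencies {
    # DependOnService is a REG_MULTI_SZ; return it as a string array
    # (empty array if the value is absent).
    $props = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
    if ($props) { @($props.DependOnService) } else { @() }
}

# The DNS service only exists when the DNS Server role is on this machine.
# Adding a dependency on a missing service would stop Netlogon from starting.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Warning 'DNS Server service not found on this host; leaving Netlogon unchanged.'
    return
}

$current = Get-NetlogonDependencies
if ($current -contains 'DNS') {
    # Idempotent: nothing to change on a second run.
    Write-Output "Netlogon already depends on: $($current -join ', ')"
} else {
    # Append rather than overwrite, so the existing dependencies are preserved.
    [string[]]$updated = @($current) + 'DNS'
    Set-ItemProperty -Path $key -Name DependOnService -Value $updated -Type MultiString
    Write-Output "Netlogon now depends on: $($updated -join ', ')"
    Write-Output 'The change applies the next time the service is started (normally the next reboot).'
}
```

If the DNS Server role is later removed from the machine, remove `DNS` from `DependOnService` again, otherwise Netlogon will fail to start.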


