Hi Jim,

I'm going to disagree with you regarding the DNS server configuration. If you use a Win2k Server that is doing nothing else but serving as a very low volume DNS server, and the DNS server is acting as a Standard Secondary to an AD Integrated DNS somewhere else, it should work fine. I mention this because that was the original question posited by Joseph on the Web Boards.

I agree wholeheartedly with everything else you said :-)

Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday, August 04, 2001 11:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS and AD on same machine

http://www.ISAserver.org

Inline commentary...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: cismic
To: [ISAserver.org Discussion List]
Sent: Friday, August 03, 2001 6:11 PM
Subject: [isalist] DNS and AD on same machine

I've been reading through postings to the list about the pros and cons of having DNS on the AD machine. I have several questions.

1. Machine wise, what is a good configuration, i.e. P166 with 96MB with minimal hits? Would this be a good system to use for testing etc.?

* No, this is not a good machine for W2K server at all, much less an AD. Get at least a PII-300, 256MB RAM for the AD.

2. If your DNS server is in the DMZ, is it still possible to AD enable DNS so as not to compromise the internal network?

* You can, but the configuration is a nightmare. The DNS must be a member of the domain in order to use AD-integration for any zone and passing Kerberos and NetBIOS through ISA.

3. Is it better to use ROUTE -P ADD x.x.x.1 MASK x.x.x.0 x.x.x.x rather than use packet filters within the ISA machine?

* No. Never. If you want a router, install RRAS. If you want a firewall, use ISA. Manual routes are just truck-sized holes in your firewall.

4. Is it best to place your WEB and SQL servers in the DMZ?

* That's a completely personal preference. You lose application-awareness through ISA with DMZ traffic, but you gain isolation.

Thank you,
Joseph

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')