2 different domains, 1 SQL server under 1 firewall and DSL connection...help


Garett

Hope I get this off as clear as possible:

* Moving 1 company( A COMPANY) network(25 users, 1 win2k server) to
location where B company is(15 users). At LOCATION B, both A and B
have separate win2k servers w/different IP addresses, diff subnets,
different domains. At location B, there is 1 firewall out to the net
via DSL.
Also, there is a SQL server w/ accounting data on it where BOTH
companies have to pull from.

GOAL:

To have each company under their own SERVER(and domain) and IP, both
go out through the 1 firewall, and have both companies(domains) attach
and pull data from the single SQL accounting server(which can be a
member of either domain), and they are both in the same server room
location using the same firewall and switch.

What do I need to do to make both domains work under 1 firewall?
How can I allow both domains to attach to the SQL server and grab data
off it?

Thanks in advance.

GC
 
You need:

1. Configure domain trust(s). See:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315053

2. Configure a router between the 2 networks - not a $50 NAT router. You
can use a 'real' router or any Windows machine with 2 network adapters. In
Windows 2000 Professional, you configure the 'router' as follows:

a. Start/Run regedit ENTER

b. navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

Set the value for IPEnableRouter to 1.

c. Manually configure TCP/IP settings for each adapter and connect one
adapter to network B and the other to network A. Configure network B
adapter with a default gateway using the Firewall IP. Do not configure a
default gateway for the Network A adapter.

d. Configure all machines on the A network with a default gateway - the IP
address of the 'router's' network A adapter.

e. Configure all network B machines (or at least the SQL Server and domain
controller) with a static route:

route /p add <network A> mask <subnet mask for network A> <IP address of router's network B adapter>

Possibly you can configure this on your Firewall instead.

f. If you want Internet on network A machines, configure forwarders on the
network A domain controller/DNS - use ISP's DNS server IP.

Doug Sherman
MCSE Win2k/NT4.0,MCSA, MCP+I, MVP
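Doug's steps b, c and e as a PowerShell script, added here as an example and not part of the original post. It assumes a modern Windows host with PowerShell (on a Windows 2000 box the same regedit, netsh and route steps are done by hand), adapter names "Net A" and "Net B", and constructed subnets 192.168.10.0/24 (company A) and 192.168.20.0/24 (company B).

```powershell
# Added example, not from the thread. All addresses are constructed placeholders.
$NetA       = '192.168.10.0'   # company A subnet (hypothetical)
$NetAMask   = '255.255.255.0'
$RouterAIp  = '192.168.10.1'   # router's adapter on network A (A clients' default gateway, step d)
$RouterBIp  = '192.168.20.2'   # router's adapter on network B
$NetBMask   = '255.255.255.0'
$FirewallIp = '192.168.20.1'   # firewall LAN address, the router's only default gateway
$TcpipKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Run on the dual-NIC Windows box that will route between the subnets (steps b and c).
# Adapter names "Net A" / "Net B" are assumptions; list yours with: netsh interface ip show config
function Enable-LanRouter {
    # Step b: IPEnableRouter=1 turns on plain layer-3 forwarding (no NAT); needs a reboot.
    # CurrentControlSet is the live alias of the ControlSet001 path named in the post.
    Set-ItemProperty -Path $TcpipKey -Name 'IPEnableRouter' -Value 1 -Type DWord
    # Step c: static address on each adapter; only the network B side gets a default
    # gateway, so the firewall stays the single path to the Internet for both subnets.
    netsh interface ip set address name="Net A" static $RouterAIp $NetAMask
    netsh interface ip set address name="Net B" static $RouterBIp $NetBMask $FirewallIp 1
}

# Run on network B hosts that must reach network A (step e): at least the SQL Server
# and the B domain controller, unless the firewall can carry this route instead.
function Add-RouteToNetA {
    # -p makes the route persistent across reboots; next hop is the router's B-side adapter.
    route -p add $NetA mask $NetAMask $RouterBIp
}

# Checks to run afterwards: forwarding flag set, route present, network A reachable.
function Test-LanRouting {
    $flag = (Get-ItemProperty -Path $TcpipKey).IPEnableRouter
    Write-Output "IPEnableRouter = $flag (expect 1 after reboot on the router box)"
    route print | Select-String -SimpleMatch $NetA
    Test-Connection -ComputerName $RouterAIp -Count 2 -Quiet
}
```

Enable-LanRouter runs on the router box, Add-RouteToNetA on each B-side host that needs network A, and Test-LanRouting on either to confirm the setup.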
 
Buy a Router (a *real* router, a LAN router, not some Cable/DSL NAT box)
1. Place the Router between the two subnets
2. No static routes, no routing protocols are used. Both subnets are
directly connected to the router, so it already knows where they are.
3. All Clients on both networks use the LAN router as the Default
Gateway
4. The LAN router uses the Firewall as its Default Gateway

The Firewall
1. Does not matter which subnet it is in as long as the LAN router knows
where it is because it will be the LAN router's Default Gateway.
2. It will need a static route pointing at the LAN router as a path to
get to the opposite subnet from the subnet the firewall is in. It doesn't
matter which subnet is which, the principle doesn't change.

The SQL Server.
1. Almost irrelevant. Put it wherever you want, it doesn't matter. Who
can access the SQL Server is controlled by the SQL Server Service's own
security features that are already built into SQL Server. It is also
capable of leveraging Domain Level Security from the DCs.

2. Subnets, routers, and IP#s have nothing to do with it.

Security
1. Controlled by the respective Domain Controller of each domain and the
NTFS filesystem permissions that are controlled by the DCs. Depending on how
you handle that, the SQL Server, which can also leverage the security provided
by the DCs, may be affected by how you do this.

2. Simply put, users cannot access anything their credentials aren't
given permission to. As with the SQL Server,... subnets, routers, and IP#s
have nothing to do with it. In special cases you can use ACLs on the LAN
Router, but in a well designed security system that should not be required
in such a simple two-subnet LAN like this.
 
You have three possible configurations:

You can plug both networks together and just tell
the firewall about both of them (assuming it is capable
of handling that.) Since the domains (I presume)
don't have a trust setup, they won't be talking to each
other.

The SQL box doesn't have to be domain-joined to be
accessible for data service to other machines (a computer can
only be joined to one domain), and it will be accessible through
the firewall to both networks, providing -- again -- that you
have a firewall capable of this type of multi-LAN-network routing.

However, the thing people sometimes dislike about this
setup is that users can "see" the other LAN's network servers
in network neighborhood, and if there are any security
lapses they may be able to access resources.

So one better alternative is to put a little broadband NAT router
at the front of each network where they interconnect. The
firewall then routes to these boxes, which shield their
networks from each other.

I've used this above type of setup in a shared office with
5 different companies and it works quite well. You can
pinhole ports through the NAT router for the SQL box
to be accessed from the other network, or give it its own
IP and connect it in the DMZ area between the firewall
and the routers.

Yet another way is to get -- if yours isn't already one -- a
3-port firewall like a Sonicwall TZ170, Checkpoint, Symantec 200,
etc. You can connect one LAN network to the LAN port and the other
network to the "Option" or "DMZ" port as it is usually termed, and
set up rules to route traffic between them as needed.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Thanks guys.

1. I think I'm going to put a LAN router between the 2 boxes, then to
the firewall.
I have a Netgear FVS328 firewall and a Dlink Dss+ unmanaged switch.
Will the FVS328 handle it?

2. Can you recommend some REAL LAN routers that don't cost an arm and
a leg? (and has a GUI interface. I prefer not a lot of programming,
sorry)

3. Also, how about consolidating both servers and use 2003 Advanced
server. That can manage more than one domain, correct? Is that
difficult to setup?

Thanks again and for your detailed suggestions.

Garett
 
Garett said:
2. Can you recommend some REAL LAN routers that don't cost an arm and
a leg? (and has a GUI interface. I prefer not a lot of programming,
sorry)

They all cost $$$. I doubt any have a GUI. It doesn't require
programming skills, typical programmers wouldn't know what to do with a
router (no offence to them). They are a command line interface via Telnet
that is similar to using DOS.

But.....
The simplest LAN router (that has a GUI) would be an old NT4.0 Workstation
with two NICs and "IP Forwarding" enabled in the TCP/IP settings. The term
IP Forwarding refers to *normal* Layer3 routing, *not* the Static-NAT
abilities of Firewalls and Internet NAT Device where you often see the term
misused and abused.

You could do this with 2 NICs in Server2000 or 2003 with RRAS as well. That
is what RRAS is designed to do.
3. Also, how about consolidating both servers and use 2003 Advanced
server. That can manage more than one domain, correct? Is that
difficult to setup?

I have no idea what that question means.
 
Hope I get this off as clear as possible:

* Moving 1 company( A COMPANY) network(25 users, 1 win2k server) to
location where B company is(15 users). At LOCATION B, both A and B
have separate win2k servers w/different IP addresses, diff subnets,
different domains. At location B, there is 1 firewall out to the net
via DSL.
Also, there is a SQL server w/ accounting data on it where BOTH
companies have to pull from.

GOAL:

To have each company under their own SERVER(and domain) and IP, both
go out through the 1 firewall, and have both companies(domains) attach
and pull data from the single SQL accounting server(which can be a
member of either domain), and they are both in the same server room
location using the same firewall and switch.

What do I need to do to make both domains work under 1 firewall?

Either firewall that can accept multiple LAN addresses, or a router
between the two domain networks and the firewall.
How can I allow both domains to attach to the SQL server and grab data
off it?

Use SQL Authorization and you're out of any domain login issues, or if
you use Windows authentication you'll need to set up trusts.

By the way, there's no reason that two separate logical networks can't
use the same physical network. All your systems can be on the same
cabling and switches and still separated.

You can also drop everything into the same logical network, easing
your routing to the internet, and use domain security to separate
them.

Jeff
 