configure Windows 2000 Server with RAS and Active Directory

  • Thread starter: Cheolieces Shannon

Cheolieces Shannon

Hello,

I am totally new to this concept. I have heard you can
have a Windows 2000 machine with Active Directory and RAS
in one machine. I have a server with 2 NICs. The server
was set up with an internal IP and on a switch with 2
workstations. The 2nd NIC was setup for external Internet
use.

I was told that you either have to have a VPN server for
authentication or you can authenticate with Active
Directory setup on a Windows 2000 server. Question is, does
this mean I can have both on one machine, or do I have to
have 2 separate machines with 2000 Server? I really need
to set this up and test it as my company is going to task
us with this in a few short weeks.

Any help will be appreciated. If someone has a step-by-step
information sheet on how to properly set up the Server
with Active Directory and the network, so all computers
have an internal IP and are capable of getting on the
Internet, and also how to run RAS on the same machine,
please share this with me.

I have a cable modem and a Dynamic IP.

Thanks,
Che
 
I presently have 1 server - it does everything. DC, DHCP, DNS, AD, RRAS, and
soon it will also have Exchange Server on it - but I have been told that
having the domain controller on the Internet is bad, especially as far as
security goes.

Have fun :)
Colin
 
Well since I was told the same thing, can I use my WINNT
4.0 Server as a RAS Server?

Internet->Router->WINNT 4.0 (RAS SERVER)->Private Network->
WIN2000 Server (PDC/AD) + 2 Workstations
 
This is actually a quite common situation on small networks, even if
everyone (me too) agrees it's somewhat insecure.

You should install the OS in a very basic way (no services at all, almost
only the Accessories group), fully setup the hardware and properly configure
the two NICs on the server, one with private IP addresses (such as
192.168.0.1/255.255.255.0) and the other with the Internet one. Then you
should apply service pack 4 (unless you installed from a CD with SP4
slipstreamed, which I personally recommend) and do a full
Windows Update. And be careful about the Blaster worm, until you do this.

After the OS is ready, you should run DCPROMO.EXE to create an Active
Directory domain, naming it something like mydomain.local, since I don't
think you have a DNS domain registered to your company; if you have one, use
that. During the AD installation, when the wizard asks you if you want to
set up DNS on the server, answer yes and then let the process complete.
Reboot, and your domain is ready for operation.

Now you should set up routing, so you'll need to open the Routing and Remote
Access Service console, right-click on your server's name and choose to
create a NAT router to connect your private network to the Internet. Do this
(the wizard is quite straightforward), and then right-click again on your
server's name, go to the properties page and enable remote access.

Next comes DHCP: install it (through Windows Components installation in
Control Panel), run the administration console and create a new scope with
your subnet's addresses, being careful to exclude the server's IP. Configure
the DNS and default gateway to be your server's IP, authorize the server
(right-click on it to find the option) and now your clients should be able
to obtain their addresses and to use the Internet too.

Now you can install other server software like IIS or Exchange, if you need
it... but you'll find it quite useless if you don't have a static public
IP and a registered domain name, so I won't cover that here.

Finally you will setup client computers and join them to the domain, create
user accounts, set policies and so on.

Regarding the VPN, if you configured the server right, it'll be enough for
your remote users to establish a VPN connection to your public IP (you'll
have to track it, since it's dynamic) and authenticate using their AD
accounts.

I think it's best if you do some tests with a spare machine, before you try
to setup all of this on a production system... feel free to ask if you need
more help.

Massimo
 
I forgot a very important step here: as soon as you have the DNS service
running, you should open the DNS console, where you'll find two forward
lookup zones, one for the domain you configured and another called "."
(dot). You should delete this one, otherwise the server will think it's a
root server and refuse to answer internet-related queries. Restart the DNS
service, and you're ok.
Never understood why Microsoft decided this was a good default...
fortunately it was removed in Windows 2003.

Another thing: it would also be good to create a reverse lookup zone for your
private subnet's addresses; when doing this, choose it to be AD-integrated.

Massimo
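The NAT, DHCP, DNS and remote-access steps from Massimo's two posts above, as an added example in the form of a batch file for the server's command prompt; this is not code from the thread. It uses only tools that ship with Windows 2000 Server (netsh) or its Support Tools (dnscmd.exe, from Support\Tools on the CD). Assumed values that are not in the posts: the two NIC connections have been renamed "Private" (192.168.0.1/24, as in the post) and "Public" (the cable-modem side), the server is called SERVER, the domain is mydomain.local as suggested, the lease range is 192.168.0.10-192.168.0.200, and the dial-in user is called che. DCPROMO and the "enable remote access" checkbox in the RRAS console are still done through the wizards first; the commands below follow them.

```batch
@echo off
rem Added example, not from the thread. Run on the Windows 2000 server after
rem DCPROMO has finished and RRAS has been enabled from its console.
rem Assumed names: connections "Private" (192.168.0.1/24) and "Public";
rem server SERVER; domain mydomain.local; dial-in user che.

rem --- 1. DNS: delete the "." zone that makes the server believe it is a root
rem        server, add an AD-integrated reverse zone for 192.168.0.0/24, restart.
dnscmd SERVER /EnumZones
dnscmd SERVER /ZoneDelete . /f
dnscmd SERVER /ZoneAdd 0.168.192.in-addr.arpa /DsPrimary
net stop dns
net start dns
rem Check: "." must no longer be listed and 0.168.192.in-addr.arpa must appear.
dnscmd SERVER /EnumZones

rem --- 2. NAT: "Public" does the translation, "Private" is the LAN side.
netsh routing ip nat install
netsh routing ip nat add interface name="Public" mode=full
netsh routing ip nat add interface name="Private" mode=private
netsh routing ip nat show interface

rem --- 3. DHCP: one scope for the private subnet, the server's own address
rem        excluded, server as default gateway (003) and DNS (006), AD domain
rem        as DNS suffix (015); then activate the scope.
netsh dhcp server add scope 192.168.0.0 255.255.255.0 "LAN" "Private subnet"
netsh dhcp server scope 192.168.0.0 add iprange 192.168.0.10 192.168.0.200
netsh dhcp server scope 192.168.0.0 add excluderange 192.168.0.1 192.168.0.9
netsh dhcp server scope 192.168.0.0 set optionvalue 003 IPADDRESS 192.168.0.1
netsh dhcp server scope 192.168.0.0 set optionvalue 006 IPADDRESS 192.168.0.1
netsh dhcp server scope 192.168.0.0 set optionvalue 015 STRING mydomain.local
netsh dhcp server scope 192.168.0.0 set state 1
rem Authorize the DHCP server in Active Directory; an unauthorized server
rem in an AD domain will not hand out leases.
netsh dhcp add server server.mydomain.local 192.168.0.1
netsh dhcp show server

rem --- 4. Remote access: allow the AD user to dial in over VPN, then confirm
rem        the PPTP listener is up on TCP 1723 (GRE, IP protocol 47, carries
rem        the tunnel itself and must also pass any firewall in front).
netsh ras set user name=che dialin=permit
netstat -an | find ":1723"
```

Each section ends with a show/enumerate command so the result can be checked before moving on. If the LAN clients can resolve internal names but not Internet ones after step 1, the "." zone was not deleted before the DNS service was restarted; run the EnumZones check again.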
 
Some security tips, more or less related to this configuration:

- Put your server behind a firewall. You're connecting it to the Internet,
so it will be directly addressable and accessible for everyone. If you don't
have a firewall (which I think you don't have), consider A) buying one
(which can be expensive) or B) switching to Windows Server 2003, which has
excellent integrated firewall capabilities *and* it's also a lot better than
Windows 2000 Server in many other ways.
- Even if you have a firewall (and more than ever if you don't have one),
don't install anything unless it's absolutely needed. I'm talking about IIS
and everything else that comes on the Windows 2000 CD, but also about any
other server software. Every open port is a potential security hole, and
this is your one and only server, so keep it as secure as possible.
Speaking of this: remember to disable file and print sharing on the public
network interface, you won't need them there.
- Stay up to date with security patches. Remember that until you install
patch 823980 you're vulnerable to the Blaster worm which is still alive and
kicking, so download it using another computer and apply it to the server
before even *thinking* about connecting it to the Internet.
- Choose a strong Administrator password, and rename your domain
Administrator account to something else.
- Back up your DC. If you can't afford a tape device, do it on a network
share, on CDs, on paper, but for God's sake, *BACK IT UP*. This is the
second most important thing on your network, sitting right in the middle
between your company's core-business data and your boss's MP3s. If you lose
it, every user on the network will be unable to do anything. You'll have to
re-create the domain and the users, and to re-join every computer to the new
domain, since you'll lose the SIDs for the old one. I'm coming from a week
spent on rebuilding from scratch a customer's network after a DC disk
failure (two mirrored disks failed at once... did anyone say "cheap
hardware" ?), and this was absolutely *no fun*.

Massimo
 
Microsoft say that, but then they go and sell Small
Business Server which does EXACTLY that! :-) go figure!

Just need to be more vigilant with security, is all
 
Yes, Microsoft do recommend not doing all this on one server if you can
avoid it. And there are very good reasons for not making your first DC a
router or remote access server. But they also acknowledge that some people
need a single-server system.
 
It's just the easiest and cheapest solution for companies that can't afford
more than one server :-)

Massimo
 
I wanted to say thanks. I tried doing all of this and
everything works except the VPN. I have a firewall VPN
router, but I think this is the issue. Linksys's BEFVP41
seems to only like IPSec, and not PPTP. So I'm going to
look around. The VPN seems to be the only issue at the
moment, but I thank you for all the help.

Cheo S
 
Try removing the firewall and directly connecting the server's public
interface to the Internet.
If this works, then you'll simply need to find a way to open the right port
on the firewall.
I don't recommend using the firewall for VPN, since it could be quite
difficult to have it authenticate users against the Windows domain.

Massimo
 