DNS and DMZ zone problem

Thread starter: Arne And

Arne And

Hi

I have a Windows 2000 server that is a DC in my DMZ zone. I have now
installed a new server in the same DMZ zone (Windows 2003 server) that
joined my domain.

That worked fine, except that when I am trying to connect to the internet my
2003 server can't find any sites.

I don't have to install a DNS server on my 2003 server when it is already
installed on my DC (Win2000)?

I can ping my DC, and my Default Gateway, but not on the internet.

what can I do?

-regards

-AA-
 
Arne said:
Hi

I have a Windows 2000 server that is a DC in my DMZ zone. I have now
installed a new server in the same DMZ zone (Windows 2003 server) that
joined my domain.

Why do you have DCs in your DMZ?
That worked fine, except that when I am trying to connect to the
internet my 2003 server can't find any sites.

I don't have to install a DNS server on my 2003 server when it is
already installed on my DC (Win2000)?

No - as long as you point to the correct DNS server in that new server's IP
config. As in, the DC's IP. Can you ping anything on the Internet by IP? As
in, a public DNS server?
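One way to test the DNS half of this advice (point the new server at the DC's DNS and see whether names resolve), as an added example that is not from the thread: it sends a raw A query to the DC's DNS server and classifies the reply, so a DNS failure is separated from a routing failure. It assumes the DC's DNS is meant to resolve Internet names through forwarders or root hints reachable through the DMZ firewall, which the thread does not state.

```python
"""Added example, not from the thread: probe the DNS server a member server points at.
Sends a raw A query to the DC's DNS (assumed to resolve Internet names via forwarders
or root hints through the DMZ firewall) and separates a DNS failure from routing."""
import socket
import struct

TXID = 0x1234  # constructed transaction id; a real client randomises it

def build_query(name, txid=TXID):
    """Standard recursive A query (flags 0x0100 = RD set) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data, txid=TXID):
    """Extract the diagnostic fields from a DNS response header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x0080), "answers": an}

def diagnose(hdr):
    """Map a parsed reply (None = timeout) to the next thing to check."""
    if hdr is None:
        return "no reply: wrong DNS address on the NIC, or UDP/53 to the DC is blocked"
    if not hdr["ra"]:
        return "no recursion: configure forwarders or root hints on the DC's DNS"
    if hdr["rcode"] == 2:
        return "SERVFAIL: the DC cannot reach forwarders/root servers (outbound 53 from DMZ)"
    if hdr["rcode"] == 3:
        return "NXDOMAIN: name does not exist, resolution itself works"
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "resolved: DNS works, check routing/NAT from the DMZ to the Internet"
    return "unexpected rcode %d with %d answers" % (hdr["rcode"], hdr["answers"])

def probe(dns_server, name="www.example.com", timeout=3.0):
    """Query `dns_server` (the DC's IP) over UDP and return the diagnosis."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (dns_server, 53))
        data, _ = sock.recvfrom(512)
        return diagnose(parse_header(data))
    except socket.timeout:
        return diagnose(None)
    finally:
        sock.close()
```

Run `probe("<DC IP>")` from the new member server; a "resolved" result with sites still unreachable means the problem is routing, not DNS.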
 
we have a lot of users that get stuff from us from our ftp site.

When we have just a server that is in a workgroup, it's much harder to
restore users or have a failover compared to a DC.

-aa-


 
Arne said:
we have a lot of users that get stuff from us from our ftp site.

Dangerous. Don't put DCs in your DMZ, and don't host a public FTP site on
your LAN, whether on a DC or member server or standalone server. Keep your
domain controllers entirely within your LAN, and stick a separate FTP server
in your DMZ (doesn't have to be a Windows box at all), and don't open up any
ports inbound from your DMZ to LAN (although opening up FTP the other way
around is fine, so your users can transfer files to the FTP server from
machines within the LAN).
When we have just a server that is in a workgroup, it's much harder to
restore users or have a failover compared to a DC.

You're asking for major trouble with your existing config from a security
standpoint.

 
Hmmm well, if I have just an FTP server in my DMZ, and it's packed with 100
users that have their own username and password and their own folder on my
FTP site, it's a hell of a lot of admin work to manage all this when the server
is only a member server.

Let's say that I have a server crash, and I have to restore... It would be
easier to have a DC there, then it would have all the user accounts on the
second DC. While on the member server I would have to punch them all in
manually...

or am I way off here....

Regards

-AA-

 
Arne said:
Hmmm well, if I have just an FTP server in my DMZ, and it's packed with
100 users that have their own username and password and their own
folder on my FTP site, it's a hell of a lot of admin work to manage all
this when the server is only a member server.

It shouldn't be a member server, either. Many would say it shouldn't even be
a Windows server - I tend to agree.
Let's say that I have a server crash, and I have to restore... It would
be easier to have a DC there, then it would have all the
user accounts on the second DC. While on the member server I would have
to punch them all in manually...

or am I way off here....

Wait. Why do these external FTP users need to be users in your domain? It is
*your* domain - connected to the domain you use on the LAN side, right?
What's open between DMZ and LAN, and between WAN and DMZ, etc? I'm presuming
the DMZ is between your Internet connection and LAN, and not between two
trusted networks...correct me if I'm wrong.

I'm not sure why you can't just do regular full backups of whatever
standalone FTP server you run (OS, account database, data and everything)
and do any needed restores that way...even if you want a Windows FTP server,
you can make it totally standalone, make sure that nobody can get to your
LAN from the Internet even via the DMZ, etc. and do your backups of that
server separately.

This sounds like a bad setup to me. Unless I've completely misunderstood
you, and this domain exists solely for the purpose of supporting this FTP
server, and does not touch your internal domain/network at all. In which
case I still have to say I think it's overkill...
 
Arne And said:
Hmmm well, if I have just an FTP server in my DMZ, and it's
packed with 100 users that have their own username and
password and their own folder on my FTP site, it's a hell
of a lot of admin work to manage all this when the server is
only a member server.

You need to rethink this: a member server gets its ACL accounts from its
Domain Controller. You can also use local accounts, but it is not required to
use local accounts.
Let's say that I have a server crash, and I have to
restore... It would be easier to have a DC there, then
it would have all the user accounts on the second DC. While
on the member server I would have to punch them all in
manually...

If the member server crashes and dies, it is a whole lot simpler and easier
to revive it from the dead, even on brand new hardware. If a DC crashes and
dies you'll have to remove all traces of it from AD before you can re-use
its name, unless you have a current, up-to-date backup of the dead DC. If any
of the backup data is more than sixty days old, don't even attempt to
restore from your backup.
I went through that this past week with someone who restored one DC from a
three month old backup. The two DCs totally refused to replicate with each
other because the data on the restored DC was older than the sixty day
tombstone life. The only way out was to do a force removal of AD on the
restored DC, do a metadata cleanup on the other DC, then DCPromo the
restored-from-backup DC back into the domain. This was a six hour process by itself.
or am I way off here....
You are.
 
I have 2 domains in my LAN. One is where all the users that work in the
corporation are, and I have a different domain in my DMZ.

The DMZ is between your Internet connection and LAN, and not between two
trusted networks.

I have only allowed access to send FTP from my internal domain to the domain
in the DMZ. From the DMZ I have not opened up anything.

Well, my intention was failover and easy backup of users for my domain in
the DMZ. If I had 2 servers in there (2 DCs) and had replicated everything
on my web/FTP server to the second one, then if the original server went down
the other one could take over. Just route everything to the second server.

The users that are in my DMZ zone don't have anything to do with my domain on
the inside.

If I just have a Windows 2003 server with IIS installed etc., I have to use
local users and groups to set up my 100 external users. If that server went
down, rebuilding it would take a lot of time.

But is there a better way then, to have 2 Win2003 servers that are configured
exactly the same, but one is not plugged in to my DMZ? If the original
web server should go down, then I could just boot up the "cold" one. But it
would be much more work to keep those servers alike (one online and the
other not).

So what you recommend is just one standalone server, and back up the system
state and IIS, and use that to restore the server?



Regards



-AA-
 
That's what I'd do, if this indeed had to be a Windows server in the first
place, which it doesn't need to be. If someone hacks your DMZ, all your DCs
are probably toast anyway - and although I do now understand your setup
(which you didn't explain clearly in your first post, hence my erroneous
assumptions), I still think it sounds like it isn't optimal. Also, it sounds
expensive. Do you have CALs for each of these 100 users in your DMZ domain?
You need them. I probably wouldn't use Windows/IIS for this server at all.
 