Mom & Pop Setup

Thread starter: Google Mike

Google Mike

I need some help on your almost average mom & pop shop DNS setup. I'm
just an MCSD, a programmer, and I goof around a lot with Linux too.
I'm helping out on a gig.

* They have about 25 workstations.
* They already have a firewall -- it's a tiny box on the router.
* They already have a router to an ISP -- it's a Cisco.
* The firewall is between the router and the rest of their network.
* They need a Win 2000 DNS server and a domain controller, and are too
cheap to separate the two, so it is on the same box, unfortunately.
Also, there's no BDC or second DNS server -- again, too cheap to
afford it.
* They have a separate database server.
* They have some weird medical billing application that requires all
workstations have static IP addresses.

Questions:

1. I believe they'll not need WINS anymore because this is Windows
2000, right?

2. The DNS server needs no reverse lookup zone, right?

3. The DNS server needs to be set up with a forward lookup zone. It
needs 2 addresses. The first one points to itself. The second one
points to the firewall. Right?

4. This is easy to set up via the Wizard in the DNS MMC, right?

5. If you have more than one DNS, then each DNS's first address in the
forward lookup zone must be the other DNS server's, and the second
address is the firewall, right?

6. When we set up the W2K workstations, they need to be mapped with a
default gateway and DNS set to the DNS/PDC server, right? They will
not have any WINS server addresses, but we should enable NetBIOS over
TCP/IP.

7. Anything else I should note about this?

8. Now, unfortunately, the customer didn't have Win 2000, so we used
Win 2003 Ent Edition eval for the time being. (Ugh -- more frustration
with this client.) Is there something funky about 2003? We set it up
with the DNS setup as in question #3 and it wasn't working. The W2K
workstations were extremely problematic when trying to add these to
the domain -- some worked, while others did not. Some worked if you
repeated the same task over and over again of moving it from workgroup
"workgroup" to the domain. Then, once the workstation was added to the
domain, logins were extremely slow. Are these symptoms of (a) Win
2003, (b) both Win 2000 and Win 2003 unless you do something, or (c)
just a misconfiguration in our DNS setup?

9. We bailed on getting the DNS/Domain Controller setup. We
reconfigured this as a workgroup and then stopped the license logging
service on the database server just to get some sleep. The trick
worked, but it's not the recommended thing, right?

10. Wouldn't you say that one of the motivating factors for Microsoft
to introduce a domain controller concept is so that people are forced
to pay for it? I'm aware that it is a way to synchronize passwords,
but for small shops, a PDC is pretty expensive. I just think that with
Linux, I don't have this issue and this expense.
 
Google Mike said:
> I need some help on your almost average mom & pop shop DNS setup. I'm
> just an MCSD, a programmer, and I goof around a lot with Linux too.
> I'm helping out on a gig.
>
> * They have about 25 workstations.
> * They already have a firewall -- it's a tiny box on the router.
> * They already have a router to an ISP -- it's a Cisco.
> * The firewall is between the router and the rest of their network.
> * They need a Win 2000 DNS server and a domain controller, and are too
> cheap to separate the two, so it is on the same box, unfortunately.

It's not necessary, nor even the best practice, to separate them for
internal use.

Some MS DNS features aren't even available unless the DNS is on a DC.

> Also, there's no BDC or second DNS server -- again, too cheap to
> afford it.

That's cheap -- when a serviceable second 'server' could be had for $200
plus software.

> * They have a separate database server.

For this load, the db server could be the second DC/DNS (only 25 clients.)

> * They have some weird medical billing application that requires all
> workstations have static IP addresses.
>
> Questions:

> 1. I believe they'll not need WINS anymore because this is Windows
> 2000, right?

Not necessarily true. They (probably) don't need WINS because they
likely have a single segment network (only one subnet.)

WINS is still commonly needed in Win2000/Win2003 ROUTED
networks.

> 2. The DNS server needs no reverse lookup zone, right?

It probably isn't essential, but it is a good idea to set it up for most
situations and only takes five minutes to make (all) the private ranges
into reverse zones.
> 3. The DNS server needs to be set up with a forward lookup zone.

The Forward zone (really must already exist since you have a Win2000
Domain) must be Dynamic.

The DC/DNS server must point its OWN "client" properties at ITSELF
and at NO "external" DNS. It probably should use the ISP DNS as its
"forwarder" (on the Server properties Forwarder tab.)

> It needs 2 addresses. The first one points to itself. The second one
> points to the firewall. Right?

This doesn't make sense. The forward zone needs an SOA and NS
records for each DNS server that holds the zone, but these are done
by the MMC when you create it (mostly.)

Then of course you add the manual A-host records you need; and since
it must be DYNAMIC the DCs and other stations can register
themselves too.

> 4. This is easy to set up via the Wizard in the DNS MMC, right?

Yes. Even the reverse zones will only take five minutes if you do them
all, (10-net, 192.168, and all the 172.16-31 plus 169.254.x.y)
> 5. If you have more than one DNS, then each DNS's first address in the
> forward lookup zone must be the other DNS server's, and the second
> address is the firewall, right?

Each server for a Zone has an EXACT copy of that zone, copied to the
secondaries from the master (perhaps the Primary), but you only have
one DNS server.

The firewall address is pretty irrelevant (for internal purposes) to DNS
here.

> 6. When we set up the W2K workstations, they need to be mapped with a
> default gateway and DNS set to the DNS/PDC server, right?

Right.

> They will
> not have any WINS server addresses, but we should enable NetBIOS over
> TCP/IP.

If you have a "routed internal" environment then you likely need WINS and
the corresponding setup.

> 7. Anything else I should note about this?

You will probably have more questions after reading the above.

> 8. Now, unfortunately, the customer didn't have Win 2000, so we used
> Win 2003 Ent Edition eval for the time being. (Ugh -- more frustration
> with this client.) Is there something funky about 2003?

No, it is mostly just Win2000 only better.

> We set it up
> with the DNS setup as in question #3 and it wasn't working. The W2K
> workstations were extremely problematic when trying to add these to
> the domain -- some worked, while others did not.

Usually this is because
1) DNS not dynamic
2) DC server's own client settings not pointed at (itself) the
internal DNS server ONLY
3) Other "clients" not pointed ONLY at this internal DNS server
4) "one tag" domain names, e.g., Domain and not the correct
"Domain.Com" (note, you will usually have a NetBIOS or legacy name of
"DOMAIN" when you use Domain.Com for the DNS name -- we are
talking about the DNS name, which must be at least 2 tags -- or more.)

If you change 1 or 2, then RESTART the "netlogon" service on the DC
as this is what registers the "special" DNS records needed in the Win2000+
domains.

> Some worked if you
> repeated the same task over and over again of moving it from workgroup
> "workgroup" to the domain. Then, once the workstation was added to the
> domain, logins were extremely slow. Are these symptoms of (a) Win
> 2003, (b) both Win 2000 and Win 2003 unless you do something, or (c)
> just a misconfiguration in our DNS setup?

It's almost always because the DNS isn't set up correctly.

> 9. We bailed on getting the DNS/Domain Controller setup. We
> reconfigured this as a workgroup and then stopped the license logging
> service on the database server just to get some sleep. The trick
> worked, but it's not the recommended thing, right?

Right. You need to get the DNS correct -- as you have likely guessed or
understood from the above.
> 10. Wouldn't you say that one of the motivating factors for Microsoft
> to introduce a domain controller concept is so that people are forced
> to pay for it?

No, they introduced the services of a DC because people would want
those features and CHOOSE to pay for it.

Just like car manufacturers put features on automobiles hoping people
will pay for them.

> I'm aware that it is a way to synchronize passwords,
> but for small shops, a PDC is pretty expensive. I just think that with
> Linux, I don't have this issue and this expense.

True, you don't have that OS expense -- but the "issues" are due to
inexperience (on your part), just as someone who knows nothing about
Linux can muck that up too.

[Tyros are everywhere; some think they are pundits.]

The real expense is management over time -- this is why many
companies can make money "selling Linux" to those who need help,
support, or hardware to run Linux.
 
> Also, there's no BDC or second DNS server -- again, too cheap to
> afford it.

Obviously, that is a mistake. How "cheap" would it be to lose the box and
not have login access? I would push on that point a little more if
possible.

> 1. I believe they'll not need WINS anymore because this is Windows
> 2000, right?

They will probably still need WINS for browsing in nethood, etc.

> 2. The DNS server needs no reverse lookup zone, right?

Correct. No requirement for a reverse zone unless an app requires it.

> 3. The DNS server needs to be set up with a forward lookup zone. It
> needs 2 addresses. The first one points to itself. The second one
> points to the firewall. Right?

No. The DNS Server IP address in the TCP properties should point to itself
only. This is used by client utils on the box like IE, ping, nslookup and
registration (so it can register itself in DNS.) All clients should point
to this box for DNS only. If you also need Internet resolution, then set up
the DNS server to forward to the ISP DNS IP and/or use root hints.

> 4. This is easy to set up via the Wizard in the DNS MMC, right?

DNS specific things are easy to set up in the DNS MMC. The DNS Servers (as
shown in ipconfig /all) need to be set up in the TCP properties tab.

> 5. If you have more than one DNS, then each DNS's first address in the
> forward lookup zone must be the other DNS server's, and the second
> address is the firewall, right?

No. Don't point anything at the firewall except for the default gateway (if
that is your default gateway.) If the firewall also can act as a DNS proxy
then you can forward to that or forward to the ISP's DNS server if you allow
that in the firewall. Is the firewall a proxy server or a NAT?
> 6. When we set up the W2K workstations, they need to be mapped with a
> default gateway and DNS set to the DNS/PDC server, right? They will
> not have any WINS server addresses, but we should enable NetBIOS over
> TCP/IP.

On a single LAN segment you don't need WINS, but you should keep NBT on if
you want to browse, which I would recommend. Point the clients' default
gateway to the firewall (if that is the gateway and you want outbound Internet
access.) Set the DNS server IP on the clients to the DNS/PDC IP.

> 7. Anything else I should note about this?

Enable dynamic update on the zone and make sure the Primary DNS suffix is
set to the same as the AD domain name before you run dcpromo. Check this
with "ipconfig /all".

> 8. Now, unfortunately, the customer didn't have Win 2000, so we used
> Win 2003 Ent Edition eval for the time being. (Ugh -- more frustration
> with this client.) Is there something funky about 2003? We set it up
> with the DNS setup as in question #3 and it wasn't working. The W2K
> workstations were extremely problematic when trying to add these to
> the domain -- some worked, while others did not. Some worked if you
> repeated the same task over and over again of moving it from workgroup
> "workgroup" to the domain. Then, once the workstation was added to the
> domain, logins were extremely slow. Are these symptoms of (a) Win
> 2003, (b) both Win 2000 and Win 2003 unless you do something, or (c)
> just a misconfiguration in our DNS setup?

Probably because of misconfig on clients regarding the DNS Server IP
addresses. Make sure clients only point to the single internal DNS IP.

> 9. We bailed on getting the DNS/Domain Controller setup. We
> reconfigured this as a workgroup and then stopped the license logging
> service on the database server just to get some sleep. The trick
> worked, but it's not the recommended thing, right?

Workgroup can work for simple file sharing, etc. However, to get the
benefits of AD and a domain, you need an AD forest in w2k(3). Depends on
your needs. Do they want Group Policy, login scripts, better security, etc.?
If not, workgroups can work.

> 10. Wouldn't you say that one of the motivating factors for Microsoft
> to introduce a domain controller concept is so that people are forced
> to pay for it? I'm aware that it is a way to synchronize passwords,
> but for small shops, a PDC is pretty expensive. I just think that with
> Linux, I don't have this issue and this expense.

Depends what you need. If they need/want the features of a domain model,
then an AD domain is a great thing. However, if they just want to share
files then you can use w2k/NT server in a workgroup. For 25 users, they
probably are ready for a domain model. You have to pay for anything good.
You can use Linux or other to share files, but I wish you luck with
supporting that for Windows clients (it can be done, however.) Again, it
depends on what they want and how they may want to grow their network in the
future and what other services they will need (i.e. Exchange, SQL, backups,
GPO, etc.)
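The two replies above list the same prerequisites for the single DC/DNS box: the DC's own client DNS entry points only at itself, every workstation points only at that internal DNS server, the forward zone accepts dynamic updates, the AD DNS name has at least two labels and matches the machine's primary DNS suffix, external resolution goes through a forwarder, and netlogon registers the locator SRV records. The script below is an added example that checks those points in one pass; it is not code from either poster. It assumes a current Windows Server with the DnsServer module (on Windows 2000/2003 the same checks were done by hand with ipconfig /all, nslookup and dnscmd), and the domain name clinic.local and the address 192.168.1.10 are hypothetical placeholders.

```powershell
# Added example: verify the DNS prerequisites for a single DC/DNS server.
# Names and addresses are placeholders; run on the DC itself.
$AdDomain    = 'clinic.local'    # DNS name of the AD domain: two or more labels, never just 'CLINIC'
$InternalDns = '192.168.1.10'    # this box's own address (the only DNS server on the LAN)
$problems    = @()

# 1. "One tag" domain names break AD DNS registration; insist on at least two labels.
if (($AdDomain -split '\.').Count -lt 2) {
    $problems += "AD DNS name '$AdDomain' is single-label; use a name like clinic.local"
}

# 2. The primary DNS suffix (what ipconfig /all shows) must equal the AD domain before dcpromo.
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ($suffix -ne $AdDomain) {
    $problems += "Primary DNS suffix is '$suffix', expected '$AdDomain'"
}

# 3. The DC's own client settings must list ONLY the internal DNS server (itself).
#    The replies say "itself", meaning its real address, so a loopback entry is flagged too.
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses }
$foreign   = @($clientDns | Where-Object { $_ -ne $InternalDns })
if ($foreign.Count -gt 0) {
    $problems += "Client DNS list contains servers other than $InternalDns : $($foreign -join ', ')"
}

# 4. The forward zone must exist and accept dynamic updates (Secure is the normal setting on a DC).
$zone = Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue
if (-not $zone) {
    $problems += "Forward zone '$AdDomain' does not exist on this server"
} elseif ($zone.DynamicUpdate -eq 'None') {
    $problems += "Zone '$AdDomain' rejects dynamic updates; run: Set-DnsServerPrimaryZone -Name $AdDomain -DynamicUpdate Secure"
}

# 5. Internet resolution belongs in the server's forwarder list, not in client settings.
$forwarders = @((Get-DnsServerForwarder).IPAddress)
if ($forwarders.Count -eq 0) {
    $problems += "No forwarder configured; add the ISP resolver with: Add-DnsServerForwarder -IPAddress <isp-dns>"
}

# 6. After dcpromo, netlogon registers the DC locator records; their absence is what makes
#    domain joins flaky and logons slow.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $InternalDns -ErrorAction SilentlyContinue
if (-not $srv) {
    $problems += "No _ldap._tcp.dc._msdcs.$AdDomain SRV record; fix items 2-4, then: Restart-Service Netlogon"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'DNS/DC prerequisites look correct.'
}
```

Before dcpromo only items 1 through 3 and 5 are meaningful; item 6 is expected to fail until the server has been promoted and netlogon has run once. If item 3 reports an external resolver in the client list, that is the configuration the thread warns about: lookups for the _msdcs records get sent to a server that cannot answer them, so some joins succeed and others time out.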
 
> Obviously, that is a mistake. How "cheap" would it be to lose the
> box and not have login access? I would push on that point a little
> more if possible.

You'd still have local login, wouldn't you? Login isn't by itself
compelling to me, but perhaps file services would be. OTOH, the question
then becomes how much down time can you afford? A tiny shop could probably
wait for the hardware to get replaced, but a medium shop (where I'd place
25 workstations) should have backup.
 
> That's cheap -- when a serviceable second 'server' could be had for $200
> plus software.

True, for 25 clients. But note that the server OS is a grand on top of
that. The hardware is cheap in comparison, assuming fairly low-end
hardware. Add a high-capacity tape drive and RAID controller with multiple
disks and the price begins to climb.
 
Google Mike wrote:
> * They have some weird medical billing application that requires all
> workstations have static IP addresses.

Use DHCP reservations. All the advantages of DHCP (central configuration)
but each workstation gets a fixed address. Only assign reservations for
workstations that run this app. The rest can use dynamic addresses.
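One way to set up the reservations suggested above, as an added example rather than the poster's own configuration: it assumes the DhcpServer PowerShell module on a current Windows DHCP server (Server 2012 or later; on 2000/2003 the same thing is done in the DHCP MMC under the scope's Reservations node). The scope, option values, workstation names and MAC addresses are constructed placeholders, and the scope options hand every client the DC/DNS box as its only DNS server and the firewall as the gateway, matching the advice earlier in the thread.

```powershell
# Added example: fixed addresses for the billing workstations via DHCP reservations.
# Scope, addresses, names and MACs are placeholders.
$ScopeId = '192.168.1.0'

# Create the scope once. Options push the single internal DNS server and the firewall
# as gateway to every client, so no workstation ends up pointed at an external resolver.
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange 192.168.1.50 -EndRange 192.168.1.200 -SubnetMask 255.255.255.0
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 192.168.1.1 -DnsServer 192.168.1.10 -DnsDomain 'clinic.local'
}

# Constructed list: only the machines that run the billing app get a reservation.
# A reserved address is never leased to any other client; everything else stays dynamic.
$billing = @(
    @{ Name = 'ws-billing-01'; Mac = '00-15-5D-01-00-01'; Ip = '192.168.1.51' },
    @{ Name = 'ws-billing-02'; Mac = '00-15-5D-01-00-02'; Ip = '192.168.1.52' },
    @{ Name = 'ws-billing-03'; Mac = '00-15-5D-01-00-03'; Ip = '192.168.1.53' }
)

foreach ($ws in $billing) {
    # Idempotent: skip MACs that already have a reservation in this scope.
    if (Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $ws.Mac -ErrorAction SilentlyContinue) {
        continue
    }
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $ws.Ip -ClientId $ws.Mac `
        -Name $ws.Name -Description 'billing app requires a fixed address'
}

# Review what is now reserved in the scope.
Get-DhcpServerv4Reservation -ScopeId $ScopeId | Format-Table Name, IPAddress, ClientId
```

Reservations are keyed on the MAC address, so a replaced network card means updating the ClientId rather than touching the workstation; the machine itself stays on plain DHCP and still gets the scope-wide DNS and gateway options.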
 
Kenneth Porter said:
> True, for 25 clients. But note that the server OS is a grand on top of
> that. The hardware is cheap in comparison, assuming fairly low-end
> hardware. Add a high-capacity tape drive and RAID controller with multiple
> disks and the price begins to climb.

He's talking about a company that won't spend another $200 to $500
on a "server" -- the OS cost is less than half a day of my consulting rate
and I am helping him for free.

It's a false argument for all but the "two node" network.
 
Sorry, I did mean login to the domain to use resources - local login usually
does not help much if you're using a server to share
resources/databases/files. I also guess it depends what is on the server.
If you can't get to a medical billing app because the server is down, that is
probably an issue for them (maybe not?) I 100% agree about the backup. One
day of down time could probably pay for it multiple times over.
 