DNS and DMZ zone problem

Archived from groups: microsoft.public.win2000.dns

Hi

I have a Windows 2000 server that is a DC in my DMZ zone. I have now
installed a new server in the same DMZ zone (Windows 2003 server) that
joined my domain.

That worked fine, except that when I am trying to connect to the Internet my
2003 server can't find any sites.

I don't have to install a DNS server on my 2003 server when it is already
installed on my DC (Win2000)?

I can ping my DC and my default gateway, but not the Internet.

What can I do?

-regards

-AA-
 

Arne And wrote:
> Hi
>
> I have a Windows 2000 server that is a DC in my DMZ zone. I have now
> installed a new server in the same DMZ zone (Windows 2003 server) that
> joined my domain.

Why do you have DCs in your DMZ?

>
> That worked fine, except that when I am trying to connect to the
> Internet my 2003 server can't find any sites.
>
> I don't have to install a DNS server on my 2003 server when it
> is already installed on my DC (Win2000)?

No - as long as you point to the correct DNS server in that new server's IP
config. As in, the DC's IP. Can you ping anything on the Internet by IP? As
in, a public DNS server?
>
> I can ping my DC and my default gateway, but not the Internet.
>
> What can I do?
>
> -regards
>
> -AA-
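The troubleshooting Lanwench describes (confirm the member server's DNS points at the DC, then separate a routing or firewall problem from a DNS problem by pinging by IP and resolving a name through the DC) as an added PowerShell example. This is not code from the thread; the DC address, the external test IP and the external hostname are placeholders to replace with your own, and the cmdlets need a current Windows Server rather than the 2000/2003 machines in the thread.

```powershell
# Added example, not from the original thread. Run on the new member server
# in the DMZ. All three defaults are placeholders.
param(
    [string]$DcAddress    = '10.0.1.10',       # placeholder: the DC that runs DNS for the DMZ domain
    [string]$ExternalIp   = '198.51.100.53',   # placeholder: any Internet host that answers ICMP
    [string]$ExternalFqdn = 'www.example.com'  # placeholder: any public name to resolve
)

# 1. Which DNS servers does this server actually use? In an AD domain it
#    should be the DC only; a public resolver here breaks domain lookups.
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $nics) {
    "{0}: DNS servers = {1}" -f $nic.InterfaceAlias, ($nic.ServerAddresses -join ', ')
    if ($nic.ServerAddresses -notcontains $DcAddress) {
        Write-Warning "Interface $($nic.InterfaceAlias) does not point at the DC ($DcAddress)."
    }
}

# 2. Can we reach the Internet by IP at all? If this fails the problem is
#    routing or the firewall between DMZ and WAN, not DNS.
$byIp = Test-Connection -ComputerName $ExternalIp -Count 2 -Quiet
"Ping $ExternalIp by address: $byIp"

# 3. Can the DC's DNS resolve an external name for us? If step 2 works but
#    this fails, the DC's DNS service has no working forwarders or root hints,
#    or the firewall blocks UDP/TCP 53 outbound from the DMZ.
try {
    $answer = Resolve-DnsName -Name $ExternalFqdn -Server $DcAddress -Type A -DnsOnly -ErrorAction Stop
    $addrs  = ($answer | Where-Object QueryType -eq 'A').IPAddress -join ', '
    "Resolved $ExternalFqdn via $DcAddress to: $addrs"
} catch {
    Write-Warning "DNS lookup of $ExternalFqdn via $DcAddress failed: $($_.Exception.Message)"
}
```

Read the three results together: a warning in step 1 means the member server was simply configured with the wrong resolver; success in step 2 with a failure in step 3 means the DC's DNS is the thing that cannot reach the Internet.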
 

We have a lot of users that get stuff from us from our FTP site.

When we have just a server that is in a workgroup, it's much harder to
restore users or have a failover compared to a DC.

-aa-


 

Arne And wrote:
> We have a lot of users that get stuff from us from our FTP site.

Dangerous. Don't put DCs in your DMZ, and don't host a public FTP site on
your LAN, whether on a DC or member server or standalone server. Keep your
domain controllers entirely within your LAN, and stick a separate FTP server
in your DMZ (doesn't have to be a Windows box at all), and don't open up any
ports inbound from your DMZ to LAN (although opening up FTP the other way
around is fine, so your users can transfer files to the FTP server from
machines within the LAN).
>
> When we have just a server that is in a workgroup, it's much harder to
> restore users or have a failover compared to a DC.

You're asking for major trouble with your existing config from a security
standpoint.


 

Hmm, well, if I have just an FTP server in my DMZ, and it's packed with 100
users that have their own username and password and their own folder on my
FTP site, it's a hell of a lot of admin work to manage all this when the server is
only a member server.

Let's say that I have a server crash and I have to restore. It would be
easier to have a DC there; then it would have all the user accounts on the
second DC, while on the member server I would have to punch them all in
manually....

Or am I way off here....

Regards

-AA-

 

Arne And wrote:
> Hmm, well, if I have just an FTP server in my DMZ, and it's packed with
> 100 users that have their own username and password and their own
> folder on my FTP site, it's a hell of a lot of admin work to manage all
> this when the server is only a member server.

It shouldn't be a member server, either. Many would say it shouldn't even be
a Windows server - I tend to agree.

>
> Let's say that I have a server crash and I have to restore. It would
> be easier to have a DC there; then it would have all the
> user accounts on the second DC, while on the member server I would have
> to punch them all in manually....
>
> Or am I way off here....

Wait. Why do these external FTP users need to be users in your domain? It is
*your* domain - connected to the domain you use on the LAN side, right?
What's open between DMZ and LAN, and between WAN and DMZ, etc.? I'm presuming
the DMZ is between your Internet connection and LAN, and not between two
trusted networks...correct me if I'm wrong.

I'm not sure why you can't just do regular full backups of whatever
standalone FTP server you run (OS, account database, data and everything)
and do any needed restores that way...even if you want a Windows FTP server,
you can make it totally standalone, make sure that nobody can get to your
LAN from the Internet even via the DMZ, etc., and do your backups of that
server separately.

This sounds like a bad setup to me. Unless I've completely misunderstood
you, and this domain exists solely for the purpose of supporting this FTP
server, and does not touch your internal domain/network at all. In which
case I still have to say I think it's overkill...

 

In news:yovMd.7164$Sl3.172968@news4.e.nsc.no,
Arne And <kjellhoy@start.no> commented
Then Kevin replied below:
> Hmm, well, if I have just an FTP server in my DMZ, and it's
> packed with 100 users that have their own username and
> password and their own folder on my FTP site, it's a hell
> of a lot of admin work to manage all this when the server is
> only a member server.

You need to rethink this: a member server gets its ACL accounts from its
Domain Controller. You can also use local accounts, but it is not required to
use local accounts.

> Let's say that I have a server crash and I have to
> restore. It would be easier to have a DC there; then
> it would have all the user accounts on the second DC, while
> on the member server I would have to punch them all in
> manually....
>

If the member server crashes and dies, it is a whole lot simpler and easier
to revive it from the dead, even on brand new hardware. If a DC crashes and
dies you'll have to remove all traces of it from AD before you can re-use
its name, unless you have a current, up-to-date backup of the dead DC. If any
of the backup data is more than sixty days old, don't even attempt to
restore from your backup.
I went through that this past week with someone who restored one DC from a
three-month-old backup. The two DCs totally refused to replicate with each
other because the data on the restored DC was older than the sixty-day
tombstone life. The only way out was to do a forced removal of AD on the
restored DC, do a metadata cleanup on the other DC, then DCPromo the DC that
had been restored from backup back into the domain. This was a six-hour
process by itself.

> Or am I way off here....
You are.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
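The check behind Kevin's warning, as an added PowerShell example that is not from the thread: read the forest's tombstone lifetime from the Directory Service object and compare it with the age of the backup you intend to restore before touching a dead DC. Kevin's sixty days is the built-in default that applies when the tombstoneLifetime attribute is unset; forests created on Windows Server 2003 SP1 and later default to 180 days, so read the attribute rather than assume a number. The backup date is a placeholder parameter, and the script needs the ActiveDirectory module on a DC that is still healthy.

```powershell
# Added example, not from the original thread. Run on a surviving DC (or a
# management host with RSAT) before restoring another DC from backup.
param(
    [datetime]$BackupTaken = (Get-Date).AddDays(-90)   # placeholder: date of the backup you want to restore
)
Import-Module ActiveDirectory

# The forest-wide tombstone lifetime lives on the Directory Service object
# in the Configuration partition.
$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

# If the attribute is not set, the forest uses the built-in default of 60 days.
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

$ageDays = [int]((Get-Date) - $BackupTaken).TotalDays
"Tombstone lifetime: $tsl days; backup is $ageDays days old."

if ($ageDays -ge $tsl) {
    # Objects deleted since the backup have already been tombstoned and
    # purged on the other DCs; restoring this image reintroduces them as
    # lingering objects and replication partners will refuse it.
    Write-Warning ("Backup is older than the tombstone lifetime. Do not restore it. " +
                   "Clean up the dead DC's metadata and promote a fresh DC instead.")
} else {
    "Backup is within the tombstone lifetime; a non-authoritative restore is possible."
}
```

The age comparison is the whole point: a backup that was fine last month can silently cross the tombstone lifetime while it sits on the shelf, which is exactly the situation Kevin describes.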
 

I have 2 domains in my LAN. One is where all the users that work in the
corporation are. And I have a different domain in my DMZ.

The DMZ is between your Internet connection and LAN, and not between two
trusted networks.

I have only allowed FTP from my internal domain to the domain in the DMZ.
From the DMZ I have not opened up anything.

Well, my intention was failover and easy backup of users for my domain in
the DMZ. If I had 2 servers in there (2 DCs) and I had replicated everything
on my web/FTP server to the second one, if the original server went down
the other one could take over. Just route everything to the second server.

The users that are in my DMZ zone don't have anything to do with my domain
on the inside.

If I just have a Windows 2003 server with IIS installed etc., I have to use
local users and groups to set up my 100 external users. If that server went
down, rebuilding it would take a lot of time.

But is there a better way, to have 2 Win2003 servers then that are
configured exactly the same, but one is not plugged in to my DMZ? If the
original web server should go down, then I could just boot up the "cold"
one. But it would be much more work to keep those servers alike (one online
and the other not).

So what you recommend is just one standalone server, and back up system
state and IIS, and use that to restore the server?

Regards

-AA-

 

Arne And wrote:
> I have 2 domains in my LAN. One is where all the users that work in
> the corporation are. And I have a different domain in my DMZ.
>
> The DMZ is between your Internet connection and LAN, and not between
> two trusted networks.
>
> I have only allowed FTP from my internal domain to the
> domain in the DMZ. From the DMZ I have not opened up anything.
>
> Well, my intention was failover and easy backup of users for my
> domain in the DMZ. If I had 2 servers in there (2 DCs) and I had
> replicated everything on my web/FTP server to the second one, if the
> original server went down the other one could take over. Just route
> everything to the second server.
>
> The users that are in my DMZ zone don't have anything to do with my
> domain on the inside.
>
> If I just have a Windows 2003 server with IIS installed etc., I have
> to use local users and groups to set up my 100 external users. If
> that server went down, rebuilding it would take a lot of time.
>
> But is there a better way, to have 2 Win2003 servers then that are
> configured exactly the same, but one is not plugged in to my DMZ? If
> the original web server should go down, then I could just boot up the
> "cold" one. But it would be much more work to keep those servers
> alike (one online and the other not).
>
> So what you recommend is just one standalone server, and back up
> system state and IIS, and use that to restore the server?

That's what I'd do, if this indeed had to be a Windows server in the first
place, which it doesn't need to be. If someone hacks your DMZ, all your DCs
are probably toast anyway - and although I do now understand your setup
(which you didn't explain clearly in your first post, hence my erroneous
assumptions), I still think it sounds like it isn't optimal. Also, it sounds
expensive. Do you have CALs for each of these 100 users in your DMZ domain?
You need them. I probably wouldn't use Windows/IIS for this server at all.