Networking Forums

DNS and Server 2003

 
 
CoveTom
Guest
Posts: n/a

 
      06-30-2004, 02:23 PM
Friends,

Consider this one computer tech whose head is about to
explode. :-) I apologize for the length of this message,
but I want to make sure I put forth all the info. you'll
need to know.

I'm new to Windows Server 2003 -- Windows server software
at all, really -- and now I'm in the position of having to
move the network of the school I work for to that platform
before the new school year starts. I've got a wonderful
book, and I've learned a lot, but DNS is confounding me to
a point, and I hope I can get some help.

Here's the scenario: We are a small school. To this point,
we have been running a Novell NetWare 3.12 (yes, that old)
server that did only file and print sharing for the
intranet. No DNS, no web site, no e-mail. Just a LAN
server. Now, in one fell swoop, we've dumped the old
server, bought a new machine and a copy of Windows Server
2003 Standard, and want to have a web site and e-mail (for
employees only, not students) through our own domain.

So, as I said, we have one (count 'em, one) server running
Windows Server 2003 Standard. At the moment, it's the
server that's going to do everything for us. That includes
file services for the local network users, being the
primary (well, only) domain controller, handling Active
Directory, being our (again, only) DNS server, and
handling our web site and e-mail. A lot for a single server
to do, I know, and not exactly the recommended setup, but
it's what we've got. Like I said, we're a small school.

Should we need a second server, like one to do secondary
DNS or to host our web site and e-mail separately, I could
put up a second machine to act as a separate server for
some of this. I could come up with the hardware. But as we
don't have the money for another Server 2003 license, it
would have to run Linux. I like that idea, but I'm also
not keen on the idea of having to learn Linux and Server
2003 at the same time -and- try to get them to play nice
with each other. I know how much Linux and Windows love
each other, after all.

So, here's where we stand: I'm an experienced Windows guy,
but not a Windows Server guy. But, with the help of my
book (Mastering Windows Server 2003 by Mark Minasi, if
you're interested) and a bit of good luck, I've managed to
install the server, set it up as a primary domain
controller, get Active Directory up and running, and set
it up as a DNS server that successfully handles our
internal network (and only our internal network). In other
words, a computer on our network can boot up, find the
server, create a computer account for itself, and login to
the server. But right now that's all it can do. No access
to the outside Internet, and no server setup for web and e-
mail purposes.

I should also mention at this point how our Internet setup
works. We have a T1 connection from here to a pseudo-
government organization that supplies Internet access to
local area schools. They give us a bunch of IP addresses
in a non-routable range (10.x.x.x) and the address of
their DNS server. We have a Cisco 1600 series router which
tosses all our Internet traffic over to them, and their
systems get everything where it needs to go. They also
filter our Internet traffic, BTW, so that students can't
get to anything, well, inappropriate.

In special cases where we need incoming traffic, such as
our server, they "unfilter" one of our non-routable
internal IP addresses and tie it to a real, routable
external IP address. So, essentially, our server has two
IP addresses: one internal that's non-routable on the
Internet, and one external that's a real live IP address.

And that's where my knowledge hits a brick wall. I need to
figure out how to get all of the computers inside our
network to be able to go out onto the Internet, do DNS
queries, find sites, etc. and also figure out how to get
traffic on the outside Internet able to access our soon-to-
be-created web and e-mail addresses. And I need opinions.

What is the best way to handle this? Can it be reasonably
done on a single server? Do we need a separate box running
Linux to handle some of this? Should we keep the default
gateway for the local computers as the router or switch it
to the server, because if we switch it to the server,
which has an unfiltered IP, students can get to
everything? Does any of this make any sense at all?

If someone could start to point me in the right direction,
I would be greatly appreciative.

Thanks!

=Tom=
 
 
 
 
 
Phillip Windell
Guest
Posts: n/a

 
      06-30-2004, 03:18 PM
Windows DNS is designed as such that you simply stay away from it and it
keeps working fine. It is required for having a Domain, so make sure DNS is
installed (but unconfigured) before you make the Server a domain controller.
It will install automatically if it is not there, but I think things are
"smoother" if it is already there. The process of making the machine a DC
will automatically configure DNS the way it should be and you can just "stay
away" from it and it will work fine.

Do *not* make your Domain Name the same as any publicly registered Internet
Domain Name,...these are not the same thing,..do not treat them as the same
thing,...keep the names different. Just use a three letter ending that is
not ever on the Internet (like "loc" instead of com, net, edu, etc..). I
like to use *.loc (loc = "Local"), but you can pick whatever you like.

Once in place *all* machines (and I mean *ALL* machines) use the Domain's
DNS for their DNS, even the DC itself. The DC can point to itself using
127.0.0.1 for its DNS setting. I use 127.0.0.1 because it will always be
available when sometimes things can happen to cause the regular IP to not
work.

For internet name resolution you simply add the ISP's DNS Servers to the
Forwarder's List within the config of your DNS Server(s). So the clients
look to your DNS first, if it can't resolve it is passed on to the DNS listed
in the Forwarder's List. It's pretty simple and everything works right.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Phillip Windell
Guest
Posts: n/a

 
      06-30-2004, 03:50 PM
Another message is coming...hang on,...I can't type and think that fast...


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Doug Sherman [MVP]
Guest
Posts: n/a

 
      06-30-2004, 03:56 PM
Some straightforward answers to some of your questions in no particular
order:

1. Student Internet access: Presumably student machines access the
Internet by setting their default gateway to the IP address of the Cisco
router. This will give them Internet connectivity, but they also need name
resolution. Student machines should be configured to point to the server IP
for DNS. Now you need to configure Forwarders on the server so that local
DNS clients can resolve Internet names. On the server - Go to
Administrative Tools and open the DNS console. Right click the server and
select properties. Click the Forwarders tab and enter/add the IP address
of the 'pseudo government's DNS server. If the Forwarders tab entries are
grayed out, delete the '.' zone. You may have to restart the service or
reboot the server. All internal machines should then be able to get
whatever Internet access is available through your provider.

2. Configuring the Win 2003 machine as a web server is extremely easy.
Just click on the Configure My Server wizard in Administrative Tools. To
allow your internal users to connect to the server is also easy. If you
create a web site that uses your Active Directory domain name - eg.
www.ADdomainname.com, then all you need to do is add a host record called
www in the ADdomainname.com zone through the DNS console. If you create a
web site with a different DNS name, then use the DNS console to add a
standard primary zone with the new name - eg. newzone.com - again add a
host record called www to this zone.

Providing External access to your web sites - ie. enabling outside Internet
users to view your web site, requires your provider to set things up. They
will have to assign you a public IP address and map it or port 80 to the
10.x.x.x IP address of your server. There also has to be an external or
public DNS server to resolve the public DNS name, and this means the public
DNS name needs to be registered. None of this can be configured on your
internal network. So the short answer is that you need to consult with the
provider in order to allow public access to your server.

3. Win 2003 has a built-in mail server - use the Configure My Server
wizard - which may meet your needs. Again it's easy to provide mail services
to the internal LAN users. However, if you want to provide mail services to
external Internet users, you have issues similar to those for providing
external web access.

4. Ideally, everyone wants to use a separate server for every server
function and have a back-up box for each one as well. However, there is no
theoretical reason why you can't provide the desired services from a single
machine. Whether there is a practical reason depends on hardware
performance, bandwidth availability and demands, etc. MS makes a product
called Small Business Server 2003 which is designed to provide all your
server needs plus several others all on one box. So I would try to do what
you want with what you have. If the platform proves to be inadequate -
that's your best argument for more hardware. You won't get very far with
the powers-that-be by telling them that some guy in a newsgroup told you you
need MS Exchange Server and a second Windows Server 2003 box.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Phillip Windell
Guest
Posts: n/a

 
      06-30-2004, 04:05 PM
"CoveTom" <(E-Mail Removed)> wrote in message
news:237a301c45ead$cb1d1350$(E-Mail Removed)...
> Should we need a second server, like one to do secondary
> DNS or to host our web site and e-mail separately, I could


You can get things working on the one box for now and see how it behaves.
Add others only when you know you need them. So don't try to solve problems
that you don't even have yet.

> I should also mention at this point how our Internet setup
> works. We have a T1 connection from here to a pseudo-
> government organization that supplies Internet access to
> local area schools. They give us a bunch of IP addresses
> in a non-routable range (10.x.x.x) and the address of
> their DNS server. We have a Cisco 1600 series router which
> tosses all our Internet traffic over to them, and their
> systems get everything where it needs to go. They also
> filter our Internet traffic, BTW, so that students can't
> get to anything, well, inappropriate.


I've heard of these situations in schools. I don't think they are "pretty".
If they give you enough 10.* addresses to cover all your needs, then you
simply use them on all your machines and the Cisco 1600's 10.* address
becomes the Default Gateway of the machines. This "pseudo-gov organization"
will be the ones "firewalling" and protecting your network.

If you don't have enough 10.* addresses then *ask for more* from the *same*
subnet, ..it is still the simplest model to follow. But if they won't give
more you will require a NAT Device. The Server could do it, but I don't
recommend dual-homing a DC/DNS machine, nor do I recommend adding that much
more responsibility to a Server that may already be overworked. The best bet
is to use a Hardware based Firewall for this. You could also build one with
Linux & IP Tables.

When doing this you need to wisely pick a private address range that won't
cause future problems with other private systems you may have to deal with.
These would be your "internal" addresses, while the 10.* addresses would
become your "external" address which are in the same role that a Public
Address Range would be in a "normal" network. Now the clients would use the
internal IP# of the "NAT Device" as their Default Gateway. This "pseudo-gov
organization" will *still* be the ones "firewalling" and protecting your
network, but you will be able to do additional filtering yourself, but you
will *not* be able to allow what they don't allow because it will never get
to (or from) you.

> In special cases where we need incoming traffic, such as
> our server, they "unfilter" one of our non-routable
> internal IP addresses and tie it to a real, routable
> external IP address. So, essentially, our server has two
> IP addresses: one internal that's non-routable on the
> Internet, and one external that's a real live IP address.


This is called Static NAT or One-to-One NAT depending on the filtering model.

If you have enough 10.* addresses and follow that simpler method, they will
continue to do this in this manner. But if you have to add another NAT
Device and another Address Range, this will become nearly impossible or at
least difficult. They can only Static or One-to-One NAT to the 10.* address
which are now *external* to your private system and cannot communicate
directly with your machines. You can probably Static or One-to-One NAT
between the 10.* address they used and one of your own internal addresses,
but things can get really complicated when things don't work and be very
hair-pulling to sort out where the problem *really* is.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
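
An added example (not part of any poster's message): a check of the client settings the replies above agree on, run over `ipconfig /all` output. Every machine should use the Cisco router as default gateway and the Server 2003 box as its only DNS server, with 127.0.0.1 allowed on the DC itself. The addresses, host names and dumps are constructed for illustration; the thread gives only "10.x.x.x".

```python
import ipaddress

# Assumed values for illustration; the thread only gives "10.x.x.x".
ROUTER_IP = "10.20.0.1"   # Cisco router: default gateway for every machine
SERVER_IP = "10.20.0.10"  # the single DC / DNS server
LOOPBACK = "127.0.0.1"    # acceptable DNS setting on the DC itself
FIELDS = {"IP Address": "ip", "Default Gateway": "gateway", "DNS Servers": "dns"}

# Constructed `ipconfig /all` excerpts (Windows XP / Server 2003 layout).
# 10.99.0.53 stands in for the provider's DNS server.
SAMPLE_DUMPS = [
    """
    Host Name . . . . . . . . . . . . : LAB-PC01
    IP Address. . . . . . . . . . . . : 10.20.0.51
    Default Gateway . . . . . . . . . : 10.20.0.1
    DNS Servers . . . . . . . . . . . : 10.20.0.10
    """,
    """
    Host Name . . . . . . . . . . . . : LAB-PC02
    IP Address. . . . . . . . . . . . : 10.20.0.52
    Default Gateway . . . . . . . . . : 10.20.0.1
    DNS Servers . . . . . . . . . . . : 10.20.0.10
                                        10.99.0.53
    """,
    """
    Host Name . . . . . . . . . . . . : LAB-PC03
    IP Address. . . . . . . . . . . . : 10.20.0.53
    Default Gateway . . . . . . . . . : 10.20.0.10
    DNS Servers . . . . . . . . . . . : 10.20.0.10
    """,
    """
    Host Name . . . . . . . . . . . . : SCHOOL-DC1
    IP Address. . . . . . . . . . . . : 10.20.0.10
    Default Gateway . . . . . . . . . : 10.20.0.1
    DNS Servers . . . . . . . . . . . : 127.0.0.1
    """,
]


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Extract host name, IPs, gateways and DNS servers from `ipconfig /all` text."""
    cfg = {"host": None, "ip": [], "gateway": [], "dns": []}
    current = None  # field that a following continuation line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        left, sep, right = line.partition(":")
        if sep:
            key = left.rstrip(" .")  # drop the ". . . ." leader dots
            value = right.strip()
            if key == "Host Name":
                cfg["host"] = value
            current = FIELDS.get(key)
            if current and is_ipv4(value):
                cfg[current].append(value)
        elif current and is_ipv4(line):
            # Additional DNS servers or gateways are printed on their own lines.
            cfg[current].append(line)
    return cfg


def audit(cfg, router_ip=ROUTER_IP, server_ip=SERVER_IP):
    """Return (code, detail) findings for one parsed machine."""
    findings = []
    allowed_dns = {server_ip}
    if server_ip in cfg["ip"]:
        allowed_dns.add(LOOPBACK)  # only the DC may point at itself
    if not cfg["dns"]:
        findings.append(("NO_DNS", "no DNS server configured"))
    for dns in cfg["dns"]:
        if dns not in allowed_dns:
            findings.append(("FOREIGN_DNS", f"{dns} is not the domain's DNS server; "
                             "outside resolvers belong in the server's forwarder list"))
    if not cfg["gateway"]:
        findings.append(("NO_GATEWAY", "no default gateway configured"))
    for gw in cfg["gateway"]:
        if gw == server_ip:
            findings.append(("GATEWAY_IS_SERVER", "default gateway is the server, "
                             "whose address the provider leaves unfiltered"))
        elif gw != router_ip:
            findings.append(("UNEXPECTED_GATEWAY", f"{gw} is not the router {router_ip}"))
    return findings


def audit_all(dumps):
    """Map each host name to the list of finding codes for its dump."""
    report = {}
    for cfg in map(parse_ipconfig, dumps):
        report[cfg["host"]] = [code for code, _ in audit(cfg)]
    return report


if __name__ == "__main__":
    for cfg in map(parse_ipconfig, SAMPLE_DUMPS):
        print(cfg["host"], audit(cfg) or "OK")
```
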


 
 
CoveTom
Guest
Posts: n/a

 
      06-30-2004, 04:05 PM
In the book that I've been using as a reference, the
author uses the same domain name as both the internal,
Windows Active Directory domain name and the external
Internet-accessible domain. In other words, something.com
is everything, both internal and external. Thus, that's
the model I've been following in setting things up. Are
you saying that's a bad idea and, if so, why?


>-----Original Message-----
>Do *not* make your Domain Name the same as any publicly
>registered Internet Domain Name,...these are not the same
>thing,..do not treat them as the same thing,...keep the
>names different. Just use a three letter ending that is
>not ever on the Internet (like "loc" instead of com, net,
>edu, etc..). I like to use *.loc (loc = "Local"), but
>you can pick whatever you like.

 
 
Guest
Posts: n/a

 
      06-30-2004, 04:08 PM
So, to boil this down to the essentials, it sounds to me
like what you're saying is that for internal access, we
just need to use the router as our gateway and the Server
2003 box, with a forwarder to our ISP's DNS, as our DNS
server. And for our web site, we just need to have a real,
outside IP address forwarded by our ISP to their
appropriate internal IP and either the ISP's DNS server or
some other external DNS server set up to resolve DNS
queries for our domain to that external IP. Is that
correct?

Thanks!

>-----Original Message-----
>Some straightforward answers to some of your questions in no particular
>order:
>
>1. Student Internet access: Presumably student machines access the
>Internet by setting their default gateway to the IP address of the Cisco
>router. This will give them Internet connectivity, but they also need name
>resolution. Student machines should be configured to point to the server IP
>for DNS. Now you need to configure Forwarders on the server so that local
>DNS clients can resolve Internet names. On the server - Go to
>Administrative Tools and open the DNS console. Right click the server and
>select properties. Click the Forwarders tab and enter/add the IP address
>of the 'pseudo government's DNS server. If the Forwarders tab entries are
>grayed out, delete the '.' zone. You may have to restart the service or
>reboot the server. All internal machines should then be able to get
>whatever Internet access is available through your provider.
>
>2. Configuring the Win 2003 machine as a web server is extremely easy.
>Just click on the Configure My Server wizard in Administrative Tools. To
>allow your internal users to connect to the server is also easy. If you
>create a web site that uses your Active Directory domain name - eg.
>www.ADdomainname.com, then all you need to do is add a host record called
>www in the ADdomainname.com zone through the DNS console. If you create a
>web site with a different DNS name, then use the DNS console to add a
>standard primary zone with the new name - eg. newzone.com - again add a
>host record called www to this zone.
>
>Providing External access to your web sites - ie. enabling outside Internet
>users to view your web site, requires your provider to set things up. They
>will have to assign you a public IP address and map it or port 80 to the
>10.x.x.x IP address of your server. There also has to be an external or
>public DNS server to resolve the public DNS name, and this means the public
>DNS name needs to be registered. None of this can be configured on your
>internal network. So the short answer is that you need to consult with the
>provider in order to allow public access to your server.
>
>3. Win 2003 has a built-in mail server - use the Configure My Server
>wizard - which may meet your needs. Again it's easy to provide mail services
>to the internal LAN users. However, if you want to provide mail services to
>external Internet users, you have issues similar to those for providing
>external web access.
>
>4. Ideally, everyone wants to use a separate server for every server
>function and have a back-up box for each one as well. However, there is no
>theoretical reason why you can't provide the desired services from a single
>machine. Whether there is a practical reason depends on hardware
>performance, bandwidth availability and demands, etc. MS makes a product
>called Small Business Server 2003 which is designed to provide all your
>server needs plus several others all on one box. So I would try to do what
>you want with what you have. If the platform proves to be inadequate -
>that's your best argument for more hardware. You won't get very far with
>the powers-that-be by telling them that some guy in a newsgroup told you you
>need MS Exchange Server and a second Windows Server 2003 box.
>
>Doug Sherman
>MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 
 
Doug Sherman [MVP]
Guest
Posts: n/a

 
      06-30-2004, 04:44 PM
That's about it. I made some assumptions about your network infrastructure,
but the description would make little sense unless it works the way I
assume it does - possibly the ISP has a proxy server requirement, but they
should have told you that. The good news is that providing access to
external users does not require any additional resources or configuration on
your internal network. As to how much help your ISP is willing to provide
........ who knows? But presumably they have done this for other schools.
They are the only ones who can control the routing from a public IP to your
internal network, but they might require you to pay for name registration
and use a third party for external DNS.

Also, many networks use the same DNS name for the Active Directory domain
and the external or public DNS name space. There are both advantages and
disadvantages to doing this, but it is a common practice.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 
Phillip Windell
Guest
Posts: n/a

 
      06-30-2004, 05:07 PM
"CoveTom" <(E-Mail Removed)> wrote in message
news:2393301c45ebc$1f8d6800$(E-Mail Removed)...
> is everything, both internal and external. Thus, that's
> the model I've been following in setting things up. Are
> you saying that's a bad idea and, if so, why?


Yes it is a bad idea and the guy that wrote the book should be slapped.

It would probably take a chapter or two of writing to explain that. I'm
afraid it is one of those things that is very simple yet very hard to
explain. It's like defining the word "the".

Here are some articles that display the depth of problems created by this.
These are centered around the use of ISA Server, but the principles apply
to any situation.

[Those are underscores, not spaces between the words]
14120 Errors; Discussion and Solution
http://www.isaserver.org/articles/14..._Solution.html

[Those are underscores, not spaces between the words]
You Need to Create a Split DNS!
http://www.isaserver.org/tutorials/Y...Split_DNS.html


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Tom E. Pinkerton
Guest
Posts: n/a

 
      06-30-2004, 05:27 PM
Well, as you can tell if you've been reading the other
replies in this thread, I've already gotten one reply
insisting that I should not use the same domain name as
our Internet domain and our internal Windows domain.
OTOH, the book I'm using doesn't seem to have a problem
with the practice. He uses "bigfirm.biz" as his example
domain, and uses that as both the Internet domain and the
internal Windows domain throughout his examples.

I am very early on in the game of setting up the server,
so switching domain names wouldn't be too big a pain in
the neck if I needed to, but I want to make sure what I
need before I go setting things up yet again. What would
-you- recommend?

BTW, we do have to use a proxy server on the filtered IP
addresses, yes. But on the unfiltered addresses like the
server, no proxy is necessary.


 