
hardcoding DC IP address for network setting.

 
 
Simo Sentissi

 
      07-12-2005, 04:42 PM
Hello there

I am in the process of putting a couple of servers behind an internal firewall
and I am wondering if I can make a Win 2000/3 server point to a specific
domain controller instead of broadcasting?

Thanks


 
Steven L Umbach

 
      07-12-2005, 05:12 PM
Domain computers do not "broadcast" but instead use DNS to look up domain
controllers and will attempt to first authenticate with domain controllers
in their site if you have more than one site configured for your forest.
What you could try to do is to use something like an IPsec "filtering" policy
on the server to block access to all but the domain controllers you want it to
use. --- Steve

http://www.securityfocus.com/infocus/1559 --- primer on IPsec filtering.

"Simo Sentissi" wrote in message:
> Hello there
>
> I am in the process of putting a couple of servers behind an internal
> firewall and I am wondering if I can make a Win 2000/3 server point to a
> specific domain controller instead of broadcasting?
>
> Thanks



 
Paul Williams [MVP]

 
      07-12-2005, 05:17 PM
What kind of traffic are you talking about? You can basically ignore any
broadcast traffic. Other traffic is important, and you'll need to
incorporate firewall rules to allow the DCs to communicate with clients and
other DCs.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


 
Simo Sentissi

 
      07-12-2005, 06:17 PM
Well, our security officer said that the firewall will not let any broadcast
go through. So does it mean that I can ignore that and let Win2k/03 try to
broadcast first, then let it get it from DNS?

"Paul Williams [MVP]" wrote in message:
> What kind of traffic are you talking about? You can basically ignore any
> broadcast traffic. Other traffic is important, and you'll need to
> incorporate firewall rules to allow the DCs to communicate with clients
> and other DCs.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net



 
Kevin D. Goodknecht Sr. [MVP]

 
      07-12-2005, 06:24 PM
Simo Sentissi posted this:
> Well, our security officer said that the firewall will not let any
> broadcast go through. So does it mean that I can ignore that and let
> Win2k/03 try to broadcast first, then let it get it from DNS?


Win2k3 does not use NetBIOS broadcasts for DC location; all DC locating is
done in DNS.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps


 
Paul Williams [MVP]

 
      07-12-2005, 06:30 PM
Windows will try DNS before broadcasting. The only broadcast traffic that
springs to mind is Browser; but even that will go via WINS for replication,
etc.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


 
jackson_140@hotmail.com

 
      07-12-2005, 06:34 PM
Simo Sentissi wrote:
> Well, our security officer said that the firewall will not let any broadcast
> go through. So does it mean that I can ignore that and let Win2k/03 try to
> broadcast first, then let it get it from DNS?



Windows Server 2003 does not use broadcast for locating services; it
uses DNS. The only broadcast involved with a 2003 server would be if
you have it configured as a DHCP server. This would be a problem,
however. The router is likely to be RFC 1542 compliant, in which case
you can "route" the broadcast, as the router will do a DHCP relay. The
only other time it might use broadcast is if you use NetBIOS and don't
have a WINS server configured. But you might want to look at the ports
that AD uses;
you can have a look at the following page:
http://support.microsoft.com/default...b;en-us;832017

 
Kurt Roggen

 
      07-12-2005, 09:06 PM
Build a new site in AD linked to a subnet.
Subnet is the IP address of your Win2003 server, subnet is 255.255.255.255
Afterwards verify on server with nltest /dsgetsite to determine
communication
--
Kurt Roggen
http://www.blogontheweb.com/roggenk


"Simo Sentissi" wrote in message:
> Hello there
>
> I am in the process of putting a couple of servers behind an internal
> firewall and I am wondering if I can make a Win 2000/3 server point to a
> specific domain controller instead of broadcasting?
>
> Thanks



 
Richard

 
      07-13-2005, 03:56 AM
I agree with Kurt, but make sure that the IP does not already belong to
another AD site if you choose a 32-bit masked single IP.
But he is right, as the client (i.e. the server) will use its site membership
based on the AD site IP boundaries; then, if it cannot determine its site, it
will revert to DNS using the DNS server's weight and priority on the
SRV records.

Richard Glenn
(E-Mail Removed)


"Kurt Roggen" wrote in message:
> Build a new site in AD linked to a subnet.
> Subnet is the IP address of your Win2003 server, subnet is 255.255.255.255
> Afterwards verify on server with nltest /dsgetsite to determine
> communication
> --
> Kurt Roggen
> http://www.blogontheweb.com/roggenk
>
>
> "Simo Sentissi" wrote in message:
>> Hello there
>>
>> I am in the process of putting a couple of servers behind an internal
>> firewall and I am wondering if I can make a Win 2000/3 server point to a
>> specific domain controller instead of broadcasting?
>>
>> Thanks
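
The site-and-SRV logic discussed in the two posts above, as an added example that is not from any poster in this thread: a simplified Python model of subnet-to-site mapping (the most specific matching subnet decides the site, so a /32 overrides a broader range) and of SRV ordering by priority, then weight. All addresses, site names and host names are constructed for illustration.

```python
import ipaddress
import random

# Constructed sample data: AD subnet objects and the site each one is linked to.
SUBNETS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch",
    "10.20.5.10/32": "Firewalled",  # single-host subnet for the isolated server
}

# Constructed SRV answers as (priority, weight, target) tuples.
SRV = [(10, 100, "dc2.example.test"), (0, 100, "dc1.example.test"),
       (0, 0, "dc3.example.test")]

def site_for(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, site) for net, site in
            ((ipaddress.ip_network(n), s) for n, s in subnets.items())
            if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def covering_subnets(new_subnet, subnets=SUBNETS):
    """Existing subnet objects that already contain new_subnet (review these
    before adding a /32 so the host's current site mapping is understood)."""
    new = ipaddress.ip_network(new_subnet)
    return [(n, s) for n, s in subnets.items()
            if ipaddress.ip_network(n) != new
            and new.subnet_of(ipaddress.ip_network(n))]

def order_srv(records, rng=random):
    """Order SRV records: lowest priority value first, then a weighted random
    draw inside each priority group (simplified from RFC 2782)."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng.random() * sum(r[1] for r in group)
            running = 0
            for rec in group:
                running += rec[1]
                if pick < running:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered

if __name__ == "__main__":
    print(site_for("10.20.5.10"), covering_subnets("10.20.5.10/32"))
    print([target for _, _, target in order_srv(SRV)])
```

On a real server, `nltest /dsgetsite` (mentioned above) reports the site the machine actually resolved to, which is the value to compare against this model.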



 
Roger Abell

 
      07-13-2005, 11:00 AM
You are right that MS Browse is the only broadcasting that will
happen - if a WINS server is configured in TCP/IP settings.
However, MS Browse traffic does not "go via WINS" and is
distinct from but related to WINS name registration and resolution.
Use of WINS only preempts the NetBIOS name announcements
and inquiries.

--
Roger Abell
Microsoft MVP (Windows Security)

"Paul Williams [MVP]" wrote in message:
> Windows will try DNS before broadcasting. The only broadcast traffic that
> springs to mind is Browser; but even that will go via WINS for
> replication, etc.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net



 