#1
Disclosure: I'm not an admin by trade, but a teacher who wears too many hats. So, pardon my lack of knowledge about server administration.

I've recently reinstalled 2003 Server from scratch for my classroom's computer lab.

Initially, I had DHCP, DNS, AD, and NAT/RD (defaults when configuring 2003 for the first time) installed and the outgoing and DHCP-served traffic and the actual Internet connection split between two separate cards.

Although the server could connect to the Internet (DNS forwarding enabled in the DNS server), the workstations could not ping the server or the router.

It started working immediately, however, after I stopped the NAT/RD service and deleted the record for my server. They obtained an IP address and began functioning normally.

I later learned that having a domain controller with two NICs isn't wise. So, I disabled one of the NICs, uninstalled all servers and reinstalled with the default server install group (this time DNS, AD, DHCP... no NAT/RD) and all traffic was directed to pass through the sole NIC that is assigned a static IP address by my router.

This didn't work at first, either. So, remembering the NAT/Remote Desktop service from the first install, I relaunched the wizard and configured it with the new settings, but to no avail.

The instant I disabled it, however, I was able to release/renew the IP addresses on my test workstations. Later, all machines were able to get an IP address.

What gives?

I'm not complaining as it works. For now, at least...

However, I am curious as to why I had to start and stop NAT/Remote Desktop to get it to work. There's also the thought in the back of my mind that I've somehow made my server vulnerable by disabling the firewall (as instructed during the RD setup process). And will I have any issues when I set up accounts in AD and when I connect a second server to the network for SUS/back-up purposes?

Anyone care to explain what's going on and what, if any, next steps I should take?

If it's relevant, I've also installed WINS and SP2.

Thanks!

Dave Smith
#2
You have left out a very important bit of information. What is between your router and the Internet? Does it connect directly to the Internet, or is it connected to a network? Is it a private or public network? If it connects to a private network, a firewall is probably not required on your server. You are probably already behind a firewall.

Your original setup should have worked, even though it is not a recommended config. (The clients should have been able to access the server and the Internet. The warnings about two NICs relate to other problems.) Since it didn't work, you probably had NAT misconfigured.

I am still worried about your current setup. If the server has only one NIC it should not be the gateway for your LAN clients. They should be using the router as their default gateway, but using the DC for DNS and DHCP.

Here is the basic problem. Using DHCP from the router will give your machines Internet access. It does this by setting its own address for the default gateway. It gives the clients an external DNS address to use, or it gives them its own address and relays the DNS requests to an external DNS service. This works fine, but is incompatible with Active Directory.

Active Directory requires the AD machines to use a local AD-integrated DNS server for AD resources. So DHCP from the router can't be used unless you can modify it to hand out the DC's IP address for the DNS address. The usual method in a case like this is to disable DHCP on the router and run DHCP on the server. Give the server a static IP, the router as its default gateway and itself as DNS server. Modify the DNS server to forward to a public DNS service. You do not need RRAS or NAT or the Windows firewall running on the server. It is not your Internet gateway. The router is.

Set up DHCP to issue the router's IP as default gateway and the DC's IP address for DNS.

The network config would look like this.
    router
    192.168.0.1
    |
    server
    192.168.0.n   dg 192.168.0.1
    |             dns 192.168.0.n
    workstations
    192.168.0.x   dg 192.168.0.1
                  dns 192.168.0.n

"Dave Smith" <(E-Mail Removed)> wrote in message news:7EA5CC49-55BE-4470-B6E2-(E-Mail Removed)...
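As an added example (not from the thread or either poster), a small Python checker that applies Bill's rules to a workstation's `ipconfig /all` output: the default gateway must be the router, and both the DHCP lease and the first DNS server must come from the DC. The samples are constructed, and the DC address 192.168.0.10 is an assumption standing in for the 192.168.0.n in the diagram above.

```python
import re

# Constructed sample of a workstation's `ipconfig /all` adapter block (not captured
# from the poster's lab), trimmed to the fields the checks below look at.
GOOD_CLIENT = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.10
        DNS Servers . . . . . . . . . . . : 192.168.0.10
"""
# The "before" picture from the thread: the router is still the DHCP server and
# hands out its own address for DNS, so AD lookups never reach the DC.
ROUTER_DHCP_CLIENT = GOOD_CLIENT.replace(": 192.168.0.10", ": 192.168.0.1")
ROUTER_IP = "192.168.0.1"  # the lab router, default gateway for everything
DC_IP = "192.168.0.10"     # assumed address of the single-NIC DC ("192.168.0.n")

def parse_ipconfig(text):
    """Return {field: [values]} for one adapter block of Windows `ipconfig /all` output."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)[ .]*: ?(.*)$", line)
        if m:                          # "Name . . . : value" line
            current = m.group(1).strip()
            fields[current] = [m.group(2).strip()] if m.group(2).strip() else []
        elif current and line.startswith(" ") and line.strip():
            fields[current].append(line.strip())   # e.g. a second DNS server
        else:
            current = None             # adapter header or blank line
    return fields

def check_client(fields, router_ip=ROUTER_IP, dc_ip=DC_IP):
    """Apply the thread's rules to one client: gateway = router, DHCP and DNS = DC."""
    findings = []
    if fields.get("Dhcp Enabled") != ["Yes"]:
        findings.append("client is not using DHCP")
    if fields.get("Default Gateway") != [router_ip]:
        findings.append("default gateway is not the router")
    if fields.get("DHCP Server") != [dc_ip]:
        findings.append("lease did not come from the DC (is DHCP still enabled on the router?)")
    if (fields.get("DNS Servers") or [None])[0] != dc_ip:
        findings.append("first DNS server is not the DC's AD-integrated DNS")
    return findings

if __name__ == "__main__":
    for name, sample in (("good", GOOD_CLIENT), ("router-dhcp", ROUTER_DHCP_CLIENT)):
        print(name, check_client(parse_ipconfig(sample)) or ["OK"])
```

Run it against the real output of `ipconfig /all` on a lab machine after a release/renew to confirm the gateway and DNS options are still being handed out with each new lease.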
#3
Thank you for the post.
Yes, there is a router for the network and it is the default gateway for *everything*. DHCP is disabled and only a range of static IP addresses is reserved, one of which is the server. Although I don't have the DNS settings in front of me, the logic behind my setup matches yours.

One question, though. The DHCP server points to the DNS which points to the router as the gateway. I trust that the DHCP addresses doled out are also passing on the gateway info and will continue to do so once the current lease expires and is renewed? This isn't a one-off fluke that will have me pulling at what's left of my hair?

Danke.

"Bill Grant" wrote: