w2k3 server across subnets

 
 
Chappydean
03-08-2005, 10:45 PM
I have a single domain that for firewalling purposes subnetted a class A
network.

My basic question is HOW do I manage DNS and PDC across the subnets?

1. DNS, PDC, DHCP are all on main subnet mask.
2. Can ping all IP addresses from any subnet.
3. NSLOOKUP points to proper DNS IPs.
4. IPCONFIG /ALL shows proper DNS suffix for NIC cards but nothing for Win
IP Config DNS suffix on remote subnet.
5. Net View //DNSIPADDRESS from remote returns ‘Path Not Found’.
6. Have tried enabling and using LMHOSTS.

Have searched and read articles until cross-eyed and blurred vision. All
indicate that this can be done but no HOW TO. Statements like “Configure
DNS”. Okay, great. Configure what in the DNS? (this is just an example).

So, I am looking for how do I manage DNS and domain control across subnets?

Any suggestions? Thanks in advance.

 
Bill Grant
03-09-2005, 12:18 AM
Since you are using private addresses, it would be easier for us if you
specified what IP addresses and netmasks you are actually using.

How are these subnets connected? What is acting as a router between
them?

A simple diagram of your network (with IP addresses and subnet masks)
would help, e.g.

server
10.0.0.7/24 dg 10.0.0.1
|
workstations
10.0.0.x/24 dg 10.0.0.1
|
10.0.0.1/24 dg blank
router
10.0.3.1/24 dg blank
|
workstations
10.0.3.x/24 dg 10.0.3.1

If you are not familiar with the 10.0.0.1/24 notation, the /24 just
indicates the number of bits in the netmask used. (24 bit netmask is
255.255.255.0).

Chappydean
03-09-2005, 02:25 AM
Thanks Bill, Here is my layout.

WatchGuard X2500 External: T1

Server: 10.0.1.2/16 dg: 10.0.1.1 WatchGuard Firebox x2500 Trusted I/F
(eth0)
Workstations: 10.0.1.3-xxx/16 dg: 10.0.1.1

Subnet1 - X2500 optional I/F(eth1): 10.10.1.1/24
Workstations: 10.10.1.2-xxx/24 dg: 10.10.1.1

Subnet - X2500 expanded I/F(eth2): 10.10.2.1
Workstations: 10.10.2.2-xxx/24 dg: 10.10.2.1

Thanks for the response.

Chappydean
03-09-2005, 02:45 AM
Sorry, I am new and not sure if I am posting in the correct area. May belong
in DNS section.

Additional to my last post, I would like to set up a secondary DNS server on
the X2500 I/F 'eth1'. But in order to do so I must be able to transfer zones
from the master which is on the main subnet. Can ping only, not access.

Bill Grant
03-09-2005, 04:37 AM
That looks OK. DHCP will not issue the network config to machines on the
/24 subnets unless you set up scopes for them in DHCP. You will probably
also need to change some setting on the WatchGuard (DHCP relay, DHCP helper
or similar) for it to forward the DHCP requests to the server on the /16
subnet. The WatchGuard has interfaces in the /24 subnets, but the DHCP
server doesn't (so it cannot get these requests directly). The WatchGuard
must forward the DHCP messages it receives to the DHCP server. (They come as
LAN broadcasts, which don't cross routers).

You should be able to set up a DNS secondary zone on a server in one of
these subnets. Remember that you need to modify the setting on the original
DNS server to allow this to happen. From memory it is not allowed by default
in W2k3.

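The reasoning in Bill Grant's reply above, worked through in Python as an added example (not part of the original thread, and not WatchGuard or Microsoft code): a relayed request carries the relay's interface address (giaddr), and the server leases only from a scope that contains it. Addresses come from the posted layout; the /24 on eth2 and the secondary DNS address 10.10.1.10 are assumptions.

```python
import ipaddress

# Addresses taken from the layout posted in the thread.
DHCP_SERVER = ipaddress.ip_interface("10.0.1.2/16")
FIREBOX = {
    "eth0": ipaddress.ip_interface("10.0.1.1/16"),
    "eth1": ipaddress.ip_interface("10.10.1.1/24"),
    "eth2": ipaddress.ip_interface("10.10.2.1/24"),  # /24 assumed from the workstation line
}
SECONDARY_DNS = "10.10.1.10"  # constructed address for the planned secondary on eth1


def needs_relay(segment):
    """Client broadcasts reach the server only when it is on the same segment."""
    return DHCP_SERVER.ip not in segment.network


def select_scope(giaddr, scopes):
    """Choose a scope as a DHCP server does for an incoming DISCOVER.

    giaddr 0.0.0.0 means the packet arrived as a local broadcast, so the
    server's own subnet applies; otherwise the relay agent's address decides.
    Returns None when no scope matches, in which case no lease is offered.
    """
    addr = ipaddress.ip_address(giaddr)
    key = DHCP_SERVER.ip if addr.is_unspecified else addr
    return next((s for s in scopes if key in s), None)


def transfer_allowed(requester, allow_list):
    """Zone transfers (TCP 53) go only to explicitly listed secondaries."""
    return ipaddress.ip_address(requester) in map(ipaddress.ip_address, allow_list)


def plan():
    """Per Firebox interface: is relay needed, and which scope must exist."""
    return {
        name: {"relay": needs_relay(ifc), "scope": str(ifc.network),
               "relay_from": str(ifc.ip) if needs_relay(ifc) else None}
        for name, ifc in FIREBOX.items()
    }


if __name__ == "__main__":
    only_main = [ipaddress.ip_network("10.0.0.0/16")]
    all_scopes = only_main + [ipaddress.ip_network("10.10.1.0/24"),
                              ipaddress.ip_network("10.10.2.0/24")]
    for name, row in plan().items():
        print(name, row)
    print("eth1 client, main scope only:", select_scope("10.10.1.1", only_main))
    print("eth1 client, scopes added:   ", select_scope("10.10.1.1", all_scopes))
    print("transfer, empty list:", transfer_allowed(SECONDARY_DNS, []))
    print("transfer, listed:    ", transfer_allowed(SECONDARY_DNS, [SECONDARY_DNS]))
```

Listing only the secondary's address in the transfer allow-list keeps the zone contents from being pulled by any other host that can reach TCP 53 on the master.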
 
Chappydean
03-09-2005, 11:05 AM
Thanks Bill. Makes logical sense. Will take a look at your suggested areas.
Will post results.

Phillip Windell
03-09-2005, 02:22 PM
You guys ran off and left the original post in the dust... and I think you
forgot something critical there. You said:

> I have a single domain and for firewalling purposes, ...


What does that mean?

What is used as the "routing device" between the subnets?....I never saw
that stated.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Phillip Windell
03-09-2005, 02:22 PM

"Chappydean" wrote:
> Additional to my last post, I would like to set up a secondary DNS server on
> the X2500 I/F 'eth1'. But in order to do so I must be able to transfer zones
> from the master which is on the main subnet. Can ping only, not access.

Why are you making it 10 times harder and more complicated than it needs to
be? The WatchGuard box should not have anything to do with your DNS and how
the DNS works.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Chappydean
03-09-2005, 03:13 PM
The X2500 I/F's are routed I/Fs.

Secondly, the DNS server on eth1 will be set up as a public web server and
will be firewall isolated from the trusted network.

The DNS now is working on the eth1 subnet. Still working with the domain
controller issues.

Chappydean
03-14-2005, 01:03 PM
Phillip,

Another comment about WatchGuard Firebox.

The I/Fs are a data flow layered protocol that is derived from 'Trusted'
being the center. All I/Fs have to be a subnet. Data flows as follows:

Incoming - external (T1) - eth4 - eth3 - eth2 - eth1 - eth0(trusted) -
outgoing - eth0 - eth1 - eth2 - eth3 - eth4 - external.

By default, the Firebox will NOT allow any data flow incoming. Only
outgoing. The users must add a service to allow any incoming data and specify
'Any' to allow all traffic or customize to specific data flow.

I still have not been able to achieve a secondary domain controller across
the subnets. For those considering WatchGuard, consider these issues and
their support group closely.

Anyone having any suggestions as to HOW to work across this firewall, please
advise. Thanks.
