
How to use a public IP address when all others are non-routable?


williamlove (Programmer, US), Dec 7, 2007
I added a new Windows 2003 R2 server into an existing domain consisting of just one Windows 2000 SP4 server and a few XP clients.

The existing 2000 domain uses private IP addresses of the 192.168.1.xxx subnet. I had to give the new 2003 server one of them to join it to the domain. But now I want to change it to a public IP address so it can be a web server. But I still want it to be part of the domain and be able to share files and printing. And I may make it a backup domain controller.

The public IP address is part of a contiguous block of 8 that we bought from our ISP. One of the others is used in the DSL router. I think the router is what hands out the private IP addresses to the domain PCs. I put some details about this at the bottom.

Can I accomplish my goal (the posted question)? If I have to, I can give the other server, the 2000 box, a public IP address that is in the same subnet as the DSL router and the new 2003 box.

SOME DETAILS ABOUT THE ROUTER:
* Our ISP is Qwest. The 2000 server is connected to a Qwest 2-Wire DSL router.
* Under “Current Settings” it is set up with “Public Proxied Subnet (NAT/Routed).”
* Also under router’s “Current Settings” is “Private Network” and in that configuration area the router IP address is assigned to 192.168.1.1.
* In another configuration area DHCP is enabled. All the XP clients get dynamic IP addresses and they are always 192.168.1.xxx.
 
Ok there is a lot of stuff going on here. First of all, there are no "backup domain controllers" in Win2K/2K3, they are all peers. So if you make it a DC using dcpromo it will then be housing a copy of Active Directory. This means that you do NOT want to assign it a public IP as you will be exposing your AD to the Internet where the bad people live.

Secondly, you should not be using your ISP's router to do DHCP on your LAN. Set up DHCP on your existing DC and let it assign IPs on your subnet, and disable DHCP on the router. This will permit tight integration of DHCP and DNS.

Your public IPs that were assigned by your ISP are going to appear on the WAN side of your router - usually when an ISP does this on a DSL connection, you have to link routers together to take advantage of them. It's tough to explain without a diagram, but basically you would connect the LAN port of your ISP's router to a switch (say 8-port), and then connect your own router(s)' WAN port to any of the available ports on the switch, and then assign these router(s) one of the static IPs on that particular router's WAN port. You will have to go to your ISP for support on this matter, as they might have to replace/reconfigure your existing router so you can take advantage of all your static IPs.

The last thing you want is to expose any of your servers directly to the internet. I realize that in smaller setups, companies want to consolidate and save money, but at the bare minimum you need a decent SPI-capable firewall/router BEHIND your ISP's router, and that must be configured to forward web traffic to your web server. And if you are going to make the web server a DC, then unless you really know what you are doing you are asking for trouble. Maybe a 3rd-party hosting solution would be better for your company and would allow you to avoid worrying about the website going down, security issues, etc.

Hope that helps.
 
What you need to configure is a static NAT translation on the router. You need to map the public IP address you want to use to the server's internal IP address (192.168.1.x). You then obviously want to restrict what traffic is allowed to be initiated from the Internet to the host; in your case you probably just want to allow inbound connections to TCP port 80 (HTTP).
You don't want to go exposing a server directly to the Internet if you can help it, obviously. NAT is the solution you are looking for.

I agree with painofdeath's suggestions regarding DHCP & DNS - you should be handling this internally on your DC and you should disable it on the router. AD is pretty reliant on DNS, so you should really have at least one Windows 2000/2003 DC that has DNS enabled.

HTH

Andy
 
Wow, impressive replies, lots of information for me to absorb.

Since you guys went to the trouble, please let me explain a couple things and then ask a follow-up question.

I am learning about servers in my “spare time.” I talked my employer (a small business owner) into buying the 2003 box for me to learn with. I have also been studying a little ASP.net and learning about web servers and this new 2003 box is what I have to work with for that purpose.

Here is the topology:

DSL Router <---> managed switch <---> 2000 based domain, XP clients, new 2003 box

The Qwest 2-Wire DSL router (modem) has lots of configuration options (the firewall can be configured for each IP address to allow only selected applications through) and lots of ports. One of the four modem ports is connected to the switch (and the other 3 ports on the modem are unused).

The 2000 server is the domain controller and the file and print server for a few people, and a QuickBooks application server. It is aging and showing signs of trouble, so that is why I put it on the same domain and was thinking of promoting it and getting it ready for the big drill in case the 2000 box dies.

Q. If I put a separate network card in the 2003 box and run it to one of the unused ports on the modem, can this topology—combined with proper configuration—allow the new server to be a domain controller and also be a web server?
 
You don't necessarily need a separate NIC on the 2003 box to handle web traffic - maybe if you were expecting a lot of traffic, but in that case you would want a dedicated web server anyway. Don't bother plugging anything directly into the modem, just plug the servers into your managed switch and follow ADB100's advice on NAT/port forwarding.

In a nutshell, with port forwarding configured correctly the router will see the HTTP traffic and direct it to your web server. The web server in turn will initiate a session with the requester and they will then communicate through the router. This does NOT require separate NICs or plugging into any particular port on your switches and routers. And again, I want to emphasize that putting your web server on the DC is a bad idea.

My recommendation to you, and I am by no means an expert:
- promote your 2003 box to a DC
- configure it with DNS (required by AD) and DHCP
- migrate your file/print/QuickBooks sharing to the 2003 box
- demote the 2003 box from its DC role
- Wipe your 2000 box clean and do any hardware maintenance on it (new HDDs, fans, etc.) and do a clean install of 2000/2003 server
- Configure this machine as a web server and schedule regular backups of both servers so they back up their contents to each other in case one fails. Assuming you don't want to mess around with tape drives, backing up to network shares is the next best thing.

I highly recommend you go to and check out their extensive collection of videos on AD, DNS, DHCP, etc. They're not cheap but well worth it if you plan to do this as part of your ongoing job duties.
 
PainOfDeath had a good recommendation about transitioning existing server roles over to the 2K3 box, HOWEVER, if the 2K3 box is a POS (not all "servers" are created equal), then perhaps this isn't the best idea. And since it sounds like you are a novice, as you admitted, you may want to enlist someone else's help in this anyway. It can be a daunting task if you're not sure what you are doing. We have to keep in mind that this is a production environment that we are talking about.

And since everyone else is giving their two cents, here's mine. Get yourself a real firewall, like a SonicWall (maybe a TZ-180), and have your ISP convert your DSL modem to "bridge" mode. This essentially takes the NAT (network address translation) burden off of the DSL modem, and the modem is then only used for DSL pass-through. With a decent firewall, you can enable one-to-one NAT... This is where you match up a free public IP with a particular internal IP address (your 2K3 box), and only open the ports YOU specify, at that - such as web (80), smtp (25), ftp (21), etc.

It may be easiest for you to just setup port forwarding (as mentioned above) in your DSL modem... The guys were right, you definitely don't want to configure a live public IP on your box because you are then putting it right out there in the open for someone to hack into.
 
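Andy's static NAT suggestion (map one spare public address to the server's 192.168.1.x address and allow only inbound TCP/80) and the later one-to-one NAT behind an SPI-capable firewall describe the same forwarding-plus-filtering behaviour. The model below is an added example written for this page; it is not code from any poster and not the configuration syntax of the 2-Wire modem or a SonicWall. The public address 203.0.113.10, the server address 192.168.1.10 and the client address 198.51.100.7 are constructed documentation-range values. It shows why the advice in the thread keeps the domain controller off the Internet: a new connection to port 80 is translated and tracked, the server's reply is rewritten back to the public address, and connection attempts to the directory and file-sharing ports (LDAP 389, SMB 445) are dropped even though the server itself has a public address mapped to it.

```python
"""Model of one-to-one NAT for a single server with a stateful inbound filter.

Added example for this thread; constructed addresses, not a real deployment.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a new TCP connection

# A tracked flow is identified by the remote endpoint and the server port.
Flow = Tuple[str, int, int]

class StaticNatFirewall:
    """Static (one-to-one) NAT between public_ip and private_ip.

    Inbound traffic may only create state when it is a new connection (SYN)
    to one of allowed_ports; anything else from the Internet is dropped.
    """

    def __init__(self, public_ip: str, private_ip: str, allowed_ports) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip
        self.allowed_ports = frozenset(allowed_ports)
        self.established: Set[Flow] = set()

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Returns the translated packet, or None when dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to the mapped public IP
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if flow not in self.established:
            # Stateful inspection: only a SYN to an explicitly opened port
            # may create a new entry; stray packets to any port are dropped.
            if not pkt.syn or pkt.dst_port not in self.allowed_ports:
                return None
            self.established.add(flow)
        # Static NAT: rewrite the destination to the internal server address.
        return replace(pkt, dst_ip=self.private_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN for the mapped server: rewrite the source to the public IP.

        Design choice: the mapped host may always initiate outbound traffic,
        which is what a one-to-one mapping gives you. Other LAN hosts would go
        through the router's dynamic NAT and are not modelled here.
        """
        if pkt.src_ip != self.private_ip:
            return None
        return replace(pkt, src_ip=self.public_ip)

def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic exercising the rules; returns each verdict by name."""
    public, server, client = "203.0.113.10", "192.168.1.10", "198.51.100.7"
    fw = StaticNatFirewall(public, server, allowed_ports={80})
    results: Dict[str, Optional[Packet]] = {}

    # 1. New HTTP connection: allowed, translated to the internal address.
    results["http_syn"] = fw.inbound(Packet(client, 51000, public, 80, syn=True))
    # 2. Server reply: source rewritten so the client sees the public IP.
    results["http_reply"] = fw.outbound(Packet(server, 80, client, 51000))
    # 3. Follow-on data on the same connection: accepted from state, no SYN needed.
    results["http_data"] = fw.inbound(Packet(client, 51000, public, 80))
    # 4. Non-SYN packet to port 80 from a flow never seen: dropped.
    results["http_stray"] = fw.inbound(Packet(client, 51001, public, 80))
    # 5. Directory and file-sharing ports are not opened: dropped even with SYN.
    results["ldap_389"] = fw.inbound(Packet(client, 51002, public, 389, syn=True))
    results["smb_445"] = fw.inbound(Packet(client, 51003, public, 445, syn=True))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {'DROP' if verdict is None else verdict}")
```

The same behaviour is what the router's port-forwarding page or a firewall's one-to-one NAT rule gives you: the public address is reachable, but only the listed port can start a conversation, and everything the server needs for domain membership (DNS, LDAP, SMB, RPC) stays reachable only from the 192.168.1.0/24 side.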