
Promoting W2K to a DC and VPN 2


manerch
Technical User
May 3, 2003
Hello all,
I’ve been searching through the forums for a solution to my particular query I’ve seen some close responses but no cigar. So if I could impose upon all of the knowledgeable people out there I might be able to get rid of the night sweats that have been plaguing me. My question involves a brand new Win2K SP4 server that has 5 XP clients. When I set this box up, there were three win98 clients that have since been upgraded. The server is a stand alone server running WINS and DNS connected to the internet via a DSL connection with a single NIC. The network just basically uses MS Office 2K and a SQL based accounting application, no Exchange or anything else. I’m using a Linksys router as my DHCP server. There are also two remote sites that need to access the network. At first this was to be a closed network (one server and 5 clients) but the company is expanding so I want to promote the server to a DC so that it can authenticate the 5 local users (I’ve already created users and set folder permissions) and any remote users. Oh yeah, the client also wants a VPN and one of the two sites isn’t broadband. I’m not sure of the Linksys model, but I know that it’s not one specifically made for VPNs. Oh, my head!!
Hopefully that’s enough background for everyone. Now to my questions. How much trouble will it be to promote the server to a DC? I also want to change names from the abc workgroup to the abcdef domain. Can this be done or am I locked by what the workgroup was originally called? Will there be any issues regarding the IP addresses or the router acting as the DHCP server or will the wizard smooth these problems out for me? Next, I’ve been told by the software people (the whole upgrade from a P2P network to a client/server was prompted by the need for a new accounting application) that a router to router VPN will be a snap. Well not to me. So any information on setting this up would be appreciated. I guess that does it for me, for now. TIA,
Frank Manerchia
fmanerchia@comcast.net
 
I see you like to end the year with a headache, only mine is alcohol induced!

I run various Win2K servers and VPNs to remote offices pretty successfully.
Promoting the server to a DC is no problem in Win2K. In fact in Win2K they don't really refer to them as DCs any more; this tends to be an old NT label. What you will be doing is making the server an Active Directory server. You will need the Win2K server disk and use the wizards in "Configure Your Server" found in server control panel/admin tools. Choose a domain name, preferably a different one to any public name your organisation has already got, or one exclusively for internal use. If you can't obtain a registered domain name easily, use yourchoice.local (.local is the default extension for non-public domains).

I note that you have already set up folder permissions. I recommend these are changed to "Global Groups". Create intuitive names for each group of privileges, i.e. Accounts, Salary, Management, etc.

Before you begin: any workstation requiring access to this server will not be able to until you have finished your alterations. Best to do this out of hours when you are not under pressure. Each of the five XP workstations will need to be joined to the domain when the server is upgraded.

Some of the other observations I note are that the server only has one NIC. I hope that your router has a public and a private side, i.e. an IP address the internet can see, while all the machines on the private network cannot be seen? (For a test, go to and find "probe my ports".) Standard private IP ranges are 192.168.0.X, 192.168.1.X, 10.0.0.X and 172.16.0.X. I guess you understand your network should be hidden from the internet, especially since there was a pretty nasty SQL server virus a while back (make sure the default "sa" SQL server password is not blank).

I personally am not a fan of software VPN solutions. From what you have said, it sounds as though you want this one server to do everything? I.e. file server, Active Directory server, DNS, WINS, and possibly VPN.

The router-to-router VPN could be a snap. I have used products from Netscreen in the past. These are pretty cheap, from £400ish each. They have wizards that help set up a secure network using a web browser and also allow you to provide access to home/mobile workers (with a bit of software). This is good value for a small company with one or two remote offices and will keep your private network secure.

When the server is upgraded to Active Directory, you will need to join the XP workstations to the domain. Pretty straightforward. Each user on the network should be given a "Domain User" account. Do not give admin rights unnecessarily (even yourself). After the XP machines are joined to the domain, log in as a Domain User and check that you still have access to shares, etc.

Be mindful that sharing workstation printers will need to be checked; better still, get the printers onto the network directly with £120ish print server boxes. You will need to check the permissions on the shared printers.

As for dialup access, I would recommend a direct dial-up method: either an ISDN router attached to the network with Caller ID (so that it will only communicate with a recognised caller), or a modem attached directly to the server, also with Caller ID. I hope this has been of some help.
Regards ACO
 
Thanks ACO for such a speedy response.
I'm using Zone Alarm to hide my network from the internet (or at least I hope so!) Since I have a DSL modem attached to a router attached to a switch, I had thought that every node was receiving an IP Address and an Internet connection equally. Can you have two IPs with one NIC or do I need to install another NIC? It won’t be a problem to add another NIC but how do I configure it? Since everyone else on the network needs Internet access, how can I set one of the server's NICs to be seen on the web but not on the network? Would both IPs be in the 198.162.x.x range?
The server already has a modem installed, but if a client dials in, what would they have access to? (Yikes, this sounds like a stupid question. But I don’t want the clients to be on the server at all.) I just need them to access the accounting program.
As far as promoting the server, thanks for setting my mind at ease with your excellent advice. I have a question regarding the domain name as seen on the inside vs. what would be the public domain name. For example, if my workgroup name is jobro and I want to change it to jonesbrothers.com (at least to the outside world, when it comes time for it), can I keep jobro as my domain name when I install AD? This is still internal, isn't it? When I choose the internal domain name, it should be different from what I want my public domain name to be? If I were to choose jonesbrothers.com as the domain name that the outside world would see, would it still need to be registered with InterNic or someone before it could be accessed through the web?
Lastly, (how naive am I?) in order to do a router to router VPN, do the routers need to be special VPN routers?
Thank you all so much,
Frank Manerchia
fmanerchia@comcast.net
 
Hi there

Last first: router-to-router VPNs need VPN routers. I like Netscreen.com; I am sure there are hundreds of other products out there.

The jonesbrothers.com could be jonesbrothers.local to the inside world. If you mean a domain/workgroup for older Win9x and NT4, etc., you can set the AD server up in "Mixed Mode" and have both JOBRO and jonesbrothers.local.

Yes, one NIC can have two IPs, but it's not good practice since DNS is expecting one machine name and one IP address. ZoneAlarm is OK but is software. If you go with the router to router, you won't need the ZoneAlarm; else you could try using the Wingate firewall. This will allow you to add another NIC, one with the public IP and the other with the 192.168.x.x. Then the Wingate machine can be used as a proxy server, keeping the rest of the network's internet access safe. Wingate will very cleverly allow anything to happen on the private network and limited access from the internet or dialup accounts. (But you won't need this if you have a hardware firewall.)

RAS on the server: just set up permissions correctly to prevent access to the system folders, etc. You say you just want them to have access to the accounting program? How are you expecting to deliver this? Is it your intention to do this by thin client/RDP/ICA, or is the software installed on the client machine and data pulled across the network? That may be a bit slow via 56k dialup.

.local domains do not need to be registered.

Hope this helps.
Regards ACO
 
ACO,
Again, thanks so much for taking the time to answer my questions. I guess the crux of my dilemma lies in the fact that these remote sites need to enter data into the accounting program’s database. I believe that this application has a web service built into it but since the page that the remote sites need isn’t public…that’s a wash. This is why I was worrying about a VPN and promoting my server to a AD controller.
The easiest solution that I can see is to somehow make the web based portion of the application become accessible to the remote users. And I thought that the way to accomplish that depended upon me promoting the server (for authentication purposes) and establishing a web presence. (If these sound like they’re necessary.) That way, the level of security would be governed by the application alone, as they would not need to get into the network at all. Would I be talking about a separate IIS server?
I still am curious about the whole concept of the internal address and the external address. If I go into the router interface, it has a LAN address and a WAN address. Isn’t this good enough to protect the server and network? If I do install another NIC, will it have the 192.168.x..x range, and do I just prohibit one of the NICs from accessing the internet?
 
The router automatically uses NAT. I use a Linksys router and it is pretty safe; the WAN IP is the IP from your ISP and the LAN IPs are your IPs for your workstations. You can set up Terminal Services on your server for your accounting app and manage them with remote access policies. There are web-based terminal services as well; for either you just need to open the appropriate port on your router. I can't remember right off hand the port number, but if you need it I can get it.
 
Hi there

Cid seems to have answered the router problem. If the Linksys router has a built-in firewall I feel a lot more comfortable. WAN = Public and LAN = Private. Only one NIC required.

If you only have one server available, and the number of clients is likely to be a handful of periodic users, you could forget all about AD and just set up IIS on the same server. Terminal Services/RDP or ICA, which Cid and I have mentioned, is expensive if not required. I use a lot of this and our friend Bill Gates wants his fair share of vital organ parts to pay for it.

Using the VPN, set up the client machines to access the new URL for the accounts package.

However, if the company is growing and the number of offices is likely to increase, bite the bullet now: upgrade to AD, set up the VPNs and invest in a new IIS server. OK, a few pounds now, but "fit and forget" is my motto.

As for the IP/NIC problem, assuming your network is hidden behind a firewall, you do not need to have two NICs. I am a little confused why you use ZoneAlarm if you are behind a firewall?

The cheapest solution would be to have a stand-alone IIS server set up with (built-in software) VPN and issue certificates to the client machines. Map a public IP address to this single machine, i.e. public address 123.123.123.123 to 192.168.1.2. Limit TCP ports as necessary (i.e. only give them what they need).

How does the web page authenticate to the data server? Is this one single account assigned to the web server? If so, not a problem. Just limit the traffic between the IIS server and the data server to TCP port 1433, and limit the server's privileges to those needed to read/write the data. Else, use the built-in SQL server authentication. Your software vendor should advise you further on this point.

You may find useful.

If not, and with no AD installed, you will have to manage accounts on two stand-alone machines. This is very clumsy and leads to loads of support problems with passwords becoming out of sync. SQL server works best in an AD. I speak from experience.

Sorry if this has gone on a bit.
Regards ACO
 
This is very true, I am sorry I forgot the expense of the terminal services (not budget minded, not my area thank goodness). I also wonder about the Zone Alarm. The AD is a good idea and makes management, especially for future growth, much easier. With the Linksys router, if you go the IIS route (a good idea) you can create a DMZ for it; what this does is set the IIS server separate from your internal network, so you can make it public. There are security concerns but using ports and some research these can be worked out. Linksys has good documentation at their site.
 
Thank you all for the great information. As far as my router, I'm pretty sure that it doesn't have a firewall built into it. At home I also have a Linksys router which displays a WAN (68.80.x.x) and a LAN (192.168.x.x) address, but I have two NICs at home (well, one NIC and one WAP). The one at the business uses 192.168.x.x LAN and 151.197.x.x WAN. I'm getting confused... my home network runs from the cable coming in to the cable modem to the router and out of the back of the router to a NIC, then a USB WAP is plugged into the computer. The business network has a telephone line coming into the DSL modem, cat5 from there to the router, back of the router to switch, every other computer to switch, but with no firewall enabled on the router. So why is there a LAN address and a WAN address? Is this what NAT is?
On second or third or ninth thought, it seems like a dial-up connection may be the easiest setup to allow remote access.
 
The router has it automatically; all that is seen from the Internet is the public IP. NAT is there by default. You can tell if you go to a site that checks your ports for security; there are several but I don't know them right off. Linksys has the documentation at their site. Do a Google search for Linksys and NAT. The router also has DHCP functionality that is enabled by default, the same as if you configure a PC to do NAT (Win2K or above): then it automatically starts handing out IPs. Yes, NAT means that the router takes the packet bound for the internet, strips the PC IP address from it, then replaces it with the public IP before it sends it out. Keep in mind, this is not 100% protection, but I have never been hit at home. NAT = Network Address Translation. The only IP that the public sees is what you show on the public IP information on the router. You can open ports for different apps, like Terminal Services or VPN, by going to the Advanced tab then the Forwarding tab, I believe.
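An added illustration of what Cid describes above (example code written for this page, not from any poster or vendor): a constructed Python model of a SOHO NAT router that rewrites a workstation's private source address to the WAN address on the way out, translates the reply back, and drops unsolicited inbound packets unless the admin has added a forwarding rule. The WAN address, LAN hosts, and port numbers are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port

@dataclass
class NatRouter:
    """Constructed model of a home/SOHO NAT router: one WAN (public) side, one LAN side."""
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # WAN port -> (LAN ip, LAN port), set by admin
    table: dict = field(default_factory=dict)     # WAN port -> (LAN ip, LAN port), learned
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> internet: strip the private source, replace it with the WAN address."""
        if not ipaddress.ip_address(pkt.src).is_private:
            raise ValueError(f"{pkt.src} is not a private LAN address")
        lan = (pkt.src, pkt.sport)
        wport = next((p for p, l in self.table.items() if l == lan), None)
        if wport is None:                 # first packet from this LAN socket: allocate a mapping
            wport, self.next_port = self.next_port, self.next_port + 1
            self.table[wport] = lan
        return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: only translate replies to known mappings or admin port forwards."""
        target = self.table.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                   # unsolicited: no LAN host is reachable, packet dropped
        return Packet(pkt.src, pkt.sport, target[0], target[1])

def demo():
    """Walk one workstation's web request and one unsolicited probe through the router."""
    router = NatRouter(wan_ip="151.197.0.1")                    # constructed sample WAN address
    router.forwards[3389] = ("192.168.1.10", 3389)              # admin forwards Terminal Services
    out = router.outbound(Packet("192.168.1.20", 51000, "203.0.113.5", 80))
    reply = router.inbound(Packet("203.0.113.5", 80, router.wan_ip, out.sport))
    probe = router.inbound(Packet("198.51.100.9", 4444, router.wan_ip, 1433))   # SQL port probe
    ts = router.inbound(Packet("198.51.100.9", 4444, router.wan_ip, 3389))
    return out, reply, probe, ts
```

The probe to port 1433 returns None (dropped) while the forwarded 3389 reaches the LAN host, which is why every forwarded port is a hole in the "hidden network" and should be opened only for the service that needs it.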
 
Cid,
This makes sense! I'm hoping that a firewall on top of the router's NAT will offer another level of protection. Thanks for your informative reply. You and ACO have been great. I've learned so much from the both of you. Have a happy new year!!
 
You're very welcome. Happy new year to you too. Maybe you will be able to offer help to someone else when you have set up your network. Cid, I dare say we will stumble on each other's comments in other threads. Regards ACO
 
Happy new year to you both and good fortune to you. ACO, I hope we do.
 