newbie lost in trying to setup NAT

Discussion in 'Server Networking' started by vvu, Sep 2, 2004.

  1. vvu

    vvu Guest

    Hi im a newbie here and any suggestion would help as i am
    confused with setting up a NAT for my home AD network.
    I have a cable connection which provides a dynamic ip. i
    have a 2003 server acting as a DNS,DHCP for the AD network
    and 2 client pc's.
    the server has 2 NIC's in which 1 is for the internal
    network(static ip) and the other connected to the cable
    modem(dynamic ip). im not too sure on how to setup a NAT
    and forward DNS queries(is that theory correct) but i have
    info on it. i am confused as to how would i redirect
    queries to the NIC connected to the modem if the NIC
    connected has a dynamic ip.
    can anyone assist please?
    thanks in advance.
     
    vvu, Sep 2, 2004
    #1

  2. vvu

    Bill Grant Guest

    You do not redirect DNS queries to one of your NICs. You redirect them to
    a DNS server in the public domain (such as the one at your ISP).

    When you have AD set up, your clients must use the local DNS service to
    find AD services. To access Internet sites they need to be able to resolve
    names which your local DNS server does not know about. So your local DNS
    must know how to forward these requests.

    Without AD, the usual system is to use the NAT router as a DNS relay.
    The client sends DNS requests to the NAT router. The router forwards the
    DNS requests to a remote DNS server. This won't work with AD because the AD
    clients must use the local DNS server, not the server at your ISP.
     
    Bill Grant, Sep 2, 2004
    #2

  3. vvu

    vvu Guest

    Thanks for the quick reply.
    just a little confused. i understand that the server can't
    resolve internet queries. how would i be able to get the
    server to resolve dns queries for the client pc's?
    the NIC(connected to the modem) TCP/IP info is all on
    dynamic(IP & DNS),client pc's are configured to the
    server's dns.
    do i need to configure the NIC(connected to internal
    network) for the ISP's DNS? if so how because there is no
    DNS IP specified on the NIC(connected to the modem).

    thanks again.
     
    vvu, Sep 2, 2004
    #3
  4. If you enable Internet Connection Sharing (ICS) on the NIC that is
    connected to the cable modem, you have enabled NAT. ICS has a built-in DHCP
    and DNS server, so you don't want to deploy DNS and DHCP as well as ICS. If
    you do, nothing will work correctly.

    I don't recall if you can disable DHCP and DNS in ICS, you will need to
    read the Help. Otherwise you will need to disable or uninstall the DHCP and
    DNS services on the server.



    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    James McIllece [MS], Sep 2, 2004
    #4
  5. vvu

    vvu Guest

    Oh ok, so if I uninstall or disable DNS and DHCP will I
    still be able to run an Active Directory Network without
    any issues?
     
    vvu, Sep 3, 2004
    #5
  6. Talked to a couple of people over here and changed my mind about your best
    course of action.

    Instead of using ICS for NAT, you can use NAT in Routing and Remote Access
    Service (RRAS) without disabling DNS and DHCP on the server. See the Help
    topic called "Deploying network address translation" in Windows Server 2003
    Help and Support Center on your PC, or on the Web at
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_rras-ch3_06d.asp.

    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    James McIllece [MS], Sep 3, 2004
    #6
  7. vvu

    vvu Guest

    i have looked at that document and have attempted it but i
    am still having trouble connecting clients to the internet.
    i think the problem is that i dont know the ip for the
    isp's dns server. when i go into tcp/ip properties of the
    NIC(connected to the modem) it is all on automatic(IP and
    DNS settings). if i did an 'ipconfig /all' i get 2 dns
    server ip's but when i add them in it wont work.
    if my isp provides me with automatic settings does that
    mean i cant setup a NAT?
    by the way thanks for all your help James.
     
    vvu, Sep 4, 2004
    #7
  8. vvu

    vvu Guest

    i have now confirmed that the isp's DNS ip addresses are
    correct. but they still are not working.
    does it matter that the tcp/ip properties of the NIC
    (connected to the modem) are all on automatic?
    do i need to configure anything on the clients?
    the clients NIC settings are currently on auto for IP
    addressing and DNS.
    when i try to access an internet address i get an ie6
    error 'cannot find server or dns error'

    thanks again.
     
    vvu, Sep 4, 2004
    #8
  9. vvu

    Bill Grant Guest

    If you are using Active Directory, you cannot have your clients using the
    default DHCP settings of your router. An Internet NAT router gives its
    clients a default gateway setting of itself (which is fine) and a DNS
    address of itself (which is not OK for AD).

    If you want to use the NAT router as your DHCP server, you will have to
    modify it to give out your DC's IP address for DNS, not its own IP.

    To test this, set up a client manually to have the router as its default
    gateway but your DC as its DNS address.

    Can your server now access the Internet?
     
    Bill Grant, Sep 4, 2004
    #9
  10. vvu

    vvu Guest

    sorry im not too sure what you mean by.. "you cannot have
    your clients using the default DHCP settings of your
    router."

    at the moment the clients are using dynamic ip and
    automatic dns settings.
    so do you mean i should set the clients dns to point to
    the DC(which runs as NAT,DHCP,DNS)?

    this is what i have done so far with no success.
    i have installed a NAT with the "Routing and Remote Access
    Server Setup Wizard".
    I selected "Create a new demand dial interface to the
    internet" option and selected the NIC that will connect to
    the internet.
    then i went into 'administrative tools-Routing and Remote
    Access',expanded 'my server-IP Routing' and there are 3
    interfaces. there is the one that i created with the
    wizard and an 'internal' and 'external' one. should i
    configure all of these? or should i just configure the one
    that i created?

    then i configured forwarders. in 'administrative tools-
    DNS' i right click the server then in the 'forwarders' tab
    i click on 'new' then type in the ISPs DNS IPs and
    click 'add'.

    sorry if i seem a little slow, im still new at this and im
    really eager to get this working!
    thanks for all your help guys.
     
    vvu, Sep 6, 2004
    #10
  11. vvu

    Bill Grant Guest

    I think you had better start again and tell us exactly how your network
    is configured and what you are trying to achieve. A simple diagram would
    help. I was under the impression that you had a router connected to the
    Internet and two NICs in the server. Now you say you are using a dialup
    connection through a modem.
     
    Bill Grant, Sep 7, 2004
    #11
  12. vvu

    Bill Grant Guest

    OK, that makes sense. That is a valid way to set up Internet access for a
    home network (without AD). It really depends on how your ISP handles things.

    Creating a demand-dial interface and using that as your Internet
    connection is the normal situation if you use dialup or if the cable modem
    is directly connected to the server. If you connect to the Internet from a
    second NIC, you do not normally need to use this method. You can use the NIC
    as your Internet interface.

    So the first thing to work out is exactly how your Internet connection
    works. Can your server connect to and browse the Internet without setting
    up a demand-dial interface? If it can, you do not need to set up a
    demand-dial interface. You can use the second NIC as your public interface
    for NAT.

    The other complication is Active Directory. The normal setup for NAT is
    to use NAT to allocate addresses and other settings to LAN clients (NAT has
    a built in allocator or mini-DHCP server) . NAT also acts as a DNS relay to
    send DNS requests on to your ISP. This fails for AD because the clients
    must use local DNS to find AD services.

    To use your server as an AD server running its own DNS and DHCP, you
    have to disable both of these options. You disable the allocator by not
    giving it any addresses to allocate. You disable DNS relay by not ticking
    the name resolution box in NAT.

    When you have stopped NAT from trying to do these things, you have to
    allow them to happen on your server. You have to configure DNS to forward
    requests to a public DNS service (such as your ISP). You need to configure
    DHCP to give clients the correct IP address and netmask, default gateway and
    DNS address. You then must authorise your DHCP server in AD so that it will
    operate.

    If you decide this is all too much, run dcpromo again to remove AD. You
    can then use NAT to give Internet access to your LAN machines, using its
    built in allocator and DNS proxy.
     
    Bill Grant, Sep 8, 2004
    #12
  13. vvu

    Guest Guest

    ok so let me see if i get it.
    my server can connect and browse the internet ok so i dont
    have to create a demand dial.
    i really want to use AD and AD cannot exist without DNS
    so i'd have to...
    disable NAT from allocating IPs and stop the NATs DNS to
    relay queries?
    -so to disable NATs DNS i untick the name resolution box
    in NAT. with this do you mean the properties for internal
    or external interface in the 'Routing and Remote Access'
    mmc?
    -and how do i disable NAT to allocate IPs?
    -to configure forwarding DNS was i doing it correctly?
    i go into DNS via admin tools, go into properties of my
    server, then 'forwarders' tab and in the 'selected
    domain's forwarder IP address' box type in the ISPs DNS IP
    and click add?

    -when you say 'need to configure DHCP to give clients the
    correct IP address and netmask, default gateway and
    DNS address'
    can't i have my DHCP server allocate any IP address to the
    clients as long as they are all in the same subnet?(for
    example my servers IP is 192.168.1.1 and subnet
    255.255.255.0 i configure the DHCP to distribute IPs in
    the range of 192.168.1.5-192.168.1.10 with subnet
    255.255.255.0)
    with the default gateway, how do i set that up on the
    clients? because if i have the clients setup for obtain IP
    automatically i cant put in a gateway in the TCP/IP
    properties. I'd have to provide them with static IPs. does
    that make sense? because in the TCP/IP properties its
    either one or the other option.
    also do i have to setup client pcs to direct queries to my
    server?
    so if my server's IP is 192.168.1.1 i have to add that to
    the clients TCP/IP-DNS properties?
    -and when you say 'must authorise your DHCP server in AD
    so that it will operate.'
    my 2003 server runs as a DHCP,DNS,AD so isnt it already
    authorized when i set it up? because my AD network works
    fine just not the internet connection.

    thanks again for all your help.
     
    Guest, Sep 9, 2004
    #13
  15. vvu

    Bill Grant Guest

    The settings in 2003 NAT are slightly different from 2000. I note you are
    running 2003.


    1. In the RRAS console, go to the NAT/Basic Firewall section. Your internal
    NIC should have the "private interface connected to private network" button
    set on. Your external NIC should have the "public interface connected to the
    Internet" button set, and the "enable NAT on this interface" and the "enable
    a basic firewall .. " boxes checked. On the Address Pool tab, there should
    be no addresses displayed ( so that NAT cannot try to act as a mini-DHCP
    server). So NAT is active, but not doing the DHCP bit itself.

    2. Yes, that sounds correct for the DNS forwarding. Your clients should now
    be able to resolve both local and Internet names from this server.

    3. When you configure your DHCP server, you need to make sure that it gives
    the clients the correct gateway and DNS addresses. If your server is the
    gateway and DNS server, then use its private LAN IP as the gateway and DNS
    address (192.168.1.1 in your case).

    4. The DHCP server must be registered with Active Directory before it can
    operate. The setup wizard may have done that for you if it is already working.

    After you have the server configured, check the settings on your client.
    They should be set to obtain IP and DNS from DHCP. Then do an ipconfig
    /release to release the current settings and allow them to get a new config
    from DHCP. Then do an ipconfig /all to check that they have received the
    correct settings for default gateway and DNS from your DHCP server.
     
    Bill Grant, Sep 10, 2004
    #15
  16. vvu

    Bill Grant Guest

    Also make sure you have not configured a default gateway on the private
    NIC. This should be blank. The only default gateway on this machine should be
    to the Internet via the public NIC.
     
    Bill Grant, Sep 12, 2004
    #16
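
The `ipconfig /all` check from post #15 and the blank-gateway rule from post #16, automated as an added example (not code posted by anyone in the thread). The sample outputs are constructed, and treating any client DNS server other than the DC as a finding is an assumption of this sketch.

```python
import re

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {adapter: {field: [values]}}."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            fields, last = adapters.setdefault(m.group(1), {}), None
        elif fields is not None:
            m = FIELD.match(line)
            if m:
                last, value = m.group(1).strip(), m.group(2).strip()
                fields[last] = [value] if value else []
            elif line.strip() and last:
                fields[last].append(line.strip())  # wrapped extra value, e.g. 2nd DNS
    return adapters

def check(adapters, role, dc_ip):
    """role is 'client' or 'server'; dc_ip is the server's private LAN IP."""
    findings = []
    for name, f in adapters.items():
        gw, dns = f.get("Default Gateway", []), f.get("DNS Servers", [])
        if role == "client":
            if gw != [dc_ip]:
                findings.append(f"{name}: gateway {gw} should be {dc_ip}")
            # Assumption: any DNS server other than the DC counts as a finding.
            if dns != [dc_ip]:
                findings.append(f"{name}: DNS {dns} should be only {dc_ip}")
        elif dc_ip in f.get("IP Address", []) and gw:
            findings.append(f"{name}: private NIC gateway {gw} should be blank")
    return findings

# Constructed sample output (trimmed to the relevant fields), not from the thread.
CLIENT_OK = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
# Same client, but DHCP also handed out an outside resolver as a second DNS server.
CLIENT_BAD = CLIENT_OK + " " * 44 + "203.0.113.53\n"
SERVER_BAD = """
Ethernet adapter Internal:
        IP Address. . . . . . . . . . . . : 192.168.1.1
        Default Gateway . . . . . . . . . : 192.168.1.254

Ethernet adapter External:
        IP Address. . . . . . . . . . . . : 198.51.100.20
        Default Gateway . . . . . . . . . : 198.51.100.1
"""

if __name__ == "__main__":
    print(check(parse_ipconfig(SERVER_BAD), "server", "192.168.1.1"))
```
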
  17. vvu

    vvu Guest

    i still cant get it to work,i've done everything stated in
    previous posts.
    on the xp client i have put in the default gateway under
    the dns tab to point to the server(192.168.1.1). it looked
    promising as previously when typing in an internet address
    in ie6 it would go straight to 'page cannot be displayed
    dns or server error' but now it at least looks like it
    searches for it but in the end receives the same error.

    the NIC connected to the internet on the server has all
    settings on auto which works fine when browsing and
    things. i have the DNS IPs of my ISP, so should i be
    putting them in instead of having them on auto?
     
    vvu, Sep 13, 2004
    #17
  18. vvu

    Bill Grant Guest

    Why do you have your ISP DNS server address configured on your server? If
    you are using AD it should be pointing to its own local DNS server. And why
    are you configuring your clients manually if you are using DHCP?

    If you are using your AD server as an Internet router, it is best to
    keep things as simple as possible. It is best if the server's public IP does
    not register at all with DNS (and also disable Netbios over TCP/IP on it).
    The only entry in DNS for your server should be its private IP. And the only
    DNS server it should know about is your local DNS server.
     
    Bill Grant, Sep 13, 2004
    #18
  19. vvu

    vvu Guest

    sorry about this but im still new to this and im confused
    now.
    i dont have my ISPs DNS configured on my server. the NIC
    connected to the internet has its TCP/IPs properties all
    set to auto.(is that ok?)
    so do you mean the NIC connected to my internal network
    should have the DNS server as itself(192.168.1.1)? i
    already have done this, so is there anything else i need
    to configure on this NIC?
    so the only place where the ISPs DNS IP is configured is
    in the forwarding in DNS console?

    so with the clients, i should leave all their settings to
    automatic?
    so you're saying i dont need to configure any gateways or
    DNS settings on the clients?
    dont i have to add my DNS server(192.168.1.1) for the
    client pcs?

    sorry about this but im a little confused.
     
    vvu, Sep 14, 2004
    #19
  20. vvu

    Bill Grant Guest

    No, you do not need to configure all the settings manually on your
    clients. That is what you have DHCP for. You set the clients to obtain an IP
    address automatically and to obtain their DNS server automatically. You
    configure your DHCP server to give your clients the information they
    require. The clients will get this info from the DHCP server by broadcasting
    on the LAN when they boot up.
     
    Bill Grant, Sep 15, 2004
    #20