w2k3 server across subnets

Discussion in 'Server Networking' started by Chappydean, Mar 8, 2005.

    I have a single domain that, for firewalling purposes, I subnetted within a
    class A network.

    My basic question is HOW do I manage DNS and PDC across the subnets?

    1. DNS, PDC and DHCP are all on the main subnet.
    2. Can ping all IP addresses from any subnet.
    3. NSLOOKUP points to proper DNS Ips.
    4. IPCONFIG /ALL shows the proper DNS suffix for the NICs but nothing for
    the Windows IP Configuration DNS suffix on the remote subnet.
    5. NET VIEW \\DNSIPADDRESS from the remote subnet returns 'Path Not Found'.
    6. Have tried enabling and using LMHOSTS.

    Have searched and read articles until I am cross-eyed with blurred vision.
    All indicate that this can be done, but no HOW TO. Statements like
    "Configure DNS". Okay, great. Configure what in the DNS? (This is just an
    example.)

    So, I am looking for how do I manage DNS and domain control across subnets?

    Any suggestions? Thanks in advance.
     
    Chappydean, Mar 8, 2005
    #1

    Since you are using private addresses, it would be easier for us if you
    specified what IP addresses and netmasks you are actually using.

    How are these subnets connected? What is acting as a router between
    them?

    A simple diagram of your network (with IP addresses and subnet masks)
    would help, e.g.

    server
    10.0.0.7/24 dg 10.0.0.1
    |
    workstations
    10.0.0.x/24 dg 10.0.0.1
    |
    10.0.0.1/24 dg blank
    router
    10.0.3.1/24 dg blank
    |
    workstations
    10.0.3.x/24 dg 10.0.3.1

    If you are not familiar with the 10.0.0.1/24 notation, the /24 just
    indicates the number of bits in the netmask used. (24 bit netmask is
    255.255.255.0).
     
    Bill Grant, Mar 9, 2005
    #2

    Thanks Bill, Here is my layout.

    WatchGuard X2500 External: T1

    Server: 10.0.1.2/16 dg: 10.0.1.1 WatchGuard Firebox x2500 Trusted I/F
    (eth0)
    Workstations: 10.0.1.3-xxx/16 dg: 10.0.1.1

    Subnet1 - X2500 optional I/F (eth1): 10.10.1.1/24
    Workstations: 10.10.1.2-xxx/24 dg: 10.10.1.1

    Subnet - X2500 expanded I/F (eth2): 10.10.2.1
    Workstations: 10.10.2.2-xxx/24 dg: 10.10.2.1

    Thanks for the response.
     
    Chappydean, Mar 9, 2005
    #3

    Sorry, I am new and not sure if I am posting in the correct area. May belong
    in DNS section.

    In addition to my last post, I would like to set up a secondary DNS server
    on the X2500 I/F 'eth1'. But in order to do so I must be able to transfer
    zones from the master, which is on the main subnet. Can ping only, not
    access.
     
    Chappydean, Mar 9, 2005
    #4

    That looks OK. DHCP will not issue the network config to machines on the
    /24 subnets unless you set up scopes for them in DHCP. You will probably
    also need to change some setting on the WatchGuard (DHCP relay, DHCP helper
    or similar) for it to forward the DHCP requests to the server on the /16
    subnet. The WatchGuard has interfaces in the /24 subnets, but the DHCP
    server doesn't (so it cannot get these requests directly). The WatchGuard
    must forward the DHCP messages it receives to the DHCP server. (They come as
    LAN broadcasts, which don't cross routers).

    You should be able to set up a DNS secondary zone on a server in one of
    these subnets. Remember that you need to modify the setting on the original
    DNS server to allow this to happen. From memory it is not allowed by default
    in W2k3.
     
    Bill Grant, Mar 9, 2005
    #5
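
The relay point in the reply above is easy to get wrong in practice, so here is a worked model of it. This is an added example, not code from the thread, from WatchGuard or from Microsoft; it uses the addresses posted in this thread (server 10.0.1.2/16, Firebox interfaces 10.0.1.1/16, 10.10.1.1/24 and 10.10.2.1/24) and the relay-agent behaviour from RFC 1542/2131 (the relay unicasts the client's broadcast to the server with giaddr set to the arrival interface, and the server chooses a scope from giaddr). The client MAC and scope option values are constructed for the example.

```python
"""Why a DHCP server on the /16 cannot serve the /24 subnets by itself.

Constructed model (not code from the thread or from WatchGuard/Microsoft).
Addresses are the ones posted; relay semantics follow RFC 1542/2131.
"""
import ipaddress
from dataclasses import dataclass

BROADCAST = "255.255.255.255"


@dataclass
class Discover:
    """A DHCPDISCOVER as the next hop sees it."""
    client_mac: str
    src: str
    dst: str
    giaddr: str = "0.0.0.0"   # stays 0.0.0.0 unless a relay agent touched it


class DhcpServer:
    def __init__(self, address, scopes):
        self.address = ipaddress.ip_interface(address)
        # scope network -> options the scope hands out (router, DNS server)
        self.scopes = {ipaddress.ip_network(n): o for n, o in scopes.items()}

    def select_scope(self, pkt):
        """RFC 2131 4.3.1: a non-zero giaddr names the client's subnet;
        a zero giaddr means the client is on the server's own link."""
        if pkt.giaddr == "0.0.0.0":
            key = self.address.ip
        else:
            key = ipaddress.ip_address(pkt.giaddr)
        for net, opts in self.scopes.items():
            if key in net:
                return net, opts
        return None   # no scope covers that subnet: no OFFER is sent


class Router:
    """Routed interfaces. Link-local broadcasts are never forwarded; with a
    relay configured the router re-originates the DISCOVER as a unicast to
    the DHCP server, stamping giaddr with the arrival interface address."""

    def __init__(self, interfaces, relay_to=None):
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.relay_to = relay_to

    def arrival_interface(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for iface in self.interfaces:
            if ip in iface.network:
                return iface
        raise ValueError(f"{client_ip} is not on any router interface")

    def forward(self, pkt, arrival):
        if pkt.dst != BROADCAST:
            return pkt                       # ordinary unicast: routed as usual
        if self.relay_to is None:
            return None                      # broadcast stops at the router
        return Discover(pkt.client_mac, src=str(arrival.ip),
                        dst=self.relay_to, giaddr=str(arrival.ip))


def simulate(client_ip, server, router, mac="00:11:22:33:44:55"):
    """Return what happens to a DISCOVER sent by client_ip (MAC is constructed)."""
    pkt = Discover(mac, src="0.0.0.0", dst=BROADCAST)
    if ipaddress.ip_address(client_ip) not in server.address.network:
        pkt = router.forward(pkt, router.arrival_interface(client_ip))
        if pkt is None:
            return "dropped: broadcast not forwarded and no relay configured"
    chosen = server.select_scope(pkt)
    if chosen is None:
        return f"no-scope: server has no scope covering giaddr {pkt.giaddr}"
    net, opts = chosen
    return f"offer from scope {net} router={opts['router']} dns={opts['dns']}"


if __name__ == "__main__":
    firebox = Router(["10.0.1.1/16", "10.10.1.1/24", "10.10.2.1/24"])
    server = DhcpServer("10.0.1.2/16",
                        {"10.0.0.0/16": {"router": "10.0.1.1", "dns": "10.0.1.2"}})
    print(simulate("10.10.1.50", server, firebox))   # dropped at the router
    firebox.relay_to = "10.0.1.2"
    print(simulate("10.10.1.50", server, firebox))   # relayed, but no /24 scope
    server.scopes[ipaddress.ip_network("10.10.1.0/24")] = {
        "router": "10.10.1.1", "dns": "10.0.1.2"}
    print(simulate("10.10.1.50", server, firebox))   # offer from 10.10.1.0/24
```

The three runs in the usage section are the three states the thread goes through: no relay (the DISCOVER never leaves the /24), relay but no matching scope (the server receives the request but has nothing to offer for giaddr 10.10.1.1), and relay plus a scope for each remote subnet. The scope's router option must be the Firebox interface on that subnet, not the trusted-side 10.0.1.1.
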

    Thanks Bill. Makes logical sense. Will take a look at your suggested areas.
    Will post results.
     
    Chappydean, Mar 9, 2005
    #6
    You guys ran off and left the original post in the dust... and I think you
    forgot something critical there. You said:
    What does that mean?

    What is used as the "routing device" between the subnets?....I never saw
    that stated.
     
    Phillip Windell, Mar 9, 2005
    #7
    Why are you making it 10 times harder and more complicated than it needs to
    be? The WatchGuard box should not have anything to do with your DNS and how
    the DNS works.
     
    Phillip Windell, Mar 9, 2005
    #8

    The X2500 I/F's are routed I/Fs.

    Secondly, the DNS server on eth1 will be setup as a public web server and
    will be firewall isolated from the trusted network.

    The DNS now is working on the eth1 subnet. Still working with the domain
    controller issues.
     
    Chappydean, Mar 9, 2005
    #9

    Phillip,

    Another comment about WatchGuard Firebox.

    The I/Fs are a data flow layered protocol that is derived from 'Trusted'
    being the center. All I/Fs have to be a subnet. Data flows as follows:

    Incoming - external (T1) - eth4 - eth3 - eth2 - eth1 - eth0(trusted) -
    outgoing - eth0 - eth1 - eth2 - eth3 - eth4 - external.

    By default, the Firebox will NOT allow any data flow incoming. Only
    outgoing. The users must add a service to allow any incoming data and specify
    'Any' to allow all traffic or customize to specific data flow.

    I still have not been able to achieve a secondary domain controller across
    the subnets. For those considering WatchGuard, consider these issues and
    their support group closely.

    Anyone having any suggestions as to HOW to work across this firewall, please
    advise. Thanks.
     
    Chappydean, Mar 14, 2005
    #10
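
To make the policy model described in the post above concrete, here is a small evaluator for it. This is an added example and not WatchGuard code or a real Firebox configuration; the semantics are an assumption taken from the post's description (eth0 is the trusted centre, "incoming" means toward a more trusted interface, outgoing is allowed by default, incoming needs an added service with 'Any' or a specific match, and broadcasts are never carried between interfaces). Flow and service objects, including the "dns-xfer" service name, are constructed for the example.

```python
"""Evaluator for the interface-ordered, default-deny-incoming policy the post
describes. Constructed example; not WatchGuard code. Semantics are an
assumption taken from the post's description of the Firebox.
"""
from dataclasses import dataclass

# Trust order from the post, most trusted first.
TRUST_ORDER = ["eth0", "eth1", "eth2", "eth3", "eth4", "external"]


@dataclass(frozen=True)
class Flow:
    src_iface: str
    dst_iface: str
    proto: str                # "tcp" or "udp"
    dport: int
    broadcast: bool = False   # link-local broadcast (e.g. a NetBIOS name query)


@dataclass(frozen=True)
class Service:
    """An allow rule the administrator adds; 'Any' matches every interface."""
    name: str
    proto: str
    dport: int
    from_iface: str = "Any"
    to_iface: str = "Any"

    def matches(self, flow):
        return (self.proto == flow.proto and self.dport == flow.dport
                and self.from_iface in ("Any", flow.src_iface)
                and self.to_iface in ("Any", flow.dst_iface))


def direction(flow):
    """Incoming = toward a more trusted interface (lower index in TRUST_ORDER)."""
    if TRUST_ORDER.index(flow.dst_iface) < TRUST_ORDER.index(flow.src_iface):
        return "incoming"
    return "outgoing"


class Firebox:
    def __init__(self):
        self.services = []

    def add_service(self, svc):
        self.services.append(svc)

    def evaluate(self, flow):
        if flow.broadcast:
            return "drop: broadcasts are not forwarded between interfaces"
        if direction(flow) == "outgoing":
            return "allow: outgoing by default"
        for svc in self.services:
            if svc.matches(flow):
                return f"allow: service {svc.name}"
        return "drop: incoming denied by default"


if __name__ == "__main__":
    fb = Firebox()
    # Secondary DNS on eth1 pulling a zone (AXFR, TCP/53) from the master on eth0
    axfr = Flow("eth1", "eth0", "tcp", 53)
    print(fb.evaluate(axfr))                       # drop: incoming denied by default
    fb.add_service(Service("dns-xfer", "tcp", 53, from_iface="eth1", to_iface="eth0"))
    print(fb.evaluate(axfr))                       # allow: service dns-xfer
    # A NetBIOS name-query broadcast from eth1 never reaches the trusted subnet
    print(fb.evaluate(Flow("eth1", "eth0", "udp", 137, broadcast=True)))
```

Run through this model, the two outcomes in the thread fall out directly: the zone transfer is a unicast TCP/53 flow from eth1 toward eth0, so it is dropped until a service is added and allowed afterwards, whereas anything that relies on a link-local broadcast is dropped no matter which services exist. When adding the service, restrict it to the secondary's interface and the master's interface rather than 'Any', so the public web server on eth1 is the only host that can reach TCP/53 on the trusted side.
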

    Final post here. Finally got to tier one support for WatchGuard. The Firebox
    product will not allow 'broadcasts' across the interfaces. Therefore the
    secondary domain controller must reside on the 'trusted' network subnet.

    Thanks to all input.
     
    Chappydean, Mar 15, 2005
    #11
    And it should never be any other way. Anything else is just a bad network
    design.
     
    Phillip Windell, Mar 15, 2005
    #12