Windows 2003 Tricky question in regards to DNS and ISP DNS


antiparadox@gmail.com

Hiya all,

I am gonna build a network and this is what it's gonna look like (I
hope),

http://i16.tinypic.com/4rafpn7.jpg

PC1 : Windows XP Professional
PC2 : Windows 2003 Server
PC3 : Windows XP Professional

the big question I have now is the following, people here have already
told me I should set up forwarders in my Windows 2003 DNS section, or
just forget about using them and just stick with the root hints
already in there.

But my big issue with this is, my PC2 isn't supposed to be online all
the time, it's actually a fileserver that I occasionally boot so I can
transfer my files to. But the way people here suggested I set it
up (like you can see in the picture), implies that I have PC2 running
at all times.

Every PC on that screenshot has two NICs, so I can use two UTP cables
on each, so my question really is, is there some way that I can set up
my network in such a way that I still have a properly functioning
domain whilst also having the ability of having PC2 offline and the
rest of the PCs (PC1 and PC3) being able to surf the internet?

I already asked if I could not just do it like this,

http://i10.tinypic.com/4p29gk1.jpg

so to use an alternate DNS for both these clients, and they said this
would cause huge problems and my clients not knowing to what they
should resolve DNS.

So how do I make this work the way I would like?
 
Hello,

It's OK to have a secondary DNS that is your ISP. What is bad is that if
your PC2 is nearly never online, you may experience slow DNS resolution
(always trying that offline PC2 before the working one).
If you put the ISP DNS primary, then you will always surf great, but will
never have a good domain/DNS config.

If this server is always down, you would prefer a simple workgroup instead
of an active directory domain.

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


<antiparadox@gmail.com> wrote in message
news:1187721571.424464.304890@a39g2000hsc.googlegroups.com...
> Hiya all,
>
> I am gonna build a network and this is what it's gonna look like (I
> hope),
>
> http://i16.tinypic.com/4rafpn7.jpg
>
> PC1 : Windows XP Professional
> PC2 : Windows 2003 Server
> PC3 : Windows XP Professional
>
> the big question I have now is the following, people here have already
> told me I should set up forwarders in my Windows 2003 DNS section, or
> just forget about using them and just stick with the root hints
> already in there.
>
> But my big issue with this is, my PC2 isn't supposed to be online all
> the time, it's actually a fileserver that I occasionally boot so I can
> transfer my files to. But the way people here suggested I set it
> up (like you can see in the picture), implies that I have PC2 running
> at all times.
>
> Every PC on that screenshot has two NICs, so I can use two UTP cables
> on each, so my question really is, is there some way that I can set up
> my network in such a way that I still have a properly functioning
> domain whilst also having the ability of having PC2 offline and the
> rest of the PCs (PC1 and PC3) being able to surf the internet?
>
> I already asked if I could not just do it like this,
>
> http://i10.tinypic.com/4p29gk1.jpg
>
> so to use an alternate DNS for both these clients, and they said this
> would cause huge problems and my clients not knowing to what they
> should resolve DNS.
>
> So how do I make this work the way I would like?
>
 
Well hello there again Mathieu,

Well it's not always offline, but then again it really isn't supposed
to be online all the time, so that's why I was struggling with this
little matter and the suggestions offered here.

But you're saying there's no way I can take advantage of the two NICs
I have on each PC, maybe in such a way that I set it up like this,

http://i16.tinypic.com/4rafpn7.jpg

but sneakingly also have a second NIC set up that I use for when I
wanna connect to the internet. Then this way I'll only bring online my
LAN NICs when I need them and vice versa. So if I wanna use my domain
I disable my internet NIC and activate my LAN NIC, and vice versa.
 
Hello antiparadox@gmail.com,

Sorry but it's me also again, why would you make so many difficulties? I think
you are very afraid that somebody will break into your network. A lot of routers
have built-in firewalls; on the workstations you can install free software
firewalls. Why would you make all this additional work that is not really
necessary? Just keep control of your event logs and the services you are running
and it will work like a charm without preparing all this additional work
of configuring NICs and stopping and starting NICs.

Best regards

Meinolf Weber (Myweb)
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Well hello there again Mathieu,
>
> Well it's not always offline, but then again it really isn't supposed
> to be online all the time, so that's why I was struggling with this
> little matter and the suggestions offered here.
>
> But you're saying there's no way I can take advantage of the two NICs
> I have on each PC, maybe in such a way that I set it up like this,
>
> http://i16.tinypic.com/4rafpn7.jpg
>
> but sneakingly also have a second NIC set up that I use for when I
> wanna connect to the internet. Then this way I'll only bring online my
> LAN NICs when I need them and vice versa. So if I wanna use my domain
> I disable my internet NIC and activate my LAN NIC, and vice versa.
>
 
Well Meinolf, you hit the nail on the head there, I am indeed
extremely paranoid, and I don't just have any router, I have a
professional company router, it cost me about 1000 euros but that's a
price I gladly paid for good security. In 10 years' time I haven't had
a single virus or penetration (nasty word I know but ya know what I
mean), my security knowledge and awareness of things out of the
ordinary is far better than my networking skills, so that's why I was
asking this. Since this is the first time I am using Windows 2003
Server, I am still on unfamiliar ground in regards to its security,
and one extra PC behind the internet for me is one extra thing to
worry about.
 
Good security when you don't have time/knowledge:

- Windows Update every second Tuesday of the month (install them!)
- Antivirus up to date / Windows Defender once a month
- Firewall up on workstation
- Use a non-administrator account for daily tasks
- Anti-phishing on IE 7 may help

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


<antiparadox@gmail.com> wrote in message
news:1187731135.627675.324600@r34g2000hsd.googlegroups.com...
> Well Meinolf, you hit the nail on the head there, I am indeed
> extremely paranoid, and I don't just have any router, I have a
> professional company router, it cost me about 1000 euros but that's a
> price I gladly paid for good security. In 10 years' time I haven't had
> a single virus or penetration (nasty word I know but ya know what I
> mean), my security knowledge and awareness of things out of the
> ordinary is far better than my networking skills, so that's why I was
> asking this. Since this is the first time I am using Windows 2003
> Server, I am still on unfamiliar ground in regards to its security,
> and one extra PC behind the internet for me is one extra thing to
> worry about.
>
>
>
>
 
Hello antiparadox@gmail.com,

Ok, I am not a security guy, but if you have configured your router in
a proper way for security and do not use the server or workstations for browsing,
there must really be someone outside who is interested to find a way to
break your router first then prepare packets to communicate to your machines,
because the router uses NAT for workstation traffic and so on. Maybe you
can post to the microsoft.public.windows.server.security ng with a question
about configuring security for your network. That can be the better ng for
this kind of question than the server.general ng.

Best regards

Meinolf Weber (Myweb)
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Well Meinolf, you hit the nail on the head there, I am indeed
> extremely paranoid, and I don't just have any router, I have a
> professional company router, it cost me about 1000 euros but that's a
> price I gladly paid for good security. In 10 years' time I haven't had
> a single virus or penetration (nasty word I know but ya know what I
> mean), my security knowledge and awareness of things out of the
> ordinary is far better than my networking skills, so that's why I was
> asking this. Since this is the first time I am using Windows 2003
> Server, I am still on unfamiliar ground in regards to its security,
> and one extra PC behind the internet for me is one extra thing to
> worry about.
>
 
I know all about setting up good ingress egress rules for my router,
every PC has its own rules what it can and can't do, I guess I'll just
have to set up my Windows 2003 Server in such a way that it can only
use the DNS ports and that's as far as it goes.

And I'll check out that NG you proposed, maybe they have some good
policies I can test.

Thnx again guys
 
I am waiting for you on the security ng :)
lol

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


<antiparadox@gmail.com> wrote in message
news:1187733032.378270.281250@d55g2000hsg.googlegroups.com...
> I know all about setting up good ingress egress rules for my router,
> every PC has its own rules what it can and can't do, I guess I'll just
> have to set up my Windows 2003 Server in such a way that it can only
> use the DNS ports and that's as far as it goes.
>
> And I'll check out that NG you proposed, maybe they have some good
> policies I can test.
>
> Thnx again guys
>
>
 
Yeah see you there, as soon as this damn switch arrives in the mail :(
Cuz I'm gonna start from scratch and reinstall my Windows 2003, I do
not believe in fixing an already corrupted setup, better start fresh,
too many errors in event log hehehe.

So see you there in a couple of days.
 