Tags: dhcp, dns
#1
AD, DNS and DHCP question

I've got a few questions that I'd like to get help with.

First: this is my setup

    AD -|
    C1 -|
    C2 -|---> Stand Alone ISA Firewall (With DNS and DHCP server) --> Internet
    C3 -|

The reason the DHCP and DNS are on a different machine than the AD is because I need to be able to move the AD from time to time, and the people remaining still need the firewall+DHCP, not the AD, since they don't use it.

Recently, I tried to join the firewall to the domain because I needed them to share user lists. However, that was not possible, since the DHCP went down and clicking Authorize only gave me errors like there already being a DHCP with higher priority, even though I had removed all references to the old one. Is it even possible to join a stand-alone DHCP to the existing domain as a client machine?

Then I got the brilliant idea to set up a secondary Domain Controller on the firewall, which could handle login requests and such in the absence of the standard one. Here the second question kicks in: when I ping the FQN/short name of my domain from within the network, I get the right IP; if I nslookup the short name, I get the FQN. The firewall/DNS machine, however, cannot ping/nslookup the FQN/short name at all; it gives the internet IP, not the IP of the internal AD. I believe this is because the firewall does not use the internal DNS as its default DNS server, but instead uses the WAN one. How do I change the priority/order Windows uses for DNS lookup?

//Regards.
#2
Re: AD, DNS and DHCP question

Howdie!

Roze wrote:
> I've got a few questions that I'd like to get help with.
>
> First: this is my setup
> AD -|
> C1 -|
> C2 -|---> Stand Alone ISA Firewall (With DNS and DHCP server) --> Internet
> C3 -|
>
> The reason the DHCP and DNS are on a different machine than the AD is because
> I need to be able to move the AD from time to time, and the people remaining
> still need the firewall+DHCP, not the AD, since they don't use it.

You move AD around? Between servers?

> Then I got the brilliant idea to set up a secondary Domain Controller on the
> firewall, which could handle login requests and such in the absence of the
> standard one.

There is nothing brilliant about that idea. You simply don't put your AD on the internet. You don't pair it with ISA on a machine either.

> Here the second question kicks in: when I ping the FQN/short name of my
> domain from within the network, I get the right IP; if I nslookup the short
> name, I get the FQN.
> The firewall/DNS machine, however, cannot ping/nslookup the FQN/short name at
> all; it gives the internet IP, not the IP of the internal AD. I believe this
> is because the firewall does not use the internal DNS as its default
> DNS server, but instead uses the WAN one. How do I change the priority/order
> Windows uses for DNS lookup?

You probably want to change the binding order of the protocols on those NICs. Other than that, I'd remove the DNS server from that ISA server and have it refer to the domain controller. The domain controller, having DNS installed, needs to be configured to forward requests to your ISP/a different authoritative DNS source.

Cheers,
Florian
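Added example, not from the thread or from Florian: a PowerShell check-and-fix for the resolver configuration on the firewall host that the answer above describes, written for Windows 8/Server 2012 or later, where the interface metric takes the place of the old NIC binding order. It assumes the placeholders corp.example for the domain, 192.168.1.10 for the DC running DNS, 203.0.113.53 for the ISP resolver, and NIC aliases LAN and WAN; it does not touch ISA itself.

```powershell
# Added example (not from the thread). Run elevated on the firewall host.
# Placeholders, adjust to your environment:
$Domain = 'corp.example'     # AD domain name
$DcDns  = '192.168.1.10'     # internal DC running DNS
$LanNic = 'LAN'              # alias of the inside NIC
$WanNic = 'WAN'              # alias of the ISP-facing NIC

# 1. Diagnosis: which DNS servers each NIC feeds to the resolver, and the
#    interface metric (lower wins). A WAN NIC carrying the ISP's DNS server
#    with the lower metric produces exactly the symptom in the thread:
#    the domain name resolves to the public IP instead of the DC.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric | Format-Table -AutoSize

# 2. Ask the internal DNS directly and compare with the default resolver.
#    The DC locator SRV record must come back from the internal server;
#    the ISP's DNS knows nothing about _msdcs.
$viaDc = Resolve-DnsName -Name $Domain -Type A -Server $DcDns -ErrorAction SilentlyContinue
$viaDefault = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue
"Via DC ($DcDns): $Domain -> $($viaDc.IPAddress -join ', ')"
"Via default resolver: $Domain -> $($viaDefault.IPAddress -join ', ')"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcDns |
    Select-Object Name, NameTarget, Port

# 3. Fix: only the inside NIC hands a DNS server (the DC) to the resolver,
#    the WAN NIC carries none, and the inside NIC gets the better metric so
#    its settings are preferred. Internet names still resolve because the
#    DC's DNS forwards them to the ISP (step 4).
Set-DnsClientServerAddress -InterfaceAlias $LanNic -ServerAddresses $DcDns
Set-DnsClientServerAddress -InterfaceAlias $WanNic -ResetServerAddresses
Set-NetIPInterface -InterfaceAlias $LanNic -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $WanNic -AddressFamily IPv4 -InterfaceMetric 50
Clear-DnsClientCache

# 4. On the DC (DnsServer module), so its DNS answers internal names itself
#    and forwards everything else to the ISP resolver (placeholder address):
#    Set-DnsServerForwarder -IPAddress 203.0.113.53 -PassThru
```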
#3
Re: AD, DNS and DHCP question

> Howdie!
>
> Roze wrote:
>> I've got a few questions that I'd like to get help with.
>>
>> First: this is my setup
>> AD -|
>> C1 -|
>> C2 -|---> Stand Alone ISA Firewall (With DNS and DHCP server) -->
>> Internet
>> C3 -|
>> The reason the DHCP and DNS are on a different machine than the AD is
>> because I need to be able to move the AD from time to time, and the
>> people remaining still need the firewall+DHCP, not the AD, since they
>> don't use it.
>
> You move AD around? Between servers?

Well, I go to LAN parties, and I need my domain to be working there as well. And since the clients are configured to sync the entire user profile against the AD (not My Documents; it's mapped directly), transferring ~5 GB of data takes way too long. Thus I came up with the idea of creating two identical firewall/DNS/DHCP machines, one for LAN use and one for home use. As I mentioned, the firewall at home needs to remain, since my family uses it for internet access, not domain access. I know this is complicated, unprofessional and probably stupid. But it gives me what I want as long as it works.

>> Then I got the brilliant idea to set up a secondary Domain Controller
>> on the firewall, which could handle login requests and such in the
>> absence of the standard one.
>
> There is nothing brilliant about that idea. You simply don't put your
> AD on the internet. You don't pair it with ISA on a machine either.

I needed the firewall to share accounts with the domain so that VPN would work as I wanted it to and be firewalled. Also, this method seems to be working right now; however, I have yet to see whether the system will work when the two current AD servers are separated. And I won't turn the LAN one into a Domain Server, since that one has no use for domain access.

>> Here the second question kicks in: when I ping the FQN/short name of
>> my domain from within the network, I get the right IP; if I nslookup
>> the short name, I get the FQN.
>> The firewall/DNS machine, however, cannot ping/nslookup the FQN/short
>> name at all; it gives the internet IP, not the IP of the internal AD.
>> I believe this is because the firewall does not use the internal
>> DNS as its default DNS server, but instead uses the WAN one. How do I
>> change the priority/order Windows uses for DNS lookup?
>
> You probably want to change the binding order of the protocols on those
> NICs. Other than that, I'd remove the DNS server from that ISA server
> and have it refer to the domain controller. The domain controller,
> having DNS installed, needs to be configured to forward requests to your
> ISP/a different authoritative DNS source.
>
> Cheers,
> Florian