Three homed DMZ
Three homed DMZ - 12.May2001 7:38:00 AM   
Neal

 

Posts: 36
Joined: 13.Apr.2001
From: New Zealand
Status: offline
Hello there.
A couple of questions about a three homed DMZ.
First, where should I put the Active Directory? Can I put it on the ISA server?

I am trying to install an Exchange server in the DMZ, but Exchange setup can't see the AD (on the ISA server). I can ping to and from the DMZ, but nothing else. I have an IP packet filter that allows all from the DMZ to all remote computers.
Do I have to stop and restart the firewall service if I change a packet filter?

The DNS server is also on the ISA server. Where should it be? I get the feeling I should have another server on the LAN with AD and DNS on it... ?


Thanks, Neal

Post #: 1
RE: Three homed DMZ - 13.May2001 12:24:00 AM   
vanzelone

 

Posts: 39
Joined: 9.Apr.2002
From: Illinois
Status: offline
O.K. I am in the same situation you are in. I have a three-homed server as well with a DMZ and an internal network. I have a similar problem but I think I'm like one little step ahead. Here are some pointers.

If you have all of your Internet traffic coming into the ISA box, then don't put anything else on it. Not DNS Server, not WINS server, NOT ADS, not ANYTHING! The reason for this is in the event that someone does break into that box there is NOTHING there.

For your internal network I would start by installing Active Directory Services (ADS) on a server in your INTERNAL network. When you do this make sure you choose a Fully Qualified Domain Name (FQDN) for the active directory domain name that is NOT registered with InterNIC. For instance, if your name is Bob Barker and you own the domain barker.com you DON'T want to use barker.com for your Active Directory Domain name. Use something like home.barker.com or headquarters.barker.com. This way there won't be any conflict between your INTERNAL DNS server and your ISP's public DNS server(s).

***Make sure that you DON'T have a DNS Server installed on this machine before you install Active Directory Services (ADS). This way, the ADS installation wizard will prompt you to AUTOMAGICALLY install AND configure it for you. Although BEWARE, you should have your Windows 2000 Server or Advanced Server disc in the drive, otherwise the DNS installation will time out when it goes to copy needed files and DNS won't be configured correctly***

Once ADS is installed on your internal server, configure every (internal) adapter on every computer in your network to use that address for the DNS server in the TCP/IP settings. For instance, if the adapter on your DNS server is 192.0.0.1, then go into the TCP/IP settings on every computer and enter 192.0.0.1 for the Primary DNS server. Remember only the INTERNAL adapters. Don't change your external adapter on the ISA server.

Next, I would install RIP on a server in each subnet. In a three homed scenario you would install RIP on the ISA server, the internal server, and the DMZ server. Make sure that RIP is enabled for EACH adapter on the server that it is installed on. For instance RIP should be enabled for all three adapters on your three homed server. RIP can be configured from the 'Routing and Remote Access' application and is found in the Administrative Tools window. Once you open the Routing and Remote Access program refer to the help on RIP. The configuration is very straightforward and simple. Once you have RIP and DNS installed on a server in all three subnets you should have connectivity across your network in terms of PINGing each machine.

My next step would be to install ADS on the DMZ server. You'll need ADS on this server in case you want to use some of the advanced features of programs such as SQL Server 2000, or Exchange 2000. Installing ADS as a Child Domain of the first AD domain you created allows you to do two things. First, you can browse the directory from any machine and benefit from a unified Active Directory. Second, you can control security by giving the Parent Domain control over the Child Domain. i.e. You can have a user in the Parent Domain manage both domains, while users and objects in the child domain have NO access to the Parent Domain. This time when you install ADS pick a Fully Qualified Domain name that exists within the Parent Domain. For instance, if you used home.barker.com in your parent domain then use something like dmz.home.barker.com for your Child Domain. This will benefit you in the next step... WINS.

Lastly, I would install a WINS Server on one of the Windows 2000 server machines on your internal network. Remember, DNS resolves an IP address to a Fully Qualified Domain Name (FQDN) and WINS resolves an IP address to a NETBIOS name. These names are very different. In order to browse your network or use applications that rely on NETBIOS naming you will need WINS in addition to DNS. If you only have one server on your internal network you can install a WINS Server on the same box you installed your DNS Server. Installation and configuration are pretty straightforward. Just make sure to point all of your clients to use that machine as the WINS Server the same way you pointed them to the DNS Server. Basically you have to modify the TCP/IP settings for each INTERNAL adapter to point to that address for the WINS server. For instance, if you installed your WINS Server at 192.0.0.1 then you must enter 192.0.0.1 for the WINS on every INTERNAL adapter on every machine across the network.

After you have ADS, DNS, RIP, and WINS installed correctly, you should be able to browse from any machine to any other machine as long as you have the correct user rights.

Hope this is helpful...

------------------
Thanks,

Vince


(in reply to Neal)
Post #: 2
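As an added example (not code from the thread), here is a small Python design check that encodes the placement rules from the post above: nothing but the firewall on the ISA box, an AD name that does not collide with the registered public domain, a DMZ domain that is a child of the internal one, and every non-firewall host pointed at the internal DNS and WINS server. Host names, addresses and domain names are constructed sample data.

```python
from dataclasses import dataclass, field

# Roles the firewall host may carry; anything beyond this is a finding.
FIREWALL_ROLES = {"firewall"}

@dataclass
class Host:
    name: str
    segment: str                      # "firewall", "internal" or "dmz"
    roles: set = field(default_factory=set)
    dns_server: str = ""              # primary DNS set on the host's internal adapter
    wins_server: str = ""             # WINS server set on the same adapter

def is_subdomain(child: str, parent: str) -> bool:
    """True when child is strictly below parent, e.g. dmz.home.barker.com under home.barker.com."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c != p and c.endswith("." + p)

def check_design(hosts, public_domains, ad_root, dmz_child, internal_dns, internal_wins):
    """Return a list of findings; an empty list means the plan follows the post's rules."""
    findings = []
    for h in hosts:
        extra = h.roles - FIREWALL_ROLES
        if h.segment == "firewall" and extra:
            findings.append(f"{h.name}: {sorted(extra)} should not run on the ISA box")
        if h.segment != "firewall":   # only the internal adapters get re-pointed
            if h.dns_server != internal_dns:
                findings.append(f"{h.name}: DNS is {h.dns_server or 'unset'}, expected {internal_dns}")
            if h.wins_server != internal_wins:
                findings.append(f"{h.name}: WINS is {h.wins_server or 'unset'}, expected {internal_wins}")
    if ad_root.lower() in {d.lower() for d in public_domains}:
        findings.append(f"AD domain {ad_root} collides with your registered public domain")
    if not is_subdomain(dmz_child, ad_root):
        findings.append(f"DMZ domain {dmz_child} is not a child of {ad_root}")
    return findings

def sample_findings():
    """Constructed plan mirroring the original poster's setup: AD and DNS still on the ISA box."""
    hosts = [
        Host("isa", "firewall", {"firewall", "ad", "dns"}),
        Host("exch", "dmz", {"exchange"}, dns_server="192.0.0.1", wins_server="192.0.0.1"),
        Host("pc1", "internal", set(), dns_server="10.0.0.1", wins_server="192.0.0.1"),
    ]
    return check_design(hosts, ["barker.com"], "barker.com", "dmz.home.barker.com",
                        internal_dns="192.0.0.1", internal_wins="192.0.0.1")

if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
```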
RE: Three homed DMZ - 15.May2001 2:14:00 AM   
Neal

 

Posts: 36
Joined: 13.Apr.2001
From: New Zealand
Status: offline
Thanks for your reply. I really appreciate the time you put into it.

Reading what you have said, and what Tom put into another post of mine, I guess I am going to struggle until I can get another server to be the AD and DNS (and DHCP etc) server for the LAN. Then I can remove AD from the ISA machine.

Tom, I appreciate what you are saying about a back to back configuration being superior, but there is no way the boss will let me go that way, especially as that would require another server, and another copy of ISA. The question then becomes, can I have private IP addresses on my servers on the DMZ (three homed ISA server)? I thought I could have only one real public IP, and all the servers on the DMZ could be private and that by 'publishing?' the servers in ISA, they could be seen.

Thanks, Neal Blackie.


(in reply to Neal)
Post #: 3
RE: Three homed DMZ - 15.May2001 5:23:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Neal,

You can have two internal NICs, one for the private network and one for the publicly available servers. However, this isn't really a DMZ because the traffic between the two internal networks is not partitioned by the ISA Server. You would have to use other methods, such as IPSec, to control access between the two *internal* networks, if that is a priority for you.

HTH
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to Neal)
Post #: 4