Dns for Advanced Server 2000 running IIS in workgroup

Guest

I am new to doing web stuff. I am taking my company's old web server offline. It has a lot of issues. I have talked with Microsoft reps before and they have informed me that a web server should be in a workgroup, not on a domain. That's how the old server was set up and that's how I'm configuring the new one. The only problem is when I installed DNS I get a 414 error about the single label host name. So I'm wondering if I'm doing it right, if there is something else I can do, or do I just ignore the error? Because our old server gets the same error; it has since I started working here a year and a half ago. Thanks in advance .........ART
 
Herb Martin

Art said:
> I am new to doing web stuff. I am taking my company's old web server offline. It has a lot of issues. I have talked with Microsoft reps before and they have informed me that a web server should be in a workgroup, not on a domain.

That is not always correct information, and in fact there is no strong reason for the recommendation in most cases.

As a general rule it is bad advice but might be correct in specific cases.

> That's how the old server was set up and that's how I'm configuring the new one. The only problem is when I installed DNS I get a 414 error about the single label host name.

Single label DNS names are bad anyway and not directly related to the workgroup problem if you give the machine a DNS name with at least a two-label base (there is a button there) and CLEAR the check box that says the DNS name should follow the domain membership, just in case it follows the workgroup name.

> So I'm wondering if I'm doing it right, if there is something else I can do, or do I just ignore the error? Because our old server gets the same error; it has since I started working here a year and a half ago. Thanks in advance .........ART

No, fix the error by giving the machine a 3 label name, e.g., machine plus at least a two label domain name.

DNS servers don't like to use single label zone names.
 
Guest

Thanks Herb. Is it OK for me to leave it in a workgroup? I know on an AD machine the machine name is like server.us.domain.com or whatever. How would I fix it if I wanted to leave it in a workgroup? Do I change the actual machine name or do I change the workgroup, and could you give me an example to base off of?

Herb Martin said:
> That is not always correct information, and in fact there is no strong reason for the recommendation in most cases.
>
> As a general rule it is bad advice but might be correct in specific cases.
>
> Single label DNS names are bad anyway and not directly related to the workgroup problem if you give the machine a DNS name with at least a two-label base (there is a button there) and CLEAR the check box that says the DNS name should follow the domain membership, just in case it follows the workgroup name.
>
> No, fix the error by giving the machine a 3 label name, e.g., machine plus at least a two label domain name.
>
> DNS servers don't like to use single label zone names.
 
Herb Martin

Art said:
> Thanks Herb. Is it OK for me to leave it in a workgroup?

Yes.

IF that fits your needs.

Mostly domains are about making it easy to grant/deny access to (domain) users AND to manage and control the machine in a centralized manner.

If you have 100 web servers (like an Amazon or some such) then being able to apply standard group policy or other settings might be a big issue.

> I know on an AD machine the machine name is like server.us.domain.com or whatever. How would I fix it if I wanted to leave it in a workgroup? Do I change the actual machine name or do I change the workgroup, and could you give me an example to base off of?

No, you make the machine name something like: server, www, web378, but set the DOMAIN name (the MORE button under the machine name) to something like: yourdomain.com

This may be slightly different dialog wording on Win2000 -- I looked at the System Control Panel Computer Name tab for my Win2003 server -- but they are similar.

The workgroup name can still be: workgroup, web, whatever.

Workgroup names are restricted by NetBIOS rules so you cannot have multipart names, but you can still give the machine a DNS name.

BTW, this is usually only an issue for a DNS server -- why are you running DNS server on this machine?

It is best to leave your DNS (servers) with the REGISTRAR in almost all cases.
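As an added example (not code from anyone in this thread), here is a small Python checker for the naming rule Herb gives in both of his replies above: the computer name plus the primary DNS suffix should give at least three labels, so that the zone the DNS server ends up serving has at least two labels. The sample names (WEBSERVER, web378, www.local) and the suffix yourdomain.com are constructed for illustration, and the label rules follow RFC 1035/1123 hostname syntax.

```python
"""Added example (not from the thread): check whether a Windows host's
computer name plus primary DNS suffix gives a DNS name with enough labels.
The advice above is: machine label + a domain suffix of at least two
labels, i.e. three labels in total. Sample names below are constructed."""

import re

# RFC 1035 / RFC 1123 host label: letters, digits, hyphens; no leading or
# trailing hyphen; 1..63 characters.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_fqdn(host_name: str, primary_dns_suffix: str) -> str:
    """Join the computer name and the primary DNS suffix the way Windows
    forms the machine's full computer name (empty suffix = single label)."""
    suffix = primary_dns_suffix.strip().strip(".")
    host = host_name.strip().strip(".")
    return f"{host}.{suffix}" if suffix else host


def check_dns_name(fqdn: str) -> dict:
    """Return a report for a proposed full computer name.

    ``ok`` is True only when every label is syntactically valid, the whole
    name fits in 253 characters, and the zone part (everything after the
    host label) has at least two labels, which is what avoids the
    single-label-zone complaint from the DNS server.
    """
    stripped = fqdn.strip(".")
    labels = stripped.split(".") if stripped else []
    problems = []
    if not labels:
        problems.append("empty name")
    if len(stripped) > 253:
        problems.append("name longer than 253 characters")
    for lab in labels:
        if not LABEL_RE.match(lab):
            problems.append(f"invalid label {lab!r}")
    zone_labels = labels[1:]
    if len(labels) == 1:
        problems.append("single-label host name (no DNS suffix set)")
    elif labels and len(zone_labels) < 2:
        problems.append("single-label zone; use a suffix such as yourdomain.com")
    return {
        "fqdn": fqdn,
        "host": labels[0] if labels else "",
        "zone": ".".join(zone_labels),
        "label_count": len(labels),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample names: the workgroup machine as it was (single
    # label), the suggested host + two-label suffix, and a one-label suffix.
    for name, suffix in [("WEBSERVER", ""), ("web378", "yourdomain.com"),
                         ("www", "local")]:
        report = check_dns_name(build_fqdn(name, suffix))
        print(report["fqdn"], "OK" if report["ok"] else report["problems"])
```

The check is purely on the name; it does not touch the registry or the System control panel, so it can be run anywhere before deciding what to type into the Computer Name dialog.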
 
Leythos

Herb Martin said:
> That is not always correct information, and in fact there is no strong reason for the recommendation in most cases.
>
> As a general rule it is bad advice but might be correct in specific cases.

I hate to say this, but we've got lots of IIS servers and NEVER put them in the company domain or any other domain for that matter. Since access from the web servers to the SQL or Oracle servers can be done through ports and with passing a user/password through the port, there is NO reason to use a domain authentication model in most cases.

Imagine linking just the web servers in the same AD group; when one gets compromised they all get exposed.

I have 12 servers in this location, each one has the Administrator account renamed and each one has a different name than the others. There are no two accounts between the systems that share a common name or password.

They are all in the DMZ and very easy to manage, and it's done from the LAN using firewall rules that permit traffic by port from the one management station's IP:port to their IP:ports, and the software does not expose any of the standard MS ports.

With this method we've NEVER had our servers or our customers' servers compromised, even when running IIS 4, and the SQL servers have never been hacked either.

Take the advice of MS, don't put your Web Servers or the MS SQL servers being accessed by the web servers in the same forest/domain as your local computers. As a side note, you can access MS SQL resources by user/pwd without being a member of the domain that the MS SQL servers are in.
 
Herb Martin

>> As a general rule it is bad advice but might be correct in
> I hate to say this, but we've got lots of IIS servers and NEVER put them in the company domain or any other domain for that matter.

Perfectly fine, but someone had told him he needed to do it this way -- as a general, flat rule it is worthless advice.

> Since access from the web servers to the SQL or Oracle servers can be done through ports and with passing a user/password through the port, there is NO reason to use a domain authentication model in most cases.

If you have no reason for domain authentication then you are right. This is not true for many people.

> Imagine linking just the web servers in the same AD group; when one gets compromised they all get exposed.

This would just be bad admin practices; the compromise of one Web server (or any workstation or server in a domain) should never lead directly to the compromise of others.

> I have 12 servers in this location, each one has the Administrator account renamed and each one has a different name than the others.

I do that too, but it is practically irrelevant to rename the admin account.

> There are no two accounts between the systems that share a common name or password.

Now you're talking. It is so common for people to use the same password, especially for workgroup machines, then when one is compromised they all are.
 
Guest

Thanks for the info. The other server had DNS running. I didn't really know if it needed it or not. If it doesn't, I have no problem removing it. The original server is the only machine on the network; it has a full T1 to itself. There are 3 computers that connect to it through a hub only for file transfers, occasionally. I'm going to add this second one to be a web server only. Our original server was running IIS and IMail and I guess that SMTP would not work on the machine because IMail was using it or something like that. So we are going to use the old server for IMail only and the new server for web only.
 
Leythos

> Thanks for the info. The other server had DNS running. I didn't really know if it needed it or not. If it doesn't, I have no problem removing it. The original server is the only machine on the network; it has a full T1 to itself. There are 3 computers that connect to it through a hub only for file transfers, occasionally. I'm going to add this second one to be a web server only. Our original server was running IIS and IMail and I guess that SMTP would not work on the machine because IMail was using it or something like that. So we are going to use the old server for IMail only and the new server for web only.

I'm kind of confused about your post, but here's my $0.02.

The public access systems need to be in a proper firewall DMZ area with only the necessary public access service ports forwarded to them. This means 80/443 to the web servers, and 25 to the email server (and possibly 443 for SSL based web mail).

From the protected network area (where your workstations are) you would allow things like FTP, HTTP, HTTPS, SMTP, POP/IMAP (if needed) and a couple of others through to the DMZ area. This would let you browse the servers' web sites, send/fetch email, and fetch/put files using FTP on those servers.

I would run FileZilla Server FTP on the servers in the DMZ, but don't provide public access to them for FTP, only provide LAN > FTP > DMZ access - the FileZilla Server is a much better FTP service than MS's and it's very robust and easy to set up.

If you had a DNS server accessible via the public, then you may be hosting your own DNS information - you need to make sure before you yank that server.

If you set things up in a proper secure manner, you will need an internal DNS server so that you can browse your own sites while behind the firewall, for instance: when behind the firewall you want your www.mycompany.com site to resolve to the internal DMZ IP of 192.168.x.Y, not the public IP; you can't route through, out, and back in using the public IP like that. So, you set up an internal DNS server and create matching entries, but they point to your internal IP addresses for those systems.

Oh, when making a reply, it's best to reply at the bottom of the thread, clipping what you don't need to reply to.
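As an added example (not code from anyone in this thread), here is a small Python model of the layout Leythos describes above: a default-deny firewall policy between Internet, LAN and DMZ in which only the listed service ports are forwarded to the web and mail hosts, the one management station is allowed through on a non-standard port, the standard Microsoft ports are never exposed, and a split-horizon DNS lookup that answers LAN clients with the DMZ address of the www host instead of the public IP. The address plan (192.168.10.0/24 LAN, 192.168.20.0/24 DMZ), the management port, the host names and the zone name mycompany.example are all constructed assumptions, and the flows are evaluated on the post-NAT DMZ addresses.

```python
"""Added example (not from the thread): firewall policy evaluation for an
Internet/DMZ/LAN layout plus a split-horizon DNS lookup. Every address,
port and name here is a constructed assumption."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")
DMZ = ipaddress.ip_network("192.168.20.0/24")
WEB_DMZ = "192.168.20.10"
MAIL_DMZ = "192.168.20.20"
MGMT_STATION = "192.168.10.5"
MGMT_PORT = 8443              # non-standard management port (assumption)
WEB_PUBLIC = "203.0.113.10"   # documentation range, stands in for the real public IP
MS_PORTS = {135, 137, 138, 139, 445}  # standard MS ports, never exposed


def zone_of(ip: str) -> str:
    """Classify an address as LAN, DMZ or INTERNET by the constructed plan."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "LAN"
    if addr in DMZ:
        return "DMZ"
    return "INTERNET"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Ordered allow rules: (source zone or exact IP, destination zone or exact IP, ports).
RULES = [
    ("INTERNET", WEB_DMZ, {80, 443}),              # public web
    ("INTERNET", MAIL_DMZ, {25, 443}),             # SMTP in, SSL webmail
    (MGMT_STATION, "DMZ", {MGMT_PORT}),            # management station only
    ("LAN", "DMZ", {21, 80, 443, 25, 110, 143}),   # FTP, HTTP(S), SMTP, POP, IMAP
]


def firewall_decision(flow: Flow) -> str:
    """Return 'ALLOW' or 'DENY' for a flow. Standard Microsoft ports are
    denied before any rule is consulted; anything not explicitly allowed
    is denied (default deny)."""
    if flow.dport in MS_PORTS:
        return "DENY"
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for src_match, dst_match, ports in RULES:
        src_ok = src_match in (flow.src, src_zone)
        dst_ok = dst_match in (flow.dst, dst_zone)
        if src_ok and dst_ok and flow.dport in ports:
            return "ALLOW"
    return "DENY"


# Split-horizon records: one name, two answers depending on who asks.
INTERNAL_VIEW = {"www.mycompany.example": WEB_DMZ}
EXTERNAL_VIEW = {"www.mycompany.example": WEB_PUBLIC}


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Internal view for LAN/DMZ clients, public view for everyone else, so
    a LAN browser reaches the DMZ address directly instead of trying to
    hairpin out through the public IP and back in."""
    view = EXTERNAL_VIEW if zone_of(client_ip) == "INTERNET" else INTERNAL_VIEW
    return view.get(name.lower().rstrip("."))


if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", WEB_DMZ, 80),          # public web: allowed
        Flow("198.51.100.7", WEB_DMZ, 21),          # public FTP: denied
        Flow("192.168.10.33", WEB_DMZ, 21),         # LAN FTP to DMZ: allowed
        Flow("192.168.10.33", WEB_DMZ, 445),        # SMB anywhere: denied
        Flow("192.168.10.33", WEB_DMZ, MGMT_PORT),  # ordinary LAN host: denied
        Flow(MGMT_STATION, WEB_DMZ, MGMT_PORT),     # management station: allowed
    ]
    for f in samples:
        print(f"{f.src:>15} -> {f.dst}:{f.dport}  {firewall_decision(f)}")
    print(resolve("www.mycompany.example", "192.168.10.33"))
    print(resolve("www.mycompany.example", "198.51.100.7"))
```

The rule table is evaluated in order with a default deny at the end, which is the behaviour a real firewall in the DMZ layout above should have; the MS-port block sits before the table so no later rule can accidentally open 135/139/445 from the LAN to the DMZ.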
 
Guest

Leythos, thanks for all your input. I myself am a little confused as far as the web stuff goes here. I know that things are not set up right or secure. My background is a simple technician. So for the past year I have been trying to figure this place out. This company I work for hosts like 45 websites. They have a full T1 line to one web server. One Cisco router running NAT, and they are doing all of their port mapping on that Cisco router. Our company is located inside a warehouse of a machinery company whose owner my boss knows. Anyway, all the computers are on their network, which uses a DSL line. The two networks are totally separate, except for 3 computers. The two web guys were whining about slow FTP speeds from the DSL to the web server. So I added an extra NIC to the 3 PCs and plugged them into a small hub that the web server was on all by itself. I added the addresses to those machines statically and did not give them the gateway address for the T1 line so I would not create a loop or anything. So that's how their network is set up here. Each domain that is hosted is parked with its registrar and points to our outside addresses that we have from our provider, and the router forwards them to the right internal address. And they let some of their clients do their own web stuff so they give them access to FTP. It doesn't seem all that secure to me but I don't really know much about web stuff to put my own $0.02 in. Any ideas would be much appreciated.
 
