AD, DNS, and Firewall/NAT/PAT


I have an Active Directory and Exchange 2003 setup on my Windows Server 2003 Standard box just fine. I can resolve my domain and all that goodness inside my network. Problem is, I also want to host my website on the internet for that domain on my box too. I can do it separately by configuring IIS and the DNS properly, but when I have AD running, it keeps messing up my DNS settings.

I'm behind a little wired Linksys home router. I have ports 53 and 80 forwarded to my server, and it works just fine without Active Directory on, but AD just messed up the WAN IPs I set up for the name server and host entries. It sets them back to my local network's class C IP automatically.

I was wondering if there's a way I can have the hosts resolve as the WAN IP by default, or if I can assign one of the NIC ports to resolve to the WAN IP and the other to the LAN IP? Problem is, I don't want to share the internet connection through that server, simply just have it be used as a dedicated DNS/WEB/AD server so the rest of the network can function independently.

My guess would be to set up DHCP on the box and have the clients pick up the DNS server as the primary DNS and the gateway as the secondary DNS? But I still have to figure out how to have the server send the proper resolved IP to the proper party requesting it.

I hope that sounds understandable, I'm kinda muttering right now. Thank you!

Edit: Another issue, even when I don't have AD installed and the DNS is done correctly, it takes a very long time for the IP to be resolved. I mean 20+ seconds here. Is there any reason why it's so slow? My server is a dual 1.7GHz Xeon w/ 768 MB PC800 and a fresh install of Server 2003, shouldn't be that slow.

The best way to do this is to have two separate DNS zones: one for outside clients, one for inside. Traffic coming in from the outside should NEVER have access to Active Directory. Clients on the inside should be pointed at the DC for their DNS settings.

Jim

I understand AD should not be accessed from outside the LAN/VLAN, but what about the web and mail servers? I want the LAN people to be able to receive email from the internet as well as a public website for the domain.

So this will be the setup. I have one WAN IP, a NAT/PAT router, and a couple of servers (all running Windows Server 2003 Standard). I want to have a DNS and web server on one machine that I will have ports 53 and 80 forwarded to. People will be able to resolve the domain and view the website publicly. That's not a problem for me right now.

The problem comes in with AD and Exchange Server 2003. I'll have AD on another server and a dedicated mail server on yet another server box. Through AD, should I set up some sort of secondary domain zone so that AD can manage a cloned version of the DNS on its own DNS for inside the LAN? Then on the main web DNS I would create an MX record for mail on that same IP and forward ports 25 and 110 to it?

I've never set up an MX record manually before, let alone for Exchange (if it's any different?), are there any simple steps or guides I could follow? Or is it as simple as just making an MX record and pointing to the server like a Host record?

Thanks again!

Edit: Again, would there be any reason that the IP is being resolved so slowly? 20+ sec here.

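Jim's two-zone advice and the MX question in the reply above, worked through as an added example (this is not code from either poster): a small Python check that lints an Internet-facing zone for the things the thread says must never leave the LAN (AD locator records, private 192.168.x addresses) and validates the MX record the way a mail sender would. It assumes a placeholder domain example.com, a WAN address 203.0.113.10 and LAN addresses 192.168.1.x, all constructed; zone data is a constructed list of (name, type, rdata) triples standing in for a real zone export (on Windows Server 2003 `dnscmd /ZoneExport` produces a text file that would be parsed into the same shape). Windows 2003 DNS has no per-client "views", so the two zones live on different servers (DC for the LAN, the public box for the Internet); `answer_for()` only models the resulting behaviour.

```python
"""Added example (not from the thread's posters): lint for a split-horizon
DNS layout plus an MX record sanity check.

Assumptions: example.com, 203.0.113.10 and 192.168.1.x are placeholders;
zone data below is constructed, standing in for a dnscmd /ZoneExport dump.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed EXTERNAL zone containing the mistakes the thread is trying to avoid.
EXTERNAL_ZONE = [
    ("@", "NS", "ns1.example.com."),
    ("ns1", "A", "203.0.113.10"),
    ("@", "A", "203.0.113.10"),
    ("www", "A", "192.168.1.20"),            # LAN address: useless to Internet clients
    ("@", "MX", "10 mail.example.com."),
    ("mail", "CNAME", "www.example.com."),   # MX target must be an A record, not a CNAME
    ("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc1.example.com."),  # AD locator, internal only
    ("dc1", "A", "192.168.1.10"),
]

# Same zone corrected: every public name answers with the single WAN address.
EXTERNAL_ZONE_FIXED = [
    ("@", "NS", "ns1.example.com."),
    ("ns1", "A", "203.0.113.10"),
    ("@", "A", "203.0.113.10"),
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.10"),
    ("@", "MX", "10 mail.example.com."),
]

# Constructed INTERNAL (AD-integrated) zone served by the DC to LAN clients only.
INTERNAL_ZONE = [
    ("@", "NS", "dc1.example.com."),
    ("dc1", "A", "192.168.1.10"),
    ("www", "A", "192.168.1.20"),
    ("mail", "A", "192.168.1.30"),
    ("@", "MX", "10 mail.example.com."),
    ("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc1.example.com."),
    ("_kerberos._tcp", "SRV", "0 100 88 dc1.example.com."),
]


def fqdn(name, domain):
    """Expand a zone-relative name ('www', '@') to a lowercase FQDN with trailing dot."""
    apex = domain.rstrip(".").lower()
    if name.endswith("."):
        return name.lower()
    return f"{apex}." if name == "@" else f"{name.lower()}.{apex}."


def records(zone, domain, name, rtype):
    """All rdata strings for name/type in zone; name may be relative or absolute."""
    want = fqdn(name, domain)
    return [data for n, t, data in zone if t == rtype and fqdn(n, domain) == want]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_ad_locator(full):
    """Names the DC locator publishes; an outsider holding these has a map of the domain."""
    return full.startswith(("_ldap.", "_kerberos.", "_kpasswd.", "_gc.", "_msdcs.")) or "._msdcs." in full


def lint_external_zone(zone, domain):
    """Return (fqdn, problem) pairs for records that must not be in the Internet-facing zone."""
    findings = []
    for name, rtype, data in zone:
        full = fqdn(name, domain)
        if is_ad_locator(full):
            findings.append((full, "Active Directory locator record published externally"))
        if rtype == "A" and is_rfc1918(data):
            findings.append((full, f"private address {data} published externally"))
    # MX rdata is "<priority> <target>"; the target must have an A record (RFC 2181: no CNAME)
    for mx in records(zone, domain, "@", "MX"):
        parts = mx.split()
        if len(parts) != 2 or not parts[0].isdigit():
            findings.append((fqdn("@", domain), f"malformed MX rdata {mx!r}"))
            continue
        target = parts[1]
        if records(zone, domain, target, "CNAME"):
            findings.append((fqdn(target, domain), "MX target is a CNAME"))
        elif not records(zone, domain, target, "A"):
            findings.append((fqdn(target, domain), "MX target has no A record in the zone"))
    return findings


def answer_for(client_ip, name, internal, external, domain):
    """Split-horizon effect: RFC1918 sources get the internal zone, everyone else the external one."""
    view = internal if is_rfc1918(client_ip) else external
    return records(view, domain, name, "A")


if __name__ == "__main__":
    for full, problem in lint_external_zone(EXTERNAL_ZONE, "example.com"):
        print(f"{full}: {problem}")
    print("fixed zone findings:", lint_external_zone(EXTERNAL_ZONE_FIXED, "example.com"))
    print("LAN client www ->", answer_for("192.168.1.55", "www", INTERNAL_ZONE, EXTERNAL_ZONE_FIXED, "example.com"))
    print("Internet client www ->", answer_for("198.51.100.7", "www", INTERNAL_ZONE, EXTERNAL_ZONE_FIXED, "example.com"))
```

Run against the constructed broken zone it reports four problems (two private addresses, one AD locator record, one MX pointing at a CNAME) and nothing for the corrected zone; the same name `www` answers with the LAN address for a 192.168.x client and the WAN address for anyone else, while `dc1` simply does not exist in the external view. That last point is the practical meaning of "traffic from outside should never have access to Active Directory": the public zone carries no record that even names the DC.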
