Boris,

Apologies for top-posting, but I can't see how to respond piecemeal.

I run SBS2003 behind a LEAF bering firewall but my setup is different: Two
NICs on the SBS server and the SBS manages an interior "Windoze" network
(for example 192.168.0.0) to which it serves DHCPD, DNS - everything
configured using the SBS wizards as if the upstream interface were connected
directly to the public Internet. SBS works best when you use its wizards
and don't tinker around with individual service configurations. Otherwise
you really need to understand how things interoperate with AD, Remote
Access, etc.

The SBS upstream interface is on a separate private network (192.168.1.0 for
example) that is managed by the LEAF bering firewall (two NICs). The bering
upstream is a public IP from my ISP. The bering box serves dhcpd and dns to
the intermediate network. The SBS upstream has a static address on this
network and the gateway and DNS point to the bering box.

SBS is configured to forward all DNS queries not resolved internally to the
bering box just as you might do to an ISP's DNS server if the bering
firewall and intervening network weren't in the path.

There are a few internal linux servers and workstations on the .1 network
(inside the bering firewall but outside of the SBS network) and various
other things which don't affect the topology.

Yes, there are two layers of NAT for clients connecting to external sites
from inside the SBS network. I've never had any problems resulting from this
for over 5 years now. It's an office network which I designed and continue
to manage and it has been extremely stable and trouble free.

The main benefit of this design is that both the LEAF bering firewall and
the SBS 2003 begin life with very simple "stock" configurations. It is easy
to tweak to get something like SBS "Remote Web Workplace" (a very useful
feature, IMO) or Remote Access (RAS, a VPN server) working from the Internet
by configuring DNAT rules (I use shorewall) for the various ports and
protocols (all are documented and easily found). The SBS server need not be
bogged down running advanced or third party firewall solutions and there is
less exposure to various Micro$oft security risks.

The SBS environment (and M$ server stuff generally) has extensions and
dependencies among DHCPD, AD, DNS, RAS. The best way I've found to avoid
these pitfalls is to isolate the Windows environment.

[Internet]--firewall--["dmz" net]--SBS--[Windows net]

Hope this is helpful,
~Bob

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-
> [EMAIL PROTECTED] On Behalf Of Boris
> Sent: Thursday, September 04, 2008 1:25 PM
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] [OT] Windows 2003 SBS behind leaf router
> 
> Hej all,
> 
> 
> I'm sorry to annoy you with that off-topic theme, but I'm quite sure
> there is somebody with the right knowledge on this list because the
> setup is quite common and I'm hoping strongly for help. Here's the story:
> 
> I have a small network connected to the web with a Bering uClibc that
> works as dhcpd and of course dns server. Center of the network is a
> Windows 2003 SmallBusinessServer as domain-controller, file-, print-,
> and MSSQL-server. The network is slow and I get a lot of serious errors
> in the event-logs that seem to cause the bad performance:
> 
> > event-id 4004: The DNS server was unable to complete directory service
> enumeration of zone .. This DNS server is configured to use information
> obtained from Active Directory for this zone and is unable to load the
> zone without it. Check that the Active Directory is functioning properly
> and repeat enumeration of the zone. The event data contains the error.
> 
> > event-id 4015: The DNS server has encountered a critical error from
> the Active Directory. Check that the Active Directory is functioning
> properly. The event data contains the error.
> 
> I agree my question is quite flat but it is simple: What should I look
> for and what can I do?
> 
> My own brain puts out something like this:
> 
> - I don't want to make the windows server dhcpd.
> 
> - afaik Windows Active Directory needs the own DNS-Service, so it's
> impossible to deactivate it.
> 
> - Could the problem be solved through building something like a
> dns-cascade (windows-server asks bering-box -> bering-box asks
> windows-server). How can I do something like this?
> 
> Thanks a lot for your ideas!
> 
> Boris
[...snip...]
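As an added illustration (not part of either message in this thread), here is what the shorewall DNAT rules Bob mentions for Remote Web Workplace and RAS might look like on the bering box, assuming the usual `net`/`loc` zone names and an SBS upstream address of 192.168.1.2 (both assumptions); the port numbers are the documented SBS 2003 defaults.

```text
# /etc/shorewall/rules fragment (example, not from the original thread)
# Columns: ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
#
# Remote Web Workplace: HTTPS front end plus the RDP-over-HTTPS proxy
# port (4125). Forward only these two; plain RDP (3389) stays closed,
# so the SBS "dmz" host is reachable from the Internet on nothing else.
DNAT      net     loc:192.168.1.2      tcp    443
DNAT      net     loc:192.168.1.2      tcp    4125
#
# RAS (PPTP VPN): the control channel on TCP 1723 and the GRE tunnel
# itself, which is IP protocol 47 (no port column for GRE).
DNAT      net     loc:192.168.1.2      tcp    1723
DNAT      net     loc:192.168.1.2      47
#
# Everything else from net follows the default policy (DROP/REJECT in
# /etc/shorewall/policy), which is the whole point of the layered design:
# the firewall stays "stock" and only the named services are exposed.
```

Every rule above is a deliberate hole in the outer firewall, so after `shorewall restart` it is worth confirming from the outside that only 443, 1723 and 4125 answer, and that the inner SBS firewall wizard still shows the matching services enabled.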
