My ISA is set to "Deny All Except the Following Workstations".
Well, the "Following Workstations" stated above only points to computers 1 to 6.
If I add the DC to the "Following Workstations" together with computers 1 to 6, what other security issues do you think may arise?
Regards,
At 01:56 PM 8/28/2004, you wrote:
Well, that's a bit of a quandary now, isn't it? ;o)
Is there some overriding requirement that will not allow your DC to forward to the ISA server? If it's a security concern, then the concern is unfounded. Allow the DC to forward DNS requests through the ISA server. Or, if the problem is really security issues with DNS forwarding from the DC and possible compromise - set up a non-domain member DNS server to do nothing other than just forward requests to the ISA server. Then, configure the DC to talk to this 'proxy' DNS.
Yes, this does mean that you're going to have to reconfig the ISA to allow 'a' DNS server to talk out.... Which and how is the question.
Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pyron
Sent: Friday, August 27, 2004 8:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DC and ISA DNS
I have a DC running in parallel with ISA (my internet gateway). I have 6 DC member computers running on the same network with the DC and ISA. To connect my workstations to the internet, their gateway and DNS must be the ISA's. How do I make my workstations communicate with the DC if their DNS points to the ISA's? Although I know that if I point the workstations' DNS to the DC, the DC will automatically forward the DNS query to the ISA, the problem is that the DC does not have access to the ISA. The ISA only permits computers 1 to 6 to connect to the internet.
thanks
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
