
This may seem like a dumb question... or it may well be a dumb question (lol)... but it's something I have never had to deal with and know little about.

I have 15 physical servers in a datacenter, about half of which are now on a domain (the domain is public facing - all internet connected IPs, etc). It is my intention to eventually bring all of them on to the domain, but I want things running smoothly before I bring everything online just in case I need to make sweeping changes :) (This is my first Active Directory experience, but I have years of non-AD Windows admin experience).

Each of the domain-connected servers has multiple NICs, most of which hold external subnets, but one of which is a very basic private gigabit LAN. Currently it does not have any DHCP or anything - I simply assign a 10.5.5.x IP address to each server manually, with a subnet of 255.255.255.0 and no gateway or DNS.

This works when I need to transfer files from server to server manually, which is all I have used it for so far (e.g. explore to `\\10.5.5.x\c$` or whatever). The obvious problem is that as the number of servers on this network grows, my ability to remember which server goes to which IP lol.

Well, I am starting to automate a lot more than I used to, and I need to learn how to better handle this internal traffic, and of course better handling of the LAN itself. So I guess I have 2 questions:

  1. Right now if I were to ping a server by name on my network (from another server on my network), the ping would resolve out to the public IP of the server, which is connected via 100 Mb/s, and I am charged for bandwidth that goes through the datacenter's router (e.g. across subnets). How do I get the server to know that I want that type of traffic to instead connect to that server's 10.5.5.x IP?

  2. Should I consider setting up a DHCP server on the network to handle assigning IPs to that internal network instead of using static IPs as I am now? What are the advantages/disadvantages to that? I do have plenty of resources so I can throw in a primary and secondary DHCP server VPS easily enough, but I am not a networking guru... so need some advice :)

SDsolar
  • This is what DNS is for. – Michael Hampton Jan 01 '16 at 19:18
  • The public IP addresses of the servers are registered in your AD DNS. Configure those public NICs to not register in DNS so that only the private NICs register in DNS. Why are these servers public facing? – joeqwerty Jan 01 '16 at 19:43
  • Each of the servers was purchased separately over time and essentially ran independently. I am just now starting to remedy that. I could see removing some of these servers from the public facing network, but it would be almost impossible to do so for all of them. Is there not some way to have an internal network take precedence in server to server traffic? – David Borneman Jan 01 '16 at 19:58
  • Create internal-only DNS records for each server, and then use those for private comms. – EEAA Jan 01 '16 at 20:36
  • EEAA - Is there a link to any info showing how this is done? A quick google search shows nothing. This sounds exactly like what I am looking for, but I have no idea how to do it :) – David Borneman Jan 01 '16 at 20:38
  • Simple DNS naming of the servers is not going to solve your routing issue. You need an internal DNS domain defined in AD, and you can name the servers there. Then you won't need to know their IP addresses at all. – SDsolar Apr 23 '17 at 21:43
  • Also remember that this is why there are non-routable address blocks like 10.0.x.x and 192.168.x.x that will not route out to your ISP. – SDsolar Apr 23 '17 at 21:51

1 Answer

You really should look into an internal DNS, and not so much a DHCP, as it is fairly rare to assign server IPs via DHCP.

You should end up with essentially two DNS domains:

  • one for your internal use, and absolutely not exposed to the Internet, for example "mycompany.local" or "internal.mycompany.com". It should not be possible to resolve this domain from outside your network;
  • one for external use, typically mycompany.com.

Your servers would each get an entry in the internal domain (server123.internal.mycompany.com), and you can use those names for your day to day operations. If you set up the network configurations correctly, with a default DNS domain, you can then use server123 as a short name for your admin tasks. Meanwhile, you really should look at setting up some kind of security filtering in front of your servers, such as a reverse proxy and firewall. The external DNS names would resolve to public IPs that are assigned to the security device, not the servers themselves. The FW or reverse proxy will perform its security functions and then transfer the traffic towards the appropriate internal server, thus minimizing the latter's exposure. It is often possible to do this without breaking the customer-facing service interface.

Jeremy Gibbons
  • Ditto this answer. I would also add that there are non-routable address blocks available like 10.0.x.x and 192.168.x.x that will not go out to the public Internet. You can use those on your internal-only gigabit network. – SDsolar Apr 23 '17 at 21:49
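The answer and joeqwerty's comment describe the fix in prose; below is an added PowerShell example (not posted by anyone in this thread) that puts the pieces together. The zone name `internal.example.com`, the DC address 10.5.5.10, the host `server123` at 10.5.5.23 and the NIC aliases "Public" and "Private LAN" are all constructed assumptions.

```powershell
# Added example (not from the question or answer). Constructed assumptions:
#   - the internal-only AD-integrated zone is "internal.example.com"
#   - the domain controller / DNS server has private address 10.5.5.10
#   - on each member server the NICs are named "Public" and "Private LAN"
# Requires the DnsServer module on the DC and local admin rights on each server.

# --- On the domain controller: create the internal-only zone ----------------
Add-DnsServerPrimaryZone -Name 'internal.example.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Answer DNS queries only on the private interface, so the internal zone is not
# served to the Internet even though the DC also has a public NIC.
dnscmd /ResetListenAddresses 10.5.5.10

# --- On every member server: register only the private NIC in DNS -----------
# The public NIC stops registering its address in AD DNS (joeqwerty's suggestion),
# so name lookups return the 10.5.5.x address and traffic stays off the metered link.
Set-DnsClient -InterfaceAlias 'Public' -RegisterThisConnectionsAddress $false
Set-DnsClient -InterfaceAlias 'Private LAN' -RegisterThisConnectionsAddress $true `
    -ConnectionSpecificSuffix 'internal.example.com' -UseSuffixWhenRegistering $true
# Point the private NIC at the internal DNS server and push the registration now.
Set-DnsClientServerAddress -InterfaceAlias 'Private LAN' -ServerAddresses 10.5.5.10
Register-DnsClient

# Let "server123" resolve as a short name (the default-suffix setup the answer mentions).
Set-DnsClientGlobalSetting -SuffixSearchList @('internal.example.com')

# --- Static entries for servers that are not domain-joined yet --------------
# A server that has not joined the domain cannot register itself, so add its record by hand.
Add-DnsServerResourceRecordA -ZoneName 'internal.example.com' -Name 'server123' `
    -IPv4Address '10.5.5.23' -ComputerName 10.5.5.10

# --- Check: no public address should be present in the internal zone --------
# Any A record outside 10.5.5.0/24 means some host is still registering a public NIC.
function Get-LeakedPublicRecord {
    Get-DnsServerResourceRecord -ZoneName 'internal.example.com' -RRType 'A' -ComputerName 10.5.5.10 |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -notlike '10.5.5.*' } |
        Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address.IPAddressToString } }
}
Get-LeakedPublicRecord

# Confirm a name resolves to the private address when asked via the internal server.
Resolve-DnsName -Name 'server123.internal.example.com' -Type A -Server 10.5.5.10
```

Run the DC section once, the member-server section on each host as it joins, and re-run `Get-LeakedPublicRecord` after each join; an empty result means only private addresses are in the internal zone.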