dc and tmg new network setup.

    Question

  • Hello all.

    I have my network all in order now except for a few things that aren't working to my liking.

    My configuration is currently as follows:

    DC: 192.168.5.1
    TMG: 192.168.5.2

    My DC has one card with the configuration of:
    192.168.5.1/24 --
    Gateway: 192.168.5.2 --
    DNS: 127.0.0.1

    The DNS server on the DC has forwarders set up (8.8.8.8) and it's working fine. Well, somewhat.

    My TMG box has two network cards:

    LAN:
    192.168.5.2/24 --
    Gateway: EMPTY --
    DNS: 192.168.5.1

    External: set up with IP, subnet and gateway. No DNS.

    The DHCP server on the DC is doing this:

    scope 192.168.5.5 -- 192.168.5.255
    gw: 192.168.5.2 (TMG)
    DNS: 192.168.5.1 (DC)

    So far this is working OK... well, somewhat...

    1) If I try to open Remote Desktop using the domain name it takes about a minute to resolve every time. So mydomain.local takes a minute under Remote Desktop, but if I type in the IP address for the DC I log in instantly. This is probably a DNS issue but I can't figure out the reason.

    2) I really want to restrict users from getting internet access without being joined to the domain. Currently I plugged a machine into the switch that the DC feeds, got an IP from the DHCP server and voila, I have net. This is not supposed to happen. I want a user to JOIN the domain before getting net access. So I headed to TMG and made sure that the web access rule is for authenticated users (HTTP Protocol -- Internal -- External -- Authenticated users)... that causes a weird block on all stuff.
    If I leave it to ANY USER then I shoot myself in the foot.

    3) My third issue is somewhat simple and I can't find a resolution for it. I realize when a user joins the domain they will get a blank desktop. This is really bad because it causes panic. Does anyone have a PowerShell script or a login script that will map a shortcut to the user's old profile, or perhaps a way to copy the old profile to the new domain profile on the MACHINE, not the server?

    My DNS lookups are somewhat slow. However, once the DNS lookup succeeds the website loads fast...

    In fact, removing 8.8.8.8 from the DNS in the TMG external gives me death.

    Please help!

    P.S. I've changed the web proxy port on TMG to port 80 instead of the usual 8080.
    • Edited by cylent Wednesday, October 19, 2011 3:16 PM
    Wednesday, October 19, 2011 2:46 PM
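Item 3 asks for a script that copies the old local profile into the new domain profile on the same machine and leaves a shortcut back to the old one. The PowerShell below is an added example, not code from the thread or its participants; the two profile paths, the domain account name and the folder list are assumptions that must be adjusted per machine.

```powershell
param(
    [string]$OldProfile = "C:\Users\jdoe",           # assumed old local-account profile
    [string]$NewProfile = "C:\Users\jdoe.MYDOMAIN",  # assumed new domain profile on this PC
    [string]$DomainUser = "MYDOMAIN\jdoe",           # assumed domain account (new owner)
    [string[]]$Folders  = @("Desktop", "Documents", "Favorites", "Pictures")
)
# Run elevated on the workstation, after the user has logged on once with the
# domain account so that the new profile folder already exists.
if (-not (Test-Path $NewProfile)) {
    throw "Profile $NewProfile not found; log on once as $DomainUser first."
}
$log = Join-Path $env:TEMP "profile-copy.log"

foreach ($f in $Folders) {
    $src = Join-Path $OldProfile $f
    $dst = Join-Path $NewProfile $f
    if (-not (Test-Path $src)) { continue }
    # /B  backup mode: reads files whose ACLs only name the old local account
    # /E  subfolders incl. empty ones; /XJ skips junctions ("Application Data")
    # /COPY:DAT data + attributes + timestamps; deliberately NOT /COPY:S, so the
    #          old account's ACLs are not carried into the domain profile
    robocopy $src $dst /B /E /XJ /COPY:DAT /R:1 /W:1 /NP "/LOG+:$log" | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean failures
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy failed on '$f' (exit $LASTEXITCODE); see $log"
    }
}

# Files copied in backup mode are owned by the copying admin; hand them to the
# domain user so nothing in the new profile is left owned by someone else.
icacls $NewProfile /setowner $DomainUser /T /C | Out-Null
icacls $NewProfile /grant "${DomainUser}:(OI)(CI)F" /T /C | Out-Null

# The shortcut the question asks for: it points at the untouched old profile.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut((Join-Path $NewProfile "Desktop\Old local profile.lnk"))
$lnk.TargetPath = $OldProfile
$lnk.Save()
```

The old profile is left in place, so the user can still open it from the shortcut if something was missed.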

Answers

  • Hello,

    My DC has one card with the configuration of:
    192.168.5.1/24 --
    Gateway: 192.168.5.2 --
    DNS: 127.0.0.1

    For the DC, please make it point to 192.168.5.1 as the primary DNS server and 127.0.0.1 as the secondary one. Once done, run ipconfig /registerdns and restart Netlogon on the DC.

    My TMG box has two network cards:

    LAN:
    192.168.5.2/24 --
    Gateway: EMPTY --
    DNS: 192.168.5.1

    External: set up with IP, subnet and gateway. No DNS.

    For the LAN NIC IP configuration, it is OK. For the WAN NIC IP configuration, please disable NetBIOS over TCP/IP and disable LMHOSTS lookup.

    For your DC, please configure your ISP DNS server as a forwarder.

    1) If I try to open Remote Desktop using the domain name it takes about a minute to resolve every time. So mydomain.local takes a minute under Remote Desktop, but if I type in the IP address for the DC I log in instantly. This is probably a DNS issue but I can't figure out the reason.

    Please try the suggestions that I already provided. Also, delete all unused IP addresses of the DC that are recorded in your DNS zone.

    2) I really want to restrict users from getting internet access without being joined to the domain.

    So create user accounts for them and configure your TMG server as a proxy server.

    Currently I plugged a machine into the switch that the DC feeds, got an IP from the DHCP server and voila, I have net. This is not supposed to happen. I want a user to JOIN the domain before getting net access. So I headed to TMG and made sure that the web access rule is for authenticated users (HTTP Protocol -- Internal -- External -- Authenticated users)... that causes a weird block on all stuff.
    If I leave it to ANY USER then I shoot myself in the foot.

    That is okay, as only AD-authenticated users will have internet access. Forefront TMG should be configured as a proxy and the clients should use the server as a proxy server.

    3) My third issue is somewhat simple and I can't find a resolution for it. I realize when a user joins the domain they will get a blank desktop. This is really bad because it causes panic. Does anyone have a PowerShell script or a login script that will map a shortcut to the user's old profile, or perhaps a way to copy the old profile to the new domain profile on the MACHINE, not the server?

    That is perfectly normal, as a new profile will be created. Please check the NTFS permissions on the old profile; then you can copy their desktop manually or using the copy command.

    My DNS lookups are somewhat slow. However, once the DNS lookup succeeds the website loads fast...

    In fact, removing 8.8.8.8 from the DNS in the TMG external gives me death.

    Please use your ISP DNS server as a forwarder and not 8.8.8.8.

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Wednesday, October 19, 2011 8:58 PM
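The answer's DNS and NIC changes, collected into one PowerShell script as an added example (not the answerer's or the asker's own code). The DC section runs elevated on the DC, the TMG section on the TMG box; the adapter names, the ISP resolver address and the zone name are assumptions to be checked with `netsh interface show interface` before running.

```powershell
$DcAdapter = "Local Area Connection"   # assumed name of the DC's only NIC
$TmgWanNic = "External"                # assumed name of TMG's Internet-facing NIC
$IspDns    = "203.0.113.53"            # placeholder for the ISP's resolver
$Zone      = "mydomain.local"          # the AD zone named in the question

function Set-DcDnsClient {
    # DC points to itself first, loopback second; 'set' replaces the old list
    netsh interface ipv4 set dnsservers name="$DcAdapter" source=static address=192.168.5.1
    netsh interface ipv4 add dnsservers name="$DcAdapter" address=127.0.0.1 index=2
    # Replace the 8.8.8.8 forwarder with the ISP resolver and drop cached answers
    dnscmd /ResetForwarders $IspDns
    dnscmd /ClearCache
    # Re-register the DC's A and SRV records, then restart Netlogon
    ipconfig /registerdns
    Restart-Service Netlogon
    # Show the A records at the zone root: stale DC addresses appear here and
    # can be removed with:  dnscmd /RecordDelete $Zone @ A <old-ip> /f
    dnscmd /EnumRecords $Zone "@" /Type A
}

function Disable-NetbiosOnWan {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$TmgWanNic'"
    if (-not $nic) { throw "Adapter '$TmgWanNic' not found" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
    # TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enable, 2 = disable
    $r = $cfg.SetTcpipNetbios(2)
    # WMI return codes: 0 = done, 1 = done but reboot required, anything else failed
    if ($r.ReturnValue -gt 1) { throw "SetTcpipNetbios failed: $($r.ReturnValue)" }
    # EnableWINS(DNSEnabledForWINSResolution, WINSEnableLMHostsLookup) is a
    # class-level call; $false for the second argument turns off LMHOSTS lookup
    Invoke-WmiMethod -Class Win32_NetworkAdapterConfiguration -Name EnableWINS `
        -ArgumentList $false, $false | Out-Null
}

# Call the function that matches the box you are on, e.g.:
# Set-DcDnsClient        # on the DC
# Disable-NetbiosOnWan   # on the TMG server
```

After the DC changes, a quick check that the slow lookup in item 1 is gone is `nslookup mydomain.local 192.168.5.1` from a client: the answer should come back immediately and list only 192.168.5.1.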

All replies

  • anybody?
    Wednesday, October 19, 2011 6:57 PM