Client Connections

When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to access DNS addresses on the Internet.
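The following PowerShell is an added example of the DNS side of this layout, not something from the original article. It assumes placeholder values: an internal LAN of 192.168.10.0/24, the domain controller's second adapter at 192.168.10.1 and named 'Ethernet 2', an ISP resolver at 203.0.113.53, and a domain named corp.example. NAT itself (RRAS or otherwise) is configured separately.

```powershell
# Added example (not from the original article). All addresses, adapter names and the
# domain name are assumed placeholders; adjust them to your environment.
# Run the DC section on the domain controller, the client section on a domain member.

# --- On the domain controller: static address on the internal (LAN-facing) adapter ---
$InternalAlias = 'Ethernet 2'   # assumed name of the second adapter
New-NetIPAddress -InterfaceAlias $InternalAlias -IPAddress '192.168.10.1' -PrefixLength 24
# The DC resolves through its own DNS service; Internet names go out via the forwarder.
Set-DnsClientServerAddress -InterfaceAlias $InternalAlias -ServerAddresses '192.168.10.1'
# Forward queries the domain zones cannot answer to the ISP resolver (DnsServer module).
Add-DnsServerForwarder -IPAddress '203.0.113.53' -PassThru

# --- On a client: point DNS only at the domain controller, never at the ISP ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.1'

# --- Check: warn about any adapter whose DNS servers lie outside the internal LAN ---
# A client that picked up an ISP resolver cannot find the DC's SRV records, which is the
# failure mode the article describes.
function Test-InternalDns {
    param([string]$InternalPrefix = '192.168.10.')
    $bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Where-Object { $_.ServerAddresses | Where-Object { -not $_.StartsWith($InternalPrefix) } }
    if ($bad) {
        $bad | ForEach-Object {
            Write-Warning "$($_.InterfaceAlias) uses non-domain DNS: $($_.ServerAddresses -join ', ')"
        }
        return $false
    }
    return $true
}
Test-InternalDns

# Domain locator records must come from the DC; Internet names via its forwarder.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV -Server '192.168.10.1'
Resolve-DnsName -Name 'www.example.com' -Server '192.168.10.1'
```

If the SRV lookup fails but the Internet lookup succeeds, the client is reaching a resolver that is not authoritative for the domain, which is the symptom of an ISP-assigned DNS address.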
Do not use ICS (recommended)

Use NAT instead. ICS (Internet Connection Sharing) will break down all the DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This of course is not a good security decision, because you will expose your Domain Controller to potential Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate LAN and use NAT instead.