Small Office Network with a Domain Controller

Wow, learning QUITE a lot from train_wreck and others here! : )

Ok, I think I am getting closer to getting a solution to get my server going.

To make it easier, I'll just explain what I need and maybe, train_wreck you can just suggest or advice what I need to do pertaining to this IPv6 problem?

Coming in from internet,
Cisco DPC3939B, port 1 connected to trendnet teg-s80g switch. (3 empty ports left on comcast router)
Lenovo ts440 server with Windows Server 2012 R2 Essentials connected to switch. Active Directory. (I also am bypassing the default .local suffix Essentials forces as default. I have my own purchased company domain, so using AD.MYDOMAIN.com versus MYDOMAIN.local).
The rest of the 8 switch ports go to win 8.1 pro clients and devices.

I do not have a hardware firewall? If I do get one, can you suggest a entry level one that will do the basic job of protection including blocking other things also? I've been suggested PFSense? Can I just install the free software on the server? Or do I need to also buy the hardware firewall? I can add this later if need be as I need to really get this server going. Where does the hardware firewall go? Right after the comast modem? The switch? Before modem?

Shouldn't the server have anti-virus software? I've read about using the free Microsoft AV hack.

I do have a spare Asus RT-AC68R wifi router.

I guess what I need to know, is what do you suggest, given this setup and the lack of the IPv6 problem you mention about having to wait for Comcast? I guess I am not clear on that. I currently don't have a external static ip from comcast and probably will use no-ip.net if I need to later and for remoting etc.

I guess I am lost what to do with this IPV6 stuff for the router and windows server.

I just don't know which route to take with it and IPv4.

From my understanding, I just need to turn off BOTH IPv4 and IPV6 on the router and create scopes on the windows server for both. Easy for ipv4, but apparently I am stuck with the ipv6/comcast thing? I am lost there. So just not sure where to go from there. I guess that I don't need or want to wait for Comcast to make ipv6 external static ip to be available? So what's the best setup here to avoid all of that?

Thank you very much. I'm getting a lot of this, but obviously not getting the last final bit to finish this. : /

---

@train_wreck wrote:

---

@ShifterKartRacer wrote:
In a nutshell, is it better to have DNS, AD, and DHCP handled by the Windows Server 2012 R2 Essentials Server?

---

Usually yes, because AD is recommended to be integrated with DNS/DHCP, as the services work together to provide dynamic updates among each other. It simplifies management of network entities within the directory to keep it all on the same server. As well, the processing power in the server is much higher than in the gateways, so offloading these network infrastructure services helps conserve resources on the (already resource-strapped) gateways.

 

Mr. Train Wreck;  Thank you for the clarification regarding this.  Why is it that this topic is so difficult to find reliable information on?  I'd be happy to pay you if you'd submit an invoice!  I've been watching some video's from Eli The Computer Guy.   Seems to be good information and a very talented and excellent teacher.  One of his video class explains setting up a Server as a domain controller in addition to the other server duties.  Yes it's Windows Server 2012 (not R2 or Essentials), but he emphasizes repeatedly that "a Microsoft Server should handle the DHCP" in addition to the DNS which by default would be managed and of course the other tasks mentioned.  He says that for people like me of lesser experience that "DHCP management othe than by the Microsoft Server can make us less experienced people lead a life with a lot of pain.  I feel comfotable enough to setup these services or at least flounder through the steps carefully.  I purposely went for the Essentials Edition to avoid as manay pitfals as possible keeping in mind that Office 365 and the Microsoft Suite as well as Exchange Email are being handled by Microsoft and I wouldn't have a staff of 15 - 20 users sitting around while I tried to play IT "Hero".   I'm also using 2 Servers that were purchased new several years ago when I elected to go with the Citrix Servers being located and managed in a Data Center.  Yes, they are much older HP Proliant ML 350's (Gen 5) with dual 2.0 Ghz Xeon Processors and 16 gig of ram.  Each also has 8 SAS 146 gig drives which is plenty of storage for out needs.  The typical redundant power supplies are also included.  We're Engineers and Scientists.  We generate lot's of files but they are very small in size.  Our clients still prefer written reports in addition to the electronic so we do print 15,000 pages per week on average.  The second server is sitting next to the 1st with no operating system installed.  I just took it out of the box.  Maybe that should be my "lab" or trial server?

 

---

@ShifterKartRacer wrote:
If that's the case, the 3939B would simply be used in Bridge Mode for its' modem?

---

It wouldn't technically be "bridge mode" at that point, because the gateway would still be doing routing capabilities (e.g., traffic from 10.1.10.0/24 LAN clients would still need to be NATted out the gateway's WAN address.)

 

Your response above is where I really fall off a steep cliff.  I signed up last night on Lynda.com and am currently doing a 2 + hour Subnet Class.  I understand the concept of NAT and resolving "qualified domain name" (I believe that's what is a part of it), to put it into practice would not be a smart idea for me at least at this time. 

---

@ShifterKartRacer wrote:
 I also thought life would be simplifed by going to a "one box fits all" solution (the Comcast Cisco 3939B). Maybe I was wrong in my thinking with that subject also.

One of my thoughts was that you'd think the 3939B would be better handling all these tasks.

---

In general, I usually recommend that the policy "jack-of-all-trades, master of none" applies to most networking gear, at least until you get into enterprise-level equipment. I tend to find better results with single, dedicated devices that do one thing well. I prefer to use a standalone router, in conjunction with the Comcast gateway being in bridge mode or provisioned with rented static IPs (to which said router has the static IP configured into.)

 

I'm sort of following.  I was fearful that the "jack of all trades, master of none would apply".  Your statement (i.e. opinion) made sense in another way while thinking about it this morning.  The Modem, Router, Gateway, and Switch(s) are needed and used 24 hours per day, 7 days a week.  If they go down, most or all of the office is down.  Our clients are then jeopardized subsequently putting us into jeopardy.  I need to share files, print, allow remote access, and whatever common tasks a typcial small office would need to handle.  But yes, security is critical to us.  If a coworkers PC (desktop or laptop) goes down, I've got spares that either are or could be configured in short order.

 

---

@ShifterKartRacer wrote:
Last night, I was able to let the server obtain it's own address from the 3939B and for the first time I could get Anywhere Access working. That may be in part due to the uPNP being enabled on the 3939B.

---

Likely a firewall/port forwarding rule wasn't set for the requisite ports/protocols that are used by "Anwhere Access". Keep in mind, even with DHCP disabled on the gateway, if you are still using it with the stock 10.1.10.x subnet (e.g., your LAN clients are still within that range, and have a default gateway pointing to 10.1.10.1), you will still need to configure appropriate firewall rules on the gateway. In this configuration, it is still functioning as your router.

---

As I can hear Eli the Computer Guy saying repeatedly; "a router is used to allow 2 or more subnets to communicate".  That's what a router is for.  I've looked at the router incorrectly for several years.  I only have one network cable coming out of the back of the router which connects to 3 3Com 2424plus Switches.  I thought what am I routing?  Again, lack of understanding.  The Anywhere Access is the term used in the Essentials edition.  The interface is more like a Win 8 OS to me.  I'd not call it Remote Desktop.   Yes, it's empahsized that Port 443 be open and that a uPnp modem be used.   I guess I'm still going back to what my basic goals are and it you'd like to help out I'd appreciate it.  But I've got to say, you've put so much time into something that is very time consuming and for that I feel very guilty.

Basic Goals:

15 - 18 users connected to a server.

Remote Access is VERY important.

Printing and Scanning handled by 3 Savin Copier/Scanner/Printers (C2828's) 15,000 pages per week on average.

Backup of workstations and laptops by the Server (Essentials states this as a feature).

Exchange handled by Office 365

Applications are the current MS Suite provided by Office 365 (Office 2013 or a version thereof).

Concerns:

Correct setup of the Modem, Gateway, and Router.  I believe I'm hearing from you that these pieces are the critical link.

At least you know what I have so if you find it in your heart to help out, I'd appreciate it.

Regards,

TG

"Correct setup of the Modem, Gateway, and Router.  I believe I'm hearing from you that these pieces are the critical link."

(firewall too!)

Yup.  I am in the same boat here...  got a good grasp on most of the server part, but this IPv6 is killing me.  Seems this over-complicated way of doing things these days is excellent JOB SECURITY.  : /

As far as your network/system going down... I think that is why Microsoft recommends more than 1 DOMAIN CONTROLLER with Active Directory also.  Seems every part of the system needs redundacy.  I cannot worry too much about it and it will drive you nuts...  my BIG thing is BACKUPS of our data is the abosulte best no matter what.  If need be, I can always pull up a spare PC and work locally if abosilutely need be...but my DATA is what is precious.  We don't have to be online 24/7 or remotely.

Considering your line of work and liabilty, sounds like you need a dedicated IT person handling all this.  Yeah, I know, having all that tech knowledge under your belt like me (and I am also a control freak), it's hard to give that up...especially when you got 90% of it down and just havea  little more to learn to grasp it ALL completely.  I "alos" liek learning about all this... I used to be bleeding edge with tech, but running a business sure takes a lot of your time away.  Never had a "real" need for a SERVER...but NOW I do.  SO I have feverlishly "learning" as much as I can in a short amount of time..i.e. yes, Eli the Computer Guy videos!  That man made all of this so easily learned VERY quickly!  I love that guy...he really makes it so easy for newbies like me when it comes to servers, dns, dhcp AD, etc etc.  But unfortuneatly he doens;t have really anythign on the IPv6 dilemma.

I don't know,  but maybe it is job security, but if I was a full fledge IT guy, I sure would make a video like Eli's does just merely showing the setup up a small business server utilizing Windows Server 2012 R2 Essentials from A to Z.  I notice the videos on youtube tend to leave out the most important parts...leads me to beleive they may not know those answers either...so they don;t cover it.  After all this learning, it's not really that complicated, but there are some things that I just don't know enough about.

What's rough, is going over to ServerFault.com and Spiceworks.com and trying to get this very basic help...it's like PULLING TEETH!  They KNOW I am a newbie from my basic questions, and resistance is high. Me, I am one to help, no matter how easy or difficult it may be.  I did get some help over there, but really, it's a shame the quality help you finally end up getting considering just how many millions of people are at those sites...just vague answers from a handful of people...leave you hanging...so you continue to research and learn and learn and it just takes so long when you don't have the time to get it all.  Honestly, as professionla as they are over there, I don;t think they even know the real answers to my questions...as to why they dodge them.  (again, job security...they don't want to make all this too easy or their out a job more easily...which is understandable) All in all, just useless.

I was amazed there are few here that really know their stuff here and are very helpful and friendly.  Cannot say that about ServerFault (and all that editing and censorshiop and ON HOLD of your questions, etc etc...it's like quora.com, people spend more time editing or bashing or nit-picking or complaining about your question, rather than JUST HELPING with an answer or advice at least!  I actaully do not like that place much anymore.) Spiceworks is better though...but still hard to get good "thorough" answers... if you aren't part of the HIGH END IT clique, you're not going to get good help if any at all it sure seems... the things I have asked should be able to be answered VERY easily, in their sleep!  Ok, done with the rant about the other sites.  Glad I gave this one a chance...seems to get more help here in just a couple posts than I have in a bunch anywhere else.

Here is something I had to totally learn ON MY OWN, as the people at ServerFault would not help me with this at all.  ANd it was so SIMPLE... simple but HARD to find the answer!  So I found it:

http://www.em-soft.si/myblog/elvis/?p=403

Essentials will FORCE you to set your domain name to what you choose, but it makes it .local suffix.  i.e. MYDOMAIN.local.

I wanted AD.MYDOMAIN.com (i own my own .com domain), so the link above shows the trick.  Basically you don;t use the WIZARD that starts after iniital install.  You cancel it...and you can set it up as if you had STANDARD, and get around the Essentials forced upon .local.  You CANNOT change this later in Essentials.  You either get it right the first time or that's it.

here's some IPv6 videos I found that are helpful:

https://www.youtube.com/watch?v=qaWR5r7owyc

https://www.youtube.com/watch?v=knu0folNoCs

"It's been a good learning experience though.  What a way to spend evenings and weekends (lol)!"

Yeah...but I would much rather spend it with my (2) young daughters...it's hard enough running a business and finding that time...but this server stuff has really slowed me down.  I really need to get over this hurdle so i can got on to the next one.