Question : Need Help with Network Configuration

Need Advice on Network Configuration

Question: Hello,

This is a follow-up to an earlier question of mine.  Thank you in advance for your help!

Situation Summary
I am looking for advice on the most secure way to configure a network that has two servers and five computers.  

Server #1: Dell 2950 with Windows Server 2008.  This server is in the process of being configured to replace a 6-year-old W2K server.  It is meant to be a dedicated web server that will host a website and run a .NET application with SQL Server 2005.  I have a 1-CPU license for SQL 2005 Standard Edition that I have not yet installed on this server.  This server has mirrored hot-swap drives and a third hot spare (as well as 5 slots for more drives), and hot-swap power supplies, among other features.  It also has the faster CPU of the two.  Combined, my application, database and OS will likely require roughly 5GB of space - a tiny fraction of the capacity.  It has two separate NICs (one dual-port card and a dual port built into the motherboard).

Server #2: Dell R300 with Windows Server 2003 Small Business Server.  All of the 5 PCs are networked with this server.  It has 2 mirrored hot-swap drives (no room for more).  I have about 140 GB of files stored on this server so far out of 500GB capacity.

Firewall: I currently use a Netscreen 5XT firewall that lets me establish two different zones, Home and Work, that control access to the internet as well as other network resources.  The old W2K web server is in the "Home Zone" and sits alone in its own 192.168.2.xx network.  This is where I plan to put the Dell 2950.  The R300 file server and all PCs are in the "Work Zone", which has an IP range of 192.168.1.xx.  The file server acts as the domain controller for the Work Zone.  The firewall is configured so that all communication between the Work network and the Home network (i.e., the web server) is blocked.  In order to access my web server I need to go through the internet.  I did this as an extra layer of security to protect my file server from problems in case the web server was hacked into.

My developer has suggested that when I configure the new web server I should get rid of the Home Zone and have everything on one network using the same domain controller.  He said I can make group policies that will prevent users behind my firewall from having access to areas they should not see.  He says this will make things much easier because then I can use Windows Integrated Security with the SQL Server.

This makes me nervous, as I think keeping the web server in its own zone is best for security.  In my first post several experts agreed with this separation.

As I understand it, my web server will need a domain controller.  Since I am blocking all traffic between the two servers, it cannot use the 2003 file server as a DC.  I also want to use Windows Integrated Security.

Another challenge is that everyone is saying I should separate the web server and database.  I just spent about $10K on the two new servers with SQL and very much want to avoid buying another $3K server for a web server.  Besides the cost, I am concerned that a third server will greatly reduce the amount of runtime my APC UPS system would provide in the event of a blackout.  I currently have about 6 hours of run time.  This would be reduced a lot if the UPS had to keep an extra server up and running.  Note: I do have a retired Dell 600SC with W2K Server on it that I could use.  The problem is that it is 6+ years old without most of the reliability features of the new servers (including no support contract).  If the old server crashed, my network could be offline for a long time.

Here are my questions:

1. In a previous post someone suggested I use a Server 2008 Read-Only Domain Controller.  I would like some feedback on whether this is still a good solution for me.

2. Is there some way that I could open up a "limited" safe connection for the web server to use the 2003 server as a domain controller?  What type of traffic/ports are involved with a DC?  Can I use the 2003 server with the web server while keeping the file server 100% safe?

3. Another idea would be to configure the new 2950 web server with two separate partitions and OSs.  I have an unused license/copy of Windows Server 2003 Web Edition.  I know that the Web Edition cannot act as a Domain Controller and cannot run any database application.  If it is possible to have two separate environments running on one server, I could have my website running on the Web Edition using the built-in NICs and my database running on Server 2008 with the NIC card.  Then maybe I could have the database server also act as a domain controller.  Is this idea even feasible?  If yes, how secure would it be?  More importantly, how difficult would it be to set up (I am not an expert here and probably could not do this on my own)?

4. Do I have to use a DC with Server 2008 and SQL 2005?  My old W2K server is configured in a workgroup.  If I end up with the web and database apps on one server, can I use a workgroup configuration and avoid the DC issue?

I very much want to get this new server configured and online and greatly appreciate your thoughts/ideas.  Thanks again!
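Question 2 above asks which ports a domain controller needs. The script below is an added example written for this page, not something the poster or any answerer supplied. It lists the well-known static TCP ports a domain member uses against its DC and probes each one from the machine it runs on (for example the new web server), so that whatever policy is configured on the Netscreen between the Home and Work zones can be checked rather than assumed. The DC address 192.168.1.10 is an assumed placeholder; the post does not give the file server's address. Only TCP is probed: UDP 53/88/123/389 and the RPC dynamic port range (1025-5000 by default on a 2003 DC, 49152-65535 on 2008) are needed as well and are noted in the comments, since a plain TCP connect cannot test them.

```powershell
# Added example (not from the original post): probe the static TCP ports a
# Windows domain member needs to reach on its domain controller, so that a
# restrictive firewall policy between the web-server zone and the DC can be
# verified. Run it from the web server (PowerShell 2.0 or later; uses only
# System.Net.Sockets, so it does not need Test-NetConnection).
param(
    # Assumption: the SBS 2003 file server / DC in the Work zone. Replace as needed.
    [string]$DomainController = "192.168.1.10",
    [int]$TimeoutMs = 2000
)

# Well-known static TCP ports a member server uses against a DC.
# Not testable here but also required:
#   UDP 53 (DNS), UDP 88 (Kerberos), UDP 123 (NTP), UDP 389 (CLDAP DC locator)
#   and the RPC dynamic range used by Netlogon/SAM after the endpoint-mapper
#   lookup on TCP 135: 1025-5000 by default on Server 2003, 49152-65535 on 2008.
#   That range can be pinned to fixed ports on the DC via the registry values
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\"TCP/IP Port" and
#   HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort,
#   which makes a narrow firewall policy possible.
$adPorts = @(
    @{ Port = 53;   Service = "DNS" },
    @{ Port = 88;   Service = "Kerberos" },
    @{ Port = 135;  Service = "RPC endpoint mapper" },
    @{ Port = 389;  Service = "LDAP" },
    @{ Port = 445;  Service = "SMB (SYSVOL/NETLOGON shares, Group Policy)" },
    @{ Port = 464;  Service = "Kerberos password change" },
    @{ Port = 636;  Service = "LDAP over SSL" },
    @{ Port = 3268; Service = "Global Catalog" },
    @{ Port = 3269; Service = "Global Catalog over SSL" }
)

# Attempt a TCP connect with a timeout; returns $true when the three-way
# handshake completes, $false when it is refused, times out, or is dropped.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no SYN-ACK within the timeout: filtered/dropped
        }
        $client.EndConnect($async) # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"Probing DC $DomainController (TCP only, timeout ${TimeoutMs} ms)"
foreach ($entry in $adPorts) {
    $open  = Test-TcpPort -ComputerName $DomainController -Port $entry.Port -TimeoutMs $TimeoutMs
    $state = if ($open) { "open" } else { "blocked" }
    "{0,-6} {1,-8} {2}" -f $entry.Port, $state, $entry.Service
}
```

Reading the output is the security-relevant part: every port that shows "open" from the Home zone is a path a compromised web server would have to the domain controller, including LDAP, SMB and RPC, which is exactly the exposure the current all-traffic-blocked policy avoids. A "limited" policy as asked about in question 2 still has to open these, so the check shows concretely what is being traded away.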

Answer : Need Help with Network Configuration

Advice of "another kind": your question consists of about 1000 words. Make it 200 or split it into two or three questions and you will see that people will start adding comments. If I click such a question, I usually close the tab after 2 seconds, and I don't think I'm the only one. Only the best.