Red7,
I think you have contradicted yourself in that last post:
"If you have a microsoft shop I highly recommend you use active directory integrated DNS and their DHCP."
"Now you have the problem of what is going to be your gateway: the router or a server...Plug everything into a switch and make sure to set DHCP to assign IP addresses, SM, DG, and DNS."
These two statements are NOT compatible. Matt is trying to set up M$ AD (which requires DNS) and I have suggested DHCP to supply IP info to his clients. The best way to do this AND allow client access to the Internet would be to place the server inside the firewall (or a NAT router) with one NIC and then connect a second NIC to a switch/hub where his clients are connected. In this fashion, all Internet traffic will pass through the server, so I test each in stages.
Step #1 - Does the WAN NIC have good settings? The server needs to connect to the router somehow, and most routers/firewalls have their own DHCP hosts, so let the WAN NIC be a DHCP client. Check that the server can connect to the Internet and resolve names (surf the net).
Step #2 - Did the DNS service get set up correctly, and is it able to forward queries to the ISP's DNS? In DNS, perform simple and recursive testing.
Step #3 - Is the server's DHCP passing IP address info to the clients? Use ipconfig /all or winipcfg to see the DNS and gateway settings given out by DHCP. Check that clients can ping each other by IP and by name.
Step #4 - Did the RRAS NAT service get set up correctly? Test whether clients can ping Internet hosts by name.
If all these steps check out, then you are good to go. If you are worried about security in this case, then your firewall/router isn't good enough.
In extreme security cases, I would suggest placing TWO dual-homed servers after the firewall: the first is a member server, still with DNS, DHCP, and NAT plus IP packet-filter software; the second is the AD server with DNS and DHCP. Now you could set one IP address scope in the firewall, one IP address scope in the packet-filter server, and your ordinary network scope in the AD server. Anyone compromising the firewall and the packet-filter server must be sitting at the desk NEXT to you, because they are NOT coming in from outside.
Alex
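The four stages above, turned into a check script, as an added example that is not part of Alex's post or of any Microsoft documentation. It assumes a current Windows Server that is a DHCP client on the WAN side and runs the DNS Server, DHCP Server and RRAS roles for the LAN (so the DnsServer, DhcpServer and NetTCPIP modules are present); the interface aliases WAN and LAN, the test host name, and "first active scope" are assumptions to adjust for the box in hand. Run it elevated on the server; the client-side part of steps 3 and 4 (ipconfig /all, ping by name) still happens on a client.

```powershell
# Added example (not from the original post): walk the four stages on the
# dual-homed server itself and report the first stage that fails.
$WanAlias = 'WAN'              # assumption: NIC facing the router/firewall
$LanAlias = 'LAN'              # assumption: NIC facing the client switch/hub
$TestHost = 'www.example.com'  # assumption: a public name the ISP DNS resolves
$Fail = @()

function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'PASS' } else { $script:Fail += $Name; 'FAIL' }
    Write-Host ("{0}  {1}  {2}" -f $tag, $Name, $Detail)
}

# Step 1: WAN NIC is a DHCP client and got address, gateway and DNS from the
# router; the server itself can resolve names and reach the outside.
$wanIf  = Get-NetIPInterface -InterfaceAlias $WanAlias -AddressFamily IPv4
$wanCfg = Get-NetIPConfiguration -InterfaceAlias $WanAlias
Check 'WAN NIC is DHCP client' ($wanIf.Dhcp -eq 'Enabled') "Dhcp=$($wanIf.Dhcp)"
Check 'WAN address assigned'   ($null -ne $wanCfg.IPv4Address) "$($wanCfg.IPv4Address.IPAddress)"
Check 'WAN default gateway'    ($null -ne $wanCfg.IPv4DefaultGateway) "$($wanCfg.IPv4DefaultGateway.NextHop)"
$srvResolve = Resolve-DnsName -Name $TestHost -Type A -ErrorAction SilentlyContinue
Check 'Server resolves names'  ($null -ne $srvResolve) $TestHost
$srvReach = Test-NetConnection -ComputerName $TestHost -Port 443 -WarningAction SilentlyContinue
Check 'Server reaches Internet' ([bool]$srvReach.TcpTestSucceeded) "tcp/443 to $TestHost"

# Step 2: the DNS service forwards to the ISP and answers recursively when
# asked on the LAN address (the address the clients will be handed).
$lanIp = (Get-NetIPAddress -InterfaceAlias $LanAlias -AddressFamily IPv4).IPAddress
$fwd   = Get-DnsServerForwarder
Check 'DNS forwarders configured' (@($fwd.IPAddress).Count -gt 0) ($fwd.IPAddress -join ', ')
Check 'DNS recursion enabled'     ([bool](Get-DnsServerRecursion).Enable) ''
$viaSrv = Resolve-DnsName -Name $TestHost -Type A -Server $lanIp -DnsOnly -ErrorAction SilentlyContinue
Check 'Recursive lookup via LAN IP' ($null -ne $viaSrv) "$TestHost via $lanIp"

# Step 3: the DHCP scope hands out the server's LAN address as both default
# gateway (option 003) and DNS server (option 006). Scope-level options are
# checked here; options set at server level would need a call without -ScopeId.
$scope = Get-DhcpServerv4Scope | Where-Object State -eq 'Active' | Select-Object -First 1
Check 'Active DHCP scope' ($null -ne $scope) "$($scope.ScopeId) / $($scope.SubnetMask)"
if ($scope) {
    $opts = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId
    $gw   = @(($opts | Where-Object OptionId -eq 3).Value)
    $dns  = @(($opts | Where-Object OptionId -eq 6).Value)
    Check 'Option 003 router = LAN NIC' ($gw -contains $lanIp)  "router=$($gw -join ',')"
    Check 'Option 006 DNS = LAN NIC'    ($dns -contains $lanIp) "dns=$($dns -join ',')"
    $leases = @(Get-DhcpServerv4Lease -ScopeId $scope.ScopeId)
    Check 'Clients hold leases' ($leases.Count -gt 0) "$($leases.Count) lease(s)"
}

# Step 4: RRAS is running and its NAT lists the WAN NIC. RRAS NAT is configured
# through netsh (Get-NetNat is the separate WinNAT/Hyper-V stack), so the
# netsh text is printed for the reader to confirm the WAN side is public.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
Check 'RRAS service running' ($rras.Status -eq 'Running') "$($rras.Status)"
$natText = (& netsh routing ip nat show interface 2>$null) | Out-String
Check 'WAN NIC listed in RRAS NAT' ($natText -match [regex]::Escape($WanAlias)) 'see netsh output below'
Write-Host $natText

if ($Fail.Count) { Write-Host "Fix in this order: $($Fail -join '; ')" }
else             { Write-Host 'All four stages pass on the server; now ping an Internet host by name from a client.' }
```

The checks are ordered the way the post orders them on purpose: a failure at step 2 (forwarders or recursion) will also show up as failures at steps 3 and 4, so the first FAIL line is the one to act on. What the script cannot see is the client side, which is why the last line sends you back to a client for the name-resolution and ping test.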