Aceshardware Forum Index Aceshardware
(not so) temporary home for the aceshardware community
 

Forbidding Internet use on certain computers...

 
thibs



Joined: 03 Aug 2007
Posts: 115

Posted: Thu Jul 03, 2008 10:11 am    Post subject: Forbidding Internet use on certain computers...

I need a couple different classrooms to be connected for automatic inventory purposes (pointing on a central Win2K3 server).

Internet is enabled in classroom where the server is located (hence, 'Internet classroom') but I do NOT want other classroom to have access to Internet though.

Each classroom will have its own server mainly for printers sharing, DHCP and if possible in this situation, domain controller -> managing user accounts.

What would be the possibilities not involving any additional software?
Maybe messing with the DNS?
Del



Joined: 09 Aug 2007
Posts: 99

Posted: Fri Jul 04, 2008 12:17 am    Post subject: Re: Forbidding Internet use on certain computers...

thibs wrote:
What would be the possibilities not involving any additional software?
Beats me, I assume GNU/Linux is still off your table?
LiamC



Joined: 23 Jul 2007
Posts: 70

Posted: Fri Jul 04, 2008 12:39 am

Smoothwall. It will run fine on an old Pentium 2 & 256MB of memory. Make it the gateway.

You can set all the rules you want (about who, what, when etc.) on the Smoothie.
thibs



Joined: 03 Aug 2007
Posts: 115

Posted: Sat Jul 05, 2008 6:01 pm

The win2003 server and router associated with it (a Cisco but I do not remember the model number, I remember however that it is a fairly common Cisco router) have software configuration which I cannot change much: I can add software but that's it.

The Cisco routes the whole thing. Its IP is 172.16.116.1 with the w2k3 server being domain controller/DNS (which forwards requests to the Cisco)/DHCP server with IP 172.16.116.2.

The DHCP server gives DNS address of both the server and the Cisco.

I may have to manually set rules to give those PCs another DHCP pool and not give them any DNS. But then it will prevent using a domain controller in each classroom.

Hmm Crap! :x

I will ask those idiots at the government agency which give us those servers et al. to manage something for us. :roll:
Del



Joined: 09 Aug 2007
Posts: 99

Posted: Sat Jul 05, 2008 8:37 pm

thibs wrote:
I will ask those idiots at the government agency which give us those servers et al. to manage something for us. :roll:
Do as many others before you, set up a linux box in a closet somewhere. It is about high time you put yourself out of misery, and get some fun into your everyday work. Ten years ago the typical linux deployment was done by a bottom up approach, driven by need, management often unaware. Today it is unbelievable for me to see the level of lock-in and entrenchment win-servers have achieved, often due to ignorance by the customer.
MadRat



Joined: 22 Jul 2007
Posts: 128

Posted: Mon Jul 07, 2008 3:56 am

Ignorance often emanates from the sys admin group itself. Some of the worst morons get those jobs...
lux_interior



Joined: 26 Jul 2007
Posts: 235

Posted: Mon Jul 07, 2008 10:56 pm

Ignorance, but also plain mediocrity and unwillingness to help solve the users' actual problems (rather than what the sysadmins consider the users' problems to be). Many of them seem to be stuck in an era where frequent retrieval of information from the Internet was exotic, and the most advanced use of a server was for serving files. I've heard some of them even think of Perl as a modern, elegant language :-)

Today I had to send a zipped tarball to the service support of a software vendor. The archive file was blocked by my client's outgoing mail server (a "security" measure of course). I was told I had to use a public file upload system instead. "Security"... and confidentiality too...
Groo



Joined: 22 Jul 2007
Posts: 127

Posted: Wed Jul 09, 2008 8:41 pm    Post subject: Re: Forbidding Internet use on certain computers...

thibs wrote:
I need a couple different classrooms to be connected for automatic inventory purposes (pointing on a central Win2K3 server).

Internet is enabled in classroom where the server is located (hence, 'Internet classroom') but I do NOT want other classroom to have access to Internet though.

Each classroom will have its own server mainly for printers sharing, DHCP and if possible in this situation, domain controller -> managing user accounts.

What would be the possibilities not involving any additional software?
Maybe messing with the DNS?


Set the ones you want on the internet to DHCP, and give them valid net addresses and DNS. The ones that you don't want out, hard set their IPs and give them no/false DNS info.

This way they can get out via IPs directly, but that is about it. If they can figure out how to get where they want via IPs directly, you probably can't keep them out anyway. :)

You could also do it the other way around, DHCP without DNS, static with DNS, but then you couldn't plug your laptop in and get out.

-Charlie
thibs



Joined: 03 Aug 2007
Posts: 115

Posted: Mon Jul 14, 2008 3:57 pm    Post subject: Re: Forbidding Internet use on certain computers...

Groo wrote:

Set the ones you want on the internet to DHCP, and give them valid net addresses and DNS. The ones that you don't want out, hard set their IPs and give them no/false DNS info.

This way they can get out via IPs directly, but that is about it. If they can figure out how to get where they want via IPs directly, you probably can't keep them out anyway. :)

You could also do it the other way around, DHCP without DNS, static with DNS, but then you couldn't plug your laptop in and get out.

-Charlie


Ah an actually constructive and helpful post.
Thank you Charlie!
telackey



Joined: 17 Jul 2008
Posts: 1

Posted: Thu Jul 17, 2008 5:33 am

The simplest thing you can do is make sure all the ones which should not have Internet have private IPs (http://en.wikipedia.org/wiki/Private_network) and then don't give them a default gateway.

That beats spoofing the DNS since you are actually preventing access to other networks, not obscuring it.

You could do that using DHCP or by assigning the address settings manually. If you use DHCP you can create reservations for the boxes you don't want to have access and adjust their settings appropriately.

You could also do it by blocking DHCP packets from them but leaving DHCP enabled on the boxes. They'll get APIPA (http://en.wikipedia.org/wiki/Apipa) addresses which can talk to each other but won't route to the Internet.
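
An added example, not part of any post in this thread: a Python check that classifies `ipconfig /all` excerpts to show the difference between withholding DNS and withholding the default gateway, plus the APIPA case. The host labels, the `audit` function and every address except the thread's 172.16.116.1 and 172.16.116.2 are constructed for illustration.

```python
import ipaddress
import re

# "Key . . . : value" lines as printed by `ipconfig /all`.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?)[ .]*:[ \t]*(\S*)", re.MULTILINE)

# Constructed excerpts, one per hypothetical PC (not taken from the thread).
SAMPLES = {
    "internet-room": """
   IP Address. . . . . . . . . . . . : 172.16.116.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.116.1
   DNS Servers . . . . . . . . . . . : 172.16.116.2
""",
    "no-dns": """
   IP Address. . . . . . . . . . . . : 172.16.116.60
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.116.1
   DNS Servers . . . . . . . . . . . :
""",
    "no-gateway": """
   IP Address. . . . . . . . . . . . : 172.16.116.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.16.116.2
""",
    "dhcp-blocked": """
   Autoconfiguration IP Address. . . : 169.254.12.7
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
""",
}

def audit(ipconfig_text):
    """Classify one adapter by what its settings let it reach."""
    fields = dict(FIELD.findall(ipconfig_text))
    addr = next(v for k, v in fields.items() if k.endswith("IP Address"))
    if ipaddress.ip_address(addr).is_link_local:
        return "apipa"            # 169.254/16: local segment only
    if fields.get("Default Gateway"):
        # Routed. Without DNS, names fail but raw IPs still work.
        return "internet" if fields.get("DNS Servers") else "routed-no-dns"
    return "no-gateway"           # nothing leaves the local subnet

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(f"{host:14} {audit(text)}")
```

Any restricted-classroom PC that comes back as `internet` or `routed-no-dns` still has a route out; only `no-gateway` and `apipa` match the isolation described in the post above.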