Can I add to local DNS table?

Tcs
Problem:

Our DNS entries that the DHCP server is dispensing appear to be ahh...not as
correct as they could/should be.

(I went looking because I *always* take 1:30 to 1:45 to log on, staring at the
"Applying your personal settings..." msg. When I replace our ISP's servers
entries in DNS with *our* internal DNS servers, this problem goes away. I also
had a scripting issue until I made this change. My script couldn't find our
domain name of/for Active Directory before my fix.)

And of course, apparently, I've pissed off the network admin who has done all
this network stuff (I'm the DBA), so he has now taken me out of the Domain
Admins group. (I sent him 2 emails just asking why DNS was setup the way it
was.)

Question:

Can I, via a script or whatever, merely "add" our two DNS server entries to what
the DHCP server spits out? Or do I have to stay with either the DHCP server
entries entirely, or specify ALL my DNS entries not using any DHCP entries at
all? (I guess I'm not very hopeful he'll inform me when he makes any change(s)
to the DHCP entries.)

Or...

Should I just set my entries the way *I* want, and wait until I have a[nother]
problem?

I appreciate the advice/help. Thanks in advance,

Tom
 
Why not convince the admin that the way it is set up is incorrect?
(I went looking because I *always* take 1:30 to 1:45 to log on, staring at
the "Applying your personal settings..." msg. When I replace our ISP's
servers entries in DNS with *our* internal DNS servers, this problem goes
away.

Typical mistake that admins make when moving from NT 4.0 to AD. Setting the
ISP's DNS server on the client computer *was* the way to go with NT, but
with AD it causes multiple problems: long login times, group policy errors.

The basic AD DNS setup is to install DNS on a server that supports SRV
records (Win 2k or Win 2k3 server) and point this server to itself for DNS in
the properties of TCP/IP. Point ALL AD clients to the DNS server set up for
the AD domain ONLY. Pointing them to your ISP's DNS server as secondary will
cause a whole new set of problems. Remember DCs are AD clients also.

For Internet access either set up the AD DNS server to forward requests, and
list your ISP's DNS server as the forwarder (this is the ONLY place on your
domain your ISP's DNS server should be listed) or use root hints.

See:
Best Practices for DNS Client settings in Windows 2000 server and in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675

Not sure if you are running Win 2k or 2k3

How to configure DNS for Internet access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

Reasoning behind pointing all AD clients to the internal DNS server?

When you point the AD DNS server to itself for DNS, it will register the SRV
record clients MUST find in order to *find* the domain. Pointing to your
ISP's DNS server won't do. Your ISP probably will NOT allow your server to
dynamically register your AD domain's SRV records on their DNS server. If
they would, consider how secure that would be with your AD internal records
hosted on a public DNS server where all users (not just your domain users)
have access. To answer that, do you need to provide any authentication to
query those DNS servers for www.yahoo.com? No, just ask and they will tell
you. That would be the same if your internal (private domain set up for your
company) SRV records were registered there. Since your ISP's DNS server does
not have the SRV records for your AD domain (they don't want whoever
filling up their DNS server with whatever they want. Someone could change
their records for yahoo.com to point to their own phishing site), it takes a
long time to log in.


Or...

Should I just set my entries the way *I* want, and wait until I have
a[nother] problem?

Actually leaving it the Admin's way *will* cause you problems.

Setting it up *your* way (read your way = MS best practice) *will* cause
Group policy to work correctly. It *will* cause login times to be shorter.
It *will* stop all those "domain can not be found" errors. It *will* cause
AD to purr right along like a finely tuned expensive foreign automobile.

Bottom line - Your Admin has DNS set up incorrectly.

hth

DDS W 2k MVP MCSE

Tcs said:
Problem:

Our DNS entries that the DHCP server is dispensing appear to be ahh...not
as correct as they could/should be.

(I went looking because I *always* take 1:30 to 1:45 to log on, staring at
the "Applying your personal settings..." msg. When I replace our ISP's
servers entries in DNS with *our* internal DNS servers, this problem goes
away. I also had a scripting issue until I made this change. My script
couldn't find our domain name of/for Active Directory before my fix.)

And of course, apparently, I've pissed off the network admin who has done
all this network stuff (I'm the DBA), so he has now taken me out of the
Domain Admins group. (I sent him 2 emails just asking why DNS was set up the
way it was.)

Question:

Can I, via a script or whatever, merely "add" our two DNS server entries
to what the DHCP server spits out? Or do I have to stay with either the
DHCP server entries entirely, or specify ALL my DNS entries not using any
DHCP entries at all? (I guess I'm not very hopeful he'll inform me when he
makes any change(s) to the DHCP entries.)

Or...

Should I just set my entries the way *I* want, and wait until I have
a[nother] problem?

I appreciate the advice/help. Thanks in advance,

Tom
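The setup Danny describes above (every AD client pointed only at the AD DNS servers, the ISP listed nowhere but the forwarder) is something a client can verify for itself. The PowerShell below is an added example, not code from this thread or from the Microsoft KB articles it cites: it lists every IPv4 DNS server configured on the machine and asks each one directly for the domain's "_ldap._tcp.dc._msdcs" SRV record, the domain-controller locator record an AD client has to find at logon. It assumes Windows 8 / Server 2012 or later (the DnsClient module) and a domain-joined machine, so that the USERDNSDOMAIN environment variable holds the AD DNS name. A configured server that cannot answer that query is not an AD DNS server for the domain; in Tom's situation that is exactly what the ISP addresses handed out by DHCP would look like.

```powershell
# Added example (not from the thread): audit which DNS servers this client is
# using and whether each of them can answer the AD domain's locator SRV record.
# Assumes Windows 8 / Server 2012 or later (DnsClient module) and a domain-
# joined machine, so $env:USERDNSDOMAIN holds the AD DNS name.
param(
    [string]$DomainName = $env:USERDNSDOMAIN
)

if (-not $DomainName) {
    throw "Not domain-joined (USERDNSDOMAIN is empty); pass -DomainName explicitly."
}

# The domain-controller locator record every AD client must resolve at logon.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"

# Collect every IPv4 DNS server configured on any adapter (static or from DHCP).
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $ip }
        }
    }

if (-not $servers) {
    Write-Warning "No IPv4 DNS servers configured on any interface."
    return
}

$report = foreach ($entry in $servers) {
    # Ask this one server directly, bypassing the local cache and the others.
    try {
        $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $entry.Server -DnsOnly -ErrorAction Stop
        $targets = ($answer | Where-Object { $_.Type -eq 'SRV' } |
                    ForEach-Object { $_.NameTarget }) -join ', '
        $knowsDomain = [bool]$targets
    }
    catch {
        $targets = $_.Exception.Message
        $knowsDomain = $false
    }

    [pscustomobject]@{
        Interface   = $entry.Interface
        DnsServer   = $entry.Server
        KnowsDomain = $knowsDomain
        Detail      = $targets
    }
}

$report | Format-Table -AutoSize

# A server that cannot answer the locator query is not an AD DNS server for this
# domain (typically an ISP resolver). While the client is using it, logon and
# Group Policy stall on lookups that can never succeed.
$bad = @($report | Where-Object { -not $_.KnowsDomain })
if ($bad.Count -gt 0) {
    $offenders = ($bad | ForEach-Object { $_.DnsServer } | Select-Object -Unique) -join ', '
    Write-Warning ("{0} configured DNS server(s) cannot resolve {1}: {2}" -f $bad.Count, $srvName, $offenders)
} else {
    Write-Host "All configured DNS servers can locate domain controllers for $DomainName."
}
```

Run it on a workstation after a DHCP renew; the warning names the servers that do not know the domain. The script only reads adapter settings and sends one query per configured server, so it needs no administrative rights and is a reasonable thing to hand to the admin as evidence alongside the KB articles.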
 
Tcs said:
Problem:

Our DNS entries that the DHCP server is dispensing appear to be ahh...not as
correct as they could/should be.

(I went looking because I *always* take 1:30 to 1:45 to log on, staring at
the "Applying your personal settings..." msg. When I replace our ISP's
servers entries in DNS with *our* internal DNS servers, this problem goes
away. I also had a scripting issue until I made this change. My script
couldn't find our domain name of/for Active Directory before my fix.)

And of course, apparently, I've pissed off the network admin who has done
all this network stuff (I'm the DBA), so he has now taken me out of the
Domain Admins group. (I sent him 2 emails just asking why DNS was set up the
way it was.)

Question:

Can I, via a script or whatever, merely "add" our two DNS server entries to
what the DHCP server spits out? Or do I have to stay with either the DHCP
server entries entirely, or specify ALL my DNS entries not using any DHCP
entries at all? (I guess I'm not very hopeful he'll inform me when he makes
any change(s) to the DHCP entries.)

Or...

Should I just set my entries the way *I* want, and wait until I have
a[nother] problem?

I appreciate the advice/help. Thanks in advance,

Tom

Don't point the clients or servers to the ISP DNS. Point them ONLY
to the internal DNS. On your internal DNS servers configure forwarding
to the ISP DNS.
See also:
MS-KBQ291382_Frequently asked questions about Windows 2000 DNS and
Windows Server 2003 DNS
MS-KBQ825036_Best practices for DNS client settings in Windows 2000
Server and in Windows Server 2003

The main reason everything takes so long and stuff does not work
correctly is that (I assume) the ISP DNS does not know anything about your
internal AD. Only your internal DNS servers do!
 
Don't point the clients or servers to the ISP DNS. Point them ONLY
to the internal DNS. On your internal DNS servers configure forwarding
to the ISP DNS.

I'm *trying* to...
 
Why not convince the admin that the way it is set up is incorrect?

I'm trying...

Typical mistake that admins make when moving from NT 4.0 to AD. Setting the
ISP's DNS server on the client computer *was* the way to go with NT, but
with AD it causes multiple problems: long login times, group policy errors.

The basic AD DNS setup is to install DNS on a server that supports SRV
records (Win 2k or Win 2k3 server) and point this server to itself for DNS in
the properties of TCP/IP. Point ALL AD clients to the DNS server set up for
the AD domain ONLY. Pointing them to your ISP's DNS server as secondary will
cause a whole new set of problems. Remember DCs are AD clients also.

I believe this is what we have. Two DNS servers (2k3) in the new AD domain.

For Internet access either set up the AD DNS server to forward requests, and
list your ISP's DNS server as the forwarder (this is the ONLY place on your
domain your ISP's DNS server should be listed) or use root hints.

He says the reason he is pushing the ISP's servers out to clients is because
twice already BellSouth has changed their DNS servers' IPs...without telling us.
So he wants to forward requests to them. (Wouldn't the gateway (PIX) get this?
Which is why all I need to do is point to it for my gateway?)

See:
Best Practices for DNS Client settings in Windows 2000 server and in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675

Not sure if you are running Win 2k or 2k3

How to configure DNS for Internet access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

Reasoning behind pointing all AD clients to the internal DNS server?

When you point the AD DNS server to itself for DNS, it will register the SRV
record clients MUST find in order to *find* the domain. Pointing to your
ISP's DNS server won't do. Your ISP probably will NOT allow your server to
dynamically register your AD domain's SRV records on their DNS server. If
they would, consider how secure that would be with your AD internal records
hosted on a public DNS server where all users (not just your domain users)
have access. To answer that, do you need to provide any authentication to
query those DNS servers for www.yahoo.com? No, just ask and they will tell
you. That would be the same if your internal (private domain set up for your
company) SRV records were registered there. Since your ISP's DNS server does
not have the SRV records for your AD domain (they don't want whoever
filling up their DNS server with whatever they want. Someone could change
their records for yahoo.com to point to their own phishing site), it takes a
long time to log in.

Or...

Should I just set my entries the way *I* want, and wait until I have
a[nother] problem?

Actually leaving it the Admin's way *will* cause you problems.

Setting it up *your* way (read your way = MS best practice) *will* cause
Group policy to work correctly. It *will* cause login times to be shorter.
It *will* stop all those "domain can not be found" errors. It *will* cause
AD to purr right along like a finely tuned expensive foreign automobile.

Bottom line - Your Admin has DNS set up incorrectly.

hth

DDS W 2k MVP MCSE

It helps *very* much. I greatly appreciate the assistance. Thank you,

Tom
 
He says the reason he is pushing the ISP's servers out to clients is
because twice already BellSouth has changed their DNS servers' IPs...without
telling us. So he wants to forward requests to them. (Wouldn't the gateway
(PIX) get this? Which is why all I need to do is point to it for my
gateway?)

Hmm... ISP changes their DNS server's IP? It would seem to me that if the
ONLY place the ISP's DNS server was listed on your domain was under the
forwarder tab, when the ISP changes the DNS IPs, the only place you would
have to change it would be under the forwarder tab and the change would
affect the entire domain *immediately*. This change does not have to
replicate to the clients. The clients "go there and look": they see what is
set up for a forwarder and use it. Change the forwarder and they "see what
is set up for a forwarder and use it."

Whereas having DHCP hand out the changed IP address, this change would
"trickle" down to your clients "eventually".
Since DNS is not properly set up (ISP's DNS server listed on an AD client)
he is compounding the problem.

hth
DDS W 2k MVP MCSE

Tcs said:
Why not convince the admin that the way it is set up is incorrect?

I'm trying...

Typical mistake that admins make when moving from NT 4.0 to AD. Setting
the ISP's DNS server on the client computer *was* the way to go with NT, but
with AD it causes multiple problems: long login times, group policy errors.

The basic AD DNS setup is to install DNS on a server that supports SRV
records (Win 2k or Win 2k3 server) and point this server to itself for DNS in
the properties of TCP/IP. Point ALL AD clients to the DNS server set up for
the AD domain ONLY. Pointing them to your ISP's DNS server as secondary will
cause a whole new set of problems. Remember DCs are AD clients also.

I believe this is what we have. Two DNS servers (2k3) in the new AD domain.

For Internet access either set up the AD DNS server to forward requests, and
list your ISP's DNS server as the forwarder (this is the ONLY place on your
domain your ISP's DNS server should be listed) or use root hints.

He says the reason he is pushing the ISP's servers out to clients is because
twice already BellSouth has changed their DNS servers' IPs...without telling
us. So he wants to forward requests to them. (Wouldn't the gateway (PIX) get
this? Which is why all I need to do is point to it for my gateway?)

See:
Best Practices for DNS Client settings in Windows 2000 server and in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675

Not sure if you are running Win 2k or 2k3

How to configure DNS for Internet access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

Reasoning behind pointing all AD clients to the internal DNS server?

When you point the AD DNS server to itself for DNS, it will register the
SRV record clients MUST find in order to *find* the domain. Pointing to your
ISP's DNS server won't do. Your ISP probably will NOT allow your server to
dynamically register your AD domain's SRV records on their DNS server. If
they would, consider how secure that would be with your AD internal records
hosted on a public DNS server where all users (not just your domain users)
have access. To answer that, do you need to provide any authentication to
query those DNS servers for www.yahoo.com? No, just ask and they will tell
you. That would be the same if your internal (private domain set up for
your company) SRV records were registered there. Since your ISP's DNS server
does not have the SRV records for your AD domain (they don't want whoever
filling up their DNS server with whatever they want. Someone could change
their records for yahoo.com to point to their own phishing site), it takes a
long time to log in.

Or...

Should I just set my entries the way *I* want, and wait until I have
a[nother] problem?

Actually leaving it the Admin's way *will* cause you problems.

Setting it up *your* way (read your way = MS best practice) *will* cause
Group policy to work correctly. It *will* cause login times to be shorter.
It *will* stop all those "domain can not be found" errors. It *will* cause
AD to purr right along like a finely tuned expensive foreign automobile.

Bottom line - Your Admin has DNS set up incorrectly.

hth

DDS W 2k MVP MCSE

It helps *very* much. I greatly appreciate the assistance. Thank you,

Tom
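Danny's point that the forwarder tab should be the one place the ISP's resolvers appear (so an ISP address change is a single edit that takes effect immediately, with nothing to trickle out through DHCP leases) can be turned into a server-side check. The PowerShell below is an added example, not code from the thread or from Microsoft: run on the DC that hosts DNS, it confirms that the server's own NIC uses only internal DNS, that forwarders (or root hints) are configured and do not point back at internal servers, and that DHCP option 006 (DNS Servers) at server level and in every scope hands out only the internal DNS servers. It assumes Windows Server 2012 or later with the DnsServer and DhcpServer modules; the 10.0.0.x addresses are constructed placeholders to replace with the real internal servers.

```powershell
# Added example (not from the thread): verify that ISP resolvers appear only as
# forwarders on the internal DNS server and that DHCP hands clients only the
# internal DNS servers. Assumes Windows Server 2012 or later with the DnsServer
# and DhcpServer modules, run on the DC that hosts DNS. The IP addresses below
# are constructed placeholders, not values from the thread.
param(
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),   # the AD DNS servers
    [string]$DhcpServer    = $env:COMPUTERNAME              # host of the DHCP scopes
)

Import-Module DnsServer, DhcpServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. The DNS server's own NIC must list internal DNS only. DCs are AD clients
#    too, so the ISP never belongs in their TCP/IP settings.
$own = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
       Select-Object -Unique
foreach ($ip in $own) {
    if ($ip -notin $InternalDns) {
        $findings.Add("DNS server NIC lists non-internal resolver $ip")
    }
}

# 2. Internet resolution comes from forwarders (the one place the ISP belongs)
#    or from root hints. A forwarder that is itself internal would be a loop.
$fwd = Get-DnsServerForwarder
$forwarders = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
if ($forwarders.Count -eq 0 -and -not $fwd.UseRootHint) {
    $findings.Add("No forwarders configured and root hints disabled")
}
foreach ($ip in $forwarders) {
    if ($ip -in $InternalDns) {
        $findings.Add("Forwarder $ip is an internal DNS server (forwarding loop)")
    }
}

# 3. DHCP option 006 (DNS Servers) at server level and in every scope must hand
#    out only the internal DNS servers, in the same order.
$levels = @([pscustomobject]@{ Name = 'server-level'; Params = @{} })
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $levels += [pscustomobject]@{
        Name   = "scope $($scope.ScopeId)"
        Params = @{ ScopeId = $scope.ScopeId }
    }
}
foreach ($level in $levels) {
    $p   = $level.Params
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 @p -ErrorAction SilentlyContinue
    if (-not $opt) { continue }                 # option not set at this level; inherits
    $handed = @($opt.Value)
    # -SyncWindow 0 makes the comparison order-sensitive as well as set-sensitive.
    $diff = Compare-Object -ReferenceObject $InternalDns -DifferenceObject $handed -SyncWindow 0
    if ($diff) {
        $msg = "DHCP {0} hands out DNS servers [{1}], expected [{2}]" -f $level.Name, ($handed -join ', '), ($InternalDns -join ', ')
        $findings.Add($msg)
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: ISP resolvers appear only as forwarders; DHCP hands out internal DNS only."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each warning maps to one of the rules in the thread: a non-internal resolver on the DC's NIC, a missing or looping forwarder, or a DHCP scope that pushes the ISP's addresses to clients. Because the check reads the forwarder list from the DNS server itself, the ISP changing its addresses again shows up as a resolution failure in the first example rather than as a configuration finding here; the fix in both cases is the single forwarder edit Danny describes.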
 
Tcs said:
I'm trying...

It is quite unfortunate that an IT administrator lacks product knowledge or
even the fact they do not try to educate themselves in the product they are
using to run a corporation's IT infrastructure. Matter of fact, I wrote a
paper recently about how some IT admins or managers lack the necessary
*basic* knowledge about AD, yet they are still in control of their network.
How can they get away with it without fully understanding the feature set or
configuration know-how to ensure user productivity efficiency? That is a
good question.

If you can't persuade him, especially with the tech articles already
provided by Danny explaining it, then there's really not much you can do
about it. There may come a time when your admin realizes that there are
problems with AD functionality and he may actually post in one of these
groups trying to get a resolve just to be told that his current config is
incorrect.

Good luck, TCS.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 