Can I push DNS ip address search order in group policy

Thread starter: Ovid Bailey

I have a DNS server with two IP addresses (e.g.,
172.16.1.10 and 192.168.1.10). For 95% of the connecting
clients, I need them to use the 192.168.1.10 address; the
other 5% need to use 172.16.1.10.

Everyone is connected using a Cisco VPN. DHCP is provided
via a server at each site, and it is not synched with AD.
At those locations, the DNS server for the Class C clients
is defined as 192.168.1.10. The DHCP works fine, and
ipconfig shows only one DNS server (the Class C address).

However, when I look at the client DNS cache, I see both
addresses. My problem comes when the Class C client tries
to use one of the AD functions (like changing a pwd). It
looks for foo.bar.com, and if the Class C address is used,
everything works fine. But if the Class B address is used
(i.e., if it's the first in the local cache), the client
request fails since it doesn't know where that Class B
network is.

Is there a way to create an OU / group policy / script to
define which client uses which DNS server in its cache?
I've read through the posts and MS docs and found DNS
search order, but that describes name server order, not
IP address order for the same server. Or tell the DNS
server to push only one of those addresses, not both? I'm
using Win2K, not 2003, and XP clients.

Thanks in advance.
 
No, there isn't any such method.
It's difficult with multi-homed DNS servers, as you've experienced. It's usually
recommended not to multi-home DNS servers or DCs because of this. The multiple IPs
you're finding in the client cache are coming from the Name Servers tab in
DNS, since that dictates what is SOA for the zone.

If you can just use the one IP address on the DNS server, all the clients
can connect to it by that IP address, as long as the VPNs are offering you
seamless integration between your locations. A better idea is to install DNS
on a server locally in the other site and either use AD Integrated (if DNS
is installed on a DC), or just make the other location (172.16.x.x) DNS with
a secondary zone of the one in the 192.168.x.x subnet. This way the clients
will use the DNS server locally, eliminating WAN query traffic, the AD
info will be consistent (AD will function), and there won't be any confusion.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Ovid,

sorry - you are not able to easily change the DNS servers via GPO in Windows
2000. This would be possible in Windows NT with a customized ADM template, and
is provided after Windows XP.
The reason is that in Windows NT the entry is stored in a static location in the
registry. With Windows 2000 that moved to a subkey underneath the adapter GUID,
which might be different at each client. MS implemented a GPO to address this
issue with Windows XP.

Here's a script which some of the MVPs provide to change the DNS addresses
using WMI - just change it to run either against the machines you specify, or
adjust a part of it to run within a script which you assign via GPO:
http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=25


Gruesse - Sincerely,

Ulf B. Simon-Weidner
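The approach Ulf describes (a WMI script assigned via GPO, since the per-adapter GUID registry key cannot be targeted by a Windows 2000 policy) sketched as an added example; this is not the script he linked and not Ovid's environment. It assumes a two-site subnet-to-DNS mapping taken from the thread's example addresses, picks the DNS server from the client's own IPv4 address, sets it through the WMI method Win32_NetworkAdapterConfiguration.SetDNSServerSearchOrder, and flushes the local resolver cache so a cached entry for the other address is not reused.

```vbscript
' Added example (not the MVP script linked above): choose the DNS server
' address from the client's own subnet and apply it via WMI, as a
' Windows 2000/XP startup script assigned through GPO could do.
' The subnet -> DNS mapping is an assumption based on the thread's addresses.
Option Explicit

Dim sites
Set sites = CreateObject("Scripting.Dictionary")
sites.Add "192.168.1.0/24", "192.168.1.10"   ' Class C site clients
sites.Add "172.16.1.0/24",  "172.16.1.10"    ' Class B site clients

' Dotted quad -> numeric value. A VBScript Long overflows above 2^31,
' so a Double is used (exact for values below 2^53).
Function IpToNum(ip)
    Dim parts, i
    parts = Split(ip, ".")
    IpToNum = 0
    For i = 0 To 3
        IpToNum = IpToNum * 256 + CDbl(parts(i))
    Next
End Function

' True when ip lies inside cidr, e.g. InSubnet("192.168.1.77", "192.168.1.0/24")
Function InSubnet(ip, cidr)
    Dim parts, hostSpan
    parts = Split(cidr, "/")
    hostSpan = 2 ^ (32 - CInt(parts(1)))      ' addresses per subnet
    InSubnet = (Int(IpToNum(ip) / hostSpan) = Int(IpToNum(parts(0)) / hostSpan))
End Function

Dim wmi, nic, ip, cidr, rc
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each nic In wmi.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
    For Each ip In nic.IPAddress
        If InStr(ip, ":") = 0 Then           ' skip IPv6 entries on newer clients
            For Each cidr In sites.Keys
                If InSubnet(ip, cidr) Then
                    ' Return code 0 = applied; 1 = applied, reboot required
                    rc = nic.SetDNSServerSearchOrder(Array(sites(cidr)))
                    WScript.Echo nic.Description & ": " & ip & " -> " & sites(cidr) & " (rc=" & rc & ")"
                End If
            Next
        End If
    Next
Next

' Drop cached answers that may still point at the other server address
CreateObject("WScript.Shell").Run "ipconfig /flushdns", 0, True
```

Run it as a computer startup script so it executes with local system rights; a per-user logon script would not be allowed to change adapter settings.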
 

Thanks for the link, Ulf!
:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ulf,

Thanks! This is exactly what I was looking for.

Quick question...you said that changing this via GP is
possible "after Windows XP" and "MS implemented a GPO to
address this issue with Windows XP."

Do you mean Windows 2003 Server, or is this a capability
that I can implement in 2000 Server as long as the XP
client GP plugin is installed?

Thanks again,

Ovid
 
Ace,

I did the multihomed patch with full knowledge that it
wasn't the right solution, but couldn't figure out how to
make it work properly with NAT occurring three times
before I get it.

Your solution looks absolutely proper. I'm going to try
Ulf's script this week, but put your solution in place
over the next month (I don't have a remote DNS server
yet) as the proper way to handle this.

Thanks so much,

Ovid Bailey
 
Good luck!
:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 