BusMaster said:
The subject environment consists of a WINDOWS2000 PDC, three
WINDOWS2000 SERVERS, numerous stationary desktops, roaming laptops,
and smartphones. One of the three servers is running DNS, and when
configured, No Forward Lookups presumably has now made it a caching
only server; it certainly is acting well as one.
I believe the DNS environment here is not configured correctly, as
NSLOOKUP does not return what one would expect, e.g. it doesn't know the
internal server/workstation names; however, they are properly
resolved with PING etc.
I am planning a new environment as the organization is growing, and
some of the Q&D gizmos like Internet Connection Sharing are
problematic at best, albeit adequate given the 'calluses' already in
place. We would be better served using Routing and Remote Access
(instead of ICS), yes?
PDC: Points to itself on all interfaces. If one of the interfaces
goes elsewhere, point the Preferred to itself, point the Secondary
DNS to the CACHE.
Others: Points to the PDC as Primary and the Cache as secondary.
BDC: How does this work when I set it up?
In addition to Kurt's post and questions (which I share), I am not sure as
well, what role the caching only server is being used for. If a forwarder is
configured to the DC's DNS (which is the DNS server for the AD domain and
has all the SRV data for the domain, and the ISP doesn't have info about the
internal AD domain name), then I can see using the caching as the "second"
entry in IP properties. But that wouldn't make sense anyway because if the
first doesn't answer, the second points right back to it and sending a query
that can't be resolved.
I just want to make one note about the terminology before I go on: There are
no PDCs or BDCs in Active Directory; rather, they are all just replica DCs.
There is a FSMO Role called the PDC Emulator that *each* domain has, and it
acts like an NT4 PDC for NT4 BDCs if there are any in the domain. Other than
that, it acts as a time server for all machines in an AD domain, handles
password changes for legacy clients, and any GPO creation/editing is
performed on it, unless one decides to use another for GPOs.
You mention the "PDC" is "pointing to itself on all interfaces", then to the
caching server. That leads me to believe the caching only server is
forwarding to the ISP's or is just using its Root Hints. If so, and that is
the second entry, I am surprised there aren't any Netlogon errors on the DC,
or USERENV errors on any of the machines (including the DC).
There is also another issue. The DC is multihomed (more than one NIC). This
can cause problems with a DC, and it's rather recommended to only single home
a DC. There are multiple steps associated with forcing a multihomed DC to
properly register only the internal interface in DNS (including a couple of
reg entries). I can post them if you like. If you are using ICS, then that
is another issue as well. ICS conflicts with DNS and DHCP services because
it acts as a mini unconfigurable DHCP server as well as a DNS proxy. I would
suggest using NAT (through RRAS), but really it is more efficient for a DC not
to do this (lots of overhead), and rather suggest an inexpensive Linksys
router to perform NAT, but still use the DC's DHCP and DNS services (not the
router's).
The cardinal rule is to only use the internal DNS in an AD environment and
it's recommended to configure a forwarder from the internal DNS server to
the ISP's DNS for efficient Internet name resolution. This way all machines
querying for AD service locations will ask it first, and if it is an outside
name, it will forward it to the ISP's to resolve it, then return the answer
to the internal clients.
If you promote a Windows 2000 server as a DC in your current domain, you can
install DNS on it too. Make sure the AD zone name is AD integrated on the
first DC, then on the second (new) DC with DNS on it, don't create any
zones. It will automatically populate (because AD integration just means the
zone data is stored in the physical AD database (DomainNC partition), and is
replicated to other DCs in a 2000 domain). The other machine will recognize
that and auto populate. Then on the first server, point to itself, and set
the other DC as the second one. Then on the second DC, point to itself, then
the second one to the first.
As for your 'unknown' server message in nslookup, create a reverse zone on
the DC's DNS, and make sure a PTR entry is created (allow updates), and
make sure ALL internal machines only use the internal DNS, and the 'unknown'
message will turn into the name of the machine and its IP.
I hope that helps.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
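The resolver behaviour Ace's reply relies on, as an added example that is not part of the thread or of any Microsoft tooling: a toy model of the thread's topology (a DC hosting the AD zone with a forwarder to the ISP, a caching only server, and a second replica DC). The AD domain name `corp.example`, the addresses, and the record data are constructed for the example. It shows why a caching only server is a poor alternate entry (the Windows stub resolver only moves to the alternate when the preferred server does not respond, and the cache then cannot answer AD SRV queries), why "the second points right back to it" fails when the cache forwards to the DC, why a replica DC as alternate keeps internal resolution working, and why nslookup prints `UnKnown` until a reverse zone with a PTR record exists.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DnsServer:
    """Toy DNS server: authoritative zones, an optional forwarder, an answer cache."""
    name: str
    up: bool = True
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)  # zone -> {label: rdata}
    forwarder: Optional["DnsServer"] = None
    cache: Dict[str, str] = field(default_factory=dict)

    def query(self, qname: str, depth: int = 0) -> Optional[str]:
        """Return rdata, None for 'no such name'; raise TimeoutError when down."""
        if not self.up:
            raise TimeoutError(f"{self.name} did not respond")
        if depth > 8:  # stop forwarder loops (cache -> DC -> cache ...)
            return None
        qname = qname.lower().rstrip(".")
        if qname in self.cache:
            return self.cache[qname]
        # An authoritative zone answers (or says 'no such name'); it never forwards.
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                label = "@" if qname == zone else qname[: -len(zone) - 1]
                return records.get(label)
        if self.forwarder is None:
            return None  # root hints are not modelled: outside names stay unknown
        try:
            answer = self.forwarder.query(qname, depth + 1)
        except TimeoutError:
            return None
        if answer is not None:
            self.cache[qname] = answer
        return answer


def client_resolve(qname, preferred, alternate=None):
    """Windows-style stub resolver: the alternate server is tried only when the
    preferred one does not respond, never when it answers 'no such name'."""
    for server in (preferred, alternate):
        if server is None:
            return None
        try:
            return server.query(qname)
        except TimeoutError:
            continue
    return None


def nslookup_banner(server_ip: str, resolver: DnsServer) -> str:
    """nslookup reverse-resolves the server it talks to before anything else;
    with no PTR record it prints 'UnKnown' as the default server name."""
    ptr_name = ".".join(reversed(server_ip.split("."))) + ".in-addr.arpa"
    try:
        return resolver.query(ptr_name) or "UnKnown"
    except TimeoutError:
        return "UnKnown"


AD_ZONE = "corp.example"  # constructed AD domain name
AD_RECORDS = {            # same data on every DC: AD-integrated zone, replicated
    "@": "192.168.1.10",
    "dc1": "192.168.1.10",
    "dc2": "192.168.1.11",
    "_ldap._tcp.dc._msdcs": "dc1.corp.example",  # the SRV data Netlogon looks for
}
SRV_QUERY = "_ldap._tcp.dc._msdcs." + AD_ZONE
OUTSIDE_QUERY = "www.example.net"


def build_topology():
    """ISP resolver, caching only server, and two DCs that forward to the ISP."""
    isp = DnsServer("isp", zones={"example.net": {"www": "203.0.113.10"}})
    cache = DnsServer("cache-only", forwarder=isp)
    dc1 = DnsServer("dc1", zones={AD_ZONE: dict(AD_RECORDS)}, forwarder=isp)
    dc2 = DnsServer("dc2", zones={AD_ZONE: dict(AD_RECORDS)}, forwarder=isp)
    return isp, cache, dc1, dc2


def lookups(preferred, alternate):
    """(internal SRV answer, outside name answer) as a client would see them."""
    return (client_resolve(SRV_QUERY, preferred, alternate),
            client_resolve(OUTSIDE_QUERY, preferred, alternate))


def run_scenarios():
    """Compare 'DC + cache as alternate' with 'DC + replica DC as alternate'."""
    results = {}
    _, cache, dc1, dc2 = build_topology()
    results["dc-up, alt=cache"] = lookups(dc1, cache)
    dc1.up = False
    results["dc-down, alt=cache"] = lookups(dc1, cache)   # SRV lookup fails
    results["dc-down, alt=dc2"] = lookups(dc1, dc2)       # replica still answers
    _, cache, dc1, _ = build_topology()                   # fresh caches
    cache.forwarder = dc1                                 # "points right back to it"
    dc1.up = False
    results["dc-down, alt=cache->dc"] = lookups(dc1, cache)
    return results


def reverse_zone_demo():
    """nslookup banner before and after the DC gets a reverse zone with PTRs."""
    _, _, dc1, _ = build_topology()
    before = nslookup_banner("192.168.1.10", dc1)
    dc1.zones["1.168.192.in-addr.arpa"] = {"10": "dc1." + AD_ZONE, "11": "dc2." + AD_ZONE}
    after = nslookup_banner("192.168.1.10", dc1)
    return before, after


if __name__ == "__main__":
    for scenario, (srv, outside) in run_scenarios().items():
        print(f"{scenario:26} SRV={srv!s:18} outside={outside}")
    print("nslookup default server before/after reverse zone:", reverse_zone_demo())
```

The model deliberately gives the cache no root hints, so the only thing that changes across scenarios is the server list on the client and what each server is authoritative for; that isolates the point of the reply, which is that the alternate entry must hold the AD zone itself rather than sit in front of a resolver that knows nothing about it.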