DNS config

  • Thread starter Thread starter Edmond
  • Start date Start date
E

Edmond

Hi all,
I have this question about DNS.
We are using two Win 2000 servers. Both are DNS servers as
well as DCs. Currenlty one DNS (let's call it DC1) is
setup to have a forward lookup zone as well as a backup
lookup zone. The other DNS (DC2) only have a backward
lookup zone setup, with the DNS settings points to DC1
only.
The case we want to set up is as follows:
We want to have one DNS being an external DNS, which only
answers query from outside our network. The other DNS will
be an internal DNS, hosting only records with internal IP
addresses. For example, queries to our web server from
outsiders will be answer by external DNS while the same
queries from within the company will be answer by the
internal DNS.
I have searched for quite a bit but still cannot locate
any information about such setup. Please kindly point me
in the right direction. Thanks in a million.
 
We want to have one DNS being an external DNS, which only
answers query from outside our network. The other DNS will
be an internal DNS, hosting only records with internal IP
addresses. For example, queries to our web server from
outsiders will be answer by external DNS while the same
queries from within the company will be answer by the
internal DNS.
Click to expand...

It's called a Shadow or Split DNS server. You set up what
is essentiall TWO ZONE with ONE name -- most people
think of it as one zone because the names are the same but
it helps in understanding if you consider it as TWO ZONES.

They will NOT replicate with each other -- this is the feature
that makes it two zones.

(Of course you could just use two completely distince zones,
but the principles are similar -- e.g., parent, child.)

On the outside place a Primary (and secondaries) that are NOT
dynamic zones.

On the inside use a Primary (OR AD-integrated set) and make
any that support Win2000 AD DYNAMIC.

When you change the EXTERNAL, you must manual duplicate
those changes on teh INTERNAL (since we purposely broke
replication.)

Internal records will not be (automatically) duplicated to the
outside.
 
Dave said:
What does DC stand for?
Click to expand...

Domain Controller -- usually a Win2000+ Domain Controller running
Active Directory.

In Win NT, these were either THE PDC (Primary DC) or BDCs (Backup DCs).
 
Thanks.
Currently we are having everything on one DNS server (both
internal computer records and records of servers that go
public). For the other one the forward lookup zone is not
setup.
I understand that I need to put one of them with internal
records only, and the other one with only IP addresses
that can go public (such as our web server). However, how
can I setup the new forward lookup zone just to hold
internal hosts? The main concern here is our Exchange
server. Should I set the primary DNS of the exchange
server to point to the internal or external DNS after the
split? OR even point to our ISP's DNS?
Sorry for dumb questions.
Thx
 
Edmond said:
Thanks.
Currently we are having everything on one DNS server (both
internal computer records and records of servers that go
public). For the other one the forward lookup zone is not
setup.
I understand that I need to put one of them with internal
records only, and the other one with only IP addresses
that can go public (such as our web server). However, how
can I setup the new forward lookup zone just to hold
internal hosts? The main concern here is our Exchange
server. Should I set the primary DNS of the exchange
server to point to the internal or external DNS after the
split? OR even point to our ISP's DNS?
Sorry for dumb questions.
Thx
Click to expand...
 
Currently we are having everything on one DNS server (both
internal computer records and records of servers that go
public). For the other one the forward lookup zone is not
setup.
I understand that I need to put one of them with internal
records only, and the other one with only IP addresses
that can go public (such as our web server).
Click to expand...

Actually, you (almost always) want the INTERNAL DNS server
to have ALL addresses, the external DNS will have only the
publicly accessible addresses though. Reason: Your users
probably need to access your public servers too.
However, how
can I setup the new forward lookup zone just to hold
internal hosts?
Click to expand...

Well, since actually you want EVERYTHING there, the easiest
(from where you are) is to just make TWO masters -- right now
you have a Primary-Secondary (Ok, the Primary might be AD-integrated
but I don't want to keep writing that long thing so Primary means either
type of DNS Master, ok?)

Take the Secondary (inside or outside) and make it ANOTHER Primary
(Master) -- now they have the same records (to start) but you have
BROKEN replication -- on purpose -- between them.

From now on, YOU must manually add EXTERNAL records to both
masters. That's it.
The main concern here is our Exchange
server. Should I set the primary DNS of the exchange
server to point to the internal or external DNS after the
split?
Click to expand...

Different issue -- INTERNAL machines should point to INTERNAL
DNS -- external to external DNS.

Those that sit on boundaries require a bit of thought, but the answer to
this question is the answer to another question: Do I want a boundary
machine to 'see' ALL of the internal names/addresses AND can it
physically (net, firewall, etc) reach the INTERNAL DNS? If the
answer to this question is TWO "YES"es then point its client settings
to the inside.
OR even point to our ISP's DNS?
Sorry for dumb questions.
Click to expand...

Not dumb at all -- took me a while to figure this out the first time:

I had a DNS Forwarder (caching only DNS) as a Firewall -- it's
a boundary machine, right? But it's also a DNS server ITSELF,
which means it USUALLY would have its own client settings
poinint at itself, BUT...

I wanted the boundary machine firewall to be able to resolve
internal names -- hmmmm?

Answer: Point its CLIENT settings to the INTERNAL DNS,
which forwards to the firewalls CACHING ONLY DNS.

(Not the only answer, but it works for me.)
 
I ran into problems again.
I tried to split the DNS servers (lets called them DNSA
and DNSB). DNSA holds all the public addresses, itself is
also a DC and the owner of the FSMO role. DNSB now holds
only internal IP addresses, and also a DC AND a GC.
Both DNSA and DNSB are primary, non-AD integrated DNS.
Only DNSB sets to be update dynamically.
On DNSA I have the following in the DNS server settings:
_msdcs
_sites
_tcp
_udp
However these are missed in DNSB. I have manually added IP
addresses of both DCs in the name server tab in the DNS
settings. (Because when I tried to resolve the address it
can't find the record)
And here is the problem.
After I made the modifications to both DNS servers the
first sign of problems is the Exchange server. Users
cannot logon to the Exchange server. In the event log
there were events saying that all GC in use are not
responding (Event ID 2103). For the DNS servers there were
events 5781, 5774, 5782 that said DCs are unreachable. At
that time I was putting our third DC offline for some
maintenance but had to put it back online. After some
moment (I'd say about half an hour) it seems that users
can logon back to the Exchange. But that didn't stop
there. As of now users still experiencing trouble logging
on to the file server thru AD. Some of the symptoms are as
follow:
- Some users cannot logon to the network, prompting either
the password is incorrect or there is no DC. (client using
Windows 95/98/2000/XP)
- user logoff and re-logon to the same machine found the
same problem (first time logon ok, but then when re-logon
there is problem.) A temporary remedy is strange. The
machine has to release the IP address it is using.
(ipconfig /release) Then renew the IP address and then re-
boot the computer. That way the user can logon. But it
will happen all over again when the user log off again.
Strange, huh??!!
Also operations on the AD seems to have problems, such as
add / delete users, move mailbox from one mail store to
another etc.
Can any body help??? Thanks in a billion....
Re : Sorry for typing such a long message, but I simply
want to volunteer all the info needed for the experts. Thx
 
Edmond said:
I ran into problems again.
I tried to split the DNS servers (lets called them DNSA
and DNSB). DNSA holds all the public addresses, itself is
also a DC and the owner of the FSMO role.
Click to expand...

It is generally impractical -- and a security risk -- to make
the external DNS using a DC from the internal domain.

I MIGHT be able to get it to work that way but I would be
unlikely to even try.

In order to make it work, you must "pretend" that DNS A
(external) is NOT a DC. It's client settings much be pointed
at an internal (dynamic) DNS (set.)

The only sense in which the external DNS can be consider
to exist is (perhaps) as a forwarder.

Otherwise, it is going to attempt registration ON ITSELF,
and look there for the dynamic records -- which we have
disabled and prevented from reaching this DNS.

Remember, by definition, the external DNS in a shadow
DNS setup has NO INTERNAL RECORDS and cannot
assist with internal name resolution in any way.
DNSB now holds
only internal IP addresses, and also a DC AND a GC.
Both DNSA and DNSB are primary, non-AD integrated DNS.
Only DNSB sets to be update dynamically.
On DNSA I have the following in the DNS server settings:
_msdcs
_sites
_tcp
_udp
However these are missed in DNSB. I have manually added IP
addresses of both DCs in the name server tab in the DNS
settings. (Because when I tried to resolve the address it
can't find the record)
And here is the problem.
After I made the modifications to both DNS servers the
first sign of problems is the Exchange server. Users
cannot logon to the Exchange server. In the event log
there were events saying that all GC in use are not
responding (Event ID 2103). For the DNS servers there were
events 5781, 5774, 5782 that said DCs are unreachable. At
that time I was putting our third DC offline for some
maintenance but had to put it back online. After some
moment (I'd say about half an hour) it seems that users
can logon back to the Exchange. But that didn't stop
there. As of now users still experiencing trouble logging
on to the file server thru AD. Some of the symptoms are as
follow:
- Some users cannot logon to the network, prompting either
the password is incorrect or there is no DC. (client using
Windows 95/98/2000/XP)
- user logoff and re-logon to the same machine found the
same problem (first time logon ok, but then when re-logon
there is problem.) A temporary remedy is strange. The
machine has to release the IP address it is using.
(ipconfig /release) Then renew the IP address and then re-
boot the computer. That way the user can logon. But it
will happen all over again when the user log off again.
Strange, huh??!!
Also operations on the AD seems to have problems, such as
add / delete users, move mailbox from one mail store to
another etc.
Can any body help??? Thanks in a billion....
Click to expand...

Yes, don't do that but if you must, you treat the external
DNS as if it doesn't exist (except perhaps as a Forwarder.)
 
Thanks for your quick response.
Yes I agree that using DC as external DNS is a security
risk, and frankly my boss sees the same thing. Thus I am
back to square one now.
I am now trying to setup a third DNS server to be hosting
the external records, and eventually this will be placed
in the DMZ. Currently I have THREE DNS servers:
DNSA - Primary Std DNS; DC hosting public IPs
DNSB - Primary Std DNS; DC (also GC) hosting internal IPs
DNSC - Secondary DNS; also a DC

I came to this config by setting DNSA as a Pri DNS and
make DNSB & DNSC secondary. Then I performed zone transfer
(transfer from Master) to have the zone replicated over.
Then I set DNSB to Pri Std again and stop zone transfer on
all three DNS. Now the plan is to put DNSC to be the
external DNS. Questions are I am not sure how. But here is
what I think I might do:
1. demote DNSC to be a member server
2. give DNSC a public IP
3. set name server to point to itself only
4. delete all hosts but those with public IPs
And here come the questions:
1. How can I put it in the DMZ? (it sounds stupid, but pls
forgive me coz I don't have whole lot of exp. with
networking)
2. With DNSA & DNSB setup as Pri Std, and both are DCs to
our network. What is the recommend setup so that now they
are belong in the internal network? Should one be Pri / AD-
integrated and the other as Secondary? Or both as AD-Int?
3. When I check DNS records from the web, such as that
from network-tools.com, DNSA is the name server. How can I
change it? OR is it a necessity to change it? Coz I'm
thinking that the NS is the server which should be
answering to public queries, thus if we setup an ext DNS
in DMZ then it should be updated to direct public queries
to this server, correct?

Sorry again for typing this long message.
 
See below....

Edmond said:
Thanks for your quick response.
Yes I agree that using DC as external DNS is a security
risk, and frankly my boss sees the same thing. Thus I am
back to square one now.
I am now trying to setup a third DNS server to be hosting
the external records, and eventually this will be placed
Click to expand...

Actually the BEST method is to let an isp OR BETTER YET,
a REGISTAR host the external DNS for you. (e.g., Register.com)
They have big, fault-tolerant servers with a crew of elves to keep
them running 24/7.

You probably get this service for your $30 a year you already
pay for registration.
in the DMZ. Currently I have THREE DNS servers:
DNSA - Primary Std DNS; DC hosting public IPs
DNSB - Primary Std DNS; DC (also GC) hosting internal IPs
DNSC - Secondary DNS; also a DC
Click to expand...

You are really supposed to have 2 on the Internet anyway --
it's part of the registration deal (you can fake it but...)
Again, let the registrar host public DNS.
I came to this config by setting DNSA as a Pri DNS and
make DNSB & DNSC secondary. Then I performed zone transfer
(transfer from Master) to have the zone replicated over.
Click to expand...

That's pretty normal if I understand. Setup External, make the
internal a secondary to it, slurp the records then make the internal
another Primary and they never replicate again.
Then I set DNSB to Pri Std again and stop zone transfer on
all three DNS. Now the plan is to put DNSC to be the
external DNS. Questions are I am not sure how. But here is
what I think I might do:
1. demote DNSC to be a member server
2. give DNSC a public IP
3. set name server to point to itself only
4. delete all hosts but those with public IPs
And here come the questions:
1. How can I put it in the DMZ? (it sounds stupid, but pls
forgive me coz I don't have whole lot of exp. with
networking)
Click to expand...

I don't understand the problem or the question.
2. With DNSA & DNSB setup as Pri Std, and both are DCs to
our network. What is the recommend setup so that now they
are belong in the internal network? Should one be Pri / AD-
integrated and the other as Secondary? Or both as AD-Int?
Click to expand...

If they are both DCs then (eventually) make them AD-integrated
DNS servers.
3. When I check DNS records from the web, such as that
from network-tools.com, DNSA is the name server. How can I
change it? OR is it a necessity to change it? Coz I'm
Click to expand...

Again, I don't understand "change it"?
You request records from a DNS server and:
1) It tells you what it 'knowns' (from zones or cache)
2) It recurses from the root down (like the Internet namespace)
or 3) It asks another DNS server (the forwarder) to do these

Whatever it finds, it returns as the answer.
thinking that the NS is the server which should be
answering to public queries, thus if we setup an ext DNS
in DMZ then it should be updated to direct public queries
to this server, correct?
Click to expand...

I am not sure I understand you but that sounds (sort of) right.
Sorry again for typing this long message.
Click to expand...

That's ok, if you get confused you can call me -- visit my web
site for the phone number http://www.LearnQuick.Com
 
I tried to send to "news" but got bounced back. But I also
cc a copy to "LearnMore". Have you got that? Anyways, I am
now posting again the lengthy message here, and thanks in
advance sincerely for all those who offer opinion.
Best Regards,
Edmond

Here is the post:
First of all I'd like to thank you for your kind help. I
am indeed still a bit green to managing network
environment. I hope you don't mind if I sound a bit silly
or naive at times.

The question I am facing is actually this:
My boss wants to setup an external DNS and wants to put it
in DMZ. This DNS will hosts only public IP addresses of
the servers we have, such as web server and mail
(exchange) server etc. For the internal DNS servers, which
is behind a firewall, they only host internal IPs records.
So the internal will answer queries for internal
addresses, and for external addresses it will be forwarded
to the external one to handle. And now I am suppose to
make this work.

We have now the scenario like in my last post, but let me
simplify and clarify a bit (I'll try my best to clarify,
but forgive me because my English is very limited):
We have three DNS servers:
DNSA - DC; Primary Std DNS; currently FSMO role owner
DNSB - DC & also a GC; Primary Std DNS; DHCP server
DNSC - DC; Secondary DNS
Like I said in the post I used zone transfer to replicate
the zone in DNSA to DNSB & DNSC. I want to demote DNSC to
be just a member server, so that it can be setup as the
external DNS. Thus in our network we only have two DCs,
DNSA & DNSB. Since DNSA & DNSB are both Primary Std DNS
(zone) should I just set both of them to be AD-integrated?
Because right after I first messed up with the DNS
settings I am facing with user logon problems, as well as
Exchange server problem (as in my previous posts).
The lastest is Exchange is okay now, but users still
experiencing logon problems. The symptom is like this:
User enter the password and cannot logon to the domain.
The error message says that either the password is not
correct or the account is missing. Tried using different
users to logon at the same computer still yielded the same
result. After some digging in both the newsgroup and
Microsoft's KB I found the following method which seems to
work at the moment (for Windows 2K or above client):
1. First logon to the computer as local administrator
2. at command prompt enter ipconfig /flushdns
3. enter ipconfig /registerdns
4. enter net stop netlogon
5. enter net start netlogon
6. enter ipconfig /release
7. reboot computer
This way the user can logon to the domain. However, there
is another method to this (and I don't know why yet). The
user can keep trying and / or wait for about 10 minutes.
Then s/he can logon to the domain without any problem. But
this problem strikes different users everyday (well some
of them are the same users) and we certainly can't operate
like this.
Right now I am puzzling of how to improve the situation.
Would you have any suggestion?
 
I tried to send to "news" but got bounced back. But I also
cc a copy to "LearnMore". Have you got that? Anyways, I am
now posting again the lengthy message here, and thanks in
advance sincerely for all those who offer opinion.
Click to expand...

Both should work.
@
LearnQuick.Com

(I certainly get enough spam at both of them. <grin>)

Try sending from the email form on the webpage -- it
goes to me too.

I do filter for "prn site words" and "viagra" so maybe I
caught yours on an accidental match.
 
Back
Top