DNS help please

Al Taylor

I am setting up a small win2k network at a little community school and have some DNS questions.

Please correct me if I am wrong

1.) I want to use group policies to enforce certain security settings for the students, therefore Active Directory must be used?

2.) Because AD must be used, a DNS server must be used.

3.) Group policy depends on AD which depends on DNS.

4.) Because DNS must be used, the school must register a valid domain (i.e. schoolname.edu or schoolname.com).


Please help.

Al Taylor
 
Herb Martin

> Please correct me if I am wrong
> 1.) I want to use group policies to enforce certain security settings for the students, therefore Active Directory must be used?

GPO's "can" be used -- not must. They are an excellent choice and probably the best one if all your machines are AT LEAST Win2000.

> 2.) Because AD must be used, a DNS server must be used.

Yes.

> 3.) Group policy depends on AD which depends on DNS.

Yes, yes.

> 4.) Because DNS must be used, the school must register a valid domain (i.e. schoolname.edu or schoolname.com).

NO.
DNS can be run on a "private name", e.g., Domain.local as long as it doesn't need to be accessible (using that name) from the Internet.
 
Al Taylor

Thank you Sir. In regard to number 4:

> 4.) Because DNS must be used, the school must register a valid domain (i.e. schoolname.edu or schoolname.com).
>
> NO.
> DNS can be run on a "private name", e.g., Domain.local as long as it doesn't need to be accessible (using that name) from the Internet.

Does your answer mean that users on the network will NOT be able to access the internet through the school's router? Common sense tells me that this is not the case. The way I understand your answer, outside people will not be able to see 'into' the school's network, for example to get to an 'internal' web site but the students WILL be able to 'see' out and browse the web.

Is my thinking correct here?

Al Taylor
 
Herb Martin

> 4.) Because DNS must be used, the school must register a valid domain
> Does your answer mean that users on the network will NOT be able to access the internet through the school's router?

No, this has nothing to do with the machines in your net accessing the Internet -- or actually "access" (being explicit) of ANY type. It has to do with machines from OUTSIDE trying to RESOLVE (not access) your resources.

If you don't need external machines to access or resolve internal names (which is probably the case) then a public DNS registration is unnecessary (and maybe even counterproductive.)

> Common sense tells me that this is not the case.

Your estimation is correct.

> The way I understand your answer, outside people will not be able to see 'into' the school's network,

It's really about NAME resolution -- I am being picky because straightening out these misdefinitions and misconceptions lets most smart people (like you) work it out for themselves.

Access is about routing the IP -- public addresses or some form of translation between Public<->Private IP.

DNS is ONLY about the "name resolution" portion that makes access more CONVENIENT. (i.e., use names instead of numbers.)

> for example to get to an 'internal' web site but the students WILL be able to 'see' out and browse the web.

Right, but don't get me started on "see" which usually refers to Browsing and is a whole 'nuther thing.

> Is my thinking correct here?

Yes, you are getting it. Clean up the terminology a bit and your common sense will serve you. Most of the problem is that people (probably whoever you learned from) are sloppy about the terminology (access vs. see vs. resolve names etc.) and then they try to reason from faulty information.
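The resolve-versus-access distinction above is easy to see in a small model. The following is an added example, not code from the thread or from either poster: two toy resolvers, one inside the school that is authoritative for a private AD name and forwards everything else, and one on the public Internet that has never heard of that name. The names `school.local`, `example.com`, the zone contents and the addresses are all constructed for the example.

```python
# Added example, not from the thread: a toy model of two resolvers that shows
# why an AD domain on a private name (the thread's "Domain.local") needs no
# public registration. Names, addresses and zone contents are constructed.

NXDOMAIN = None  # stand-in for a "no such name" answer


class Resolver:
    """Holds the zones this server is authoritative for, plus an optional
    forwarder that receives every query for names outside those zones."""

    def __init__(self, zones, forwarder=None):
        # zones: {zone_name: {fqdn: ipv4}} -- constructed sample records
        self.zones = {
            z.lower(): {n.lower(): ip for n, ip in records.items()}
            for z, records in zones.items()
        }
        self.forwarder = forwarder

    def authoritative_zone(self, name):
        """Nearest enclosing zone, e.g. 'dc1.school.local' -> 'school.local'."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name):
        """Answer NAME from our own zones if it falls under one of them;
        otherwise forward (if we can). RESOLVE is all this models: it says
        nothing about whether packets can be routed to the address."""
        name = name.lower().rstrip(".")
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative: we answer yes or NXDOMAIN and never ask outside.
            return self.zones[zone].get(name, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return NXDOMAIN


# Constructed: the public namespace as a resolver on the Internet sees it.
PUBLIC_DNS = Resolver({"example.com": {"www.example.com": "203.0.113.10"}})

# Constructed: the school's DC running DNS, authoritative for the private AD
# name school.local and forwarding everything else to the public resolver.
SCHOOL_DNS = Resolver(
    {"school.local": {
        "dc1.school.local": "192.168.1.2",
        "intranet.school.local": "192.168.1.20",
    }},
    forwarder=PUBLIC_DNS,
)


def inside_view(name):
    """What a student workstation pointed at SCHOOL_DNS gets back."""
    return SCHOOL_DNS.resolve(name)


def outside_view(name):
    """What a machine on the Internet using PUBLIC_DNS gets back."""
    return PUBLIC_DNS.resolve(name)


if __name__ == "__main__":
    for n in ("intranet.school.local", "www.example.com", "nothere.school.local"):
        print(f"{n:24} inside={inside_view(n)}  outside={outside_view(n)}")
```

Inside the school, both the private name and public names resolve (the latter through the forwarder); outside, the public name resolves and the private one is simply unknown. Whether anyone can then reach 192.168.1.20 is a routing and NAT question that this model deliberately leaves out. Two practical notes that postdate the thread: AD clients find their domain controllers through SRV records in the domain's own DNS zone, which is the concrete reason AD requires DNS; and the `.local` suffix has since been reserved for multicast DNS (RFC 6762), so current guidance is to use a subdomain of a name the organization owns (for example `ad.schoolname.edu`), which still does not have to be resolvable from the Internet.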
 
Al Taylor

Thank you Herb. I really enjoyed our phone conversation this afternoon, and look forward to attending LearnQuick.

Let me see if I understand zones vs. domains. Here is an analogy... The domain would be like a city while zones would be like the suburbs that are part of the city. For example I live in a suburb of Cleveland (Domain) called East Cleveland (Zone).

Am I on the right track?

Al Taylor
 
Herb Martin

Al Taylor said:
> Thank you Herb. I really enjoyed our phone conversation this afternoon, and look forward to attending LearnQuick.

You are welcome.

> Let me see if I understand zones vs. domains. Here is an analogy... The domain would be like a city while zones would be like the suburbs that are part of the city. For example I live in a suburb of Cleveland (Domain) called East Cleveland (Zone).

Nope. For most companies, the Zone is contiguous with its zone.

We can twist your analogy a bit and say that some Counties only have one "town" or "city" that takes up the WHOLE county while a few have more than one town in the county but the analogy is then backwards to what is typical in real life -- and it doesn't imply the real hierarchy that is present in DNS.

A military analogy might be better but then it would presume you understand how Divisions and Brigades actually work (which even military people frequently do not. <grin>)

Your Zone is typically YourDomain.Com AND includes everything beneath that name, e.g., sub.Yourdomain.com.

BUT your zone can delegate that child zone, like sub.YourDomain.com so that some other "server" or some other "admin" is responsible for those records.

If you delegate the names then that becomes a new zone, i.e., a child zone. If you do not delegate, then those records are still hierarchical NAMES but live in the single zone.

Note:
Com is a zone
Edu is a zone
UTexas.Edu (happens to be) a zone
LearnQuick.Com is also a zone

Even "." (dot or root), the root of the namespace is A ZONE

Let me know if I can help you further.....

--
Herb Martin

> Am I on the right track?
>
> Al Taylor
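The zone-versus-domain point above (names form one hierarchy; zones are the cuts in it, and delegating a subdomain creates a new child zone) can be made concrete. This is an added example, not code from the thread or from either poster: the zone set is constructed to mirror the names Herb lists (Com, Edu, UTexas.Edu, LearnQuick.Com and the root "."), the host names are made up, and the lookup rule it implements, nearest zone cut by longest matching suffix, is the general one rather than anything specific to this thread.

```python
# Added example, not from the thread: which zone a DNS name lives in, and how
# delegating a subdomain cuts a new child zone out of its parent. The zone set
# is constructed to mirror the thread's note (Com, Edu, UTexas.Edu,
# LearnQuick.Com and the root "." are each zones); the lookup rule itself
# (nearest zone cut = longest matching suffix) is the general one.


def labels_of(name):
    """'Host.Sub.YourDomain.Com.' -> ['host', 'sub', 'yourdomain', 'com'];
    the root '.' (or '') -> []. Comparison is case-insensitive."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def zone_for(name, zones):
    """Return the zone from ZONES that holds NAME: the zone whose name is the
    longest suffix of NAME. The root zone '.' catches everything else."""
    by_key = {(".".join(labels_of(z)) or "."): z for z in zones}
    labels = labels_of(name)
    for i in range(len(labels) + 1):          # walk up toward the root
        suffix = ".".join(labels[i:]) or "."
        if suffix in by_key:
            return by_key[suffix]
    raise ValueError("zone set must contain the root zone '.'")


def delegate(zones, child):
    """Delegating CHILD creates a new zone: the records under it move out of
    the parent zone, while the parent keeps everything not under CHILD."""
    return set(zones) | {child}


# Constructed zone set. YourDomain.Com is one zone that (so far) also holds
# every name beneath it, including sub.YourDomain.Com.
ZONES = {".", "Com", "Edu", "UTexas.Edu", "LearnQuick.Com", "YourDomain.Com"}


def where_it_lives(name, zones=ZONES):
    return zone_for(name, zones)


def delegation_demo():
    """Same hostname before and after sub.YourDomain.Com is delegated."""
    before = zone_for("host.sub.yourdomain.com", ZONES)
    after_zones = delegate(ZONES, "Sub.YourDomain.Com")
    after = zone_for("host.sub.yourdomain.com", after_zones)
    sibling = zone_for("www.yourdomain.com", after_zones)  # unaffected
    return before, after, sibling


if __name__ == "__main__":
    for n in ("www.utexas.edu", "mail.someschool.edu", "example.org", "."):
        print(f"{n:22} -> zone {where_it_lives(n)!r}")
    print("delegation (before, after, sibling):", delegation_demo())
```

Running it shows `www.utexas.edu` landing in `UTexas.Edu`, a made-up `mail.someschool.edu` landing in the `Edu` zone because nobody has cut a zone below it, and `example.org` falling all the way to the root zone because `org` is not in the constructed set. The delegation demo is the thread's point in one tuple: `host.sub.yourdomain.com` is a record in `YourDomain.Com` until `Sub.YourDomain.Com` is delegated, after which the very same name lives in the child zone while `www.yourdomain.com` stays where it was. For an AD domain this matters operationally because whoever administers the zone that holds the domain's name controls the SRV records that clients use to find domain controllers.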
 
Al Taylor

Thank you Herb. I hope you had a blessed thanksgiving and hope you did not eat too much like I did <grin>. When I awoke from my turkey induced coma I decided to do some DNS exploration... I successfully installed and configured DNS on my home win2k server. My home network looks like this: 1 win2k server, 1 win2k pro client and 1 win-xp client. I thought all was well until I tried to logon to my domain from one of my client machines. When I try to log on I get this message <The system cannot log you on now because the domain COF is not available>. So I checked all of my physical connections and found that all was correct. I then looked at the system log section of the event log on the server and found this:

Event ID 5513.
The computer xxxxxx tried to connect to the server \\xxxxxxx using the trust relationship established by the xxx domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

Is it possible for the domain not to trust itself??? I looked at Active Directory Domains and Trusts and told the domain to trust itself, but still got the same message. What gives?????

I will begin to discuss the possibility of attending your training in early 2004 with The Boss<my wife> this weekend. I must approach the subject VERY CAREFULLY or I could be singing soprano<ouch> soon.

Al Taylor
Ace Fekay [MVP]

Al Taylor said:
> Thank you Herb. I hope you had a blessed thanksgiving and hope you did not eat too much like I did <grin>. When I awoke from my turkey induced coma I decided to do some DNS exploration... I successfully installed and configured DNS on my home win2k server. My home network looks like this: 1 win2k server, 1 win2k pro client and 1 win-xp client. I thought all was well until I tried to logon to my domain from one of my client machines. When I try to log on I get this message <The system cannot log you on now because the domain COF is not available>. So I checked all of my physical connections and found that all was correct. I then looked at the system log section of the event log on the server and found this:
>
> Event ID 5513.
> The computer xxxxxx tried to connect to the server \\xxxxxxx using the trust relationship established by the xxx domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

Try resetting the computer account in ADUC. It seems like you reinstalled the machine or something?
Check this out:
http://www.eventid.net/display.asp?eventid=5513&source=

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

> Try resetting the computer account in ADUC. It seems like you reinstalled

I spoke with him on the phone and we worked it out earlier today.

We tried that (reset) and this is the first time I have had to "remove the station and rejoin the domain" since Winnt -- reset has been working like a charm except on HIS particular workstation.

After the "rejoin/reboot" it worked fine.
 
