DNS on W2k Advanced Server


Jim Muir

Our LAN failed yesterday.
I was able to connect just fine to the internet, but no
login or local network was available.

I was puzzled by this, because the consultants to the
network admin say it is a problem with the ISP.

In reviewing my understanding of LANs, I concluded that the
network configuration is wrong. Noticing that I have two
DNS numbers in my local workstation pointing to external
servers, it's no wonder.

In looking here (newsgroup) I see that the Domain
Controller should have its DNS settings pointing to itself
(our Server is 192.168.0.9) and the first DNS setting on
each workstation should be this DNS number. That way if
the ISP burps or terminates, the LAN is still operating,
unlike what happened yesterday.

The network consultant tells our netadmin that our Advanced
Server is not set up as a DNS server. Yet we are operating
in Active Directory. How is this possible?

And, where should I go from here? I do not want this
happening again. (network down, internet up)
 
Jim Muir said:
> Our LAN failed yesterday.
> I was able to connect just fine to the internet, but no
> login or local network was available.
>
> I was puzzled by this, because the consultants to the
> network admin say it is a problem with the ISP.

That is foolish on its face - unless the DCs are all beyond the
ISP (e.g., branch office to the ISP to the main office) then the
ISP can have NOTHING to do with your problem.

Fire the consultant -- or send him back to the work for which he
was actually hired and qualified.

(Really, that is just plain silliness from someone who is SELLING
his expertise -- perfectly fine for a beginning admin who is seeking
help of course.)
> In reviewing my understanding of LANs, I concluded that the
> network configuration is wrong. Noticing that I have two
> DNS numbers in my local workstation pointing to external
> servers, it's no wonder.

Correct. All internal clients must point ONLY to internal DNS
servers when you have such servers.
> In looking here (newsgroup) I see that the Domain
> Controller should have its DNS settings pointing to itself
> (our Server is 192.168.0.9) and the first DNS setting on
> each workstation should be this DNS number.

Not just first but all -- if you have more than one DNS server
then more than one can be listed but do NOT list the ISP DNS
on the clients.

Clients include the servers, DNS/DCs/etc, so the rule is simplified
once you realize that client NIC settings apply to all internal machines.
> That way if
> the ISP burps or terminates, the LAN is still operating,
> unlike what happened yesterday.

True but that is not the reason. The reason is that the ISP has
no knowledge of the internal DNS servers (most of the time) and
cannot help resolve those names (presumably through firewall
filters) anyway.
> The network consultant tells our netadmin that our Advanced
> Server is not set up as a DNS server. Yet we are operating
> in Active Directory. How is this possible?

Badly. <grin>

You must have an INTERNAL DNS server which contains a
zone corresponding to your AD domain name and which is
DYNAMIC.

It does not have to be "on the DC" but that is the most common
location for the DNS server(s).

The zone must be dynamic, and all clients must point their
NIC properties to ONLY the internal, dynamic DNS server
(set).

Remember that "servers" are DNS clients too.

If you change any of the above, you must restart the NetLogon
service on each DC which might be affected.
(Otherwise they must be rebooted.)
> And, where should I go from here? I do not want this
> happening again. (network down, internet up)

See above.

How much are you paying the consultant?
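A quick way to check the rule Herb states above (every internal machine lists ONLY internal DNS servers, in any order) is to audit each box's "ipconfig /all" output. This is an added example, not code from the thread; the sample output and the internal DNS set {192.168.0.9} are constructed assumptions.

```python
import re

# Constructed sample of "ipconfig /all" output from a workstation on a
# 192.168.0.x LAN (illustrative; not taken from the thread).
SAMPLE_IPCONFIG = """\
        Host Name . . . . . . . . . . . . : ws01
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.42
        DNS Servers . . . . . . . . . . . : 4.2.2.2
                                            192.168.0.9
"""

# Assumed set of internal dynamic DNS servers (the DC at 192.168.0.9).
INTERNAL_DNS = {"192.168.0.9"}


def parse_dns_servers(ipconfig_text):
    """Return {adapter: [DNS servers, in listed order]} from ipconfig /all text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*adapter .*):\s*$", line)
        if header:                      # "Ethernet adapter X:" starts a section
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        if current is None:             # lines before the first adapter section
            continue
        first = re.match(r"^\s+DNS Servers[ .]*:\s*(\S+)?", line)
        if first:                       # first DNS server sits on the label line
            in_dns = True
            if first.group(1):
                adapters[current].append(first.group(1))
            continue
        more = re.match(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if in_dns and more:             # further servers are bare indented IPs
            adapters[current].append(more.group(1))
        else:
            in_dns = False
    return adapters


def audit_dns_clients(ipconfig_text, internal_dns=INTERNAL_DNS):
    """Flag any adapter that lists a DNS server outside the internal set."""
    findings = {}
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        external = [s for s in servers if s not in internal_dns]
        findings[adapter] = {"servers": servers, "external": external,
                             "compliant": bool(servers) and not external}
    return findings
```

An adapter with an empty DNS list is reported as non-compliant too, since a domain member with no DNS server cannot find its DC at all.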
 
Thanks Herb. I knew I was right (although partially wrong
as to use of the external ISP in the DNS settings on the
workstations and servers).

I have instructed the Netadmin to reset the DNS settings on
the internal units to the main server and that is it.

It appears in the MMC DNS properties that forwarding is
properly in place except for one entry, 192.168.2.11, that
doesn't match our network addresses 192.168.0.xxx. Would
there be any danger of deleting it?
 
> Thanks Herb. I knew I was right (although partially wrong
> as to use of the external ISP in the DNS settings on the
> workstations and servers).
>
> I have instructed the Netadmin to reset the DNS settings on
> the internal units to the main server and that is it.
>
> It appears in the MMC DNS properties that forwarding is
> properly in place except for one entry, 192.168.2.11, that
> doesn't match our network addresses 192.168.0.xxx. Would
> there be any danger of deleting it?

If it "doesn't make sense" then 'no, no danger' but if anything
quits working have it written down so that you can consider
restoring it.

An internal address in "forwarding" is NOT ALWAYS wrong,
however:

Many times internal DNS server forward to one "firewall" or
top level server that plays the role of "root" (either formally
or just by having delegations that lead to all other zones) or
which consolidates requests across a WAN line.

The latter is frequently on the internal firewall which is charged
with all requests that actually go to the internet so that its
cache is consolidated (collective) and so that no internal
machine is ever allowed to make requests out in the big, scary
world. (DCs especially should be restricted to "internal
access/requests only.")

Example: All of my internal machines forward to the firewall-
gateway-router(s) to the Internet. This machine has a CACHING
ONLY DNS server that forwards or recurses the actual Internet.

(Weird thing: Such gateways in my design are "domain member
machines" and as such their OWN CLIENT NIC settings point
back to the INTERNAL DNS servers and NOT to themselves
or the ISP.)
 
> Thanks Herb. I knew I was right (although partially wrong
> as to use of the external ISP in the DNS settings on the
> workstations and servers).
>
> I have instructed the Netadmin to reset the DNS settings on
> the internal units to the main server and that is it.
>
> It appears in the MMC DNS properties that forwarding is
> properly in place except for one entry, 192.168.2.11, that
> doesn't match our network addresses 192.168.0.xxx. Would
> there be any danger of deleting it?

Curious, are you saying that in the DNS MMC it shows two DNS servers:
192.168.2.11 and another one in 192.168.0.x? Or are you saying your network
has two subnets?

In addition to what Herb mentioned, I find it easier to forward to your ISP's
DNS. You can use 4.2.2.2 as your forwarder (it's reliable).


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Jim Muir said:
> In looking here (newsgroup) I see that the Domain
> Controller should have its DNS settings pointing to itself
> (our Server is 192.168.0.9) and the first DNS setting on
> each workstation should be this DNS number. That way if
> the ISP burps or terminates, the LAN is still operating,
> unlike what happened yesterday.

DC should point to itself and _all_ workstations should point to the DC,
_ONLY_. This has nothing to do with internet connectivity, Active Directory
will not function properly and logons will take close to forever if you
don't use your local DNS, where the Domain Controller stores the records
domain members are looking for not only at logon, but anytime you do
anything.
 