DNS questions

Thread starter: Dave McDuell

Dave McDuell

This may be the same as or similar to another post; sorry.

I have a DNS server on my network which has entries
for "local" servers. I have 2 DNS entries in my client
network setup, one for the local DNS server and one for my
ISP's. If I put the ISP DNS entry as my primary one, I
can't ping local servers by their full DNS names. If I
move my local DNS server up to the top, I can ping OK.
Why is this? I thought if the primary one cannot resolve
the name, the client would try the second one?

If the answer is to delete the "." entry in my forward
lookup zones and put forwarder info there, I don't see
a "." entry. Or is the "." entry a generic term for
something else?

Thanks
 
Dave McDuell said:
> This may be the same as or similar to another post; sorry.
>
> I have a DNS server on my network which has entries
> for "local" servers. I have 2 DNS entries in my client
> network setup, one for the local DNS server and one for my
> ISP's.

All internal clients should be configured as above.

> If I put the ISP DNS entry as my primary one, I
> can't ping local servers by their full DNS names.

And this will occur unless the INTERNAL servers are
configured to use the ISP DNS (or equivalent external
DNS servers) as FORWARDERS.

> If I move my local DNS server up to the top, I can ping OK.

Don't do that -- even though it "seems" to work it is
unreliable and the source of many "intermittent errors",
often giving admins the mistaken impression that name
resolution or Active Directory are unreliable since they
don't understand the real problem.

> Why is this? I thought if the primary one cannot resolve
> the name, the client would try the second one?

No. Clients assume that EVERY DNS server will return
the same -- and the correct -- answer, even if that is "Name
not found" (aka a negative response).

> If the answer is to delete the "." entry in my forward
> lookup zones and put forwarder info there, I don't see
> a "." entry. Or is the "." entry a generic term for
> something else?

If you don't have a "." root zone on your DNS servers then
you can skip that step and just configure the FORWARDER
property sheet.

Those who have the "." zone (yes, literally that name) have
their forwarders configuration GREYED out and DISABLED.

If yours is enabled then you can just configure it.

While we are on the subject, make sure that ALL of your
clients are configured to point ONLY to the internal DNS
server (set).

Clients include DCs, the DNS servers themselves, and any other
"internal server."

(Even my ISA box, which is part of my firewall, is a "member"
machine of the internal domain and must override the automatic
setting it gets from the ISP when it does DHCP client etc...)
 
Dave,

External DNS servers cannot resolve names to internal IPs. This is why your primary internal DNS server should point to itself. Please leave your "." entries as is.
 
J Parks said:
> Dave,
>
> External DNS servers cannot resolve names to internal IPs. This is why
> your primary internal DNS server should point to itself. Please leave your
> "." entries as is.

Almost everyone should delete the "." root entry -- unless
they specifically need it -- and then they likely created and
understand it.

People with one or only a few domains should dump it
99.9% of the time.
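The server-side half of the advice, from Herb's earlier reply (a "." root zone greys out the forwarders page; otherwise just configure forwarders to the ISP) and the reply above (almost everyone should delete that "." zone), as an added PowerShell example. It is not code from the thread; it uses the DnsServer cmdlets available on Windows Server 2012 and later, and the ISP resolver addresses and test names are assumptions.

```powershell
# Added example (not from the thread): on the internal Windows DNS server,
# remove a "." root zone if one exists, configure the ISP's resolvers as
# forwarders, and verify resolution through the server itself.
# Needs the DnsServer module (Server 2012 or later) and an elevated prompt.
param(
    [string[]] $IspDns       = @('203.0.113.53', '203.0.113.54'),  # ASSUMED ISP resolvers
    [string]   $ExternalName = 'www.example.com',                  # ASSUMED external name to test
    [string]   $InternalName = 'fileserver.corp.example'           # ASSUMED internal name to test
)

$ErrorActionPreference = 'Stop'

# 1. A zone literally named "." makes this server believe it IS the root of
#    the DNS: it will never forward or recurse for names it does not host,
#    and the Forwarders page is greyed out. Remove it unless you deliberately
#    run a private root (in which case you created it and know why).
$root = Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue
if ($root) {
    Write-Host 'Root zone "." found; removing it so forwarders can be used.'
    Remove-DnsServerZone -Name '.' -Force
} else {
    Write-Host 'No "." root zone present; nothing to delete.'
}

# 2. Send every query this server is not authoritative for to the ISP.
#    -UseRootHint $false stops the server falling back to the Internet root
#    servers when all forwarders time out, which is what you want when the
#    firewall only permits DNS to the ISP resolvers anyway.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 3. Verify via the server itself (which, as J Parks notes, should be its
#    own DNS client): the internal name comes from the AD zone, the external
#    name arrives through the forwarders.
foreach ($n in $InternalName, $ExternalName) {
    $a = Resolve-DnsName -Name $n -Type A -Server 127.0.0.1 -DnsOnly |
         Where-Object Type -eq 'A'
    '{0,-30} -> {1}' -f $n, ($a.IPAddress -join ', ')
}
```

If step 3 resolves the internal name but not the external one, the forwarders are unreachable (firewall, wrong ISP addresses) rather than misconfigured; if neither resolves, check that the zone removal in step 1 actually happened and that the DNS Server service has been restarted.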
 
Thanks for all the info. I'm a little confused by what
seem to be two conflicting statements, though. In the first
part of my original post, I say I have 2 DNS entries in
each client -- one set to my local DNS server and one set
to my ISP's DNS server. Your response is that clients
should be "configured as above".

Later you state that clients should only point to the internal
DNS server set. If this is true then the clients use the
forwarders configured on the internal DNS server set to
resolve names not found directly on the internal DNS
server set?
It seems DNS can take 10 words to explain and a lifetime
to master.

Thanks
 
Dave McDuell said:
> Thanks for all the info. I'm a little confused by what
> seem to be two conflicting statements, though. In the first
> part of my original post, I say I have 2 DNS entries in
> each client -- one set to my local DNS server and one set
> to my ISP's DNS server. Your response is that clients
> should be "configured as above".

Let me clarify: do not use your ISP's DNS in any position on an Active
Directory domain member, period.

> Later you state that clients should only point to the internal
> DNS server set. If this is true then the clients use the
> forwarders configured on the internal DNS server set to
> resolve names not found directly on the internal DNS
> server set?
> It seems DNS can take 10 words to explain and a lifetime
> to master.

Point all AD domain members and domain controllers only to the internal DNS
server that hosts the AD domain zone; if you have only one, use only one.
Non-members do not have to use the internal DNS, but DNS stores the location
info on your local network, as far as client IP addresses go, and you can
connect to the servers by their DNS name (\\server.domain.com).
 
Dave McDuell said:
> Thanks for all the info. I'm a little confused by what
> seem to be two conflicting statements, though. In the first
> part of my original post, I say I have 2 DNS entries in
> each client -- one set to my local DNS server and one set
> to my ISP's DNS server. Your response is that clients
> should be "configured as above".

As above in "my explanation": the local DNS ONLY,
leave out the ISP.

Sorry for the confusion.

> Later you state that clients should only point to the internal
> DNS server set. If this is true then the clients use the
> forwarders configured on the internal DNS server set to
> resolve names not found directly on the internal DNS
> server set?

Maybe I moved the paragraphs around trying to make it
more clear and screwed it up.

> It seems DNS can take 10 words to explain and a lifetime
> to master.

Actually, when you "get it" you get it. The weird thing
about DNS is actually the opposite -- with the GUI it is
so easy to get simple setups correct that many people who
don't really understand it think that they do.

I know this was true for me -- the first time I ever played
with DNS I used the MS GUI and 20 minutes later had
a production setup working.

Boy did I have a lot to learn, but none of it was really that
hard.
 
Dave McDuell said:
> Thanks for all the info. I'm a little confused by what
> seem to be two conflicting statements, though. In the first
> part of my original post, I say I have 2 DNS entries in
> each client -- one set to my local DNS server and one set
> to my ISP's DNS server. Your response is that clients
> should be "configured as above".
>
> Later you state that clients should only point to the internal
> DNS server set. If this is true then the clients use the
> forwarders configured on the internal DNS server set to
> resolve names not found directly on the internal DNS
> server set?
> It seems DNS can take 10 words to explain and a lifetime
> to master.
>
> Thanks

Just to verify and confirm what Kevin and Herb are saying, do NOT use your
ISP's DNS for anything on your internal clients and/or DCs, other than just
as a forwarder.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question
Then Kevin replied below:
> Just to verify and confirm what Kevin and Herb are saying, do NOT use
> your ISP's DNS for anything on your internal clients and/or DCs,
> other than just as a forwarder.

Do you think he is getting the picture now? :-D
 