DNS server for a private network

Thread starter: Worf son of Maugg

Worf son of Maugg
How do I set up an AD file server without a public domain? AD seems to
need DNS, but DNS is always trying to contact "root" name servers for
no apparent reason. The downside is that it is taking 10 min to boot
because it has to time out 13 or so root servers before it comes up. I
filled out and imported an LMHOSTS file with names and IPs of my
network, but it still takes forever to boot. The installer seems to be
able to set it up properly as long as there is no network attached
during the install. I found this out too late, so I need to fix it
manually.
 
You need to point the AD DNS server to itself for DNS, point all AD clients
to your AD DNS server ONLY, and for Internet access configure forwarders and
list your ISP's DNS servers as the forwarders.

See:
How to: Configure DNS for Internet Access In Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

Setting Up the Domain Name System for Active Directory

http://support.microsoft.com/default.aspx?scid=kb;en-us;237675



Get rid of the hosts/lmhosts files you modified.



hth

DDS W 2k MVP MCSE
 
Yeah but

What do I use?
* Active Directory-integrated: An Active Directory-integrated zone
stores the DNS zone information in Active Directory instead of in a
.dns file.
* Standard primary: A standard primary zone stores the DNS zone
information in a .dns text file instead of in Active Directory.
* Standard secondary: A standard secondary zone copies all of the
information from its master DNS server. A master DNS server can be an
Active Directory, primary, or secondary zone that is configured for
zone transfers. Note that you cannot modify the zone data on a
secondary DNS server. All of its data is copied from its master DNS
server.

And what does this mean?

A Windows 2000-based DNS server follows specific steps in its
name-resolution process. A DNS server first queries its cache, then it
checks its zone records, then it sends requests to forwarders, and
finally it tries resolution by using root servers.

By default, a Microsoft DNS server connects to the Internet to further
process DNS requests with root hints. When you use the Dcpromo tool to
promote a server to a domain controller, the domain controller
requires DNS. If you install DNS during the promotion process, you get
a root zone. This root zone indicates to your DNS server that it is a
root Internet server. Therefore, your DNS server does not use
forwarders or root hints in the name-resolution process.

Do I delete the "." zone? (whatever that is)
Do I need forwarders?
Do I need hints?

I got a small file server with static addressing; do I really need DNS
with static addressing? I imported an LMHOSTS file; is that not enough?
 
Worf son of Maugg said:
Do I delete the "." zone? (whatever that is)
Yes

Do I need forwarders?
Yes, recommended

Do I need hints?
Yes

I got a small file server with static addressing; do I really need DNS
with static addressing? I imported an LMHOSTS file; is that not enough?

Don't use LMHOSTS; use DNS, it is easier and requires fewer system resources.

It sounds to me like you didn't understand the articles Danny posted.
If you will
1. post your unedited ipconfig /all
2. post domain name from Active Directory users and Computers

I will tell you what you need and what you should have in DNS.
 

Just delete the Root zone. That article Danny posted (300202) shows how to.
If you don't, the forwarding option will be grayed out.
Also, provide the info Kevin suggested so we can get a better look at your config.

As for AD Integrated or Primary zone, it depends. If you have more than one
DC, you're hosting DNS on both, and they're in the same AD domain (W2k), then I
would suggest AD Integrated so the zone copy is auto-replicated between the
DCs through the AD replication process (since that's where it resides).


Regards,
Kern Son of Maugg

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Windows IP Configuration

Host Name . . . . . . . . . . . . : brixius
Primary Dns Suffix . . . . . . . : NewBrixius <-domain name
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : NewBrixius

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
Connection
Physical Address. . . . . . . . . : 00-0C-F1-71-76-6A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 127.0.0.1      <- localhost
                                    192.168.1.20   <- server IP
                                    24.160.227.25  <- ISP name server
                                    24.94.163.32   <- ISP name server

As far as deleting the ".", it looks kind of important; see the .jpg. I
had to take a screenshot because the export in MMC doesn't work well. Is
this info in a ".conf" file somewhere?

DNS seems to work, as I can resolve any name on my network from
anywhere on my network with "nbtstat -a netbiosname".
My problem is that it takes forever to boot the server, and I'm having
major problems with unstable network browsing through Network
Neighborhood with Win98 clients. The SAMBA and Win2k/XP clients work
just fine. I'm beginning to think that it's M$'s way of encouraging me
to upgrade my clients to XP.
 
You're in advanced view. That dot is normal in there. Disregard it.

--
Regards,
Kern

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
DNS Servers . . . . . . . . . . . : 127.0.0.1      <- localhost
                                    192.168.1.20   <- server IP
                                    24.160.227.25  <- ISP name server
                                    24.94.163.32   <- ISP name server


Get rid of the 127.0.0.1 and use the server's actual IP address. Get rid of
your ISP's DNS servers; they should be listed as forwarders after deleting
the dot forward lookup zone.

hth
DDS W 2k MVP MCSE
 
Well, there seems to be a bit of a contradiction: one says the "." is
normal and the other says delete it. Just what dot do you guys mean?
Is it in "DNS Manager"? Is there a ".conf" file I can edit to set this
up? The wizard doesn't allow me to just "rem out" this dot thing you
speak of so I can put it back if needed. How about the forwarder; is there
a ".conf" to edit them too? I don't want to try ANYTHING that I can't
undo. What about all the stuff under the "." thing? What happens if I
delete it?
I would like to know why I can't just shut down the DNS server, as the
whole network is mapped. There is no need for names to be resolved; a
simple lookup table should be enough.
 
On the contrary, there is no contradiction, just a misunderstanding of
the terminology and what you're looking at in the DNS console.

To lessen your confusion, please get out of Advanced view and just look at
it in normal view.

If you are looking at Advanced View, it is showing you what has been
resolved and cached from the Root down, and what's under the root is, of
course, your "com's", "edu's", etc... What we're concerned with is the Root
zone under your Forward Lookup Zones. If you notice, you do not have a Root
zone under your Forward Lookup Zones, just in the cache. The cached Root is
normal. The one under Forward Lookup Zones needs to be removed.

The other thing we're concerned with is the 127.0.0.1 and your ISP's
DNS in your properties. You MUST only point to your internal DNS, that's it,
and configure a forwarder.

This article shows how to configure a forwarder:
http://support.microsoft.com/?id=300202


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
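The fixes Danny, Kevin and Ace describe above (remove the "." forward lookup zone, list the ISP resolvers as forwarders only, point the DC's own NIC at itself, then verify) as an added example in PowerShell driving the Windows 2000/2003-era command-line tools. This is not code from the thread or from Microsoft. The host name, adapter name, addresses and the single-label domain name are the ones in Worf's ipconfig /all output and are assumptions for any other network; dnscmd.exe is assumed to be installed from the Support Tools and the script to run as a domain admin on the DC.

```powershell
# Added example, not from the thread: apply the fixes the replies describe on a
# Windows 2000/2003 DC. Assumes dnscmd.exe (Support Tools), netsh.exe and
# nslookup.exe are on the path and the script runs as a domain admin on the DC.
# Names and addresses are the ones from Worf's ipconfig /all (assumptions).
$Server     = 'brixius'
$ServerIP   = '192.168.1.20'
$Adapter    = 'Local Area Connection'
$Forwarders = @('24.160.227.25', '24.94.163.32')   # ISP resolvers: forwarders only
$AdDomain   = 'NewBrixius'                         # the single-label name as posted

# 1. A "." zone under Forward Lookup Zones makes the server believe it is an
#    Internet root: forwarders are greyed out and root hints are never used.
#    The cache also shows up as "." in /EnumZones, so match only a Primary zone.
$rootZone = & dnscmd $Server /EnumZones | Where-Object { $_ -match '^\s*\.\s+Primary' }
if ($rootZone) {
    # An AD-integrated "." zone needs "/DsDel" before "/f" to leave AD as well.
    & dnscmd $Server /ZoneDelete . /f
}

# 2. The ISP resolvers belong here and nowhere else. /ResetForwarders replaces
#    the whole list, so stale entries do not linger.
& dnscmd $Server /ResetForwarders $Forwarders

# 3. The DC's NIC must list only its own address: no 127.0.0.1 and no ISP
#    server. "set dns <adapter> static <ip>" replaces the entire server list.
& netsh interface ip set dns $Adapter static $ServerIP

# 4. Re-register the DC's A and SRV records against the corrected settings.
& ipconfig /flushdns    | Out-Null
& ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon

# 5. Verify through the DC itself: the AD locator SRV record must come back
#    from the local zone, and an external name must resolve via the forwarders.
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AdDomain." $ServerIP
& nslookup www.microsoft.com. $ServerIP
```

Step 3 is the one that clears the ISP entries from the ipconfig output shown earlier, because the static form of "set dns" replaces the whole list rather than appending. If the final nslookup for the external name times out while the SRV lookup succeeds, the "." zone is still present or the forwarders were not accepted; re-run "dnscmd brixius /EnumZones" and "dnscmd brixius /Info" and check both.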
 
OK, the dot goes away when in normal view, so it looks like I don't have
a ".". When I check properties for "Brixius" it shows

Interfaces: All IP addresses is checked

Forwarders: Says "All other DNS domains" in the top box and the list
shows the name servers for my ISP

Advanced: BIND secondaries is checked
Enable round robin is checked
Enable netmask ordering is checked
Secure cache against pollution is checked
Name checking set to multibyte (UTF8)
Load zone data on startup set to from Active Directory and registry
Root hints has one entry: j.root-servers.net 192.58.128.30
The tests under Monitoring both pass

So it looks like I have the forwarders and don't have a ".". All I
need to do now is to take out the 127.0.0.1 and the other name
servers from the server TCP/IP settings and let the DNS take over the
job. Sound about right?
 
You got it Worf!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht replied:

Sorry it took so long to get back, Worf; Spring Break, all my kids are here.
I am surprised Ace and Danny didn't pick up on this one.
Your domain name is a single-label domain name.

Since it is trying to contact the Root Servers, my bet is that you don't
have SP4 on this box yet.
SP4 stopped that behavior but started another: you will start getting 5781
events, and the SP4 boxes will no longer register in DNS with a single-label
name.

The best advice I can give on this is to build a new domain with a good DNS
name with a "." in the name (domain.com vs. domain), then migrate the users to
the new domain.

You can stop it going to the root by installing SP4, but then you have to
make registry entries to allow the single-label name.

BTW, this is in addition to Ace's and Danny's advice to remove the external
DNS entries from all members.
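An added example, not from the thread, that turns Kevin's two points here (the single-label domain name, and the external DNS entries that must come off every member) plus Danny's earlier objections to 127.0.0.1 and LMHOSTS into an audit you can run against the DC and its Windows 2000 or later members over WMI and the admin$ share. Win9x boxes have neither WMI nor domain membership and are not covered. The computer name and the internal DNS address are Worf's and are assumptions for any other network; admin rights on each target are assumed.

```powershell
# Added example, not from the thread: audit the DNS client settings the replies
# keep coming back to, on the DC and its Windows 2000+ members. Uses WMI for the
# NIC and domain settings and the admin$ share to look for a real LMHOSTS file.
# Computer name and internal DNS address are Worf's (assumptions).
function Test-DnsClientConfig {
    param(
        [string[]]$ComputerName,
        [string[]]$InternalDns     # the only addresses a member may list
    )
    foreach ($c in $ComputerName) {
        $findings = @()
        $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $c
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                              -ComputerName $c -Filter 'IPEnabled = TRUE'

        # AD wants a dotted DNS name; "NewBrixius" has no dot.
        if ($cs.Domain -notmatch '\.') {
            $findings += "single-label domain '$($cs.Domain)'"
        }
        foreach ($n in $nics) {
            # 127.0.0.1 and ISP resolvers on the NIC: the thread's main mistake.
            foreach ($s in @($n.DNSServerSearchOrder)) {
                if ($s -and ($InternalDns -notcontains $s)) {
                    $findings += "$($n.Description): DNS server $s is not internal"
                }
            }
            if (-not $n.FullDNSRegistrationEnabled) {
                $findings += "$($n.Description): dynamic DNS registration is off"
            }
        }
        # An LMHOSTS file with real entries means someone is working around DNS.
        $lm = '\\' + $c + '\admin$\system32\drivers\etc\lmhosts'
        if (Test-Path $lm) {
            $entries = @(Get-Content $lm | Where-Object { $_ -match '^\s*\d' })
            if ($entries.Count -gt 0) {
                $findings += "lmhosts carries $($entries.Count) static entries"
            }
        }
        New-Object PSObject -Property @{
            Computer = $c
            Domain   = $cs.Domain
            Findings = $findings
        }
    }
}

# Usage: the DC itself; add the Win2k/XP member names to the list as needed.
Test-DnsClientConfig -ComputerName 'brixius' -InternalDns '192.168.1.20' |
    ForEach-Object {
        $state = if ($_.Findings.Count -gt 0) { $_.Findings -join '; ' } else { 'OK' }
        '{0} ({1}): {2}' -f $_.Computer, $_.Domain, $state
    }
```

Run against the configuration Worf posted, the DC line would report the 127.0.0.1 entry, both ISP resolvers and the single-label domain; after the NIC fix only the single-label finding remains, which is exactly the part a DNS server setting cannot cure.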
 
Kevin D. Goodknecht said:
Your domain name is a single label domain name.
Host Name . . . . . . . . . . . . : brixius
Primary Dns Suffix . . . . . . . : NewBrixius <-domain name
Node Type . . . . . . . . . . . . : Hybrid

<snip>

Good eye Kevin. We got so hung up on the DOT issue that we lost sight of the
other possible issues! Good to have all of us out here teaming up!

The domain obviously needs to be renamed to the proper format of
'newbrixius.com' or 'newbrixius.net', but I suggest not choosing the external
domain name if newbrixius.com exists. Keep it different to eliminate
additional administrative overhead.

To help in renaming/migrating it for Worf, we'll need more info to suggest
the best possible course of action, of course, such as:

1. What service pack?
2. What mode is the domain in?
3. Is Exchange installed and what version?
4. How many users?
5. How many locations?
6. Any child domains?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
1. None, it's W2k3
2. It's got something to do with trees, right?
3. No Exchange
4. Got 30 CALs (26 in use)
5. 1
6. 0

I looked into the "single-label domain name" thing and found that for what
I'm doing it will be OK as it is. I have no need to be a child domain
or to have any children. I'm never going to use it as a public
server. All my clients are Win98SE, and if I change the domain name I
will have to run around and adjust all the client machines. You had
said that I should change all the clients to only look to the server's
IP for DNS. Is that absolutely necessary? It seems that I may not even
need DNS because almost all my clients are Win98SE and don't browse
the network using DNS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675 This is
why SAMBA and Win2k/XP clients don't have any browsing issues and my
Win98 clients do. So I'm thinking that setting up the DNS server was
an exercise in futility.
I want to thank you guys for all your help.
I'm amazed how fast you guys responded to my requests. WOW.
 
Not true. Win98SE and NT4 use the NetBIOS domain name; you won't change the
NetBIOS name, there's no need to.
Renaming the domain won't affect the membership; client membership stays the
same, only the Primary DNS suffix changes on the member clients, and that takes
place automatically. Member clients are the Win2k, WinXP and Win2k3 machines;
the Win9x clients are NOT members and cannot be members.

There are many problems with Single label DNS domains, we have only touched
on a few.
 
Will you ever update to W2kor XP clients? That's when the single label name
will bite you, if not already where it's not registering properly into DNS,
which AD requires for itself (and clients).

If Win9x or NT4, then it doesn't really matter. It's just a matter of best
practice to use the internal DNS. If using the DSClient on these machines,
then you would need the internal DNS.

Mode is not tree based, but rather what functionality the domain (or forest)
is in, such as if compatible with NT4 or not and/or compatible with W2k AD,
etc. If still in mixed mode (NT4 compatible) you can easily fix the domain
name issue by installing an NT4 BDC into the domain, then removing your
current server, then promoting the NT4 BDC to a PDC, then run dcpromo again
on the other machine, this time selecting the proper name. This method will
allow you to save your user accounts and settings.

But DNS is still REQUIRED for your AD domain controller.

Check your domain mode (rt-click domain name in ADUC, properties), and see
if still in mixed mode. If so, then do the above. It'll give you peace of
mind and fix all these other things that have been happening.

No prob for the quick response, if not too busy, I usually respond quick.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Oddly enough, the one XP client and my Linux (using SAMBA) notebook are
the only ones that browse the network reliably. It is only Network
Neighborhood that doesn't work well on the rest. The shares and mapped
drives are working just fine. So I'm going to leave well enough alone.
I'll worry about the domain name thing when and if the time comes. We
will probably move to a Linux desktop before I spend any more money on
M$ stuff. Their tech support and quality has gone to hell in the last
few years. It's just not worth the money anymore without free phone
tech support. I bought win2k3 and 30 cal's and they won't take a phone
call without a CC number. That's why I'm forced to beg for help on
Usenet and I resent it.
Thanks again for your help!!!!!!
 
Well, at least this help is free. That's why the groups and us folks are
here helping out free.

I believe there's an issue with SAMBA and the browser service, which is why it
seems flaky to you. I believe the resolution was to disable browse master
participation on the machine with SAMBA installed and let the Windows
machines take care of that service. The Linux machine can still browse the
network, but this will just stop it from trying to become the Browse Master.
It's a known issue with SAMBA.

Ace
 
It's the SAMBA and the XP clients that browse just fine. It's the
win98se clients that are having problems. The browsing has been funny
ever since I took the old NT4 PDC down. I was using my Linux notebook
because SAMBA diagnostic tools are so much better than what I have on
win98se boxes. I have always had it set not to enter the elections so
I don't think it caused the problem.
 