Just to confirm

  • Thread starter Thread starter Murray
  • Start date Start date
M

Murray

Hi Everyone,
I have been reading some posts and I just thought that I should double check
to make sure I was doing the right / wrong thing.

I should not use the secondary DNS server spot in my client workstations to
enter the ISP's DNS server as a backup.

If I had what would've happened?

Murray
 
Murray said:
Hi Everyone,
I have been reading some posts and I just thought that I should double
check to make sure I was doing the right / wrong thing.

I should not use the secondary DNS server spot in my client workstations
to enter the ISP's DNS server as a backup.

If I had what would've happened?

Murray
Click to expand...
You have 2 domain controllers, that's backup enough generally. If you set
ISP as the secondary if you lose the primary the client reverts to the
secondary and will not reslove internal IP's .... ok doens't seem bad since
but here's the issue, the client (to my understanding) won't revert back to
the primary when it becomes available again without rebooting.

Matt
 
Murray said:
Hi Everyone,
I have been reading some posts and I just thought that I should
double check to make sure I was doing the right / wrong thing.

I should not use the secondary DNS server spot in my client
workstations to enter the ISP's DNS server as a backup.
Click to expand...

Right. Nor on your servers themselves. No external/public DNS server IPs in
your IP configs.
If I had what would've happened?
Click to expand...

Your computers would eventually start looking for your domain controllers on
the Internet. And wouldn't find them.
 
Right. Nor on your servers themselves. No external/public DNS server IPs in
your IP configs.
Click to expand...

I have the DHCP scope setup with DNS1 as the DNS server in the LAN, and
it has forwarders to the ISP. I have DNS2 and DNS3 setup for the ISP's
DNS servers. There is no problem on the network with this that I can
see, and it works quite well.
Your computers would eventually start looking for your domain controllers on
the Internet. And wouldn't find them.
Click to expand...

Wrong, it will only look for the DNS from the public servers if it can't
find the DNS records locally on the internal DNS server. I've used
internal DNS with Forwarders and secondary DNS of the ISP in every scope
for years, and we're always able to find internal network resources by
name.

If you add your ISP's DNS it means that you can still resolve external
DNS should you take down the DNS server inside your network.
 
Leythos said:
I have the DHCP scope setup with DNS1 as the DNS server in the LAN,
and it has forwarders to the ISP. I have DNS2 and DNS3 setup for the
ISP's DNS servers. There is no problem on the network with this that
I can see, and it works quite well.


Wrong, it will only look for the DNS from the public servers if it
can't find the DNS records locally on the internal DNS server.
Click to expand...

Or if for some reason it queries the public ones.
I've
used internal DNS with Forwarders
Good

and secondary DNS of the ISP
Bad

in
every scope for years, and we're always able to find internal network
resources by name.
Click to expand...

You've been lucky.
If you add your ISP's DNS it means that you can still resolve external
DNS should you take down the DNS server inside your network.
Click to expand...

And network users will usually have slow logins and other problems. This is
not the recommended setup. See http://support.microsoft.com/kb/237675/EN-US/
 
You've been lucky.

And network users will usually have slow logins and other problems. This is
not the recommended setup. See http://support.microsoft.com/kb/237675/EN-US/
Click to expand...

No login problems, and it's performed as well as any network I've been
on, ever. Since the local name is domain.lan and since the DSN is setup
internally for domain.lan I don't have to worry about the users trying
to resolve domain.lan on the public networks.

The article you provided the link to does not indicate any problem with
creating the DNS as I did, in fact, it looks fine to me. Since I'm not
about to use a TLD in the company network, it looks fully supported just
the way that I did it.

In addition to the forward lookup zone, I also created zones for each of
the domain names that we host and then local A records that match the
public names, but they point to the internal IP of the public record.

Not only does this work, but trusts between domains works fully, all
domains are visible in the Network Places, and only public needed DNS is
sent outside the network.

Combine this with a properly scoped DHCP and you're in business.
 
In
Leythos said:
(e-mail address removed)
says...

I have the DHCP scope setup with DNS1 as the DNS server
in the LAN, and it has forwarders to the ISP. I have DNS2
and DNS3 setup for the ISP's DNS servers. There is no
problem on the network with this that I can see, and it
works quite well.


Wrong, it will only look for the DNS from the public
servers if it can't find the DNS records locally on the
internal DNS server. I've used internal DNS with
Forwarders and secondary DNS of the ISP in every scope
for years, and we're always able to find internal network
resources by name.

If you add your ISP's DNS it means that you can still
resolve external DNS should you take down the DNS server
inside your network.
Click to expand...

No, you're wrong. If the internal server answers with a not found the query
will not go to the external DNS, the query stops. If the Preferred
(internal) DNS responds slowly, as it would if it were busy, the query goes
to the Alternate DNS if the Alternate responds with either a positive or
negative answer, it is still considered an answer, then the system will
consider the Alternate DNS as the best DNS to use and moves it to the
Preferred position until the system resets the DNS server list (default is
15 minutes). Then when the system needs a local query it sends it to the
external DNS, when the external DNS answers negatively, and it will because
it cannot possibly know the answer, the query fails and the internal DNS
will NOT be queried, even though it holds the record.

If you want DNS servers to always use the servers in the order listed in
TCP/IP properties you will have to modify the registry to reset the server
list in less than 15 minutes.

The DNS Client Service Does Not Revert to Using the First Server in the List
in Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;320760
The DNS Client Service Does Not Revert to Using the First Server in the
List:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
 
Leythos said:
No login problems, and it's performed as well as any network I've been
on, ever. Since the local name is domain.lan and since the DSN is setup
internally for domain.lan I don't have to worry about the users trying
to resolve domain.lan on the public networks.
Click to expand...
Ok, I'm going to logon on, I query DNS for an SRV record for a DC. Primary
DNS (One of your DC's) is down, so I query the secondary (ISP DNS). This is
when it becomes slow and you start querying externally for internal
resources. Next problem is what happens when the internal DNS comes up?
Your clients will keep querying externally.

Matt
MCT, MCSE
 
In

No, you're wrong. If the internal server answers with a not found the query
will not go to the external DNS, the query stops. If the Preferred
(internal) DNS responds slowly, as it would if it were busy, the query goes
to the Alternate DNS if the Alternate responds with either a positive or
negative answer, it is still considered an answer, then the system will
consider the Alternate DNS as the best DNS to use and moves it to the
Preferred position until the system resets the DNS server list (default is
15 minutes). Then when the system needs a local query it sends it to the
external DNS, when the external DNS answers negatively, and it will because
it cannot possibly know the answer, the query fails and the internal DNS
will NOT be queried, even though it holds the record.

If you want DNS servers to always use the servers in the order listed in
TCP/IP properties you will have to modify the registry to reset the server
list in less than 15 minutes.
Click to expand...

I understand what you are staying, but it's not working that way in our
networks, or anywhere else I've set it up that way.

If I query for foobar.zzz I get a not found and can see the ISP's DNS
being queried. If I query for station.mydomain.lan, I get a result and
never see it go outbound. If I take the server down, DNS server, flush
the dsn locally, and query, station.mydomain.lan, it does not go to the
ISP's DNS, it just fails. If I take the dns server down, query for
yahoo.com, it hits the ISP's DNS server just fine. If I have the DNS
server running and query yahoo.com, it hits the ISP's DNS server also.

For any of the forward zones that I've created, none of the queries
against them leave the local network - I can see that they don't go to
the ISP because there is no DNS traffic at that time.

Maybe it's because our internal DNS server never gets busy enough to no
respond? The server, DNS, in most cases, is a single server network,
doing all user auth, files, profiles, and sometimes even SQL 2000. We
have never experienced anything like you suggest.

I will setup a test server like you and one other have posted and try it
to see if there is any difference, but I'm not expecting to see any.
 
Ok, I'm going to logon on, I query DNS for an SRV record for a DC. Primary
DNS (One of your DC's) is down, so I query the secondary (ISP DNS). This is
when it becomes slow and you start querying externally for internal
resources.
Click to expand...

I agree, if the internal DNS server is down and they are not caching the
DNS locally, they won't find anything via DNS for the internal network -
that's how its suppose to work. When the local DNS is down, it does not
appear to hit the public DNS server, I've watched the firewall hundreds
of times and never see it do that when our DNS is down, at least not for
local names.
Next problem is what happens when the internal DNS comes up?
Your clients will keep querying externally.
Click to expand...

Nope, it comes right back up and starts working perfectly, always has. I
can't explain it, it's just been that way for me since I started using
DNS internally years ago.
 
In
Leythos said:
I understand what you are staying, but it's not working
that way in our networks, or anywhere else I've set it up
that way.

If I query for foobar.zzz I get a not found and can see
the ISP's DNS being queried. If I query for
station.mydomain.lan, I get a result and never see it go
outbound. If I take the server down, DNS server, flush
the dsn locally, and query, station.mydomain.lan, it does
not go to the ISP's DNS, it just fails. If I take the dns
server down, query for yahoo.com, it hits the ISP's DNS
server just fine. If I have the DNS server running and
query yahoo.com, it hits the ISP's DNS server also.

For any of the forward zones that I've created, none of
the queries against them leave the local network - I can
see that they don't go to the ISP because there is no DNS
traffic at that time.

Maybe it's because our internal DNS server never gets
busy enough to no respond? The server, DNS, in most
cases, is a single server network, doing all user auth,
files, profiles, and sometimes even SQL 2000. We have
never experienced anything like you suggest.

I will setup a test server like you and one other have
posted and try it to see if there is any difference, but
I'm not expecting to see any.
Click to expand...

With all due respect, it is not just me and one other that will tell you
this. One big reason why your wrong, All DCs by default and any client that
supports DDNS and is configured to do so, will attempt to register their
records in all DNS server listed in TCP/IP properties and DCs will log
Netlogon errors if they can't.

If you have your ISP's DNS listed in TCP/IP properties it means that your
machines will try to register their records in your ISP's DNS servers. I
would not be surprised if you ISP would ask you to stop this practice
because of this. It would not be the first ISP to do this, and some have
even blocked access to their DNS server because it overloaded their DNS
servers with registration requests. This is true, there was a user in
Australia that his ISP blocked his network's access to their DNS servers
until the problem was fixed. They can do this because it was prohibited in
their service agreement.

Besides all that, it would be inappropriate for you to allow this and it
causes problems for your ISP's other users. So it would be to you best
interest to properly configure any network you set up. It is not beneficial
to do otherwise, and if you lose local DNS resolution, having your ISP's DNS
won't help one bit. Your machines' will be slowed to a crawl because the DC
cannot be located in the ISP's DNS.
 
[snip]

Ok, so I've got it setup wrong, let's go over the proper method in
Window 2000/2003 server to set it up so that I can properly understand
my error.

Setup new DC, install AD, which does and auto-install of DNS.

When I open DNS, click Server, Properties, I see the following:

Interfaces: local IP of DNS server, 192.168.3.10
Forwarders: None, I add the DNS Servers from the ISP and Enable.
Root Hints: No Change, as it came out of the box.

Forward Lookup Zones
mycompany.lan
secondcompany.lan
thirdcompany.lan

Aging is set to 1 day for all zones


Setup DHCP:

003 Router - local IP of router/default GW
006 DNS Servers - 192.168.3.10, ISP1 DNS, ISP2 DNS
015 DNS Domain Name - mycompany.lan
(other options not shown here)


So, for an internal DNS server, that also uses DHCP to provide DNS info
to client workstations, what should I be doing?

Thanks, I will make the suggested changes tonight and let you know what
impact I see on Wednesday.
 
Leythos said:
[snip]

Ok, so I've got it setup wrong, let's go over the proper method in
Window 2000/2003 server to set it up so that I can properly understand
my error.

Setup new DC, install AD, which does and auto-install of DNS.

When I open DNS, click Server, Properties, I see the following:

Interfaces: local IP of DNS server, 192.168.3.10
Forwarders: None, I add the DNS Servers from the ISP and Enable.
Root Hints: No Change, as it came out of the box.

Forward Lookup Zones
mycompany.lan
secondcompany.lan
thirdcompany.lan

Aging is set to 1 day for all zones


Setup DHCP:

003 Router - local IP of router/default GW
006 DNS Servers - 192.168.3.10, ISP1 DNS, ISP2 DNS
Click to expand...

No - only 192.168.3.10, presuming that's your internal DNS server's IP.
015 DNS Domain Name - mycompany.lan
(other options not shown here)


So, for an internal DNS server, that also uses DHCP to provide DNS
info to client workstations, what should I be doing?
Click to expand...

Fix your DHCP so it doesn't dish out any external DNS server IPs. All
clients will use the internal DNS server for resolution, and the forwarders
will take care of external resolution.
 
In
Leythos said:
[snip]

Ok, so I've got it setup wrong, let's go over the proper
method in Window 2000/2003 server to set it up so that I
can properly understand my error.

Setup new DC, install AD, which does and auto-install of
DNS.

When I open DNS, click Server, Properties, I see the
following:

Interfaces: local IP of DNS server, 192.168.3.10
Forwarders: None, I add the DNS Servers from the ISP and
Enable.
Root Hints: No Change, as it came out of the box.

Forward Lookup Zones
mycompany.lan
secondcompany.lan
thirdcompany.lan

Aging is set to 1 day for all zones


Setup DHCP:

003 Router - local IP of router/default GW
006 DNS Servers - 192.168.3.10, ISP1 DNS, ISP2 DNS
015 DNS Domain Name - mycompany.lan
(other options not shown here)


So, for an internal DNS server, that also uses DHCP to
provide DNS info to client workstations, what should I be
doing?
Click to expand...

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380
 
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380
Click to expand...

So, based on what I've read, and what others have said, it appears that
as long as I have my DNS DOMAIN NAME properly configured that the DNS
traffic for the DOMAIN NAME never leaves the network.

The advantage of using DNS1 = internal dns server, DNS2/3 = ISP, is that
when the internal DNS server is down, the users can still get to the
Internet. Once the DNS server comes back on-line they all automatically
start using it again - at least that's how it's working in the real
world.
 
In
Leythos said:
So, based on what I've read, and what others have said,
it appears that as long as I have my DNS DOMAIN NAME
properly configured that the DNS traffic for the DOMAIN
NAME never leaves the network.

The advantage of using DNS1 = internal dns server, DNS2/3
= ISP, is that when the internal DNS server is down, the
users can still get to the Internet. Once the DNS server
comes back on-line they all automatically start using it
again - at least that's how it's working in the real
world.
Click to expand...

You posted here to confirm if your DNS server list is configured right, I
advised you it's wrong, so did Lanwench and Matt. Everyone that regularly
posts here will tell you the same. But it is obvious that your going to use
your ISP's DNS in TCP/IP properties incorrectly anyway. Why did you even
ask?
If you want to know the official Microsoft position on your question, here
it is. Take it anyway you want, there is no need to argue any longer. It is
your reputation you are working on anyway.
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
 
Leythos said:
So, based on what I've read, and what others have said, it appears
that as long as I have my DNS DOMAIN NAME properly configured that
the DNS traffic for the DOMAIN NAME never leaves the network.

The advantage of using DNS1 = internal dns server, DNS2/3 = ISP, is
that when the internal DNS server is down, the users can still get to
the Internet. Once the DNS server comes back on-line they all
automatically start using it again - at least that's how it's working
in the real world.
Click to expand...

My internal DNS server doesn't go down unless I take it down, generally
speaking, and I don't do that during business hours. See Kevin's reply as
well - you can set up your networks as you like, but you aren't doing it
properly if you use your ISP's DNS servers on any server or client on your
network, and I assure you that this *does* cause problems.
 
My internal DNS server doesn't go down unless I take it down, generally
speaking, and I don't do that during business hours. See Kevin's reply as
well - you can set up your networks as you like, but you aren't doing it
properly if you use your ISP's DNS servers on any server or client on your
network, and I assure you that this *does* cause problems.
Click to expand...

Leythos, feel free to configure your network as you like, but you'll be
better off in the long run if you follow teh suggestions in this thread.
Best of luck to you : ).

Matt
MCT, MCSE
 
In

You posted here to confirm if your DNS server list is configured right, I
advised you it's wrong, so did Lanwench and Matt. Everyone that regularly
posts here will tell you the same. But it is obvious that your going to use
your ISP's DNS in TCP/IP properties incorrectly anyway. Why did you even
ask?
Click to expand...

Because I wanted to see how I was being impacted by doing it like I
have. From my experience, and from the documents presented by others, it
does not appear that my settings hinder the operation of the network at
all. There is no extra traffic while the local DNS server is working,
and when the local DNS server is not working we can still get access to
external sites. When the local DNS server returns to operation so does
all local resolution.

The entire point of me posting was to say that IT DOES WORK LIKE I'M
SAYING, not to ask if it follows the Microsoft Approved Way.

From all that I can see, and use in the real world in many sites, there
does not appear to be any detriment to using the additional DNS servers
of the ISP as long as your local DNS is first and setup properly.

That's the only point - it works fine.
 
Leythos, feel free to configure your network as you like, but you'll be
better off in the long run if you follow teh suggestions in this thread.
Best of luck to you : ).
Click to expand...

Matt, and others - I agree with the above. It's definitely not the MS
way, not the approved MS way, but, the entire point of the conversation
was for me to learn WHAT PROBLEMS this setup causes. I've read one post
that described a number of issues with resolution of DNS if there is an
internal problem. I duplicated the DNS problem and when recovered it did
not exhibit the described problem.

My entire interest in this thread is only to learn about the problem,
not the proper MS way of configuring it, and to learn about what impact
it can have on my network. Based on everyone's comments I should be able
to see problems, but I'm unable to see them, and the domain requests do
not leave the local network (I would see them in the firewall logs if
they did).

So, here's a question for you: Have you tried it exactly like I describe
and seen the problem on YOUR networks? I'm not talking about some text-
book lab example, I'm talking about a network with 50+ active nodes and
multiple servers.
 
Back
Top