Member Server on gateway box - how to set DNS ?

[Majstor]

Hello,

I have 1 DC (SP3) on internal network and in process of installing Member
server box (SP3) on gateway to Internet (should replace current gateway).

1) How to set DNS in TCP/IP properties on both DC and both NICs on gateway
in regard to Domain Membership?

Current situation:
DC has itself as "Preffered" and actual gateway as "Alternate".
Current gateway box : "Intranet" NIC - has its private address as
"Preferred" and ISP DNS as "Alternate"
"Internet" NIC - has its
public address as "Preferred"

2) How to set DNS server on both boxes?

Current situation:
DC DNS has gateway box as forwarder in DNS, and only AD-integrated
forward lookup zone whose only NS is DC itself.
Gateway box DNS has forward lookup zones for our registered
INTERNIC domains (no doubt about that I suppose).

Is this configuration correct ?

Regards,
Vladimir

 

[Kevin D. Goodknecht]

In

Hello,

I have 1 DC (SP3) on internal network and in process of installing
Member server box (SP3) on gateway to Internet (should replace
current gateway).

1) How to set DNS in TCP/IP properties on both DC and both NICs on
gateway in regard to Domain Membership?

Current situation:
DC has itself as "Preffered" and actual gateway as
"Alternate". Current gateway box : "Intranet" NIC - has its
private address as "Preferred" and ISP DNS as "Alternate"
"Internet" NIC - has
its public address as "Preferred"

2) How to set DNS server on both boxes?

Current situation:
DC DNS has gateway box as forwarder in DNS, and only
AD-integrated forward lookup zone whose only NS is DC itself.
Gateway box DNS has forward lookup zones for our registered
INTERNIC domains (no doubt about that I suppose).

Is this configuration correct ?

Regards,
Vladimir

It does not sound like it is correct. Let me elaborate, All DCs and domain
members must point ONLY to the DNS server that hosts the AD DNS zone for DNS
on all NICs, required.
This includes the multi-homed member you are using as your gateway. In the
DNS server on the gateway machine you can enable a forwarder to your ISP in
the DNS server properties. But both it's NICs DNS should be pointed
internally to alleviate errors and slow logons.
Having your internal DNS forward to the gateway box is OK that will build up
its DNS cache.

 

[Majstor]

Ok,

so all 3 NICs on both boxes should have "Preferred" pointed to DC?

Now concerning DNS servers settings,


1) Does it make sense to register Member server(gateway box) as second NS in
DC`s AD-integrated "Forward lookup zones/Name Servers" or only pointing to
it for forwarding?
2) ON gateway box I should have primary zones created for registered public
domains. In that case, does it make excessive to set forwarder to ISP?

Regards,
Vladimir

 

[Kevin D. Goodknecht]

In

Ok,

so all 3 NICs on both boxes should have "Preferred" pointed to DC?

Now concerning DNS servers settings,


1) Does it make sense to register Member server(gateway box) as
second NS in DC`s AD-integrated "Forward lookup zones/Name Servers"
or only pointing to it for forwarding?
2) ON gateway box I should have primary zones created for registered
public domains. In that case, does it make excessive to set forwarder
to ISP?

Regards,
Vladimir

Answers
1. Not on the AD zone, remember the AD zone must have records in it to find
the Domain Controller, if the Member has a secondary of this zone it will
have these records in it, too.
What you can do is this, If you have not chosen your AD name yet, you can
make the AD domain name something other than your public name. such as
home.example.com or example.local. this is a decision you must decide based
on your needs.
This way you can host your public name without conflict on either namespace
in both DNS servers.

2 I would not say excessive, but if you are hosting a lot of zones and are
getting a lot of DNS requests, you might consider disabling recursion on the
primary. Then it can only answer Authoritatively, and cannot be used as a
Forwarder by the internal DNS server. And even if you have a forwarder
defined it won't use it. Some say this is a bug in MSDNS because it allows
you to define a forwarder that it won't use.

 

[Majstor]

Concerning

Your answer:

1. Not on the AD zone, remember the AD zone must have records in it to find
the Domain Controller, if the Member has a secondary of this zone it will
have these records in it, too.
What you can do is this, If you have not chosen your AD name yet, you can
make the AD domain name something other than your public name. such as
home.example.com or example.local. this is a decision you must decide based
on your needs.
This way you can host your public name without conflict on either namespace
in both DNS servers.

I am not sure about the DNS mechanism in this case:
I have 2 DNS servers, one of which is on DC and primarily intended for AD
(user logons), but has to forward Internet requests.
Another DNS server exists for public services and forwarding internal
requests and does not need to have anything with AD, except that he is a
member of internal domain. The Domain name is already set and it does have
nothing with with public DNS names.

Please, correct me if I took it wrong:
1) AD-integrated DNS zone on DC should have only 1 NS, it is DC (DNS1)
itself. Member (DNS2) should only be forwarder.
2) AD-integrated zone exists as "Primary" of course, only on DC (DNS1), not
on Member (DNS2) as "Secondary".
3) Member (DNS 2) should have only Primary zones for public domains. No need
to configure forwarding since all public zones have "Secondary" at ISP DNS.

Thanks,
Vladimir

 

[Kevin D. Goodknecht [MVP]]

In

Concerning


Your answer:


I am not sure about the DNS mechanism in this case:
I have 2 DNS servers, one of which is on DC and primarily intended
for AD (user logons), but has to forward Internet requests.
Another DNS server exists for public services and forwarding internal
requests and does not need to have anything with AD, except that he
is a member of internal domain. The Domain name is already set and it
does have nothing with public DNS names.

Please, correct me if I took it wrong:
1) AD-integrated DNS zone on DC should have only 1 NS, it is DC (DNS1)
itself. Member (DNS2) should only be forwarder.

Actually on the internal DNS just forward to the ISP not to the DNS on the
member. If you are using the DNS as Authoritative for public zones, using it
as a forwarder can slow it down.

2) AD-integrated zone exists as "Primary" of course, only on DC
(DNS1), not on Member (DNS2) as "Secondary".

Is you AD domain name the same name as your public domain name?
If it is you should probably make the zone on the member a standard primary.
It will need only public records in it. If you make it a secondary to the
internal AD domain it will have private records in it which must not be
publish publicly.

Remember you have two views of your network, private view and public view.
Depending on if you are on the inside looking out, or outside looking it.
Your internal machines should not even see the DNS server on the member in
their NICs.
Their may be public records in it that internal clients can use, say if the
website/server are hosted elsewhere, but I would delegate those records on
the internal DNS.

If you are hosting any websites or mail servers locally you will need to
duplicate domain name zones on your two DNS servers. not primary/secondary
but both should be primary each with its own view.
For records on the member that point to websites/servers that are NOT hosted
locally you can use a delegation on the internal DNS to make administration
easier. For instance you host a DNS zone for thierdomain.com and the website
is hosted elsewhere but you host the mail server. You need:
Internal DNS server in theirdomain.com FLZ
mail "A" host <internalipaddress>
www delegation to member DNS server

External DNS on member in theirdomain.com FLZ
mail "A" host <publicipaddress>

3) Member (DNS 2) should have only Primary zones for public domains.
No need to configure forwarding since all public zones have
"Secondary" at ISP DNS.

If you are going to use forwarding on the DC to this DNS then you should use
forwarding on this one to the ISP.

 

[Michael Johnston [MSFT]]

As a general rule of thumb, the DC should only point to itself for DNS. The gateway box, if it is a member of the AD should also only point to the DC for DNS.
The DC should then be configured to forward to the gateway box and the gateway can either forward to the ISP or just use root hints.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.