Multihomed DNS server install problems


Adam Marx

I am trying to set up a multi-homed DNS server and am having problems. In a
nutshell, DNS isn't resolving a thing.

It's a Windows 2000 box. I did a clean install and set both IP addresses: one
with a private IP, no gateway, pointing to the DNS of the private subnet, and
the other with a public IP, a correct gateway, pointing to itself as the DNS
server.

When I ping the FQDN I get a response on the correct public IP address. When
I do an NSLOOKUP I get "Default server unknown:" with the correct public IP.
When I run the simple DNS tests in the monitoring of the DNS server, both
"Fail".

I've obviously got something wrong but am at a loss; I could use some
guidance.

Thanks.

AJM,
 

Ace Fekay [MVP]

Kind of need a lot more info about what you're trying to do and what you
currently have, etc., such as: is this a DC? Is this DNS server hosting your
public records for your domain? Or does it host a copy of the internal AD
zone? Or do you even have AD? If so, is it also a GC?

Normally with dual NICs on a machine (especially a DC and/or DNS server), you
would put the internal NIC at the top of the Binding order (not the external
NIC), and make absolutely sure that both NICs are only using the internal DNS
server address and not the ISP's DNS, or other issues will arise.

Configure a forwarder for efficient Internet resolution. This article
shows you how:
http://support.microsoft.com/?id=300202

On the external you can disable the MS Client service and the F&P services
and disable NetBIOS.

If it's a DNS server, set it to listen on the internal interface only. If it's
a DNS server and you want the external IP not to register, there's also a reg
entry to set to stop that, since by default a DNS server will always register
itself. You may also want to stop the GcAddress too, since that can cause
problems with a client or DC on lookup, if this is a GC.

Now if this is hosting public records, and you have AD and this is not a DC,
then you'll need to point only to the internal DNS, and I suggest configuring
a forwarder. This ensures that your internal machines (including this guy)
will access your internal records without question. If it is hosting public
records, then you would tell it to only listen on the external interface,
because in this scenario no internal machines will access it.

Now... if you have AD and the same domain name internally and externally, then
as I said, make sure that the internal users only use the internal DNS and
manually create your www and ftp entries, etc., to point to the private IP
address. Unless of course you have a DMZ, in which case you would point to the
DMZ IP address(es).

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Herb Martin

Adam Marx said:
I am trying to set up a multi homed DNS server and am having problems. In a
nutshell DNS isn't resolving a thing.

I presume you mean "resolving client requests" -- not that the
machine is JUST having trouble resolving for itself (that may be
true too but not the main problem.)

How do you know? (really)

If you use NSLookup (or substitute) from the SAME box and
other clients with a SPECIFIC request to this server for something
you believe it must know....

Does it hold any zones?

If so,
nslookup -q=SOA -time=10 thatZoneItHolds.com 127.0.0.1
and
nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.100.10
(whatever its private IP address is)
and
nslookup -q=SOA -time=10 thatZoneItHolds.com pub.lic.ip.addr

Ignore any "reverse errors" in the first 2-3 lines of output -- they're normal
enough.

FYI: The timeout is to make sure it has time to initialize on the first
request or so.

It's a Windows 2000 box, I did a clean install set both IP addresses one
with a private IP with no Gateway and pointing to the DNS of the private
subnet and the other with a public IP with a correct Gateway and pointing to
itself as the DNS server.

When I ping the FQDN I get a response on the correct public IP address. When
I do an NSLOOKUP I get a "Default server unknown:" with a correct public IP.
When I run the simple DNS tests in the monitoring of the DNS server both
"Fail".

Does it hold any zones? If not, it is only going to (maybe) resolve public
names.

For that to work, you must allow it through any intermediary firewalls.

Does it have a "." zone (root zone)? This sometimes gets set up
automatically, and you should (almost always) just delete it.

Are you using a FORWARDER from it? Consider having it forward to the
ISP you would have used were it an ordinary client -- you must delete that
"." zone to do this.

I've obviously got something wrong but am at a loss, I could use some
guidance.

Probably the "." zone.
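The three nslookup checks above, as an added Python example that is not from the thread: it sends the same SOA query to each address the server is supposed to answer on, parses the reply, and reports a timeout for any address that never responds. The sample reply, the `sample_transport` stand-in and the addresses are constructed; only `udp_send` talks to a real server.

```python
import socket
import struct

SOA = 6  # RR type code for SOA

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_soa_query(zone, txid=0x1234):
    """Build a DNS query message asking for the SOA record of `zone` (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_soa_response(msg):
    """Return the SOA fields from the answer section, or None if there are none."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            mname, o = read_name(msg, off)
            _, o = read_name(msg, o)  # responsible mailbox, not needed here
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
            return {"name": name, "primary_ns": mname, "serial": serial, "refresh": refresh,
                    "retry": retry, "expire": expire, "ttl": minimum, "rcode": flags & 0xF}
        off += rdlen
    return None

def udp_send(addr, data, timeout):
    """Send one datagram to port 53 on `addr` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(data, (addr, 53))
        reply, _ = s.recvfrom(512)
    return reply

def probe(zone, addresses, send=udp_send, timeout=10.0):
    """Ask each address for the zone's SOA; map address -> SOA dict or a reason."""
    results = {}
    for addr in addresses:
        try:
            reply = send(addr, build_soa_query(zone), timeout)
        except socket.timeout:
            results[addr] = "timed out"  # not listening on this address, or filtered
            continue
        soa = parse_soa_response(reply)
        results[addr] = soa if soa else "no SOA in answer"
    return results

def build_sample_soa_response(query):
    """Constructed reply (not captured from a real server) carrying the SOA values
    posted in the thread; the owner name is a pointer to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rname = b"\x0ahostmaster" + b"\xc0\x0c"  # hostmaster.<zone>, via the pointer
    rdata = encode_name("dns1.mydomainname.com") + rname
    rdata += struct.pack("!IIIII", 2004040302, 900, 600, 86400, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata
    return header + query[12:] + answer

def sample_transport(addr, data, timeout):
    """Constructed stand-in for udp_send: the private NIC never answers, mirroring
    the symptom in the thread; every other address returns the sample SOA."""
    if addr.startswith("192.168."):
        raise socket.timeout()
    return build_sample_soa_response(data)
```

Running `probe("mydomainname.com", ["127.0.0.1", "192.168.1.99", "203.0.113.10"], send=sample_transport)` reproduces the thread's result: SOA data from loopback and the public address, a timeout from the private one.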
 

Adam Marx

Thanks for the replies. Because there is so much info, I'll reply in 2 posts.

" Kind of need a lot more info about what you're trying to do and what you
currently have, etc, such as is this a DC? Is this DNS server hosting your
public recordsfor your domain? Or does it host a copy of the internal AD
zone? Or do you even have AD? If so, is it also a GC?"

*Not a DC

*Yes it is hosting my public record for my domain

*Yes I do have a Domain Controller running Active Directory; it is set up on a
different domain. I intend on merging the 2 eventually but currently have
them running in 2 different domains for testing purposes only. The 2nd NIC
on the private IP is used only for the purpose of using Terminal Services to
manage the server, and I have no intention of merging the server into the
existing domain.

*I do not know what a "GC" is; I am unfamiliar with the term. Is that a
"Global Controller"?

"Normally with dual NICs on a machine (especially a DC
and/or DNS server), you would put the internal NIC at the top of the Binding
order (not the external NIC), and make absolutely sure that both NICs are
only using the internal DNS server address and not the ISP's DNS or other
issues will arise."

*Exactly how do I make sure that the internal NIC is at the top of the
binding?
*Both NICs are set up only to use the Public IP for DNS and there are no
references to my ISP's DNS servers.

"Configure a forwarder for efficient Internet resolution. This article
shows you how:
http://support.microsoft.com/?id=300202"

*Forwarders are enabled and I have deleted the root zone.

"On the external you can disable the MS Client service and the F&P services
and disable NetBIOS."

*This has been done.

"Now if this is hosting public records, and you have AD and this is not a
DC,
then you'll need to point only to the internal DNS and suggest to configure
a forwarder. This insures that your internal machines (including this guy)
will access your internal records without question. "

*Did you mean Internal records? Pointing it to my private IP wouldn't
resolve external requests would it?

"If it is hosting public records, then you would tell it to only listen on
the external interface
because in this scenario no internal machines will access it."

*I currently have DNS set pointing to my public IP.

Essentially what I am trying to do is set up a Primary DNS server without
this server using AD or being a DC, just as a primary for the moment. I know
there are advantages to AD but I can't even get this thing running as a
Primary DNS, let alone promoting it to a DC and installing AD. Just when I
thought I was understanding DNS, here we go...

To make a long story short, my intent is to temporarily run this DNS server
using a new Domain Name, promote it to a DC with AD and then merge my old
DNS records for my current DC running AD into it. Then take my old server
and create a secondary DNS server out of it for internal requests only. So
this is really only a first step in getting a new DC up and running.

AJM,

 

Adam Marx

Herb,

" I presume you mean "resolving client requests" -- not that the
machine is JUST having trouble resolving for itself (that may be
true too but not the main problem.)"

*No, it is unable to perform a simple query: using the Monitor tab on the
DNS server name and running "a simple query against this DNS server" and
"recursive query to other DNS servers", they both "FAIL".

"> nslookup -q=SOA -time=10 thatZoneItHolds.com 127.0.0.1"

* returns:
server: localhost
address: 127.0.0.1

mydomainname.com
primary NS = FQDN
serial = 2004040302
refresh = 900
retry = 600
expire = 86400
TTL = 3600
FQDN = internet address = Public IP


"> nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.1.99"

* returns
DNS request timed out
timeout was 10 seconds
*** can't find server name for 192.168.1.99***
server unknown
address: 192.168.1.99

DNS request timed out
timeout was 10 seconds

DNS request timed out
timeout was 10 seconds

"nslookup -q=SOA -time=10 thatZoneItHolds.com pub.lic.ip.addr"

* returns
**can't find server name for pub.lic.ip.addr***
server: unknown
address: pub.lic.ip.addr

mydomainname.com
primary NS = FQDN
serial = 2004040302
refresh = 900
retry = 600
expire = 86400
TTL = 3600
FQDN internet address = pub.lic.ip.addr

"Does it hold any zones? If not, it is only going to (maybe) resolve public

*Yes, currently only 1, "mydomainname.com"; the machine name is DNS1 (FQDN =
"DNS1.mydomainname.com").

"For that to work, you must allow it through any intermediary firewalls."

*none currently.

" Does it have a "." zone (root zone) -- this sometimes gets setup
automatically
and you should (almost always) just delete it.

Are you using a FORWARDER from it? Consider having it forward to the
ISP you would have used were it an ordinary client -- you must delete that
"." zone to do this."

*It did have the Root zone when created but I deleted it and am using
forwarders to my ISP's DNS.

AJM,

"***************************************************************************
********************
 

ObiWan

" I presume you mean "resolving client requests" -- not that the

*No, it is unable to perform a simple query by using the Monitor tab on the
DNS server name and running "a simple query against this DNS server" and "
recursive query to other DNS servers" they both "FAIL".

"> nslookup -q=SOA -time=10 thatZoneItHolds.com 127.0.0.1"
mydomainname.com
<snip>

try adding a dot to the query, like in thatZoneItHolds.com.
(notice the ending dot in the above domain name)

"> nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.1.99"
*** can't find server name for 192.168.1.99***
server unknown
address: 192.168.1.99
<snip>

The DNS has no reverse zone for its private IP. Create
the 1.168.192.in-addr.arpa zone and be sure it contains
a record for your DNS; it's not strictly required, but it won't
be bad and it will allow you to solve some nslookup bugs.


--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

Support and discussions forum
http://ntcanuck.com/net/board

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm
 

Ace Fekay [MVP]

Hi Adam

I wouldn't make it a DC if you're hosting external data. Security MINUS!

I would point to the internal DNS only on both NICs, not to itself.
Configure a forwarder on the internal DNS to this server. On this server,
let both interfaces listen for DNS requests. Then on this server, configure a
forwarder to your ISP's. This way your server can get to internal stuff by
their private IPs. It will also resolve external requests.

If the AD domain name will be the same as the external (not a recommended
naming method), manually create your www and other records on the internal
server's zone.

Binding order is done in Network & Dialup window, Adv Menu, Adv Settings.

--
Regards,
Ace

 

Herb Martin

*No, it is unable to perform a simple query by using the Monitor tab on the
DNS server name and running "a simple query against this DNS server" and
"recursive query to other DNS servers"; they both "FAIL".

"> nslookup -q=SOA -time=10 thatZoneItHolds.com 127.0.0.1"

* returns:
server: localhost
address: 127.0.0.1

mydomainname.com
primary NS = FQDN

It's working. Are you by any chance using the "Configure Computer"
Services, DNS MMC-snapin without service packs? There was a bug
in that one, I forget exactly but it might have included failing a test.

The NSLookup is resolving so the server is working (at least minimally).

"> nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.1.99"

* returns
DNS request timed out
timeout was 10 seconds
*** can't find server name for 192.168.1.99***

PERFECTLY normal error "can't find", but the timeout is a problem.

DNS request timed out
timeout was 10 seconds

Check the server to ensure that it is enabled on ALL (or appropriate)
IP addresses.

"nslookup -q=SOA -time=10 thatZoneItHolds.com pub.lic.ip.addr"

* returns
**can't find server name for pub.lic.ip.addr***

Perfectly normal error.

server: unknown
address: pub.lic.ip.addr

mydomainname.com
primary NS = FQDN

Server is answering on public address.

"Does it hold any zones? If not, it is only going to (maybe) resolve public

*Yes, currently only 1 "mydomainname.com" the Machine name is DNS1. (FQDN =


" Does it have a "." zone (root zone) -- this sometimes gets setup

*It did have the Root zone when created but I deleted it and am using
forwarders to my ISP's DNS.

What version/service packs?
 

Adam Marx

Sorry, you're correct, I said that wrong. It won't be a DC; it's only going to
be a primary DNS for external hosting. The DC will remain internal and
separated from the net.

I can make the external DNS an AD, correct? Do you have a preference for
naming conventions when establishing the AD?

Thanks for the info.


 

Adam Marx

If I am not going to be using the internal NIC for DNS queries then it
shouldn't be listed at all when binding IP's correct?


 

Adam Marx

Awesome tag! "ObiWan"...

I'm a tad confused, as usual. I have 2 NICs in this box: 1 is private and 1
is public.

In my SOA do I need to list both IPs or only the public IP that will be
receiving requests for DNS information?

Do I also need to add a host record for the private IP "DNS1
192.168.1.99"?

I have a NameServer record that points to my FQDN; won't adding the second
host record "DNS1 192.168.1.99" cause a mix-up? I see that as, when a
request comes in, it will have to check both the private and public
records; that seems wrong to me?

If I only need the public IP why add the reverse zone for my private IP?
 

Adam Marx

" It's working. Are you by any chance using the "Configure Computer"
Services, DNS MMC-snapin without service packs? There was a bug
in that one, I forget exactly but it might have included failing a test."

I tried that but ran into problems so I manually installed DNS after
removing it so I could start fresh.

"Check the server to ensure that it is enabled on ALL (or appropriate)
IP addresses."

This might refer to my last post to ObiWan; I have some confusion as to
which records I should add to the DNS. I don't think I should be adding the
private IP to the DNS and that could explain some of my confusion? Exactly
what should be in the DNS with regards to my private IP?

"What version/service packs?"

Windows 2000 and I am currently as I type downloading SP4 currently.

Thanks,
 

Ace Fekay [MVP]

As I previously said, No. It's not recommended to make any machine that's
externally exposed to be a DC.

If your external name is company.com, suggest something different
internally, such as companyname.adam, etc.

Ace
 

Ace Fekay [MVP]

Adam Marx said:
If I am not going to be using the internal NIC for DNS queries then it
shouldn't be listed at all when binding IP's correct?

You should be using both NICs talking to the internal DNS only, not itself.
Yes, it should be set to listen to requests if you follow my
suggestion/recommendation to allow the internal DNS forward to this machine.


--
Regards,
Ace

 

Ace Fekay [MVP]

Adam Marx said:
Awesome tag! "ObiWan"...

I'm a tad confused, as usual. I have 2 NICs in this box: 1 is private and 1
is public.

In my SOA do I need to list both IPs or only the public IP that will be
receiving requests for DNS information?

That's also problematic with public records and causes issues.

Do I also need to add a host record for the private IP "DNS1
192.168.1.99"?

If on the public server, no. It will cause issues with public clients trying to
connect. They can't connect to a private IP.

I have a NameServer record that points to my FQDN; won't adding the second
host record "DNS1 192.168.1.99" cause a mix-up?

Yes, a mix-up with Internet client resolution.

I see that as, when a request comes in, it will have to check both the
private and public records; that seems wrong to me?

Yes, wrong. You don't want to do that.

If I only need the public IP, why add the reverse zone for my private IP?

Not necessary externally or on this server. Some internal apps need
reverse zones. On W2k3, 40960 errors are eliminated with a valid reverse
zone. More than likely, your ISP owns the IP range and they would need to do
a reverse zone for you.


--
Regards,
Ace

 

Herb Martin

Adam Marx said:
If I am not going to be using the internal NIC for DNS queries then it
shouldn't be listed at all when binding IP's correct?

Right.

You should only list NICs which should respond to queries.

Although some people do use the same DNS server for Internal and External
(client) resolution, this is generally a poor idea, especially if Active
Directory is supported by the zone.

There is no way to split the view of the zone using MS DNS (BIND can do
this but even that is argued as a practice.)

In fact, your best bet is to let the REGISTRAR hold your internal zone
anyway, but you didn't ask that question.
 

Herb Martin

This might refer to my last post to ObiWan; I have some confusion as to
which records I should add to the DNS. I don't think I should be adding the
private IP to the DNS and that could explain some of my confusion? Exactly
what should be in the DNS with regards to my private IP?

Part of the trouble is you are trying to use the same DNS server for
internal and external clients to use -- this is a bad idea. In fact, you
should even try to use your own DNS for external clients -- let the REGISTER
do that. (They have bigger, better, faster servers with 24/7 support and you
probably already paid for it.)

Also, you REALLY do not want to expose internal only records to the
Internet and hackers.

None of this has much to do with your problems in TESTING the server
however -- we have been focused on helping you fix the actual technical
problems, not in your design which is probably not optimal.

"What version/service packs?"
Windows 2000, and as I type I am currently downloading SP4.

What were you using before? SP3 is pretty solid too but the original
version had a lot of little bugs.
 

Adam Marx

One last note and question.

You should only list NICs which should respond to queries.

I think I follow: if the server is for external use only then the private IP
basically should not show up in DNS. Only if the DNS server needs to direct
some internal client should there be a record?

When I attempt to add a Nameserver for a zone shouldn't I be able to
enter in a FQDN of an external DNS and have my DNS resolve it? When I try to
add a NS I get an error that the IP can't be found; shouldn't the forwarders
kick in and resolve the FQDN of the external DNS?

Thanks for all your help.

p.s. after the service pack 4 install the errors when trying to run simple
queries against the DNS server have been fixed.
 

Herb Martin

I think I follow, if the server is for external use only then the private
IP basically should not show up in DNS. Only if the DNS server needs to direct
some internal client should there be a record?

Make sure we are talking about the same thing: I was referencing the
RESPOND on address. If it should only respond to external client
requests, disable it on the internal interface address (actually ONLY
enable it externally.)

Or vice versa -- which is far more common (answering requests by your
OWN clients from the inside.)

Now, putting internal addresses -- especially from the privately
administered ranges 192.168.x.x, 10.x.x.x, 172.16-31.x.x -- in as RESOURCE
records for resolution is just a waste of time at best and is going to cause
errors or security issues at worst.

RULE: The ONLY records you expose to external resolution are those
which you wish outside users to access (simple really.)

RULE: The only interfaces that should support DNS resolution are those
where you expect to service user requests for resolution.

When I attempt to add a Nameserver for a zone shouldn't I be able to
enter in a FQDN of an external DNS

YES.

and have my DNS resolve it?

No, Yes, or maybe, depending on what you mean.

A nameserver can be known by a DNS name from outside the zone.
Example:
ns1.register.com is one of the nameservers for zone LearnQuick.Com

When I try to
add a NS I get an error that the IP can't be found, shouldn't the forwarders
kick in and resolve the FQDN of the external DNS?

I will bet you aren't putting a "." at the end of an FQDN (I wasn't just
being picky when I mentioned that it is NOT an FQDN until you add that DOT.)

IF you add the name "ns1.isp.com" to a zone, it will be entered as:

ns1.isp.com.thatzone.com. <---dot on end makes it FULLY QUALIFIED
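Herb's two rules (private-range addresses never belong in externally served resource records; only a trailing dot makes a name fully qualified), as an added Python check that is not from the thread: it expands owner and target names against the zone origin the way the DNS console does, and flags any A record in the 10/8, 172.16/12 or 192.168/16 ranges. The sample records and the 203.0.113.10 "public" address are constructed placeholders.

```python
import ipaddress

# The privately administered ranges named above (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def qualify(name, origin):
    """Expand a name the way a zone editor does: only a trailing dot marks it
    as fully qualified; anything else is relative to the zone origin."""
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def is_private(addr):
    """True when `addr` falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def audit_zone(origin, records):
    """records: iterable of (owner, rtype, rdata) as typed into the console.
    Returns one finding per record that should not be published as-is."""
    findings = []
    for owner, rtype, rdata in records:
        fq_owner = qualify(owner, origin)
        if rtype == "A" and is_private(rdata):
            findings.append({"owner": fq_owner, "type": rtype, "rdata": rdata,
                             "issue": "private address in an externally served zone"})
        # Heuristic: a dotted target without a trailing dot is almost always an
        # external FQDN that will silently become <target>.<origin>.
        elif rtype in ("NS", "CNAME") and "." in rdata and not rdata.endswith("."):
            findings.append({"owner": fq_owner, "type": rtype, "rdata": rdata,
                             "issue": "unqualified target, would be stored as "
                                      + qualify(rdata, origin)})
    return findings


# Constructed sample records for the zone discussed in the thread.
SAMPLE_RECORDS = [
    ("@", "NS", "dns1.mydomainname.com."),  # fully qualified, fine
    ("dns1", "A", "203.0.113.10"),          # placeholder public address, fine
    ("dns1", "A", "192.168.1.99"),          # the private NIC: must not be published
    ("@", "NS", "ns1.isp.com"),             # missing trailing dot: wrong name stored
    ("www", "CNAME", "dns1"),               # relative in-zone target, fine
]
```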
 

Ace Fekay [MVP]

Herb Martin said:
Make sure we are talking about the same thing: I was referencing the
RESPOND on address. If it should only respond to external client
requests, disable it on the internal interface address (actually ONLY
enable it externally.)

If Adam follows the recommendation of just using the internal private DNS,
then he would need to allow it to listen internally as well if he were to
forward from the internal private DNS to this DNS.

<snip>

--
Regards,
Ace

 
