Pri & Sec DNS questions

Thread starter: Joe

Joe

Would somebody please give me step-by-step, detailed info about how to
set up primary & secondary DNS servers without AD, just stand-alone servers (no DC)?
Thanks.
 
Joe said:
Would somebody please give me step-by-step, detailed info about how to
set up primary & secondary DNS servers without AD, just stand-alone servers (no DC)?
Thanks.

The primary is the ONLY DNS server (in the set) that can change
a specific zone. Secondaries pull changes from their primary
or from another secondary (a.k.a. "the master", to be generic.)

A DNS server has two major functions:

1) Help your users resolve resources through the namespace
(including perhaps the INTERNET)

2) Help "other" users resolve YOUR RESOURCES.

Although many DNS servers do both, it is important to know
which you wish to accomplish -- or both -- and in some sense
to approach the setup as if the two jobs are separate (mostly
they are, in fact.)

When speaking of Primary/Secondary we are talking about
#1 -- Primary and Secondary are terms ONLY on the DNS
server and refer to their responsibility for one particular
zone which lists YOUR RESOURCES.

As to the setup, with the GUI it is pretty trivial -- install
the DNS server (on a server), right-click on Server\Forward Lookup
Zones and create the new zone (following the wizard) as a
Primary. Add records as necessary (more right-clicking).

For the Secondary, repeat the process on the "second" server
except select Secondary in the wizard and point it to the
Primary you created on the previous server.

Of course if you wish the Internet to be able to resolve YOUR
RESOURCES, you have to register with the parent zone/domain
(e.g., .Com)
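Added example, not code from the thread and not Herb's or Joe's: the primary/secondary setup Herb walks through in the wizard, done with the DnsServer PowerShell module (Windows Server 2012 R2 or later; the thread itself describes the MMC wizard), with zone transfers locked to the secondary. The zone msi.com and the hosts ns1/ns2 are the names Joe uses later in the thread; the addresses 203.0.113.10/11/20 are assumed for illustration.

```powershell
# Added example, not code from the thread. Stand-alone (no AD) primary/secondary zone
# for msi.com with the DnsServer module. Assumed addresses (RFC 5737 documentation space):
#   ns1.msi.com 203.0.113.10 (primary), ns2.msi.com 203.0.113.11 (secondary),
#   www.msi.com 203.0.113.20 (the hosted web server).

$zone      = 'msi.com'
$primaryIP = '203.0.113.10'
$secondIP  = '203.0.113.11'

# ---- On ns1 (the primary: the only server that may change the zone) ----
Install-WindowsFeature -Name DNS -IncludeManagementTools

# File-backed primary zone. Without AD there are no secure dynamic updates, so leave
# dynamic update off: a zone that accepts unauthenticated updates can be rewritten by
# any host that can reach port 53.
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None

# A records for both name servers (the registrar needs these as glue) and the web host.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'ns1' -IPv4Address $primaryIP
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'ns2' -IPv4Address $secondIP
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address '203.0.113.20'

# The wizard lists only the local server under "Name Servers"; ns2 needs its own NS
# record at the zone apex as well (Herb's answer to question 6 later in the thread).
Add-DnsServerResourceRecord -ZoneName $zone -Name '@' -NS -NameServer 'ns2.msi.com.'

# Zone transfers only to the secondary, and notify it when the serial changes.
# "Transfer to any server" hands the whole zone to anyone who sends an AXFR.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondIP `
    -Notify NotifyServers -NotifyServers $secondIP

# ---- On ns2 (the secondary: pulls the zone from its master, ns1) ----
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $primaryIP
# A secondary holds a read-only copy; it should not hand that copy out either.
Set-DnsServerSecondaryZone -Name $zone -SecureSecondaries NoTransfer

# ---- Check (from any host that reaches both): identical SOA serial on both servers ----
function Get-ZoneSerial {
    param([string]$Server, [string]$ZoneName)
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -DnsOnly
    ($soa | Where-Object QueryType -eq 'SOA' | Select-Object -First 1).SerialNumber
}
$primaryIP, $secondIP | ForEach-Object {
    "{0}: serial {1}" -f $_, (Get-ZoneSerial -Server $_ -ZoneName $zone)
}
# Also confirm an outsider cannot pull the zone: in nslookup on a host other than ns2,
#   > server 203.0.113.10
#   > ls -d msi.com
# should be refused.
```

If the serials differ, the secondary has not transferred yet; check that the primary's notify/transfer list really contains the secondary's address and that TCP 53 is open from ns2 to ns1, since AXFR runs over TCP.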
 
Thanks for the clarification.
We want to accomplish both (1 & 2), but especially for the internet, because this
DNS server will be used mainly for hosting clients' domains whose websites are
hosted on our web servers.

For more detail on the technical setup, I would like to know:

Let's say the FQDNs for the DNS servers are ns1.msi.com & ns2.msi.com.

1. So for msi.com at the registrar we have to change the nameservers to
point to the IP addresses of these new DNS servers, is that right?

2. If the DNS server is dual-homed (2 NICs), how do I set up the TCP/IP settings,
including the preferred DNS & alternate DNS settings, for the Pri & Sec DNS?

3. For the pri DNS server, the other NIC is used to connect to another
subnet/network, so this VPN server, which will also have DNS installed, can
connect remote users to the other network. Are the settings in #2 still the
same, if that is the case?

4. For the sec DNS server, the other NIC is used to connect to another
subnet/network, so this backup server, which will also have DNS installed, can
back up all the servers on the other network too. Are the settings in #2 still the
same, if that is the case?

5. If I set it up to listen only on "The following IP" in the NS properties
and use a forwarder to the ISP's DNS, then from the Monitoring tab the simple query test
and the recursive query test both fail. Why is that?

6. In the msi.com zone's "Name Servers" tab it shows ns1.msi.com
only; do I have to add the A record for ns2.msi.com as well?

7. What's the problem if, in the Pri DNS, the "Name Servers" tab for every zone
shows ns1.msi.com as unable to resolve (IP address Unknown)?

Thanks
 
Joe said:
Thanks for the clarification.
We want to accomplish both (1 & 2), but especially for the internet, because this
DNS server will be used mainly for hosting clients' domains whose websites are
hosted on our web servers.

For more detail on the technical setup, I would like to know:

Let's say the FQDNs for the DNS servers are ns1.msi.com & ns2.msi.com.

Those are just "domain names" unless you put a dot on the end.

1. So for msi.com at the registrar we have to change the nameservers to
point to the IP addresses of these new DNS servers, is that right?

Right. For external DNS servers that offer your external (view of)
resources, you register them with the Registrar and make sure they are publicly
routable.

If you move them, you update the registrar. Best practice* is to just let
the Registrar PROVIDE them to you so that changes are seldom necessary.
(* Unless you are a large company with many redundant public servers
and your own 24/7 support staff for that.)

Register.com (and many others) do this as part of the yearly registration
fee.
2. If the DNS server is dual-homed (2 NICs), how do I set up the TCP/IP settings,
including the preferred DNS & alternate DNS settings, for the Pri & Sec DNS?

If you intend to use the SAME DNS server for both the internal and
external views of the domain this is GENERALLY a very bad idea.

It can be done; it's non-trivial; it's fraught with both design and
security concerns -- and again, sending the PUBLIC DNS back
to the registrar is almost always better.

3. For the pri DNS server, the other NIC is used to connect to another
subnet/network, so this VPN server, which will also have DNS installed, can
connect remote users to the other network. Are the settings in #2 still the
same, if that is the case?

I did not understand the above paragraph.

What does VPN have to do with the design?
(Note, do NOT CONSIDER irrelevant details when doing initial
design -- you can combine services and servers afterwards once
the design is understood.)

"Setting at #2" ???? NIC settings for a DNS server have NOTHING
to do with the functioning of the machine AS A DNS Server.

Those are its own client settings and need to (both/all) be set to
the correct server set for the machine's own needs. (e.g., a
DNS server in a domain needs to point itself to the internal DNS
server set even if it is NOT one of them itself -- or an internal
DNS server points to itself perhaps.)

4. For the sec DNS server, the other NIC is used to connect to another
subnet/network, so this backup server, which will also have DNS installed, can
back up all the servers on the other network too. Are the settings in #2 still the
same, if that is the case?

Again, you seem to be mixing purposes and even different services.

5. If I set it up to listen only on "The following IP" in the NS properties
and use a forwarder to the ISP's DNS, then from the Monitoring tab the simple query test
and the recursive query test both fail. Why is that?

An external DNS server should only offer the service on the external
NIC.

An internal DNS server should be totally internal (in most all cases.)

6. In the msi.com zone's "Name Servers" tab it shows ns1.msi.com
only; do I have to add the A record for ns2.msi.com as well?

If it is a server for the zone you do.

Also the NS records for it.

7. What's the problem if, in the Pri DNS, the "Name Servers" tab for every zone
shows ns1.msi.com as unable to resolve (IP address Unknown)?

DNS servers resolve in one of three/four ways (plus combinations):

1) From the zones they hold
2) From cache of things they have resolved external to themselves
(see #3 and #4)
3) By recursing from the TOP (usually the Root) of the namespace
down
4) By forwarding to another DNS server that does these

Usually #3 & #4 are mutually exclusive but that is not a rule.

Root hints (or "cache file" in Unix terminology) sets up #3.
The Forwarders tab sets up #4.
Zones take care of #1, and #2 is automatic if either #3 or #4 works.

Do you have AD? If so, you have more problems than you are
discussing so far....
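Added example, not code from the thread: the two server-side roles Herb keeps apart (an external server that answers only for its own zones on its external NIC, and an internal resolver that forwards to the ISP), expressed as DnsServer-module settings plus a check that tells the two apart. Everything here is assumed for illustration: 203.0.113.10 as the public NIC of the external server, 10.1.0.10 as the inside NIC of the internal resolver, 198.51.100.53/54 as the ISP resolvers, and msi.local as an internal zone; the function names are mine.

```powershell
# Added example, not code from the thread. Two server-side profiles plus a role check.
# Assumed: 203.0.113.10 = public NIC of the external (authoritative-only) server,
# 10.1.0.10 = inside NIC of the internal resolver, 198.51.100.53/54 = ISP resolvers,
# msi.local = an internal zone. dnscmd is used for the listen address because the
# property name for it differs between Windows versions.

function Set-ExternalAuthoritativeProfile {
    param([string]$ListenIP)
    # Herb's answer to question 5: an external server offers service on the external NIC only.
    dnscmd.exe /ResetListenAddresses $ListenIP | Out-Null
    # Authoritative only: answer from the zones it holds (method #1), never on behalf of
    # others. Recursion off, forwarders removed. An open recursive resolver on a public IP
    # is a cache-poisoning target and an amplification source for DDoS.
    Set-DnsServerRecursion -Enable $false
    $fw = (Get-DnsServerForwarder).IPAddress
    if ($fw) { Remove-DnsServerForwarder -IPAddress $fw -Force }
}

function Set-InternalResolverProfile {
    param([string]$ListenIP, [string[]]$Forwarders)
    # Internal resolver: inside NIC only, recursion on for its clients, external names sent
    # to the ISP through forwarders (method #4). -UseRootHint $false stops it from falling
    # back to root-hint recursion (method #3) when the forwarders fail; use $true to allow that.
    dnscmd.exe /ResetListenAddresses $ListenIP | Out-Null
    Set-DnsServerRecursion -Enable $true
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
}

function Test-DnsRole {
    param([string]$Server, [string]$OwnZone)
    # A name the server holds (both profiles must answer it) and one it does not
    # (only the internal resolver should come back with an A record for it).
    $own   = Resolve-DnsName -Name $OwnZone -Type NS -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $other = Resolve-DnsName -Name 'example.com' -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server         = $Server
        AnswersOwnZone = [bool]@($own   | Where-Object QueryType -eq 'NS').Count
        Recurses       = [bool]@($other | Where-Object QueryType -eq 'A').Count
    }
}

# Run the matching Set-* function on each box, then test from a host that reaches both:
#   Set-ExternalAuthoritativeProfile -ListenIP '203.0.113.10'
#   Set-InternalResolverProfile -ListenIP '10.1.0.10' -Forwarders '198.51.100.53','198.51.100.54'
Test-DnsRole -Server '203.0.113.10' -OwnZone 'msi.com'    # expect AnswersOwnZone True, Recurses False
Test-DnsRole -Server '10.1.0.10'    -OwnZone 'msi.local'  # expect AnswersOwnZone True, Recurses True
```

On the external profile the Monitoring tab's recursive query test fails by design, since that test asks the server to resolve a name it does not hold; only the simple query against its own zones is meaningful there. A server that reports Recurses True on a public address is an open resolver and should be fixed before it is delegated to.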
 
Herb Martin said:
Right. For external DNS servers that offer your external (view of)
resources, you register them with the Registrar and make sure they are publicly
routable.

If you move them, you update the registrar. Best practice* is to just let
the Registrar PROVIDE them to you so that changes are seldom necessary.
(* Unless you are a large company with many redundant public servers
and your own 24/7 support staff for that.)

Register.com (and many others) do this as part of the yearly registration
fee.

If you intend to use the SAME DNS server for both the internal and
external views of the domain this is GENERALLY a very bad idea.

It can be done; it's non-trivial; it's fraught with both design and
security concerns -- and again, sending the PUBLIC DNS back
to the registrar is almost always better.
I am quite new to setting up DNS, so my understanding is probably still not quite
right. Please correct it if anything is wrong.
Basically this is related to #3 & #4, because the servers my boss
wants to use are (we don't have any other servers available for these purposes):
for the Pri DNS: already used as a VPN server and has 2 NICs (with two different
NAT IP addresses and different gateways) to connect two networks (network A & B),
so a remote admin can connect by VPN to this server and get remote access to the
other network as well.

for the Sec DNS: already used as a backup server and has 2 NICs (with two
different NAT IP addresses and different gateways) to connect two networks (network
A & B), so it is able to map and back up all the servers.

I read somewhere that for a dual-homed DNS server ALL of the DNS settings in the
TCP/IP properties need to point to the internal IP; if that's true, which IP
do I have to use, the IP of the NIC connected to network A or B?

Also, as far as I know the external NIC needs to have only TCP/IP enabled and the
internal NIC can have more protocols and services installed. Is that true?

The other servers are now using the ISP's DNS in the DNS setting of their TCP/IP properties;
later on, after the new pri & sec DNS work fine, should I change all the
servers to use these new pri & sec DNS servers in the DNS setting of their TCP/IP
properties? Or just leave it as is? What are the advantages and disadvantages?
Herb Martin said:
Do you have AD? If so, you have more problems than you are
discussing so far....

No, I don't have AD.
 
[The entire previous post is below my signature in case it is
needed for context (e.g., reference to #3 or #4 etc...) but here
is the outline....]
I am quite new to setting up DNS, so my understanding is probably still not quite
right. Please correct it if anything is wrong.

No problem, and it's usually useful since it (correcting misuse of terms)
avoids adding confusion to an already confusing topic.

Basically this is related to #3 & #4, because the servers my boss
wants to use are (we don't have any other servers available for these
purposes):

This is ONE of the main reasons for NOT providing your own
external DNS -- doesn't require trying to use the "same server"
and avoids adding other servers for just this purpose.

RECOMMENDATION: Put your EXTERNAL DNS zone (back) at your
registrar or move it to one like Register.com.

for the Pri DNS: already used as a VPN server and has 2 NICs (with two different
NAT IP addresses and different gateways) to connect two networks (network A & B),
so a remote admin can connect by VPN to this server and get remote access to the
other network as well.

This vastly complicates trying to get the DNS right (it's even
difficult for you to explain clearly above.)

RECOMMENDATION: Move your INTERNAL DNS back (completely)
INTERNAL to your network where both internal and VPN clients
can access it.
for the Sec DNS: already used as a backup server and has 2 NICs (with two
different NAT IP addresses and different gateways) to connect two networks (network
A & B), so it is able to map and back up all the servers.

I read somewhere that for a dual-homed DNS server ALL of the DNS settings in the
TCP/IP properties need to point to the internal IP; if that's true, which IP
do I have to use, the IP of the NIC connected to network A or B?

RECOMMENDATION: Separate the "I am a DNS server" function
(in your mind and design) from the "I am a DNS client" function.

Also, as far as I know the external NIC needs to have only TCP/IP enabled and the
internal NIC can have more protocols and services installed. Is that
true?

I don't even understand the DISTINCTIONS you are making above.

Any machine must have IP (correctly) configured on any NIC (or
other interface, e.g., RAS or VPN) where it will do IP.

Generally the CLIENT DNS settings should be the SAME on all
NICs (or at least point to the same "set of" DNS servers.)

Remember that DNS Clients PRESUME that all DNS servers they
can connect will return the SAME ANSWERS (and correct answers
of course.)
The other servers are now using the ISP's DNS in the DNS setting of their TCP/IP properties;
later on, after the new pri & sec DNS work fine, should I change all the
servers to use these new pri & sec DNS servers in the DNS setting of their TCP/IP
properties? Or just leave it as is? What are the advantages and disadvantages?

You are mostly confusing yourself by considering Server and Client
DNS issues at the same time; and by confusing External and Internal
DNS servers as well.

Separate both the function AND the consideration to simplify.

DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

Typically the internal DNS server will "forward" to the ISP (or
gateway) DNS for external (public Internet) resolution on behalf
of the clients.

Typically the EXTERNAL DNS resources records will be published
via a completely public DNS server located OUTSIDE your network;
the best choice for most small companies is AT THE REGISTRAR.


If you are still not getting it you can CALL ME -- my phone number
is on my web site: LearnQuick.Com
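Added example, not code from the thread: the "I am a DNS client" side of Herb's recommendation, applied to a dual-homed box such as Joe's VPN or backup server. Every adapter gets the same internal resolver set, in the same order, and a check reports any NIC that still points at the ISP. The addresses are assumptions (10.1.0.10 and 10.2.0.10 as internal resolvers; 198.51.100.53/54 standing in for the ISP resolvers the other servers use today) and the function names are mine. Requires the NetAdapter and DnsClient modules (Windows 8 / Server 2012 or later).

```powershell
# Added example, not code from the thread. Same internal resolver list on every IPv4
# adapter of a (possibly dual-homed) machine, then a per-NIC check.
# Assumed addresses: internal resolvers 10.1.0.10 and 10.2.0.10; 198.51.100.53/54 stand
# in for the ISP resolvers the other servers use today.

$InternalResolvers = '10.1.0.10', '10.2.0.10'
$IspResolvers      = '198.51.100.53', '198.51.100.54'

function Set-UniformDnsClient {
    param([string[]]$Servers)
    # Same list on every adapter that is up, including the NIC facing "the other network".
    # An internal DNS server may list itself first; it is still a client of the same set.
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Servers
    }
}

function Test-UniformDnsClient {
    param([string[]]$Expected, [string[]]$Forbidden = @())
    # One row per adapter. Ok is False when the list differs from $Expected (order matters:
    # the first entry is the preferred server) or contains a forbidden (ISP) address.
    # The resolver treats every configured server as equivalent and may use any of them,
    # so a NIC pointed at the ISP can return a different answer, or none, for an internal name.
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $actual = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
        $leak   = @($actual | Where-Object { $Forbidden -contains $_ })
        [pscustomobject]@{
            Interface = $nic.Name
            Servers   = ($actual -join ',')
            Ok        = (($actual -join ',') -eq ($Expected -join ',')) -and ($leak.Count -eq 0)
        }
    }
}

Set-UniformDnsClient -Servers $InternalResolvers
Test-UniformDnsClient -Expected $InternalResolvers -Forbidden $IspResolvers | Format-Table -AutoSize
```

Run the test function alone first on the existing servers to see which NICs still carry the ISP addresses; after the change, any row with Ok False is a NIC that was configured by hand or by DHCP and needs the same list applied.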
 
Thanks Herb for the detailed explanation, really helpful.

--
Regards,
Joe


 