Proper DNS Config?

Thread starter: Brian Rodeck

Brian Rodeck

Can someone point me to what must be a very standard document? I need help
with the proper DNS design for my simple network. I'm getting DNS errors
that suggest I have the config wrong and want to review a doc before pushing
the details.

- Private network 192.168.200.x protected by ISA server.

- Single Win2K domain with two domain controllers. Each has DNS and DHCP
enabled.

- DSL connection to ISP with two ISP-provided DNS addresses.

I'm confused about pointing to the root on the PDC emulator, root hints,
forwarders. Also, what should the DNS settings be for the ISA server?
 
Here is a link for the DNS white paper:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
Also, here are links for your ISA Server:
www.isaserver.org
www.isatools.org

What kind of DNS errors are you getting?
I would recommend this for your DNS settings.
Your DNS servers (2): Server A and Server B.
Are we using AD for DNS? The information below assumes we are.

Server A's preferred DNS should point to Server B, and then its alternate should
point to itself.
Server B's preferred should point to Server A, and then itself as alternate.
Then do an ipconfig /flushdns and ipconfig /registerdns.
Make sure both DNS servers forward to your ISP DNS servers,
make sure your zones are AD integrated and are allowing dynamic updates as
yes.
Check the name server tabs and make sure you only have the two listed with
the correct information.
If your DNS server has multiple IPs, make sure the interface is set to "only
the following IP address".
Then check your forward lookup zone for any foreign IPs and remove them.
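The checklist above turned into an audit script, added here as an example (not code from the thread). It uses the DnsClient and DnsServer PowerShell modules shipped with Windows Server 2012 and later, which Win2K did not have (there the same items are checked in the DNS MMC snap-in); the domain name, server addresses and ISP resolvers are assumed placeholders.

```powershell
# Added example: audit a DC/DNS server against the checklist in the reply above.
# Requires the DnsClient and DnsServer modules (Windows Server 2012+).
# All values below are assumed; adjust them to your environment.
$Domain    = 'corp.example.local'               # assumed AD DNS zone name
$Partner   = '192.168.200.11'                   # assumed address of the other DC/DNS server
$Self      = '192.168.200.10'                   # assumed address of this server
$IspDns    = @('203.0.113.53', '203.0.113.54')  # assumed ISP resolvers (documentation range)
$LanPrefix = '192.168.200.'                     # private network from the thread

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'OK  ' } else { 'FIX ' }
    Write-Output ("[{0}] {1}: {2}" -f $tag, $Name, $Detail)
}

# 1. Client resolver order: partner DC first, itself as alternate.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
Write-Check 'Client DNS order' (($servers -join ',') -eq "$Partner,$Self") ($servers -join ', ')

# 2. Forwarders point at the ISP resolvers; also show whether root hints remain a fallback.
$fwd   = Get-DnsServerForwarder
$fwdOk = ((($fwd.IPAddress.IPAddressToString | Sort-Object) -join ',') -eq
          (($IspDns | Sort-Object) -join ','))
Write-Check 'Forwarders' $fwdOk ("{0} (UseRootHint={1})" -f ($fwd.IPAddress -join ', '), $fwd.UseRootHint)

# 3. Zone is AD-integrated and accepts dynamic updates (Secure or NonsecureAndSecure).
$zone = Get-DnsServerZone -Name $Domain
Write-Check 'AD-integrated zone' $zone.IsDsIntegrated $zone.ZoneType
Write-Check 'Dynamic updates' ($zone.DynamicUpdate -ne 'None') $zone.DynamicUpdate

# 4. Name Servers tab: exactly two NS records at the zone apex.
$ns = Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS -Name '@'
Write-Check 'NS record count' ($ns.Count -eq 2) (($ns.RecordData.NameServer) -join ', ')

# 5. Listening interface restricted to this server's LAN address only.
$listen = (Get-DnsServerSetting -All).ListeningIPAddress
Write-Check 'Listening IPs' (($listen -join ',') -eq $Self) ($listen -join ', ')

# 6. Foreign A records: any host record whose address is outside the private subnet.
$foreign = Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
           Where-Object { -not $_.RecordData.IPv4Address.IPAddressToString.StartsWith($LanPrefix) }
Write-Check 'Foreign A records' ($foreign.Count -eq 0) (($foreign.HostName) -join ', ')
```

Run it on each DNS server in turn, swapping $Self and $Partner, so that both halves of the preferred/alternate pairing are verified.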
 
Tim and Herb, thanks for the quick replies!

I have numerous errors, starting with the error of misunderstanding <g>.
Thanks to your docs, I have my DNS server "client" information correct. I
will verify that the forwarders are set correctly as well.

The other thing that I'm not clear on is Root Hints. Should I have them on
my two DNS servers? Do they do anything if I have forwarders in place?

Finally, I removed the root from my DNS. I'm behind an ISA server firewall
which connects to the ISP. With the root entry, I was unable to do
forwarders.
 
Herb, my "allow dynamic updates" setting is "Only Secure Updates" on both
AD-integrated DNS servers.

Do I need to check elsewhere to make sure they can communicate with each
other's DNS using this setting?
 
Thanks Herb. To be a bit more specific, does "Secure Updates" for "Allow
Dynamic Updates" imply an encryption protocol like IPSec is running on the
servers? I don't have it enabled at this point. Or, does it mean that the
updates must come from Win2K servers in the domain?
 
Brian Rodeck said:
Thanks Herb. To be a bit more specific, does "Secure Updates" for "Allow
Dynamic Updates" imply an encryption protocol like IPSec is running on the
servers? I don't have it enabled at this point. Or, does it mean that the
updates must come from Win2K servers in the domain?

No. Sort of. It means that the clients must authenticate (Kerberos,
NTLM) in the domain/forest/trust relationship to be allowed to update;
and (I believe) they might use a secure channel similar to when machines
contact DCs to send user credentials/authenticate but that is not something
that ever really worried me enough to check.

In most cases it means the machines have to be from your domain/forest.
 