Removing NS Record for a Windows 2000 GC in a Unix Environment

I have a Win2k GC which is behind a firewall and has a private IP address. This means it's not able to route beyond our network. Trouble is, it's trying to answer DNS requests outside our network but of course can't.

How can I stop our Win2k GC / DNS server from answering DNS requests, as we have Unix BIND servers doing this?
When I take the GC name out of the NS record tab and also remove it from the SOA, it just goes straight back in there, and running a dig command indicates that my Win2k GC / DNS server is still answering DNS requests.

Can this be disabled?

Any help is much appreciated
 
Peter Birkle said:
I have a Win2k GC which is behind a firewall and has a private IP
address. This means it's not able to route beyond our network. Trouble
is it's trying to answer DNS requests outside our network but of course
can't.

How can I stop our Win2k GC / DNS server from answering DNS requests,
as we have Unix BIND servers doing this?
When I take the GC name out of the NS record tab and also remove it
from the SOA, it just goes straight back in there, and running a dig
command indicates that my Win2k GC / DNS server is still answering
DNS requests.

Can this be disabled?

Any help is much appreciated

Well, I'm not sure about your topology, so I need to know: does the W2k DNS hold the AD records and are you using that DNS for AD, or are you using BIND for AD?

Think about it: if you have DNS installed, then it's going to listen. Period. It's a service designed to listen to requests. If you don't want that, uninstall it and use the BIND server and follow the procedure so it can host the AD zone name. If you need instructions, let me know.

The GC is registered automatically along with the rest of the SRV records, by the Netlogon service, and is by design and default and *required* by AD and pretty much how it works...... So why would you want to kill the GC entry? AD **NEEDS** that!

If BIND is not hosting AD stuff and you want to continue with W2k DNS to host the required AD data, and you don't want it to query the outside world, configure a forwarder from the W2k DNS to the BIND DNS, assuming BIND is doing outside resolution. Also in this scenario, you would want to disable recursion under the Forwarders tab (bottom checkbox) so it doesn't query the root hints if the BIND server doesn't respond or have an answer. Maybe that's what you're talking about, since the roots are always queried if the server doesn't have an answer (that's the way ANY DNS server works, W2k or BIND).


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I definitely want DNS running on my GC.

I just want to remove the NS which is the GC from the Name Servers tab.
But when I do this and do a refresh and reload the DNS zone, the GC NS record reappears.

Is it possible to have the GC still running DNS but not have it actually listed in the Name Servers tab?

I did what you said and disabled recursion under the Forwarders tab, and in root hints I have the 2 BIND servers listed.

But when I run a dig command the GC still attempts to answer.
 
Peter Birkle said:
I definitely want DNS running on my GC.

I just want to remove the NS which is the GC from the NS name servers
tab.
But when I do this and do a refresh and reload the DNS zone the GC NS
record re-appears.

Is it possible to have the GC still running DNS but not have it
actually listed in the Name Servers Tab?

I did what you said and disabled recursion under the forwarders tab
and in root hints I have the 2 BIND servers listed.

But when I run a dig command the GC still attempts to answer.

Just want to get the terminology straight here for all of us.... maybe that
is what's confusing me with what you're trying to accomplish.....
So you're saying that it's not the GC SRV record you want to get rid of, but
rather the NS record in the Name Servers tab, but this machine just *happens*
to be a GC?

May I ask why?

Since the machine is a DNS server, it will always register itself as a
nameserver in the nameserver list; that's by default, to identify itself.

So you're saying when you run a DIG query, this DNS server is answering?
Where are you running this from? Unix/Linux or W2k? When you run DIG or
nslookup, it will use whatever server is listed in your IP config
properties.

--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I was asked by one of the Unix admins, because they don't want my Win2k GC / DNS server attempting to answer external DNS queries, as it's returning a lot of errors because my Win2k GC / DNS server cannot route externally (it has a private IP). So to stop these errors I was asked to see if I could resolve the problem by removing the NS record from the Name Servers tab in DNS on my Win2k GC / DNS server, but obviously it's not possible.

Okay, so what you're saying is, as long as my GC called ADMINCAT01 is a DNS server it will always appear in the Name Servers tab. No problems.

The IP address of the Win2k GC called admincat01 is a private IP address of 172.20.3.1.

I work at University of Wollongong, Australia, and our 2 main UOW DNS servers are BIND servers.
Their IP addresses are 130.130.68.1 and 130.130.64.
This is what's in the DNS config on my client machine, as it is on all our Windows machines in our AD domain.

So I guess it's basically impossible to stop my Win2k GC / DNS server from answering DNS requests outside the UOW network. We have 2 firewalls: a border firewall at the perimeter of the UOW network protecting us from the Internet, and an internal firewall for our Windows / Unix servers. We have a back-end arm Windows VLAN for things like AD GCs, SQL Servers etc., and a front-end arm for things like web services and file sharing.

Results from my dig:

;; ANSWER SECTION
adm.uow.edu.au. 1H IN NS admincat01.adm.uow.edu.au
adm.uow.edu.au. 1H IN NS dns1.uow.edu.au
adm.uow.edu.au. 1H IN NS dns.its.uow.edu.au

;; ADDITIONAL SECTION
admincat01.adm.uow.edu.au. 1H IN A 172.20.3.1

;; Total query time: 31 msec
;; FROM: snoopy to SERVER: 172.20.3.1
;; WHEN: Thu Mar 11 12:39:49 200
;; MSG SIZE sent: 32 rcvd: 11
 
Your comment:
"Think about it, if you have DNS installed, then it's going to listen. Period. It's a service designed to listen to requests. If you don't, uninstall it and use the BIND server and follow the procedure so it can host the AD zone name. If you need instructions, let me know."

Could you send me some instructions please on using BIND to host the AD zone?

Thanks

Peter Birkle
 
I work with Peter and he asked me to see if I could make the problem we're trying to solve clearer.

We have a domain adm.uow.edu.au which is an Active Directory domain, delegated to the domain controller
admincat01.adm.uow.edu.au. The DC is on a private address. Our two public-address DNS servers are acting as
secondaries for the adm.uow.edu.au zone.

The problem occurs when anyone external to our network attempts to resolve an address in the adm.uow.edu.au zone,
eg. computera.adm.uow.edu.au. computera is on a public address. The external client or their DNS server, when trying to
resolve computera.adm.uow.edu.au, will, on average one time out of three, attempt to connect to
admincat01.adm.uow.edu.au, which will fail (or possibly connect to a host on their own private network with the same IP
address). Once this times out, it should then connect to one of our two public DNS servers and everything works from there.

It's the delay, due to timeout then failover, that we're trying to remove.

The way we fix the problem in our Unix/BIND environment is to not have an NS record for the master for its zones, often
referred to as a "Hidden Master" arrangement. We were hoping to do the same thing with our Windows environment, but
whenever the NS record for the master is removed, it's replaced next reload, and xfer'd back to the secondaries.
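The check below is an added example, not code from this thread or from anyone posting in it. It parses the kind of dig output Peter pasted earlier and flags the NS records whose addresses Internet resolvers cannot reach, which are exactly the names a hidden-master arrangement leaves out of the public NS set. The sample input is the dig answer from this thread, reconstructed with the section-header colons dig normally prints; the classification rules (RFC 1918 and other non-routable ranges, via Python's standard ipaddress module), the "no-glue" verdict for out-of-zone servers whose address was not in the response, and the function names are my own.

```python
"""Audit a delegation's NS set for servers external resolvers cannot reach."""
import ipaddress
import re

# Constructed input: the dig output quoted in this thread (admincat01 at
# 172.20.3.1), not a live query. The two public BIND servers are out of
# zone, so the answer carries no glue for them.
SAMPLE_DIG = """\
;; ANSWER SECTION:
adm.uow.edu.au.            1H IN NS admincat01.adm.uow.edu.au.
adm.uow.edu.au.            1H IN NS dns1.uow.edu.au.
adm.uow.edu.au.            1H IN NS dns.its.uow.edu.au.

;; ADDITIONAL SECTION:
admincat01.adm.uow.edu.au. 1H IN A 172.20.3.1
"""

# One resource record per line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\S+)\s+IN\s+(?P<rtype>NS|A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_dig(text):
    """Collect NS targets per zone and A/AAAA addresses per name from dig output.

    Comment lines (';;') and blank lines are skipped; trailing dots and case
    are normalised so names from different sections compare equal.
    """
    ns_by_zone, addrs_by_name = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner = m["owner"].lower().rstrip(".")
        rdata = m["rdata"].lower().rstrip(".")
        if m["rtype"] == "NS":
            ns_by_zone.setdefault(owner, []).append(rdata)
        else:
            addrs_by_name.setdefault(owner, []).append(rdata)
    return ns_by_zone, addrs_by_name


def reachable_from_internet(ip_text):
    """False for RFC 1918, loopback, link-local, multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def audit_nameservers(ns_by_zone, addrs_by_name):
    """Return {ns_name: 'ok' | 'private' | 'no-glue'} for every NS target.

    'private'  - at least one of its addresses in the response is unroutable
                 from the Internet, so external resolvers will time out on it.
    'no-glue'  - no address in this response (typical for out-of-zone NS);
                 resolve it separately before trusting it.
    """
    findings = {}
    for servers in ns_by_zone.values():
        for server in servers:
            ips = addrs_by_name.get(server)
            if not ips:
                findings[server] = "no-glue"
            elif all(reachable_from_internet(ip) for ip in ips):
                findings[server] = "ok"
            else:
                findings[server] = "private"
    return findings


def hidden_master_candidates(findings):
    """Names that must not appear in the NS set the Internet sees."""
    return sorted(name for name, verdict in findings.items() if verdict == "private")


if __name__ == "__main__":
    ns, addrs = parse_dig(SAMPLE_DIG)
    verdicts = audit_nameservers(ns, addrs)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:30} {verdict}")
    print("remove from public NS set:", hidden_master_candidates(verdicts))
```

Run it against the output of `dig @<public-server> adm.uow.edu.au NS` to confirm, after any change, that the public servers no longer hand out admincat01 in the NS set.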
 
Peter Birkle said:
Your comments
"Think about it, if you have DNS installed, then it's going to
listen. Period. It's a service designed to listen to requests. If you
don't, uninstall it and use the BIND server and follow the procedure
so it can host the AD zone name. If you need instructions, let me
know."

Could you send me some instructions please on using BIND to host the
AD zone please.

Thanks

Peter Birkle

Sure, here you go. Tell you the truth, and this is pretty much the consensus
among the engineers, it's easier to use Windows DNS for AD and just do zone
transfers to the BIND server for the zone and let your users use the BIND
server. BIND is recommended to be at least 8.2.3 to support most of the
features. There are no Secure Updates as of yet between BIND and Windows, as
far as I know.

255913 - Integrating Windows 2000 DNS into an Existing BIND or Windows NT
4.0-Based DNS Namespace:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255913

Configuring Berkeley Internet Name Domain (BIND) to Support Active
Directory:
http://www.microsoft.com/technet/tr...net/prodtechnol/iis/deploy/depovg/cfgbind.asp

Support WebCast Microsoft Windows 2000 DNS and UNIX BIND DNS
Interoperability:
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022602/wcblurb022602.asp

324858 - WebCast Microsoft Windows 2000 DNS and UNIX BIND DNS
Interoperability:
http://support.microsoft.com/?id=324858

BIND Your Windows 2000 DNS - from MCP Mag:
http://www.mcpmag.com/features/article.asp?EditorialsID=273



--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Christian Fenn said:
I work with Peter and he asked me to see if I could make the problem
we're trying to solve clearer.

We have a domain adm.uow.edu.au which is an active directory domain,
delegated to the domain controller admincat01.adm.uow.edu.au. The DC
is on a private address. Our two public addresses dns servers are
acting as
secondaries for the adm.uow.edu.au zone.

The problem occurs when anyone external to our network attempts to
resolve an address in the adm.uow.edu.au zone,
eg. computera.adm.uow.edu.au. computera is on a public address. The
external client or their dns server when trying to resolve
computera.adm.uow.edu.au will, on average one time out of three,
attempt to connect to
admincat01.adm.uow.edu.au which will fail (or possibly connect to a
host on their own private network with the same IP address) Once this
times out, it should then connect to one of our two public dns
servers and everything works from there.

It's the delay, due to timeout then failover, that we're trying to
remove.

The way we fix the problem in our unix/bind environment is to not
have an NS record for the master for its zones, often referred to as
a "Hidden Master" arrangement. We were hoping to do the same thing
with our windows environment, but whenever the NS record for the
master is removed, it's replaced next reload, and xfer'd back to the
secondaries.

I see. If you go into the nameserver tab and remove it, it always comes
back. What seems to be happening with the BIND servers I believe is covered
under this article:

Explanation of how BIND chooses among multiple authoritative name servers
(RTT):
http://www.acmebw.com/askmrdns/archive.php?question=3

I have to find out specifically how to stop that, but look at this article
in the section called WriteAuthorityNs and test it out
198409 - Microsoft DNS Server Registry Parameters, Part 2 of 3:
http://support.microsoft.com/?id=198409

Let me know if it works.



--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I tried your recommendation. Doesn't work.

I have to find out specifically how to stop that, but look at this article
in the section called WriteAuthorityNs and test it out
198409 - Microsoft DNS Server Registry Parameters, Part 2 of 3
http://support.microsoft.com/?id=198409

Didn't work!

The ADMINCAT01 NS record keeps coming back in the Name Servers tab and so keeps trying to answer DNS requests.

Also tried setting the registry value to 0 and 1; it still keeps coming back.

I guess it's just not possible to have a Win2k DNS server not attempt to answer DNS requests, because it's meant to by default.
Any other ideas?
 
I may not totally understand all your needs, but here is a shot from what I
glean from the post.
1) Don't host adm.uow.edu.au as a secondary on your BIND servers. Your BIND
servers are public; keep them that way without any knowledge of private IPs
(this is one of the problems and will continue to be a problem if using
secondaries for an internal zone). If you actually *need* public IPs in the
adm.uow.edu.au zone, then create an external primary on your BIND server and
populate it with the required public A records (etc.). Now any external request
gets answered by your BIND server (set up a secondary on the other BIND
server). This is also called split-horizon or split DNS.

2) Have all your internal AD servers and clients point to your internal DNS
server(s) *only*. If you need external rez for the clients (i.e. INET rez),
set up a forwarder to the BIND server(s) for external rez. Now internal clients
will register into private space and not affect what is going on externally.
You have strong separation of duty here and boundaries. External and
internal do not mess with each other in this config.

If I am missing your problem, please set me straight and we can help you
find a solution to meet your needs. I would definitely keep w2k/w3k DNS for
your internal AD space if possible.

--
William Stacey, MS MVP


Christian Fenn said:
I work with Peter and he asked me to see if I could make the problem we're trying to solve clearer.

We have a domain adm.uow.edu.au which is an active directory domain,
delegated to the domain controller
admincat01.adm.uow.edu.au. The DC is on a private address. Our two public
addresses dns servers are acting as
secondaries for the adm.uow.edu.au zone.

The problem occurs when anyone external to our network attempts to resolve
an address in the adm.uow.edu.au zone,
eg. computera.adm.uow.edu.au. computera is on a public address. The
external client or their dns server when trying to
resolve computera.adm.uow.edu.au will, on average one time out of three, attempt to connect to
admincat01.adm.uow.edu.au which will fail (or possibly connect to a host
on their own private network with the same IP
address) Once this times out, it should then connect to one of our two
public dns servers and everything works from there.
It's the delay, due to timeout then failover, that we're trying to remove.

The way we fix the problem in our unix/bind environment is to not have an
NS record for the master for its zones, often
referred to as a "Hidden Master" arrangement. We were hoping to do the
same thing with our windows environment, but
whenever the NS record for the master is removed, it's replaced next
reload, and xfer'd back to the secondaries.
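The fragment below is an added illustration of the split-horizon arrangement William describes, not configuration from this thread or from UOW: the BIND servers stop slaving the AD zone and instead serve their own public-only primary copy of adm.uow.edu.au, whose NS records name only the two public servers, so admincat01 never appears in anything an Internet resolver sees. It also gives the hidden-master property Christian wants without fighting the Windows server's NS re-registration. BIND 9 syntax is assumed (the thread's BIND 8.2.3 reference predates it); the SOA contact, serial, the second public server's address (truncated in the thread) and computera's public address are placeholders.

```conf
// named.conf fragment on the public primary (assumed here to be dns1.uow.edu.au)

acl "public-secondary" {
    203.0.113.2;        // PLACEHOLDER: address of the other public server (dns.its.uow.edu.au)
};

zone "adm.uow.edu.au" {
    type master;
    file "master/adm.uow.edu.au.public";   // public view only; never a copy of the AD zone
    allow-transfer { "public-secondary"; }; // the other public server slaves this copy
    notify yes;
};

// master/adm.uow.edu.au.public -- the version of the zone the Internet sees
// $TTL 3600
// @           IN  SOA dns1.uow.edu.au. hostmaster.uow.edu.au. (
//                     2004031101  ; serial     (PLACEHOLDER, YYYYMMDDnn)
//                     3600        ; refresh
//                     900         ; retry
//                     604800      ; expire
//                     3600 )      ; negative-caching TTL
// ; Only the public servers are listed. admincat01 (172.20.3.1) is deliberately
// ; absent, so no external resolver ever selects it and times out.
//             IN  NS  dns1.uow.edu.au.
//             IN  NS  dns.its.uow.edu.au.
// ; Public addresses only: nothing in 172.20.0.0/16 may appear in this file.
// computera   IN  A   203.0.113.10   ; PLACEHOLDER for computera's real public address
```

The internal side stays as Ace described earlier: the Win2k server keeps the real, dynamically updated adm.uow.edu.au zone for AD clients and forwards everything else to the BIND servers with recursion to the root hints disabled. After the change, a query for adm.uow.edu.au NS from outside should return only the two public names, and the parent delegation in uow.edu.au should point at the same two servers.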
 
William Stacey said:
I may not totally understand all your needs, but here is a shot from
what I glean from the post.
1) Don't host adm.uow.edu.au as a secondary on your BIND servers.
You bind servers are public, keep them that way without any knowledge
of private IPs (this is one of the problems and will continue to be a
problem if using secondaries for internal zone.) If you actually
*need public IPs in the adm.uow.edu.au zone, then create an external
primary on your Bind server and populate with required public A
records (etc.) Now any external request gets answered by your Bind
server (setup a secondary on the other bind server.) This is also
called a split-horizon or split dns.

2) Have all your internal AD servers and clients point to your
internal DNS server(s) *only. If you need external rez for the
clients (i.e. INET rez) setup Forwarder to Bind server(s) for
external rez. Now internal clients will register into private space
and not affect what is going on externally. You have strong
separation of duty here and boundaries. External and internal do not
mess with each other in this config.

If I am missing your problem, please set me straight and we can help
you find a solution to meet your needs. I would definitely keep
w2k/w3k DNS for your internal AD space if possible.


Hmm, I think that's a great suggestion William, and may help with all the
problems. After all, what's going on here maybe what we usually preach not
to mix private and public data or let private data be accessible from the
Internet.

I hope Christian would agree.

There are however specific registry entries that I can provide to kill
registration completely, and then of course the necessary records would have
to be manually made for the AD domain. I was trying to keep from posting
them because of the administrative overhead it would cause. Those entries I
usually post in conjunction with stopping multi-registration with dual NICs,
and such, and may help here, but would have to go a step further to stop all
registration, which I don't think Christian would like, because I know I
wouldn't like it!!!

--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay said:
them because of the administrative overhead it would cause. Those entries I
usually post in conjunction with stopping multi-registration with dual NICs,
and such, and may help here, but would have to go a step further to stop all
registration, which I don't think Christian would like, because I know I
wouldn't like it!!!

I would agree fully, Ace. I tend not to recommend forcing such changes to
the native logic, as you have to remember them and remember you did it 6
months from now when you have some problem related to that change, and, in
this case, I don't think it is necessary, as a better solution exists that I
think you agree with. The big issue, I see, is having those private IPs in
the public zone and the issues this can and does raise, as Peter detailed.
My mantra is keep it simple and keep 'em separate. You eliminate a lot of
mojo and confusion that way and you have clear diag and management
boundaries. Look forward to Peter's reply.
 
William,

I spoke to Christian, who looks after our Unix and DNS environment at UOW (not all by himself, mind you; Simon also is our Unix Support Engineer). Christian said if we give our Windows servers that currently have a private IP a public IP address also, this could work, except that applications may get confused when trying to resolve adm.uow.edu.au.

It would be better to direct your questions to Christian, as my understanding of DNS and BIND isn't as good as his.
Basically what William is saying is don't host the adm.uow.edu.au zone as a secondary on the BIND end, but create an external primary zone and put the A records for the adm.uow.edu.au domain in there.

Would this be correct?

So for example:

serverx has an internal private address of 172.20.3.11 and is called serverx.adm.uow.edu.au.
On the BIND side we would create an A record and it would look like this: serverx.its.uow.edu.au.
The .its.uow.edu.au is publicly resolvable.

Would my understanding be correct?
If not, please excuse my ignorance.

Peter
 
You got it. For security and name rez issues, you don't want private IPs in
your public zones - as people can't reach them anyway. Change is easy and
should clear up a few things for you guys. Cheers!

--
William Stacey, MVP

Peter Birkle said:
William,

I spoke to Christian who looks after our Unix and DNS environment at UOW
not all by himself mind you Simon also is our Unix Support Engineer.
Christian said if we give our Windows Servers that currently have a private
IP, a public IP address also this could work except that applications may
get confused when trying to resolve adm.uow.edu.au.
It would be better to direct your questions to Christian as my
understanding of DNS and BIND aren't as good as his.
Basically what William is saying is don't host the adm.uow.edu.au zone as
a secondary on the BIND end but create external primary zone and put the A
records for the adm.uow.edu.au domain in there.
 
William Stacey said:
I would agree fully Ace. I tend not to recommend forcing such
changes to the native logic as you have to remember them and remember
you did it 6 months from now when you have some problem related to
that change and, in this case, I don't think it is necessary as a
better solution exists that I think you agree with. The big issue, I
see, is having those private IPs in the public zone and the issues
this can and does raise as Peter detailed. My mantra is keep it
simple and keep 'em separate. You eliminate a lot of mojo and
confusion that way and you have clear diag and management boundaries.
Look forward to Peter's reply.

Sometimes it's nice to get a second opinion or just a look-over in case
someone missed something.

--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guys,

Thanks a million for all your help.

Wow, this has been a long thread :)

I have learnt a lot about DNS in a short time.

I guess the golden rule about DNS: don't mix private with public addresses.

Cheers

Peter Birkle
 
Peter Birkle said:
Guys,

Thanks a million for all your help.

Wow, this has been a long thread :)

I have learnt a lot about DNS in a short time.

I guess the golden rule about DNS: don't mix private with public
addresses.

Cheers,

Peter Birkle


There you go!
Cheers!



--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Peter Birkle said:
Guys,

Thanks a million for all your help.

Wow, this has been a long thread :)

I have learnt a lot about DNS in a short time.

I guess the golden rule about DNS: don't mix private with public
addresses.
Yep, pretty much true. The only exception is if you have an internal zone
with a public name, such as if your AD name is the same as your public name
and your website is hosted elsewhere: you need a www record with the website's
public address.

If you host a public zone locally, don't use any private records in the public
zone.
 
Just to let everyone know how we're going to approach this now:

Any server in the adm.uow.edu.au domain that needs to be accessed from outside our network will not only have a public
IP address (which they do now), but also a 'public name', which is served authoritatively from our public DNS servers.
The only problem we'll have to overcome is when an application uses the machine's DNS domain name, or AD DNS domain
name, to generate a reference to itself and uses the adm.uow.edu.au address instead.

eg. computera.adm.uow.edu.au hosts a website. It's accessed by everyone as computera.its.uow.edu.au, so all is well and
good for name resolution. The webserver needs to generate a self-referential URL, and uses its local name,
computera.adm.uow.edu.au. (I know Apache and IIS won't do this, but it's a generic example.) An external client could still
encounter the DNS problem we've been trying to fix. If this is unfixable in any required app, we'll look at changing the host's
DNS domain name to its.uow.edu.au and see if that breaks anything with domain membership.

Thank you all for your help.
Christian
 