
problems with AD internal domain name, DNS root setting, etc.


Jeff

May 9, 2003, 2:10:09 AM5/9/03
I am assisting with an internal network for my organization, and we
have some problems with the current setup of Active Directory and DNS.

The primary problem is that there is an "." entry in the forward
lookup area of the DNS mgr. This is a problem b/c our xp pro boxes
take forever to login, and I mean forever.

Now my big concern is twofold.

A. How will the deletion of "." affect the current domain and the
users/groups established therein.

B. Our domain has the name xyz.org as it appears in the forward lookup
table, but unfortunately, xyz.org has to resolve to an external
webserver to our web browsers on the internal network.

Exchange is set up on this server, which adds another layer of
complexity to the domain naming issue, if it is one...

I was under the impression that your domain should be something along
the lines of private.xyz.org or internal.xyz.org, not something that
resolves externally...

I could use some guidance here on how to proceed. I have put together
a hack on the xp pro client boxes which speeds up the login, but it is
only that, a hack and I want to configure this server appropriately.

Thanks a million for your ideas.

Ron Lowe

May 9, 2003, 7:36:56 AM5/9/03
"Jeff" <tiv...@yahoo.com> wrote in message
news:6dd26f56.03050...@posting.google.com...


You are on the right path.

1) Firstly, here's my usual lecture on setting up AD DNS:

XP differs from previous versions of Windows in that it uses
DNS as its primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
timeout before it tries using legacy NT4 style NetBIOS.
( Which may or may not work. )

1.1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing at an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

1.2) Ensure the DNS server on win2k is configured to permit dynamic updates.

1.3) Ensure the win2k server points to itself as a DNS server.

1.4) For external ( internet ) name resolution, specify your ISP's DNS
server not on the clients, but in the 'forwarders' tab of the local win2k
DNS server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to your ISP or the root servers.
Accept any nags etc, and let it delete any corresponding reverse lookup
zones if it asks.


The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202


2) Your choice of AD domain name is a potential minefield.

There is more than one way to do this, and the best solution depends on
where your externally-visible Internet Domain is hosted, ( specifically, who
has admin control of the DNS for the Internet Domain.. ) and how you want
to handle the relationship between your externally-visible DNS and your
internal DNS. There are entire books devoted to this topic, so I can only
give broad advice here. Even so, I seem to have run to a lengthy lecture
:-)

Situation 1
======
For example, let's say you have an Internet domain, xyz.org.
Usually, this will not be served in-house.
You will have an external company providing the hosting.

Perhaps you have a webserver for the public to look at, www.xyz.org.
There must be a DNS server somewhere which already contains the xyz.org zone
files.
This is called the 'authoritative' DNS server for the xyz.org domain.
What that means is that this is the DNS server that the parent domain
(.org ) will direct queries to.
It will typically not contain many things. Only those things which the
public need to know about. So there will be entries for www, ftp, and an MX
record or two.
This will usually be set up by whoever administers your xyz.org domain.

So if we assume the external Internet domain xyz.org already exists, and
there's a DNS server for it at our web hosting company, how do we name our
new internal AD domain?

Solution 1.1
========
If we name the AD domain the same as the external Internet domain, then
there are 2 different DNS servers both holding zone files for xyz.org. An
external one, which the public will get. ( Because that's the one .org knows
about. ) It can resolve only those things like www.xyz.org, and ftp.xyz.org.
which are listed on the external DNS server. There is also an Internal DNS
server which reckons it knows about the xyz.org domain. It contains all
the xyz.org internal AD Domain hosts, but knows nothing about the external
xyz.org Internet Domain. So if an internal client goes looking for
www.xyz.org, the local DNS server will say 'hey, that's my zone', look in
the internal xyz.org zone file and come up empty. He will NOT forward the
request out to the internet, because as far as he's concerned, he has found
the xyz.org zone, and needs to go no further.

In this case, you must manually add Host (A) records for the hosts www and
ftp in the xyz.org zone of the local DNS server, and point them at the
proper IP address of the externally-hosted website.


Solution 1.2
========

In this case, we name the internal domain as a child domain of the Internet
Domain.
Perhaps ad.xyz.org. ( AD for Active Directory. )

Now, the local DNS server holds a zone called ad.xyz.org.
All the domain machines have names like dc-1.ad.xyz.org.

Internal clients will find internal domain machines correctly as before.
But now, an internal machine looking for www.xyz.org will cause the internal
DNS server to look locally, find no such zone, and then perform an external
lookup, and it will hit the external DNS server, and return the correct
external IP address.

In this case, there is no need to manually add the external hosts to the
internal DNS zone, because they do not share the same name.

Note that an external client machine on the internet cannot resolve any of
your internal ad.xyz.org machines, because the external DNS server knows
nothing about the ad.xyz.org 'child' domain. Only the internal machines
can resolve the child domain, because only the internal DNS server knows
about it. The child domain is 'disconnected' from the external DNS
hierarchy.

This solution works well where you have an externally hosted Internet
Domain, and an internal AD domain.
There's no name conflict for the internal machines to worry about.

Situation 2
========
In this situation, you are a bigger organisation, and have a fat pipe to the
Internet.
You want to host your own WWW and FTP sites internally, and you run your own
internet-exposed authoritative DNS servers for the xyz.org Internet Domain.

We now want to set up an AD domain.

Now, even if we have direct admin control of the public xyz.org DNS, I'd
still be inclined to run a separate DNS server for the AD domain. This is
because I would not want my internal structure to be queryable on a
public-facing DNS server.

We then have the same 'split brains' issue I described above.

So, we have the same options.
2.1: Internet Name = AD name. Internal Clients point to Internal AD DNS,
External visitors hit external facing DNS which has typically only www and
ftp hosts listed. Administrator must manually add any such sites from
external DNS into Internal DNS.

2.2: Different names: No issue to resolve, as before.


Like I say, there's more than one way to skin this particular cat.
You may wish to consider getting professional advice.

--
Best Regards
Ron Lowe
MVP - Windows Networking
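The resolver behaviour Ron describes (a root zone swallowing every query, an internal zone shadowing the public xyz.org zone, and the child-domain layout that avoids the clash) can be modelled in a few lines. This is an added illustration, not code from the thread or from Microsoft; the zone contents and IP addresses are constructed placeholders.

```python
"""Model of a DNS server deciding: answer from a local zone, or forward?
Added example, not from the post. Zones/IPs below are constructed."""
from typing import Dict, Optional

NXDOMAIN = "NXDOMAIN"      # server is authoritative but has no record
FORWARDED = "FORWARDED"    # no local zone matched, query goes to forwarders

Zones = Dict[str, Dict[str, str]]   # zone name -> {fqdn: A record}

def find_zone(name: str, zones: Zones) -> Optional[str]:
    """Longest locally hosted zone that contains `name`, or None.
    A root zone "." matches every name, so nothing is ever forwarded."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return "." if "." in zones else None

def resolve(name: str, zones: Zones) -> str:
    """Once a zone matches, the server answers from it (possibly NXDOMAIN)
    and does NOT go further; only an unmatched name is forwarded."""
    zone = find_zone(name, zones)
    if zone is None:
        return FORWARDED
    return zones[zone].get(name, NXDOMAIN)

def with_root_zone() -> str:
    """Jeff's setup: a "." zone exists, so even external names die locally."""
    zones: Zones = {"xyz.org": {"dc1.xyz.org": "10.0.0.1"}, ".": {}}
    return resolve("www.example.com", zones)     # NXDOMAIN, never forwarded

def solution_1_1(add_www_record: bool) -> str:
    """AD domain == Internet domain: www.xyz.org is NXDOMAIN until an
    A record pointing at the external host is added by hand."""
    zones: Zones = {"xyz.org": {"dc1.xyz.org": "10.0.0.1"}}
    if add_www_record:
        zones["xyz.org"]["www.xyz.org"] = "203.0.113.10"   # placeholder IP
    return resolve("www.xyz.org", zones)

def solution_1_2() -> str:
    """Child domain ad.xyz.org: www.xyz.org matches no local zone and is
    forwarded, while dc-1.ad.xyz.org still answers locally."""
    zones: Zones = {"ad.xyz.org": {"dc-1.ad.xyz.org": "10.0.0.1"}}
    assert resolve("dc-1.ad.xyz.org", zones) == "10.0.0.1"
    return resolve("www.xyz.org", zones)

if __name__ == "__main__":
    print(with_root_zone(), solution_1_1(False), solution_1_1(True), solution_1_2())
```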

Jeff

May 11, 2003, 3:56:36 PM5/11/03
I can totally live with solution 1.1, as I could start up iis on the
ad server and do a response.redirect to the "www.xyz.org" for a
request that is made to "xyz.org" (total hack I know...). A
reeducation program for our users could be implemented to inform them
of the fact that xyz.org might not be supported anymore to reach our
website.

My biggest concern at this point is the "." dns entry. Is deleting
this going to affect my xyz.org entry in the forward lookup zones, or
affect the domain/groups/users in any way?

Sorry to be a bit of a neophyte here, but I am enjoying learning about
this.

Jeff

"Ron Lowe" <ron.lowe@{DELETE}btopenworld.com> wrote in message news:<esjxO9hF...@TK2MSFTNGP12.phx.gbl>...

Ron Lowe

May 12, 2003, 5:14:26 AM5/12/03
No, removing the root zone will not cause a problem.
Your DNS server is not a root nameserver.

--
Best Regards
Ron Lowe
MVP - Windows Networking

"Jeff" <tiv...@yahoo.com> wrote in message
news:6dd26f56.03051...@posting.google.com...
