
DNS


Bobby Davies

Nov 26, 2003, 11:40:23 AM
I just wanted to get some opinions on this first.

I have a small private home network on which I have installed a Windows 2003
DC with AD, and I have not configured DNS yet.

What is the best way to do so, seeing as I want to completely use my ISP's
DNS? I have an existing router which also acts as my DHCP server and
gateway.

Any suggestions on how to configure my new DNS server for just housing DNS
and not really handling name resolution?

Thanks


Ace Fekay [MVP]

Nov 26, 2003, 7:28:47 PM
In news:OcWD%23vDtD...@tk2msftngp13.phx.gbl,
Bobby Davies <bobby....@co.ramsey.mn.us> posted their thoughts, then I
offered mine

It is highly unlikely (almost impossible) that you set up a domain controller
for an AD domain without configuring DNS. DNS is an absolute requirement for
Active Directory, so honestly, I cannot see how your AD DCs are running
right now without a hundred errors, or even how you are able to boot and
log on to the machine.

Please read this to understand AD's DNS requirements:
http://support.microsoft.com/?id=291382

See, 99.9999% of the ISPs out there will not support AD for their customers.
This is because AD stores all of its service and resource locations in
DNS. They have that feature turned OFF to keep customers from doing so and
cluttering up their servers. Whenever an internal machine (DCs or clients)
needs access to a domain service, guess what, it asks DNS for that
information, so the ISP's DNS can't answer that and all sorts of errors ensue.

So, you can't use your ISP's DNS for AD. That's pretty much de facto and a
fact. You need to have your own internal DNS and only use that DNS for your
DCs and all of your clients. Do not use the router for DNS either. That's
just as bad. Use only your own DNS. For efficient Internet resolution,
configure a forwarder that goes to your ISP's DNS and not the router. The
router just acts as an intermediary and is a wasted step anyway. If the
option to configure a forwarder is grayed out, delete the root zone. If not
exactly sure how to do these two steps, read this article; it will show you
exactly how to:
http://support.microsoft.com/?id=300202

Also, a word of advice: using a router's DHCP service isn't the best either,
since it does not support Option 081, registration of clients into DNS.
Microsoft's DHCP service APIs work hand in hand with Microsoft's DNS service
to ensure and support registration for clients.

In any AD environment that we've set up for clients, we always disable the
router's DHCP function and definitely do not use it as a DNS address for AD.
Otherwise, I guarantee my salary that errors WILL occur and you will lose
personal time figuring out why...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
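The layout Ace lays out above (internal DNS hosting the AD zone, no root zone, a forwarder pointing straight at the ISP, every machine including the DC using only the internal server) can be applied and checked with the DnsServer and DnsClient PowerShell modules on a current Windows DNS server; in 2003 the same steps were done in the DNS MMC as KB300202 describes. This is an added example, not code from the thread or from Microsoft's KB articles, and the zone name, server address and ISP resolver address are assumptions:

```powershell
# Added example, not code from the thread. All names and addresses are assumed.
$AdZone      = 'corp.example.com'   # assumed AD DNS domain name
$InternalDns = '192.168.1.10'       # assumed DC that also runs the DNS service
$IspResolver = '203.0.113.53'       # assumed ISP resolver (documentation range)

function Set-InternalDnsLayout {
    # A root zone ('.') tells the server it is authoritative for the whole
    # Internet, which is why the forwarder option is greyed out while it exists.
    if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name '.' -Force
    }
    # Forward directly to the ISP resolver rather than through the router.
    # Root hints are disabled so an unreachable forwarder fails visibly instead
    # of the server silently falling back to iterative resolution.
    Set-DnsServerForwarder -IPAddress $IspResolver -UseRootHint $false
}

function Test-InternalDnsLayout {
    # The SRV records under _msdcs are what netdiag/dcdiag and domain clients
    # use to locate a DC; if they are missing, the DC is not registering into
    # this zone and nothing in the domain will work reliably.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdZone" -Type SRV `
           -Server $InternalDns -DnsOnly -ErrorAction Stop
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object Name, NameTarget, Port

    # Internet names must still resolve, now via the forwarder.
    $ext = Resolve-DnsName -Name 'www.example.org' -Type A `
           -Server $InternalDns -DnsOnly -ErrorAction Stop

    # Every IPv4 interface on this host must use only the internal server
    # (loopback is acceptable on the DNS server itself). A stray ISP or router
    # address here is the usual cause of intermittent "cannot find DC" errors.
    $allowed = @($InternalDns, '127.0.0.1')
    $stray = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses | Where-Object { $allowed -notcontains $_ } }

    [pscustomobject]@{
        DomainControllers = $dcs
        ExternalResolves  = [bool]$ext
        StrayInterfaces   = @($stray.InterfaceAlias)
    }
}

Set-InternalDnsLayout
Test-InternalDnsLayout
```

Run it on the DC itself with an elevated session. `StrayInterfaces` should come back empty; if `DomainControllers` is empty right after promotion, restart the Netlogon service so the DC re-registers its SRV records, then run `Test-InternalDnsLayout` again.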


Bill Grant

Nov 26, 2003, 6:38:36 PM
How did you configure AD without DNS? If you have not set it up
beforehand, DCPROMO will do it for you! AD cannot run without it.

To use the DNS service at your ISP, configure your local DNS to forward
to the DNS server at your ISP. Your local clients should all be configured
to use your local DNS server.

"Bobby Davies" <bobby....@co.ramsey.mn.us> wrote in message
news:OcWD#vDtDH...@tk2msftngp13.phx.gbl...

dave

Dec 3, 2003, 7:27:51 PM
Hi,
I am new to Windows Server 2003. I've set up a DC for my
domain. My ISP hosts the DNS server for me. Do I need to
install a DNS server when I run Active Directory? Could I
set up a DNS server as a secondary copy of my ISP's master server, or
do I need a new DNS server? If I set up the DNS server as a
secondary copy of my ISP's DNS server, I get a message
saying that it can't find the DC in DNS when I run
netdiag.exe. How do I add the server name if I copy the DNS records
from my ISP?

THANKS


Herb Martin

Dec 4, 2003, 12:31:43 AM
"dave" <anon...@discussions.microsoft.com> wrote in message
news:03c901c3b9fd$73e70410$a501...@phx.gbl...

> Hi,
> I am new to windows server 2003. I've set up a dc for my
> domain. my ISP host the DNS server for me.

It is best to leave your PUBLIC DNS with the ISP (or next time
you have to move it, put it at a Registrar - bigger, faster, better
support.)

> Do i need to
> install dns server when i run active directory? could i

Yes, and since it needs to accept DYNAMIC registrations you really don't
want this to be "on the Internet".

AD requires Dynamic DNS (which should be internal to your network.)

If you used the same domain name for the AD as for your external web servers,
you will want to first copy the zone from the ISP (making it a secondary works
great if the ISP's permissions allow this), then change it to a Master and add
all NEW external records to BOTH internal and external. You will have to
do this manually.

You also, of course, add all internal records ONLY to the internal DNS copy of
the zone.

Your AD clients should configure their NIC properties to ONLY point to the
internal DNS server (set), and remember that "clients" here INCLUDES DNS
and DCs -- they are DNS clients too.

Finally, in most cases you will want to "forward" from your internal DNS
server(s) to the ISP, for efficiency and some small security benefit.

> set up a dns as secondary copy of my ISP master server or
> i need a new DNS server? If i set up the dns server as
> secondary copy of my ISP dns server. i will got a message
> shows that it can't find the DC in DNS when i run
> netdiag.exe. how do i add server name if i copy DNS record
> from my ISP?

See above. A Secondary will NOT work (except during copy/setup) because
it cannot be dynamic.

--
Herb Martin


dave

Dec 5, 2003, 4:18:47 AM
Thanks for your help. I'll give it a try first. But I am
also wondering how I make it the master after I copy the
DNS records from my ISP? Remove DNS then reinstall again?

Herb Martin

Dec 5, 2003, 4:37:40 PM
"dave" <anon...@discussions.microsoft.com> wrote in message
news:081001c3bb10$c9c6b6a0$a301...@phx.gbl...

> Thanks for your help. I'll give it a try first. but i
> also wondering how do i make it master after i copy the
> dns record from my isp? remove dns then reintall again?

Change the ZONE (in the GUI properties) from Secondary to Primary.
(Or even "Active Directory Integrated" if the DNS server is also a DC.)

Either of these can be the Primary or Master of the Zone - master means
it accepts changes and is the master source of the zone.

(Technically a secondary can copy from ANY other DNS server of that zone
and refers to the source as the "master" -- in this sense 'master' is a
relative term, since that master can be a slave to another master.)

Have you heard that the Politically Correct Police wish to change the terms
master & slave as used for IDE disk drives and such?

--
Herb Martin

Ace Fekay [MVP]

Dec 5, 2003, 10:10:34 PM
In news:081001c3bb10$c9c6b6a0$a301...@phx.gbl,
dave <anon...@discussions.microsoft.com> posted their thoughts, then I
offered mine

> Thanks for your help. I'll give it a try first. but i
> also wondering how do i make it master after i copy the
> dns record from my isp? remove dns then reintall again?
>

I'm not entirely clear on why you need to have a Secondary copy of your
public domain data on your DNS. Ideally, and as recommended, your internal
DNS only hosts the AD zone data and definitely not public data on the same
server.

Is your AD DNS domain name the same as your public domain name? If so, there
are steps to ensure this works correctly. Assuming you have a private IP
range, and the zone name is the same, then this will cause numerous issues.
If the name is the same, you can manually create a www record under your own
internal zone name that would point to the external IP of your webserver so
the inside clients can access your corporate website.

In either scenario, to access other outside resources (websites, etc.), you
would configure a forwarder to achieve this.

Herb Martin

Dec 6, 2003, 2:31:48 AM
> > Thanks for your help. I'll give it a try first. but i
> > also wondering how do i make it master after i copy the
> > dns record from my isp? remove dns then reintall again?
> >
>
> I'm not entirely clear on why you need to have a Secondary copy of your
> public domain data on your DNS. Ideally, and recommended, that your internal
> DNS only hosts the AD zone data and definitely not public data on the same
> server.

He doesn't really need a "secondary copy" on his internal server, he needs a
2nd MASTER copy - shadow DNS.

If he doesn't make the external records available on the internal DNS server
(set), then his internal clients will not be able to reach (i.e., resolve
names of) the external services like his web server.

Using a "secondary" is just an easy way to INITIALLY copy the records over;
then convert to Primary (or AD Int.)

--
Herb Martin
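The two routes argued over in the last few messages, Herb's secondary-then-convert copy of the public zone and Ace's hand-built internal zone holding only the records inside clients need, both end in the same place: a writable, AD-integrated internal copy of the zone that the DC can register into and that internal clients resolve against. The following is an added example written for this thread, not code from either poster; it uses the DnsServer module cmdlets of a current Windows DNS server, and the zone name, ISP master address and web server address are assumptions:

```powershell
# Added example, not code from the thread. All names and addresses are assumed.
$Zone      = 'example.com'     # assumed: the AD domain name equals the public name
$IspMaster = '203.0.113.53'    # assumed ISP master that may or may not allow AXFR
$WebPublic = '203.0.113.10'    # assumed public address of the web server
$Dns       = '127.0.0.1'       # this script runs on the DC/DNS server itself

function New-ShadowZoneByTransfer {
    # Herb's route: pull the ISP's copy as a secondary, which is read-only and
    # therefore useless for AD on its own, then convert it in place.
    Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $IspMaster
    Start-DnsServerZoneTransfer -Name $Zone -FullTransfer
    # Poll for the SOA that a completed AXFR leaves behind. An ISP that refuses
    # zone transfers never delivers it, so give up rather than convert an empty zone.
    $deadline = (Get-Date).AddSeconds(30)
    do {
        Start-Sleep -Seconds 2
        $soa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa -ErrorAction SilentlyContinue
    } until ($soa -or (Get-Date) -gt $deadline)
    if (-not $soa) {
        Remove-DnsServerZone -Name $Zone -Force
        throw "Zone transfer of $Zone from $IspMaster did not complete; the ISP probably refuses AXFR"
    }
    # Secondary -> AD-integrated primary: the zone becomes writable, and secure
    # dynamic update restricts registrations to domain members.
    ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -Force
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
}

function New-ShadowZoneByHand {
    # Ace's route: an empty AD-integrated primary plus only the public hosts
    # that inside clients actually use. From here on, every new public record
    # has to be added both here and at the ISP.
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $WebPublic
}

function Test-ShadowZone {
    # Inside clients must get the public web address, and the DC's SRV records
    # must appear in the now-writable zone (run "nltest /dsregdns" or restart
    # Netlogon if they are still absent right after the conversion).
    $www = (Resolve-DnsName -Name "www.$Zone" -Type A -Server $Dns -DnsOnly -ErrorAction Stop).IPAddress
    $dc  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $Dns -DnsOnly -ErrorAction SilentlyContinue
    $z   = Get-DnsServerZone -Name $Zone
    [pscustomobject]@{
        ZoneType         = $z.ZoneType
        DsIntegrated     = $z.IsDsIntegrated
        WwwMatchesPublic = ($www -contains $WebPublic)
        DcRecordPresent  = [bool]($dc | Where-Object { $_.Type -eq 'SRV' })
    }
}

try   { New-ShadowZoneByTransfer }
catch { Write-Warning $_; New-ShadowZoneByHand }
Test-ShadowZone
```

The fallback in the `try`/`catch` is the practical reconciliation of the two positions: transfer when the ISP permits it, because it copies every record at once, and build by hand when it does not. In both cases `ZoneType` should read `Primary` and `DsIntegrated` should be `True` afterwards; a zone left as `Secondary` is exactly the configuration that produced dave's "can't find the DC in DNS" message from netdiag.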


Ace Fekay [MVP]

Dec 6, 2003, 6:29:35 PM
In news:Omj0Es8u...@TK2MSFTNGP09.phx.gbl,
Herb Martin <ne...@LearnQuick.com> posted their thoughts, then I offered mine

I'd just rather use a manually created zone and enter the resource records
that I need to be there. Many ISPs won't allow this anyway, which is
indicative of many split-horizon scenarios that we always see posted here by
many folks.

Herb Martin

Dec 7, 2003, 3:48:27 PM
> > Using a "secondary" is just an easy way to INITIALLY copy the records
> > over; then convert to Primary (or AD Int.)
>
> I'd just rather use a manually created zone and enter the resource records
> that I need to be there. Many ISP's won't allow this anyway, which is
> indicative of many Split-Horizon scenarios that we always see posted here
> by many folks.

Well, if it doesn't work, it doesn't work, but it is certainly the easiest
way to move one (or a few) zones when it does. There is no disadvantage when
it works, and I indicated to him that it might not be "allowed."

--
Herb Martin

