PC Review



netmask ordering

 
 
jason sigurdur
      14th Jun 2006
Hi, how does 'netmask ordering' work on windows 2000 server?

My question is in regards to the following:

13 windows 2000 sites, each site contains a 2000 server dc/dns ad
integrated. We are installing an isa server at each site. I would like to
have proxy autodetect through dns.
i.e have all wpad.domain.org point to 13 different a records.

Would dns resolution for a particular site resolve as per the subnet the
client resides?

thx jason


 
 
 
 
 
Peter Demeyer
      15th Jun 2006
No.
What you can do, is have 13 dhcp scopes that point you to 13 different DNS
servers, which have their own different A-records for wpad.domain.org, but
when you do this, you cannot have AD-integrated zones.
It would be easier to assign proxy servers through group policies on the
different sites.
Peter

 
Kevin D. Goodknecht Sr. [MVP]
      15th Jun 2006
Peter Demeyer wrote:
> No.
> What you can do, is have 13 dhcp scopes that point you to 13
> different DNS servers, which have their own different A-records for
> wpad.domain.org, but when you do this, you cannot have AD-integrated
> zones.


Peter, if you don't mind I can give a little input, you can use an AD
integrated zone for domain.org, create a delegation in the zone for wpad and
point the delegation to all 13 DNS servers, then create a standard primary
zone named wpad.domain.org on each of the 13 DNS servers with a single (same
as parent folder) record with the local IP address for the proxy. This way
the delegation is replicated but the wpad.domain.org is not and each DNS
server will hold its own authority for the name. The drawback is that 13
different wpad.domain.org zones will need to be created and maintained. He
would also have to set the TTL of each of these records to a low enough
value so that if a user moves from one site to another the record would be
expired from the client DNS cache.

> It would be easier to assign proxy servers through group policies on
> the different sites.


Yes, he could use the group policy, but this would create a problem for
mobile laptop users. So the laptop users would need two accounts, a domain
account, and a local computer account, each with its own profile so when
they are off site they can bypass the proxy. This would also create a
problem for mobile users that move between sites and get the same GPO at all
sites.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


 
 
jason sigurdur
      15th Jun 2006
What is "netmask ordering", and how does it work?

jason
 
Kevin D. Goodknecht Sr. [MVP]
      15th Jun 2006
jason sigurdur wrote:
> What is "netmask ordering", and how does it work?


Do a search in DNS help for prioritizing local subnets, you'll get a much
better explanation. It is controlled by a number of factors having to do with
the client subnet, combined with the subnet mask of the requesting client
and getting the closest subnet match. If there's no match, then DNS
randomizes the results or round robin kicks in.

Prioritizing local subnets
http://technet2.microsoft.com/Window...9fdcd1033.mspx

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
jason sigurdur
      15th Jun 2006
hi,

so if i had wpad.domain.org and
A 10.100.0.1/24
A 10.100.4.1/24
A 10.100.8.1/24

if a client in 10.100.0.0/24 requested wpad.domain.org
it should get 10.100.0.1 ?

js
 
Kevin D. Goodknecht Sr. [MVP]
      17th Jun 2006
jason sigurdur wrote:
> hi,
>
> so if i had wpad.domain.org and
> A 10.100.0.1/24
> A 10.100.4.1/24
> A 10.100.8.1/24
>
> if a client in 10.100.0.0/24 requested wpad.domain.org
> it should get 10.100.0.1 ?


That's the way it is supposed to work in theory.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
Kurt
      21st Jun 2006
I'm going to jump in here because I have solved the same problem by using
netmask ordering. If netmask ordering is enabled and round-robin is
disabled, then if a server has three IP addresses, say 10.1.0.1, 10.2.0.1,
10.3.0.1 all /16, and a computer at 10.2.0.100 does a lookup for
"mydomain.com", assuming the DNS server is the DNS server for the domain, it
should always resolve to 10.2.0.1. Case in point, back in MS class I took on
an intern project where three departments all had to log into the same
domain and get to files on the server (which was DC, DNS and file server),
but could not have access to other segments. I VLAN'd them off with
different subnets on each VLAN, and 3 NICs on the server, one on each VLAN.
I had problems with logons, and figured out that the domain was resolving to
an IP address on the wrong subnet. After researching, I found an MS article
that said to enable netmask ordering and disable round-robin. It did the
trick.

....kurt
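
The ordering rule discussed in this thread, as an added example that is not part of any poster's message and is not Microsoft's implementation: a simplified Python model of how netmask ordering and round robin interact, including the case where no record matches the client's subnet. The names `netmask_order`, `compare_prefix`, `round_robin` and `turn` are hypothetical, and the sample addresses are constructed from the ones quoted in the thread.

```python
import ipaddress

def netmask_order(client_ip, a_records, compare_prefix=24,
                  round_robin=False, turn=0):
    """Simplified model of netmask ordering (not Microsoft's code).

    Records inside the client's network (client_ip/compare_prefix) are
    returned first, closest match first. The rest keep zone order, or are
    rotated by `turn` positions when round_robin is on (a deterministic
    stand-in for the server's rotation between queries).
    """
    client = ipaddress.ip_address(client_ip)
    client_net = ipaddress.ip_network(f"{client_ip}/{compare_prefix}",
                                      strict=False)

    def shared_bits(addr):
        # Leading bits the record has in common with the client address.
        return 32 - (int(client) ^ int(ipaddress.ip_address(addr))).bit_length()

    local = [a for a in a_records if ipaddress.ip_address(a) in client_net]
    remote = [a for a in a_records if a not in local]
    local.sort(key=shared_bits, reverse=True)
    if round_robin and remote:
        k = turn % len(remote)
        remote = remote[k:] + remote[:k]
    return local + remote

# Constructed sample data: the three A records from the thread's example.
WPAD = ["10.100.0.1", "10.100.4.1", "10.100.8.1"]

if __name__ == "__main__":
    # Client in 10.100.0.0/24: its own site's proxy is listed first.
    print(netmask_order("10.100.0.25", WPAD))
    # Kurt's multi-homed server, round robin off: 10.2.0.1 is always first.
    print(netmask_order("10.2.0.100", ["10.1.0.1", "10.2.0.1", "10.3.0.1"],
                        compare_prefix=16))
    # Failure mode: a client in 10.100.1.0/24 matches no record at /24, so
    # rotation decides and the first answer can be another site's proxy.
    print(netmask_order("10.100.1.50", WPAD, round_robin=True, turn=1))
    # Comparing on /22 instead puts 10.100.0.1 back in front.
    print(netmask_order("10.100.1.50", WPAD, compare_prefix=22))
```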




 