My DNS NameServer IP keeps changing automatically!


Scott M.

I am hosting my own DNS server and have a static IP address on this box. In
my DNS, I have the NameServer listed with the public static IP address.
When I check back later at MY DNS record, the public static IP has been
replaced with the PRIVATE IP for the box!

First, is this OK? (The DNS is for publicly facing resources only.) And if
it's not, how do I correct it?

Thanks!
 

Ace Fekay [MVP]

Scott M. said:
I am hosting my own DNS server and have a static IP address on this
box. In my DNS, I have the NameServer listed with the public static
IP address. When I check back later at MY DNS record, the public
static IP has been replaced with the PRIVATE IP for the box!

First, is this OK? (The DNS is for publicly facing resources only.) And
if it's not, how do I correct it?

Thanks!

Sounds like you're using the same DNS to publish public and private records.
This means you're using it for AD and for your actual public domain name. If
so, it's recommended to use two DNS servers, one for the public data, and
another for internal AD data. You don't want private data published on the
Internet, for one due to security, the other due to what you are
experiencing.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Scott M.

I really don't know why any private IP's are showing up in there. I'm not
entering them. How do I set up DNS for just public entries and keep the
private IP's from showing? (Adding a second DNS is not an option). And,
will having the private IP's showing in the public DNS affect the ability of
the DNS to point users correctly to my site/email?


 

Ace Fekay [MVP]

Scott M. said:
I really don't know why any private IP's are showing up in there.
I'm not entering them. How do I set up DNS for just public entries
and keep the private IP's from showing? (Adding a second DNS is not
an option). And, will having the private IP's showing in the public
DNS affect the ability of the DNS to point users correctly to my
site/email?

They are showing up automatically as designed by AD. They auto register that
data. With MS DNS, it's not possible to host both of the data under one
zone. This is assuming your public and private domain names are the same,
which is called a "Split Horizon" scenario. With BIND DNS you can do it. It
offers a feature called "Views" which answers queries based on the querying
IP. MS DNS doesn't offer this, therefore, you'll need another DNS server.
You can use an old machine for this, one that's been stored in a closet
that's not being used. It doesn't have to be a performance machine for
something as small as this. Matter of fact, I have an old P233 with 168 megs RAM
and a 4 gig drive. Works wonders. I disabled all of the unnecessary services
on it. If you do this, just don't disable the DHCP Client service - it's
needed by the DNS resolver service.


 

Scott M.

I guess I'm not asking the right question....

I'm only interested in running a PUBLIC DNS, I have no need to host a
PRIVATE DNS. I only want to expose my PUBLIC web site and my PUBLIC
Exchange Server.

So, how do I set my DNS (Win 2003 & Active Directory) so that just that one
public machine is registered?

Thanks for your help Ace!


 

Ace Fekay [MVP]

Scott M. said:
I guess I'm not asking the right question....

I'm only interested in running a PUBLIC DNS, I have no need to host a
PRIVATE DNS. I only want to expose my PUBLIC web site and my PUBLIC
Exchange Server.

So, how do I set my DNS (Win 2003 & Active Directory) so that just
that one public machine is registered?

Thanks for your help Ace!

I thought you wanted to host your private and public stuff on one machine?

Well, you would go to netsol.com and register your domain and register your
DNS server as a hostnameserver. You would give them the name of the machine
and your external IP. I guess you got this part out of the way already?

In NAT, setup a port remap for UDP and TCP 53 and UDP 1024 to 65535 to the
internal private IP of the server.

In DNS properties, check the nameserver tab and make sure it shows up as the
external IP and not the internal IP. Make sure all references to any data are
public only.

Is that better?


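A check to run from the outside before the registrar is pointed at your own server, written for this thread as an added example (it is not code from the original posts). It flags every A record in the zone that carries an RFC 1918, loopback or link-local address, which is both the symptom Scott describes and a leak of internal addressing to anyone who queries the zone. The sample records are constructed to match the zone described in the thread (marcusnet.us, domainserver, 192.168.1.145 behind NAT in front of 69.37.4.145); the live query at the end assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and is left commented out.

```powershell
# Added example, not part of the original thread. Flags A records in a
# public zone that point at RFC 1918 / loopback / link-local space.

function Test-PrivateAddress {
    param([string]$Ip)
    try { $addr = [System.Net.IPAddress]::Parse($Ip) } catch { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false                       # IPv4 only; the thread's zone has no AAAA records
    }
    $b = $addr.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

function Find-LeakedPrivateRecord {
    # Takes objects with Name, Type and Data properties; emits the ones that leak.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        if ("$($Record.Type)" -eq 'A' -and (Test-PrivateAddress $Record.Data)) {
            $Record
        }
    }
}

# Constructed sample: the shape of the zone described in the thread, after
# AD has re-registered the DC's NAT address over the public one.
$sample = @(
    [pscustomobject]@{ Name = 'marcusnet.us';              Type = 'NS'; Data = 'domainserver.marcusnet.us' }
    [pscustomobject]@{ Name = 'marcusnet.us';              Type = 'A';  Data = '192.168.1.145' }   # "(same as parent)" record
    [pscustomobject]@{ Name = 'domainserver.marcusnet.us'; Type = 'A';  Data = '192.168.1.145' }   # host record
    [pscustomobject]@{ Name = 'www.marcusnet.us';          Type = 'A';  Data = '69.37.4.145' }     # public, as intended
)

$leaks = $sample | Find-LeakedPrivateRecord
$leaks | Format-Table -AutoSize

# Live check against the server the registrar lists for the zone
# (Resolve-DnsName needs Windows 8 / Server 2012 or later):
# $ns = (Resolve-DnsName marcusnet.us -Type NS).NameHost | Select-Object -First 1
# Resolve-DnsName domainserver.marcusnet.us -Type A -Server $ns |
#     ForEach-Object { [pscustomobject]@{ Name = $_.Name; Type = $_.Type; Data = $_.IPAddress } } |
#     Find-LeakedPrivateRecord
```

Run it against the zone as the outside world sees it, not against the DC's own resolver, or the private records will look normal (that is why Scott cannot see the problem from inside). On the NAT point: an authoritative server only needs inbound UDP and TCP 53 forwarded; replies to its own outbound lookups come back through the gateway's existing NAT state, so the 1024 to 65535 range does not need to be opened inbound.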
 

Scott M.

Ace Fekay [MVP] said:

I thought you wanted to host your private and public stuff on one machine?

Well, you would go to netsol.com and register your domain and register your
DNS server as a hostnameserver. You would give them the name of the machine
and your external IP. I guess you got this part out of the way already?

Yes, that part is done.
In NAT, setup a port remap for UDP and TCP 53 and UDP 1024 to 65535 to the
internal private IP of the server.

You mean my router? I think this is done already, I'll check it.
In DNS properties, check the nameserver tab and make sure it shows up as the
external IP and not the internal IP. Make sure all references to any data is
public only.

This is the part I'm asking about....I keep setting the NameServer to point
to the public IP and then in a few minutes time, when I check back, the IP
has automatically switched to the internal IP of the box! How do I stop
this from happening and have the DNS record ONLY show public IP?
 

Kevin D. Goodknecht

Scott M. said:
If you are only interested in running a public DNS then you've got a
problem, Active Directory requires DNS and it must resolve internally. If
you stop the registration of the private records the AD will not work. If
you want only public records in DNS then you will have to give your DC a
public IP address.

Your only choice is to demote and promote with a different AD domain name
such as domain.local. That way the private records will be created with
that name. You can then host public DNS for the name of your choice, because
internal resolution for the public name is not required unless you need
access to the domain internally.
 

Scott M.

Kevin D. Goodknecht said:
If you are only interested in running a public DNS then you've got a
problem, Active Directory requires DNS and it must resolve internally.

Huh, Active Directory does not require DNS. Before I went down this road I
had AD running without DNS set up on the machine.

If you stop the registration of the private records the AD will not work.

In what sense will AD not work? My user accounts will cease to function?
If you want only public records in DNS then you will have to give your DC a
public IP address.

It has one, that's my whole point.
Your only choice is to demote and promote with a different AD Domain name
such as domain.local. That way the private records will be created with
that name. You can then host public DNS for the name of your choice. because
internal resolution for the public name is not required unless you need
access to the domain internally.

I think you've missed what my question is: How do I stop AD from
automatically changing my public (static) IP associated with my DNS
NameServer to the private IP?
 

Kevin D. Goodknecht

Scott M. said:
Huh, Active Directory does not require DNS. Before I went down this
road I had AD running without DNS set up on the machine.

Active Directory does require DNS; the SRV records needed to find domain
controllers are stored in DNS.
In what sense will AD not work? My user accounts will cease to
function?

Because if the DC cannot resolve its own IP it cannot be located and neither
will any machine looking for it.
It has one, that's my whole point.

Your public address is on the router, not on the DC; the DC has a private
address. You would have to remove the router and put the public address on
the DC.
I think you've missed what my question is: How do I stop AD from
automatically changing my public (static) IP associated with my DNS
NameServer to the private IP?

No, I have not missed the question, your DC has a private address that is
the one being registered.

If you stop the DC from registering its private address it cannot resolve to
itself by the public IP due to it being behind NAT on the router. That is
the downfall with NAT: if you want to use AD with public addresses then you
will have to run a proxy server on the DC and give the DC a public address
on its interface.
 

Ace Fekay [MVP]

Scott M. said:
Huh, Active Directory does not require DNS. Before I went down this
road I had AD running without DNS set up on the machine.

Who told you that??
YES IT DOES require DNS. That's the way the whole mess works. You must have
been using some DNS server for AD to register its info in. DNS stores ALL OF
AD's resource and service locations.

Not sure where you got your info about AD and DNS. Read this:
http://support.microsoft.com/?id=291382

In what sense will AD not work? My user accounts will cease to
function?

Not cease to function, but they won't be able to log in and/or gain access to
domain resources, such as printers, authentication to folders, etc. So in
essence, I guess, yes, they will cease to function.

It has one, that's my whole point.


I think you've missed what my question is: How do I stop AD from
automatically changing my public (static) IP associated with my DNS
NameServer to the private IP?

You can stop it by using the registry, by killing registration completely.

Now I have another question, what exact record are you saying is coming up?
Is it the LdapIpAddress? That looks like this:
(same as parent) A 192.168.1.1

Or is it the hostrecord (the A record), that looks like this:
machinename A 192.168.1.1

( I used 192.168.1.1 and "machinename" arbitrarily. Substitute your own IP)

Or both?

Can you post us your actual domain name so we can take a look at it as an
outsider?


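The registry route Ace alludes to, written out as an added example (not code from the original posts). It assumes it is run as an administrator on the domain controller itself, that dnscmd is present, and that the two records being overwritten are the domain-root "(same as parent)" A record Netlogon registers under the mnemonic LdapIpAddress and the host A record the DNS Client registers for each adapter. The Netlogon value name DnsAvoidRegisterRecords and the WMI method SetDynamicDNSRegistration are the documented ways to switch those registrations off; the zone name and addresses are the ones from the thread.

```powershell
# Added example, not from the original thread. Run as Administrator on the
# domain controller. Stops the DC from re-registering its NAT address in
# its own zone and puts the public address back by hand.

$zone     = 'marcusnet.us'        # from the thread
$dcHost   = 'domainserver'        # from the thread
$publicIp = '69.37.4.145'         # from the thread
$natIp    = '192.168.1.145'       # from the thread
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Netlogon registers the "(same as parent) A" record (mnemonic LdapIpAddress)
#    and the GC equivalent (GcIpAddress). Listing them here skips just those two;
#    the SRV records clients use to find the DC are still registered.
New-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords `
    -PropertyType MultiString -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null

# 2. The host A record is registered by the DNS Client (the DHCP Client service
#    Ace says not to disable). Turn off per-adapter registration instead.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $null = $_.SetDynamicDNSRegistration($false, $false) }

# 3. Replace the records that were overwritten. The dynamic record has to be
#    deleted first, or the public one is added beside it rather than instead of it.
dnscmd . /RecordDelete $zone '@'     A $natIp /f
dnscmd . /RecordDelete $zone $dcHost A $natIp /f
dnscmd . /RecordAdd    $zone '@'     A $publicIp
dnscmd . /RecordAdd    $zone $dcHost A $publicIp

# 4. Netlogon re-registers periodically; restart it so it reads the new value
#    now rather than putting the private address back on its next pass.
Restart-Service Netlogon
```

The catch Kevin raises still applies: once the DC's only A record carries 69.37.4.145, internal clients look for the DC at the router's public side, and unless the gateway hairpins that traffic back in, they cannot reach it and logons fail. That is why the thread's real answer remains a second DNS server or a separate internal AD name such as domain.local rather than this change.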
 

Scott M.

First, let me say thanks for all your help Ace.

I'm soooooo frustrated at this point, it's actually hurting my head!!!!

The domain is: MarcusNet.us

I tried NOT integrating AD with DNS and found that DNS does hold on to my
static IP of my server, but logging in to my system became painfully
sloooooowww. So I turned AD integration back on.

I'm a real newbie to this so maybe it would be better to state what I'm
shooting for and you could tell me what direction I need to go in.

Win 2003 Server (domain is: MarcusNet.us)
Exchange 2003 Server (running on machine: DomainServer.MarcusNet.us)
Windows XP Pro clients
Public web site www.MarcusNet.us

My router (residential gateway) is 69.37.4.150 (static) and I have mapped
the router so that private IP:
192.168.1.145 maps to public (static) 69.37.4.145 (the web server/Exchange
box in my system).

I want the web site and the Exchange server accessible to the public. I only
have one server, so setting up a second one (at this time) is not an option.

I am using as the second NameServer (for InterNic registration purposes) a
dynamic IP service nameserver that I have an account with. Although I
started using them when I had a dynamic IP, their servers can still be used
with a static IP.

Ugh!


 

Ace Fekay [MVP]

Scott M. said:
First, let me say thanks for all your help Ace.

I'm soooooo frustrated at this point, it's actually hurting my
head!!!!

The domain is: MarcusNet.us

I tried NOT integrating AD with DNS and found that DNS does hold on
to my static IP of my server, but logging in to my system became
painfully sloooooowww. So I turned AD integration back on.

I'm a real newbie to this so maybe it would be better to state what
I'm shooting for and you could tell me what direction I need to go in.

Win 2003 Server (domain is: MarcusNet.us)
Exchange 2003 Server (running on machine: DomainServer.MarcusNet.us)
Windows XP Pro clients
Public web site www.MarcusNet.us

My router (residential gateway) is 69.37.4.150 (static) and I have
mapped the router so that private IP:
192.168.1.145 maps to public (static) 69.37.4.145 (the web
server/Exchange box in my system).

I want the web site and the Exchange server accessible to the public.
I only have one server, so setting up a second one (at this time) is
not an option.

I am using as the second NameServer (for InterNic registration
purposes) a dynamic IP service nameserver that I have an account
with. Although I started using them when I had a dynamic IP, their
servers can still be used with a static IP.

Ugh!


I see. So you have two public IP addresses. Your site resolves to
69.37.4.145.

Actually, with what you're trying to do, you'll need two nameservers.

As for the long logon times, make sure you do NOT use any external DNS
addresses in your IP properties on ANY internal machines. Using any other
DNS than the one that hosts your AD data will cause numerous
problems, one of which is long logon times. What's in your Event Viewer?
Any errors? Configure a forwarder for efficient Internet resolution. If the
Forwarding option is grayed out, delete the Root zone and try again. This
article shows how:
http://support.microsoft.com/?id=300202

Also, doing an nslookup on your domain shows tzo.com as authoritative and NOT
your server. I'm assuming that you're going to change that to your servers?
You said in an earlier post that was taken care of?
From your post:
==========================
Well, you would go to netsol.com and register your domain and register your
DNS server as a hostnameserver. You would give them the name of the machine
and your external IP. I guess you got this part out of the way already?

Yes, that part is done.


 

Ace Fekay [MVP]


Oops, hit send too soon before I was done the other post..,.


I looked up your domain at netsol.com and got this below. It does NOT show
your DNS servers as authoritative, just as the nslookup didn't show it, so not
sure what you have done to this point to make it work for what you want to
do.
========================================
marcusnet.us


Registrant:
Technical Training Solutions, LLC. (BAHPWZIMVD)
25 Standish Rd
Ellington, CT 06029
US

Domain Name: MARCUSNET.US

Administrative Contact, Technical Contact:
Technical Training Solutions, LLC. (20277371O)
(e-mail address removed)
25 Standish Rd
Ellington, CT 06029
US
(860) 871-5410 fax: 123 123 1234

Record expires on 11-Apr-2006.
Record created on 12-Apr-2003.
Database last updated on 26-Oct-2003 17:32:21 EST.

Domain servers in listed order:

NS.TZO.COM 140.239.225.194
NS2.TZO.COM 216.55.0.21
NS3.TZO.COM 66.152.192.119
========================================


 

Scott M.

Yes, I've temporarily changed the NameServers back to the ones that I know
work for now. I've got to be able to get my email while I do all this
stuff.

I don't have any errors in my DNS event log and the long log in times issue
is now fixed (since I told my DNS to integrate with AD [I had turned that
off and that is what caused the long log in times]).

At this point, because hosting 2 DNS is not a possibility, I think I will
continue to go with the DNS Hosting service that I've got in place (my head
hurts too much from trying to figure all this out).

Thanks again so much for your help and patience!


 

Scott M.

What does "authoritative" mean with regard to this?

Because the nameservers I have listed now correctly point to my static IP of
my Exchange server, I am now receiving mail again.

Can you get to www.MarcusNet.us? (I assume you can but because my DNS takes
me right to it via the local IP setting, I can't verify that the outside
world can get to it.)


 

Ace Fekay [MVP]

Scott M. said:
What does "authoritative" mean with regard to this?

Authoritative means which DNS server owns the zone name. It's your hosting
company right now.
Because the nameservers I have listed now correctly point to my
static IP of my Exchange server, I am now receiving mail again.
Good


Can you get to www.MarcusNet.us? (I assume you can but because my
DNS takes me right to it via the local IP setting, I can't verify
that the outside world can get to it.)

Actually yes I can. The underwater videos wouldn't run. It just tries to
connect...


 

Ace Fekay [MVP]

Scott M. said:
Yes, I've temporarily changed the NameServers back to the ones that I
know work for now. I've got to be able to get my email while I do
all this stuff.

I don't have any errors in my DNS event log and the long log in times
issue is now fixed (since I told my DNS to integrate with AD [I had
turned that off and that is what caused the long log in times]).

FYI: Actually, whether the zone is a Primary or AD Integrated, it wouldn't
cause what you're describing. The difference is that a Primary zone stores
its data as a text file with a .dns extension in the system32\dns folder.
An AD Integrated zone stores it in the actual physical AD database. It's
just a way of storing the zone file; that's all that means.

Now the long logon times are due to what I described in my previous post.
At this point, because hosting 2 DNS is not a possibility, I think I
will continue to go with the DNS Hosting service that I've got in
place (my head hurts too much from trying to figure all this out).

You know what, it's usually a lot easier if you let them host it. If you're not
totally familiar with the fundamentals and how it works in any size
infrastructure, it's usually best to let them host it, as long as you
have access to be able to change records and such. Besides, they have
multiple DNS servers with fault tolerance and backup.
Thanks again so much for your help and patience!

No problem!
:)


 

Kevin D. Goodknecht

Ace Fekay [MVP] said:

Authoritative means which DNS server owns the zone name. It's your
hosting company right now.


Actually yes I can. The underwater videos wouldn't run. It just tries
to connect...
Actually the video does work, it's just a 31MB download, Ace.
BTW, it's a good quality video with good resolution. I guess that's why it is
so large, but I would think about storing it on your ISP if they have the
service. Your upstream seems to be limited to about 170k, which is pretty
good, but if someone is downloading it, it will keep your upstream pipe full
for too long.
 

Ace Fekay [MVP]

Kevin D. Goodknecht said:
Actually the video does work it's just a 31MB download, Ace.
BTW, it's a good quality video with good resolution. I guess that why
it is so large, but I would think about storing it on your ISP if
they have the service. Your upstream seems to be limited to about
170k, which is pretty good but if someone is downloading it it will
keep your upstream pipe full for too long.

I forgot about the site but when I went back to it, I found it playing. Boy
that's a big file to be doing that with. Yes, the ISP's would be a better
idea, or even chopping it down in multiple pieces with a warning or
something or using some other codec (one that I don't want to mention here)
or save it using a lower resolution.

Nice video btw, wish I was there...

 
