Windows servers need internet access


david

We have 4 servers in place, all win2k, and have just
purchased a T1 line. We would like to grant internet
access to the servers for updating purposes and email.

We have DNS installed on the AD server.

Server 1 Role AD & file sharing
Server 2 Role Exchange 2000
Server 3 Role SQL
Server 4 Role Applications (which use SQL)

The IP scheme is 192.168.1.x w/ 255.255.255.0, the
gateway is set to the router's address (192.168.1.1), and
the DNS on the 3 app servers is set to the AD server
(192.168.1.2). The AD server has the two external DNS
servers listed in the Network properties.

With this setup, the AD server is the only one with
internet access.

If I set the other 3 servers' DNS to the external
addresses, it works. But the problem is that one of the
applications (Microsoft CRM) needs the DNS to be the AD
controller--so that server (server 4) has to have
192.168.1.2 as the DNS server.

How can I have all 4 servers have internet access, as
well as satisfy the need for the CRM application? I've
seen the feature 'forwarders' mentioned in other posts--
but that option is not available on the AD server.

We are a very small company with some understanding of
networking, but not a lot.

Any help will be appreciated.
 

Danny Sanders

Set up forwarders on your AD DNS server. To enable forwarders you need to
delete the "." (dot) forward lookup zone that is created by default.

hth
DDS W 2k MVP MCSE
 

david

Is that all? Does this work with the workstations also?

Just to clarify:

-I will remove the . forward lookup in the DNS on the AD
-I will click the box for 'enable forwarders' (is there
any other setting?)
-I will code the NICs for the other 3 servers to point to
192.168.1.2 (the AD server) as the primary DNS--there
will be no secondary DNS

Thanks for your help.
 

Danny Sanders

-I will remove the . forward lookup in the DNS on the AD


Yes open the DNS snapin and delete the "." (dot) FLZ. Your AD DNS server
should point to 192.168.1.2 (itself) for DNS in the properties of TCP/IP.

-I will click the box for 'enable forwarders' (is there
any other setting?)

You will need to input your ISP's DNS servers as the forwarders. You may
have to close and reopen the DNS snapin to have forwarders enabled.

-I will code the NICs for the other 3 servers to point to
192.168.1.2 (the AD server) as the primary DNS--there
will be no secondary DNS


Point them to the AD DNS server only. Anything that your AD DNS server can
not resolve (the entire Internet) gets forwarded to your ISP's DNS servers
for resolution.


Basically ALL AD clients and servers point to the AD DNS server only. For
Internet access set up forwarding on the AD DNS server.

hth
DDS W 2k MVP MCSE
 

SaltPeter

david said:
Is that all? does this work with the workstations also?

Just to clarify:

-I will remove the . forward lookup in the DNS on the AD
-I will click the box for 'enable forwarders' (is there
any other setting?)
-I will code the NICs for the other 3 servers to point to
192.168.1.2 (the AD server) as the primary DNS--there
will be no secondary DNS

Thanks for your help.

I'll second Danny's procedure. To explain the issue, deleting the "." zone
tells your DNS server that it's not the final authority for the global
worldwide www namespace.

The advantage of such a scenario is that your private DNS server is
authoritative for your private namespace only and any request to resolve an
external name needs to be "forwarded" on behalf of a client. The private DNS
server then knows when to query up the DNS hierarchy (i.e. whenever a query is
attempting to resolve an IP or name that's outside your domain). That's the
only time the private DNS server forwards the request to the ISP's DNS.

This effectively means:
a) a client's query is cached by the local, private DNS server. A duplicate
of the same query need not be forwarded.
b) it reduces unnecessary traffic and open connections through a router
between a client and an external DNS server.
c) which therefore eliminates a potential security hole.

I'd strongly suggest downloading the DNS whitepaper since DNS is a critical
component of any W2K domain.
(sorry for lengthy URL)
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
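As an added diagnostic, not from either reply above, this script checks the two things the thread's procedure changes: whether the AD DNS server still answers the root ("." NS) authoritatively, which means the "." forward lookup zone has not been deleted, and whether an external name resolves through it, which means forwarders are in place. It assumes the AD DNS server at 192.168.1.2 from the post and uses www.example.com as a constructed external name; it builds the UDP packets by hand so only the standard library is needed.

```python
import socket
import struct

# Server address is from the thread; the external name is a constructed test value.
AD_DNS = "192.168.1.2"
EXTERNAL_NAME = "www.example.com"
QTYPE_A, QTYPE_NS = 1, 2


def build_query(name, qtype, txid=0x1234):
    """Encode a minimal DNS query with RD=1; the name "." encodes as the root."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Return the header fields that matter here: AA, RA, RCODE and answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}


def diagnose(root_ns_resp, external_resp):
    """Classify the two replies the way the thread's advice predicts."""
    root, ext = parse_header(root_ns_resp), parse_header(external_resp)
    if root["aa"] and root["rcode"] == 0:
        return "root-zone"      # authoritative for '.': the "." FLZ still exists, delete it
    if ext["rcode"] == 0 and ext["answers"] > 0:
        return "forwarding-ok"  # external name came back through the AD server
    if ext["rcode"] == 2:
        return "servfail"       # SERVFAIL: forwarders not set or ISP servers unreachable
    return "no-answer"          # e.g. NXDOMAIN with no records: check the forwarder list


def send_query(server, packet, timeout=3.0):
    """Send one UDP query to port 53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    root_reply = send_query(AD_DNS, build_query(".", QTYPE_NS))
    ext_reply = send_query(AD_DNS, build_query(EXTERNAL_NAME, QTYPE_A))
    print(diagnose(root_reply, ext_reply))
```

Run it from one of the three application servers after the change; "root-zone" means the "." zone is still there, "forwarding-ok" means the setup in the replies is complete.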

 