DNS & Active directory forwarding problem

Sudesh Bhat

Hi all,
To brief you about our current setup:
We have Win2k AD-integrated DNS (3 nos. spread over 2
offices) without any ISP forwarders specified in any. For
Win2K clients who need Internet access we specify our DNS
IP manually in the Network TCP/IP properties. I assume
that the Internet requests are routed using the root DNS
entries in the Root Hints tab in the DNS server
properties.
We are also using WINS in our offices for name resolution.

DNS server is only for select Win2k clients/users. Now we
want to implement SUS for patch management and implement
Group Policies for client registry changes. This is only
possible if all Win2k clients have DNS specified, as WINS
is unable to do this. If we specify DNS to all it would
mean opening Internet access to everybody, which we want to
avoid.

In this scenario what would be the best way to restrict
Internet access and also have SUS and Group Policy
implementation?

We are not using any proxy server, only a firewall for NAT
purposes, and it does not have any proxy facilities. Is
there any way using the Win2k DNS to resolve this issue?
Please advise/guide me on this issue. Thanks in advance.

Sudesh
 
Kevin D. Goodknecht [MVP]

It is a bad idea to try this with DNS because the results would be
unreliable and inconsistent. Proxy servers are inexpensive and more reliable
because you can assign the proxy through group policy and prevent users from
changing your settings.
Your way would require two DNS servers, one for those who do and one for
those who don't, and they could still have a limited amount of access by
using IP addresses, limited only by the number of sites that require host
headers.
 
Michael Johnston [MSFT]

DNS cannot be used to restrict Internet access. You will need a proxy server or firewall that allows these types of restrictions.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 
Sudesh Bhat

Hi Kevin,

You had replied saying that Proxy can be assigned using
group policy. How is this possible?

I have added the inetres.adm to the group policy for a
test OU, but the clients don't seem to pick up this
policy.

Please advise.

Thanks

Sudesh Bhat
 
Kevin D. Goodknecht [MVP]

You can do this in either the default domain group policy or OU group
policy.
The default domain policy is in ADUC, right click on the domain object, then
choose properties, select the group policy tab, edit, user configuration,
Windows Settings, Internet Explorer Maintenance, Connection, Proxy Settings.

To keep users from modifying the proxy settings, in the policy, expand
computer configuration, Administrative templates, Windows components,
Internet Explorer.
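
A way to check on a client which proxy settings actually took effect, relevant to the follow-up above about the policy not being picked up. This is an added example, not part of the original posts: it assumes PowerShell is available on the client and reads the standard Internet Explorer registry values, and the function names are hypothetical.

```powershell
# Added example: report the proxy state a client actually ended up with.
# Assumes PowerShell on the client; the keys are the standard IE/WinINET locations.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-ProxyPolicyState {
    $inet    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $polInet = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $polCpl  = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'

    # ProxySettingsPerUser = 0 corresponds to "Make proxy settings per-machine".
    $perMachine = (Get-RegValue "HKLM:\$polInet" 'ProxySettingsPerUser') -eq 0
    $hive = if ($perMachine) { 'HKLM:' } else { 'HKCU:' }

    # Proxy = 1 corresponds to "Disable changing proxy settings" (user or computer side).
    $locked = ((Get-RegValue "HKCU:\$polCpl" 'Proxy') -eq 1) -or
              ((Get-RegValue "HKLM:\$polCpl" 'Proxy') -eq 1)

    $state = [pscustomobject]@{
        SettingsHive  = $hive
        ProxyEnabled  = (Get-RegValue "$hive\$inet" 'ProxyEnable') -eq 1
        ProxyServer   = Get-RegValue "$hive\$inet" 'ProxyServer'
        BypassList    = Get-RegValue "$hive\$inet" 'ProxyOverride'
        UserCanChange = -not $locked
        Findings      = @()
    }
    if (-not $state.ProxyEnabled) {
        $state.Findings += 'Proxy is not enabled: policy not applied or overridden.'
    } elseif (-not $state.ProxyServer) {
        $state.Findings += 'Proxy is enabled but no server is set.'
    }
    if ($state.UserCanChange) {
        $state.Findings += 'User can edit proxy settings in Internet Options.'
    }
    if (-not $perMachine) {
        $state.Findings += 'Settings are per-user: each profile must receive the policy.'
    }
    $state
}

Get-ProxyPolicyState | Format-List
```

Run it in the session of the user whose browsing is being restricted, since the per-user values are read from that user's HKCU hive.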
 
Rishi Lukka RL

In this scenario what would be the best way to restrict
Internet access and also have SUS and Group Policy
implementation?

Hi,

Not sure what your budget is like, but some 3rd Party software is also
a cheap possibility and there are many out there that will accomplish
what you are looking for.

We do a product called Browse Control which may be of interest to you
so check it out:
http://www.browsecontrol.com

It really depends on what sort of Internet control you wish to
enforce, but BC is a really cheap and easy way of doing things.

Hope this helps,
~Rishi Lukka
 
