Dns on 2000 member server.


jason sigurdur

Hi, currently I have 13 DCs using AD-integrated DNS. I just set up an ISA2004 on
a 2k member server.
The ISA2004 server has an internet connection.

Could I install DNS on the ISA2004 member server, and have its DNS point to
itself, and have forwarder entries that would be the ISP DNS?

thx jason

Kevin D. Goodknecht Sr. [MVP]

jason said:
Hi, currently I have 13 DCs using AD-integrated DNS. I just set up an
ISA2004 on a 2k member server.
The ISA2004 server has an internet connection.

Could I install DNS on the ISA2004 member server, and have its DNS
point to itself, and have forwarder entries that would be the ISP DNS?

If it is on a member server, the member server must use the internal DNS in
TCP/IP properties of the internal interface.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Herb Martin

jason sigurdur said:
Hi, currently I have 13 DCs using AD-integrated DNS. I just set up an ISA2004
on a 2k member server.
The ISA2004 server has an internet connection.

Could I install DNS on the ISA2004 member server,
Yes.

and have its DNS point to itself,

Not unless it can resolve "internal resource records" which
is a bad idea for such machines.

As a MEMBER machine it must be able to find the DCs to
authenticate itself -- so that all of the features of ISA will
work, such as access security control using groups.

and have forwarder entries that would be the ISP DNS?

Yes.

I have systems set up this way in fact (with my one correction):

DNS on the Gateway/Firewall/Proxy/ISA for resolving the Internet.
CLIENT DNS settings for that "server" set to an INTERNAL DNS
server though (and if you are forced to use a DHCP address on
the external NIC you must override the DNS setting to avoid
multiple incompatible settings.)
Internal DNS servers forward to the "firewall DNS" server.
Firewall DNS service either recurses physically OR forwards to
the ISP.

jason sigurdur

Hi, thx for the reply.

If I understand correctly, I can install DNS on my ISA server.
1. The DNS settings on the ISA server will point to my DC with integrated
DNS on the local subnet.
2. The DNS settings on the DC will have forwarding entries that point to the ISA
server.

If the above is a correct assumption, the DNS on the ISA server will be no
more than a caching DNS server for external resolution.

Would it be possible to install DNS on the ISA server and do zone transfers
from a DC and use it for internal DNS, and use its forwarding entries for
external resolution?

thx jason

Herb Martin

jason sigurdur said:
Hi, thx for the reply.

If I understand correctly, I can install DNS on my ISA server.
1. The DNS settings on the ISA server will point to my DC with integrated
DNS on the local subnet.

Yes (technically to the "internal DNS server set" which happens to be
the DC-DNS in your case.)

The reason that it must do this as a "DNS client" is that this machine is
a MEMBER of the domain. That is the only thing that really makes sense
with ISA usually, because it needs to be able to take advantage of user
authentication in order to control access to the Internet.

(You could forego such features and remove the ISA from the domain and
it would work more like 'ordinary' firewalls.)

2. The DNS settings on the DC will have forwarding entries that point to the
ISA server.

Yes, but let's clarify: The FORWARDING settings on the DNS service
will do this. Note the distinction between "client DNS settings" for the
ISA server, and the FORWARDING settings for the internal DNS
servers. The "client DNS" settings on the DC, and all internal or domain
machines, will be similar to the ISA member server.

If the above is a correct assumption, the DNS on the ISA server will be no
more than a caching DNS server for external resolution.

Correct. What else did you wish it to be?

Would it be possible to install DNS on the ISA server and do zone
transfers from a DC and use it for internal DNS, and use its forwarding
entries for external resolution?

Yes, but now you have to deal with the issue of possibly exposing that
sensitive information to the Internet (hackers and crackers.) Why would
you wish to do this?

The KEY to the above recommendations is that you are treating the
"ISA Server" as an INTERNAL CLIENT, but using it for EXTERNAL
DNS Resolution and Gateway/Firewall access as a Server.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
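The chain Herb describes (ISA server as an internal DNS client, its DNS service forwarding only to the ISP, internal DC DNS forwarding external names to the ISA DNS), written out as an added example for Windows 2000 with dnscmd and netsh; this is not from the thread, and the interface names, addresses and the example.com domain are placeholders.

```batch
@echo off
REM Added example, not from the thread. All addresses and names are placeholders.
REM INTERNAL_DNS = a DC running AD-integrated DNS
REM ISA_INTERNAL = the ISA server's internal NIC (where its DNS service listens)
REM ISP_DNS1/2   = the ISP's resolvers
set INTERNAL_DNS=10.0.0.10
set ISA_INTERNAL=10.0.0.1
set ISP_DNS1=198.51.100.53
set ISP_DNS2=198.51.100.54

REM 1. On the ISA member server: CLIENT DNS settings point to the INTERNAL DNS,
REM    never to itself, so the machine can find the DCs and authenticate as a member.
netsh interface ip set dns name="Internal" source=static addr=%INTERNAL_DNS%
REM    The external NIC must not pick up the ISP's DNS from DHCP; pin it as well.
netsh interface ip set dns name="External" source=static addr=%INTERNAL_DNS%

REM 2. On the ISA server's DNS service: no internal zones, only forwarders to the ISP.
REM    /Slave stops it recursing on its own if the forwarders fail; drop it if you
REM    want the "recurses physically" variant instead.
dnscmd . /ResetForwarders %ISP_DNS1% %ISP_DNS2% /Slave

REM 3. On each internal DC-DNS: forward names it is not authoritative for to the ISA DNS.
dnscmd %INTERNAL_DNS% /ResetForwarders %ISA_INTERNAL%

REM 4. Checks. The ISA server must be able to locate a DC through the internal DNS...
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com %INTERNAL_DNS%
REM    ...the ISA DNS service should answer external names...
nslookup www.example.net %ISA_INTERNAL%
REM    ...and should list no internal zone (only the cache and any reverse lookup zones).
dnscmd . /EnumZones
```

Run step 1, 2 and 4 on the ISA server and step 3 on each DC; if the zone list in step 4 shows an internal zone on the ISA DNS, that is the exposure Herb warns about.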