Local network DNS Configuration Question

James Howe

Our local office is using a Win2k Server machine as its domain
controller. We are connected to the internet via a DSL provider and we
are part of a corporate VPN. Our local network is all Win2k/XP boxes but
our corporate network includes both Windows boxes as well as various Unix
flavors. I'm trying to see if I can configure our local domain controller
so that local client machines can access these remote boxes by their name
without having to either modify a HOSTS file or to remember a particular
IP address. Currently I have the DNS on our controller set up to use
forwarding for the purposes of talking to our ISP's domain servers. In
addition, I would like to configure things so that the server makes use of
domain name servers which reside on our corporate network. I've tried
adding these servers to the forwarding list, but I'm not having any luck
getting names to resolve. We don't have any real Windows administration
support, at least not locally, so I'm taking on the task to learn what
needs to be done to get things to work correctly. Can anyone offer any
information on what steps I need to take to make our DNS configuration
work?

Thanks.
 
Steve Duff [MVP]

You've now discovered why "conditional forwarding" was added to
Win2K3 Server. Unfortunately that doesn't help you unless you
are of a mind to upgrade, which brings in a lot of other considerations.

If your corporate admins will allow you to host a secondary copy
of their zone(s), you can do it that way. Just add each corp. DNS zone
to your DNS as a "standard secondary," and specify the corporate
DNS server from which you will do the zone pulls. People on your
LAN will resolve corporate names from your DNS, and the
zone transfers ensure that the information is kept up-to-date. You should
disable dynamic updates on those zones since they are essentially
read-only.

The corporate admins will have to authorize your DNS server to pull as a
secondary to do this, which normally should not be any Big Deal, but one
never knows...

If you can't do that, your only Win2K-based DNS alternative is to
manually host "shadow" copies of the corporate zone(s). Depending on
the number of names and how fluid the zone is, this can
be easy or completely impractical.

Steve Duff, MCSE
Ergodic Systems, Inc.
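The two server-side options Steve describes (a standard secondary zone, and the conditional forwarder that arrived with Win2K3) as an added PowerShell example. This is not code from the thread: it assumes the DnsServer module of current Windows Server (Windows Server 2012 or later; these cmdlets do not exist on Win2K, where the same settings are made in the DNS console), and the zone name `corp.example` and the addresses `10.0.0.5`, `10.0.0.6` and `192.0.2.10` are constructed.

```powershell
# Added example: host a corporate zone as a standard secondary, or (Win2K3+)
# as a conditional forwarder. Assumes the DnsServer module; zone name and
# addresses are constructed placeholders.
$CorpZone    = 'corp.example'
$CorpMasters = @('10.0.0.5', '10.0.0.6')

# --- Corporate (primary) side: the step Steve says their admins must take.
# Restrict transfers to the known secondary address rather than "any server";
# an open transfer hands the whole zone to anyone who asks.
# Set-DnsServerPrimaryZone -Name $CorpZone `
#     -SecureSecondaries TransferToSecureServers `
#     -SecondaryServers 192.0.2.10 `
#     -Notify NotifyServers -NotifyServers 192.0.2.10

# --- Branch server: standard secondary zone, pulled from the masters.
Add-DnsServerSecondaryZone -Name $CorpZone `
    -ZoneFile "$CorpZone.dns" `
    -MasterServers $CorpMasters

# A secondary is read-only by nature, which is the effect Steve's "disable
# dynamic updates" advice aims at on Win2K. Force the first full transfer
# and confirm that records actually arrived.
Start-DnsServerZoneTransfer -Name $CorpZone -FullTransfer
Get-DnsServerZone -Name $CorpZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
Get-DnsServerResourceRecord -ZoneName $CorpZone -RRType A |
    Select-Object HostName, RecordData -First 5

# --- Alternative on Win2K3 and later: conditional forwarder. No local copy
# of the zone; queries under corp.example go straight to the masters, so
# nothing resolves while the VPN is down.
# Add-DnsServerConditionalForwarderZone -Name $CorpZone -MasterServers $CorpMasters
```

Which option to pick follows Steve's reasoning: the secondary keeps working during a VPN outage and needs the corporate side to authorise transfers; the conditional forwarder needs no authorisation beyond ordinary query access but depends on the link being up.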
 
Kevin D. Goodknecht [MVP]

James Howe said:
Our local office is using a Win2k Server machine as its domain
controller. We are connected to the internet via a DSL provider and
we are part of a corporate VPN. Our local network is all Win2k/XP
boxes but our corporate network includes both Windows boxes as well
as various Unix flavors. I'm trying to see if I can configure our
local domain controller so that local client machines can access
these remote boxes by their name without having to either modify a
HOSTS file or to remember a particular IP address. Currently I have
the DNS on our controller set up to use forwarding for the purposes
of talking to our ISP's domain servers. In addition, I would like to
configure things so that the server makes use of domain name servers
which reside on our corporate network. I've tried adding these
servers to the forwarding list, but I'm not having any luck getting
names to resolve. We don't have any real Windows administration
support, at least not locally, so I'm taking on the task to learn
what needs to be done to get things to work correctly. Can anyone
offer any information on what steps I need to take to make our DNS
configuration work?

Thanks.

If the DNS servers you are wanting to forward to have other DNS zones that
cannot be resolved from an external DNS, what you would need to do is put
those DNS servers in as forwarders and remove your ISP's from the forwarding
list. Then you would need to check the box on the Forwarders tab, "Do not use
recursion"; that will keep your DNS from using root hints to resolve names.
The corporate DNS server must allow recursive queries so your DNS can resolve
internet names then. That would be the only drawback: your DNS would rely on
the corporate DNS for its internet resolution.

If the corporate DNS servers do not do recursive lookups or if you don't
want to rely on the corporate DNS for internet resolution, your only other
choice is to run secondary zones on your DNS server from the primary zones
on the corporate DNS.

DNS would be a much more reliable and faster way of doing what you want than
a HOSTS file.
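Kevin's forwarder setup as an added PowerShell example, not code from the thread. It assumes the DnsServer and DnsClient modules of current Windows Server (on Win2K the same two settings are the forwarder list and the "Do not use recursion" box on the Forwarders tab); the addresses `10.0.0.5`, `10.0.0.6`, `198.51.100.x` and the names `www.example.com` and `foo.corp.example` are constructed.

```powershell
# Added example: make the corporate DNS servers the only forwarders and stop
# the local server falling back to root hints. Assumes DnsServer/DnsClient
# modules; all addresses and names are constructed placeholders.
$CorpDns = @('10.0.0.5', '10.0.0.6')

# Pre-check Kevin's drawback: once the ISP forwarders are gone and root hints
# are off, every internet lookup depends on the corporate servers recursing
# for you (and being reachable over the VPN). Test that before switching.
foreach ($s in $CorpDns) {
    try {
        $r = Resolve-DnsName -Name 'www.example.com' -Type A -Server $s -DnsOnly -ErrorAction Stop
        Write-Host "$s recurses for internet names: $($r.IPAddress -join ', ')"
    } catch {
        Write-Warning "$s did not resolve an internet name: $($_.Exception.Message)"
    }
}

# Set- replaces the whole forwarder list (Add- would append to the ISP's
# entries); -UseRootHint:$false is the "Do not use recursion" checkbox.
Set-DnsServerForwarder -IPAddress $CorpDns -UseRootHint $false -Timeout 3

# Verify: forwarders present, root-hint fallback off, and both a corporate
# name and an internet name resolve through the local server.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'foo.corp.example' -Type A -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name 'www.example.com'  -Type A -Server 127.0.0.1 -DnsOnly
```

The trade-off to be clear about before applying this: with root hints disabled, the corporate resolvers become the single point through which every lookup from the office passes, so an outage there (or of the VPN) stops all name resolution, not just corporate names.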
 
James Howe

James Howe said:
Our local office is using a Win2k Server machine as its domain
controller. We are connected to the internet via a DSL provider and
we are part of a corporate VPN. Our local network is all Win2k/XP
boxes but our corporate network includes both Windows boxes as well
as various Unix flavors. [...]

Thanks.

If the DNS servers you are wanting to forward to have other DNS zones
that cannot be resolved from an external DNS, what you would need to do
is put those DNS servers in as forwarders and remove your ISP's from the
forwarding list. [...]

I've made this change and things work mostly as I would like. There is
one other thing I would like to do, however. The machines that our client
machines need to talk to exist on different domain names. One might be
foo.xxx.yyy and another might be bar.aaa.bbb. I want to be able to enter
the name 'foo' and have it resolve to 'foo.xxx.yyy'. Likewise for bar. I
know that the client machines can configure their DNS to use different
suffixes, but I would like this to be configured at our domain server so
that all a client has to do is use the domain server as their DNS server
and the alternate suffix searching just happens. Is there a way to
configure DNS on the server to do that?

Thanks again.
 
Kevin D. Goodknecht [MVP]

James Howe said:
James Howe said:
Our local office is using a Win2k Server machine as its domain
controller. We are connected to the internet via a DSL provider and
we are part of a corporate VPN. Our local network is all Win2k/XP
boxes but our corporate network includes both Windows boxes as well
as various Unix flavors. [...]

Thanks.

If the DNS servers you are wanting to forward to have other DNS zones
that cannot be resolved from an external DNS, what you would need to
do is put those DNS servers in as forwarders and remove your ISP's from
the forwarding list. [...]

I've made this change and things work mostly as I would like. There
is one other thing I would like to do, however. The machines that
our client machines need to talk to exist on different domain names.
One might be foo.xxx.yyy and another might be bar.aaa.bbb. I want to
be able to enter the name 'foo' and have it resolve to 'foo.xxx.yyy'.
Likewise for bar. I know that the client machines can configure
their DNS to use different suffixes, but I would like this to be
configured at our domain server so that all a client has to do is use
the domain server as their DNS server and the alternate suffix
searching just happens. Is there a way to configure DNS on the
server to do that?

Sorry, that can't be done; you have to add the suffix to your search list.
You can do that with a registry script, but you have to have a different
script for each OS.
 
Jonathan de Boyne Pollard

JH> I know that the client machines can configure their DNS to use
JH> different suffixes, but I would like this to be configured at
JH> our domain server so that all a client has to do is use the
JH> domain server as their DNS server and the alternate suffix
JH> searching just happens. Is there a way to configure DNS on
JH> the server to do that?

No.

Search paths are a function of DNS clients, not of DNS servers. The DNS
protocol (by which clients talk to servers, of course) does not deal in
anything other than fully-qualified domain names.
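Kevin's "registry script" and Jonathan's point that the search list belongs to the client, as one added PowerShell example that is not from the thread. It shows the client-side places the suffix list lives and what the client then does with a bare `foo`. It assumes a current Windows client for the cmdlets (the `SearchList` registry value itself is the one older clients also read); the suffixes `xxx.yyy` and `aaa.bbb` come from James's question, and the host `foo` is his example.

```powershell
# Added example: the suffix search list is client configuration. The server
# only ever sees the fully-qualified names the client tries in turn.
# Suffixes are taken from the question; nothing here is run on the server.
$Suffixes = @('xxx.yyy', 'aaa.bbb')

# 1. The registry value Kevin's per-OS script would write: comma-separated
#    REG_SZ under the TCP/IP parameters key. Older clients pick it up after a
#    DNS Client service restart or reboot.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $Key -Name 'SearchList' -Value ($Suffixes -join ',')

# 2. Same setting through the DnsClient module (Windows 8 / Server 2012+).
Set-DnsClientGlobalSetting -SuffixSearchList $Suffixes
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList

# 3. For every domain member at once, the Group Policy setting
#    Computer Configuration > Administrative Templates > Network > DNS Client
#    > "DNS Suffix Search List" applies the same list on each client; this is
#    still client configuration delivered centrally, not a DNS server feature.

# What the resolver does with 'foo': append each suffix in order and query
# the resulting FQDN until one answers. -DnsOnly bypasses the local cache so
# the queries are visible to the server (and in its logs).
foreach ($sfx in $Suffixes) {
    $fqdn = "foo.$sfx"
    $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    if ($a) { Write-Host "foo -> $fqdn = $($a.IPAddress -join ', ')"; break }
    Write-Host "${fqdn}: no answer, trying next suffix"
}
```

Keep the list short and limited to domains the organisation controls: every unqualified name a user types is retried under each suffix, so a suffix pointing at a domain you do not own turns typos and short names into queries, and possibly connections, to somebody else's hosts.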
 