netmask ordering

jason sigurdur

Hi, how does 'netmask ordering' work on Windows 2000 Server?

My question is in regards to the following:

13 Windows 2000 sites; each site contains a Windows 2000 Server DC/DNS, AD
integrated. We are installing an ISA server at each site. I would like to
have proxy autodetect through DNS,
i.e. have wpad.domain.org point to 13 different A records.

Would DNS resolution for a particular site resolve as per the subnet the
client resides in?

thx jason
Peter Demeyer

No.
What you can do is have 13 DHCP scopes that point you to 13 different DNS
servers, which have their own different A records for wpad.domain.org, but
when you do this you cannot have AD-integrated zones.
It would be easier to assign proxy servers through group policies on the
different sites.
Peter
Kevin D. Goodknecht Sr. [MVP]

Peter said:
No.
What you can do is have 13 DHCP scopes that point you to 13
different DNS servers, which have their own different A records for
wpad.domain.org, but when you do this you cannot have AD-integrated
zones.

Peter, if you don't mind, I can give a little input: you can use an AD-
integrated zone for domain.org, create a delegation in the zone for wpad and
point the delegation to all 13 DNS servers, then create a standard primary
zone named wpad.domain.org on each of the 13 DNS servers with a single (same
as parent folder) record with the local IP address for the proxy. This way
the delegation is replicated but wpad.domain.org is not, and each DNS
server will hold its own authority for the name. The drawback is that 13
different wpad.domain.org zones will need to be created and maintained. He
would also have to set the TTL of each of these records to a low enough
value that if a user moves from one site to another the record would have
expired from the client DNS cache.
It would be easier to assign proxy servers through group policies on
the different sites.

Yes, he could use group policy, but this would create a problem for
mobile laptop users: the laptop users would need two accounts, a domain
account and a local computer account, each with its own profile, so when
they are off site they can bypass the proxy. This would also create a
problem for mobile users that move between sites and get the same GPO at all
sites.
Kevin D. Goodknecht Sr. [MVP]

jason said:
What is "netmask ordering" , and how does it work?

Do a search in DNS Help for "prioritizing local subnets"; you'll get a much
better explanation. It is controlled by a number of factors having to do with
the client subnet, combined with the subnet mask of the requesting client,
and getting the closest subnet match. If there's no match, then DNS
randomizes the results or round robin kicks in.

Prioritizing local subnets
http://technet2.microsoft.com/Windo...dd7fb19c-f923-4769-b506-908e7509fdcd1033.mspx
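As an added illustration (not code from any poster in this thread or from Microsoft), here is a small Python model of the ordering Kevin describes, applied to the three-record wpad.domain.org layout Jason asks about. The record addresses and client addresses are constructed sample data; the prefix_len parameter stands in for the server's LocalNetPriorityNetMask setting, whose default (0x000000FF) ignores the last 8 bits of each address, i.e. a record counts as "local" when it shares the requesting client's /24.

```python
import ipaddress
import random

# Constructed sample data modelled on the thread's question; not real hosts.
WPAD_RECORDS = ["10.100.0.1", "10.100.4.1", "10.100.8.1"]


def netmask_order(client_ip, records, prefix_len=24, round_robin=False, seed=None):
    """Order the A records of one name the way a Windows DNS server with
    netmask ordering ("prioritize local subnets") enabled returns them.

    prefix_len models LocalNetPriorityNetMask: with the default (0x000000FF)
    the last 8 bits are ignored, so a record is local when it shares the
    client's /24.  Local records come first; within each group the stored
    order is kept unless round robin is also enabled, in which case each
    group is shuffled (seed is only there to make that reproducible).
    """
    client = ipaddress.ip_address(client_ip)
    client_net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
    if round_robin:
        rng = random.Random(seed)
        rng.shuffle(local)
        rng.shuffle(remote)
    return local + remote


def preferred_proxy(client_ip, records, **kwargs):
    """The address a client that simply takes the first answer would use."""
    return netmask_order(client_ip, records, **kwargs)[0]


if __name__ == "__main__":
    # Clients in the first two sites get their own proxy first; a client on
    # a /24 with no matching record gets the records in stored order.
    for client in ("10.100.0.50", "10.100.4.7", "10.100.12.5"):
        print(client, "->", netmask_order(client, WPAD_RECORDS))
    # A mask that is too wide (/16 here) makes every record "local", so the
    # ordering degenerates to stored order and site awareness is lost.
    print("10.100.12.5 with /16 ->",
          netmask_order("10.100.12.5", WPAD_RECORDS, prefix_len=16))
```

Two things the model makes visible that the thread only implies: the ordering keys on the source address of the query as the DNS server sees it, so every site's clients must actually query with addresses in the proxy's /24 for the scheme to work, and a client on a subnet with no matching record is not "protected" by netmask ordering at all, it simply gets whatever order the server stores (or a round-robin shuffle). Kevin's point about short TTLs applies on top of this: the server orders each answer correctly, but a client that cached a previous site's answer will keep using it until the record expires.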
jason sigurdur

hi,

So if I had wpad.domain.org with
A 10.100.0.1/24
A 10.100.4.1/24
A 10.100.8.1/24

and a client in 10.100.0.0/24 requested wpad.domain.org,
it should get 10.100.0.1?

js
Kevin D. Goodknecht Sr. [MVP]

jason said:
hi,

So if I had wpad.domain.org with
A 10.100.0.1/24
A 10.100.4.1/24
A 10.100.8.1/24

and a client in 10.100.0.0/24 requested wpad.domain.org,
it should get 10.100.0.1?

That's the way it is supposed to work in theory.
Kurt

I'm going to jump in here because I have solved the same problem by using
netmask ordering. If netmask ordering is enabled and round robin is
disabled, then if a server has three IP addresses, say 10.1.0.1, 10.2.0.1,
10.3.0.1, all /16, and a computer at 10.2.0.100 does a lookup for
"mydomain.com", assuming the DNS server is the DNS server for the domain, it
should always resolve to 10.2.0.1. Case in point: back in an MS class, I took
on an intern project where three departments all had to log into the same
domain and get to files on the server (which was DC, DNS and file server),
but could not have access to other segments. I VLAN'd them off with
different subnets on each VLAN, and three NICs on the server, one on each VLAN.
I had problems with logons, and figured out that the domain was resolving to
an IP address on the wrong subnet. After researching, I found an MS article
that said to enable netmask ordering and disable round robin. It did the
trick.

....kurt