Proper way to set up DNS for AD and Internet access for Internal c


Guest

I want to make sure I am properly setting up DNS for AD domain and Internal
users.

I set up AD domain name as company.local on dc1.company.local (192.168.0.1)-
set up local DNS, active directory integrated Zone.
They all share access to a broadband connection (512Kbps FTTH connection) to
Internet through Linksys router
I set all clients primary DNS to 192.168.0.1, this is the only DNS entry for
clients. I then go to DNS server - Forwarders TAB and put the DNS IP
addresses for my ISP

Logins work well, GPOs process and users have Internet access

Users then started to complain about web pages being kind of slow to load.

Should I add an ISP DNS entry in each client as a secondary DNS server?

Does the forwarding from the inside DNS server to ISP DNS server tend to
slow browsing?

Thanks for your time
 

Kevin D. Goodknecht Sr. [MVP]

exchangerookie1994 said:
> I want to make sure I am properly setting up DNS for AD
> domain and Internal users.

> I set up AD domain name as company.local on
> dc1.company.local (192.168.0.1)- set up local DNS, active
> directory integrated Zone.
> They all share access to a broadband connection (512Kbps
> FTTH connection) to Internet through Linksys router
> I set all clients primary DNS to 192.168.0.1, this is the
> only DNS entry for clients. I then go to DNS server -
> Forwarders TAB and put the DNS IP addresses for my ISP
>
> Logins work well, GPOs process and users have Internet
> access
>
> Users then started to complain about web pages being kind
> of slow to load.

How many users are sharing this 512Kbps link?
Mine is 800Kbps, which isn't considered fast these days; when my son is
playing XBox Live it slows me down a lot even though it only uses 112Kbps of
bandwidth.
If even one user is using internet radio you'll see a dramatic slowdown.
> Should I add an ISP DNS entry in each client as a
> secondary DNS server?

Absolutely not. This is how clients access domain resources, and the ISP
doesn't know anything about your local network; if it answers, it will be
wrong and cause network errors.
> Does the forwarding from the inside DNS server to ISP DNS
> server tend to slow browsing?

You haven't really provided any evidence to prove this is DNS related. But
you should really use the router as your forwarder, instead.
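One way to gather the evidence Kevin asks for, as an added example that is not part of this thread: a PowerShell script (Windows 8 / Server 2012 or later, for the DnsClient module's Resolve-DnsName) that times lookups of a few names against the internal DC/DNS server twice (the first pass has to go out through the forwarder, the second should be answered from a cache) and once against the upstream resolver directly. 192.168.0.1 is the DC from the thread; the upstream address and the host names are assumptions to replace with your own.

```powershell
# Added example, not from the thread. Times DNS lookups so you can tell whether
# name resolution or the 512Kbps link is what makes pages feel slow.
# Assumptions: Windows 8 / Server 2012+ (DnsClient module), and that the
# upstream address below is your router or ISP resolver.
$InternalDns = '192.168.0.1'                     # dc1.company.local, from the thread
$UpstreamDns = '192.168.0.254'                   # assumed: Linksys router / ISP DNS
$Names       = @('www.microsoft.com', 'www.example.com', 'www.example.net')

function Measure-DnsLookup {
    param([string]$Name, [string]$Server)
    # -Server pins the query to one resolver; -DnsOnly skips LLMNR/NetBIOS
    # fallbacks; -NoHostsFile keeps the hosts file out of the measurement.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = Resolve-DnsName -Name $Name -Type A -Server $Server `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
        $ok = $true
    } catch {
        $ok = $false
    }
    $sw.Stop()
    [pscustomobject]@{
        Name         = $Name
        Server       = $Server
        Ok           = $ok
        Milliseconds = [int]$sw.Elapsed.TotalMilliseconds
    }
}

$results = foreach ($n in $Names) {
    # Empty the local resolver cache so the first pass really asks the DC,
    # which in turn has to ask its forwarder (unless the DC cached it already).
    Clear-DnsClientCache
    $cold = Measure-DnsLookup -Name $n -Server $InternalDns   # DC -> forwarder
    $warm = Measure-DnsLookup -Name $n -Server $InternalDns   # served from cache
    $up   = Measure-DnsLookup -Name $n -Server $UpstreamDns   # bypass the DC
    [pscustomobject]@{
        Name             = $n
        'DC cold (ms)'   = $cold.Milliseconds
        'DC cached (ms)' = $warm.Milliseconds
        'Upstream (ms)'  = $up.Milliseconds
        AllResolved      = $cold.Ok -and $warm.Ok -and $up.Ok
    }
}
$results | Format-Table -AutoSize
```

If the cold pass takes tens of milliseconds and the cached pass a few, DNS is not what makes a page take seconds to load, and the shared 512Kbps link is the more likely cause. A cold pass that regularly takes a second or more, or failures in the upstream column, is the kind of evidence that actually points at the forwarder path.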
 

Herb Martin

exchangerookie1994 said:
> I want to make sure I am properly setting up DNS for AD domain and Internal
> users.


** See below for full summary...
> I set up AD domain name as company.local on dc1.company.local (192.168.0.1)-
> set up local DNS, active directory integrated Zone.
> They all share access to a broadband connection (512Kbps FTTH connection) to
> Internet through Linksys router
> I set all clients primary DNS to 192.168.0.1, this is the only DNS entry for
> clients.

That is actually the "Preferred DNS" (or Alternate) as the
words Primary and Secondary have technical meanings in
DNS (as types of servers.)

Your setup is correct. Internal clients must use STRICTLY
the Internal DNS.
> I then go to DNS server - Forwarders TAB and put the DNS IP
> addresses for my ISP

Good. That is correct.

You could also use a "caching only" DNS server at the firewall/DMZ
but it is NOT necessary. This would however eliminate the need for
the DC/DNS server to go out to the Internet.

OPTIONAL: IF your ISP DNS is reliable, then you might
benefit from checking "Do not use Recursion" (ONLY) on
the Forwarders tab.

This will keep your DC/DNS from trying to visit the ENTIRE
Internet but it will make it dependent on the ISP DNS for
Internet resolution. (I usually do this.)
> Logins work well, GPOs process and users have Internet access
> Users then started to complain about web pages being kind of slow to load.

> Should I add an ISP DNS entry in each client as a secondary DNS server?

NO.

Definitely NOT. This will screw up your clients (i.e., make
them erratic when they latch onto the wrong DNS server.)

It might not (probably won't) even improve performance.
Once a web site is in the DNS cache of the DNS/DC even
if another machine put it there (most people tend to visit
the same sites) then it will be there for everyone.

Some people have reported that the "Do not use Recursion"
(on forwarder tab) has improved such systems BUT I can
logically figure out why that would be the case.
> Does the forwarding from the inside DNS server to ISP DNS server tend to
> slow browsing?

No. Not in general. You would benefit more from a caching
(web) proxy. ISA (but it costs money.)


**DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
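To check the rules in Herb's "DNS for AD" summary on a current Windows network, here is an added example in PowerShell that is not part of the thread. The client part runs on any Windows 8 / Server 2012 or later machine (DnsClient module) and flags any interface that lists a DNS server other than the internal one(s), which is exactly the "ISP as secondary DNS" mistake both replies warn against. The server part runs on the DC with the DnsServer module (Server 2012 or later, or RSAT) and reads the same forwarder settings the 2003-era Forwarders tab exposes, then runs the dcdiag check Herb suggests. The allowed-server list is an assumption built from the thread's 192.168.0.1.

```powershell
# Added example, not from the thread. Audits the DNS-for-AD rules from the
# post above: every client (DCs included) must list ONLY the internal DNS
# server(s), and the DC forwards Internet queries to the router/ISP.
# Assumption: Windows 8 / Server 2012 or later for the DnsClient and
# DnsServer modules; adjust $InternalDns to your own DC/DNS addresses.
$InternalDns = @('192.168.0.1')          # dc1.company.local, from the thread

# --- Rules 2 and 3: does this machine point solely at the internal DNS? ----
function Test-ClientDnsServers {
    param([string[]]$Allowed)
    $problems = @()
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if ($iface.ServerAddresses.Count -eq 0) { continue }   # unconfigured NIC
        $bad = @($iface.ServerAddresses | Where-Object { $_ -notin $Allowed })
        if ($bad.Count -gt 0) {
            $problems += "Interface '$($iface.InterfaceAlias)' lists non-internal DNS: $($bad -join ', ')"
        }
    }
    return $problems
}

# --- Forwarders: the DC should hand Internet queries to the router/ISP ------
function Get-ForwarderSummary {
    # Needs the DnsServer module; run this on the DC itself.
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        Forwarders   = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        # "Use root hints if no forwarders are available" turned off corresponds
        # to the 2003 "Do not use recursion" option Herb describes: the DC then
        # depends entirely on the forwarder for Internet names.
        UseRootHints = $fwd.UseRootHint
        TimeoutSec   = $fwd.Timeout
    }
}

$issues = Test-ClientDnsServers -Allowed $InternalDns
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host "OK: all IPv4 interfaces use only $($InternalDns -join ', ')" }

if (Get-Module -ListAvailable -Name DnsServer) {
    Get-ForwarderSummary | Format-List

    # Herb's suggestion: run dcdiag, keep the output, search it for trouble.
    dcdiag /test:DNS /v > "$env:TEMP\dcdiag-dns.txt"
    Select-String -Path "$env:TEMP\dcdiag-dns.txt" -Pattern 'FAIL|ERROR|WARN' |
        ForEach-Object { $_.Line }

    # If dcdiag reports missing DC records, re-register them (from the thread):
    #   nltest /dsregdns /server:$env:COMPUTERNAME
}
```

Run the client part on each workstation (or push it through a startup script) and the whole thing on each DC; a DC that lists its ISP's resolver as an alternate is as much a rule 3 violation as a workstation doing so.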
 
