W2K DNS Forwarding

[knsljo]

I could do with some help regarding DNS!

We have 12 offices each on their own domain (192.168.1.0,192.168.2.0, etc)
These offices are connected via vpn links. There is a server at each office
that is responsible for DNS & DHCP, and are DC's among other things. The
majority of the servers are running W2K Server and two or three W2003.
At HQ we have a W2k Server that is the DC and responsible for DNS and DHCP.
We also have a W2k server that is also responsible for DNS (secondary) and is
also a mail server. We also have another W2k winproxy server which clients
from all offices access the internet through via the vpns to HQ.
We have just purchased a piece of software called Servicedesk that we use to
scan workstations on our network. It uses DNS to do this. This is fine on our
HQ network but over the VPN's it fails.
What i want to know is if i configure the HQ DC to use DNS forwarding, and
apply the remote branch office servers IP addresses, will i be able to
resolve the workstations names back at HQ?
I can ping all the servers and workstations from HQ but cannot resolve
computer names.
I hope this is a clear explaination of what i need to do and will be happy to
answer any questions that might help!!

 

[Kurt]

I could do with some help regarding DNS!

We have 12 offices each on their own domain (192.168.1.0,192.168.2.0, etc)
These offices are connected via vpn links. There is a server at each office
that is responsible for DNS & DHCP, and are DC's among other things. The
majority of the servers are running W2K Server and two or three W2003.
At HQ we have a W2k Server that is the DC and responsible for DNS and DHCP.
We also have a W2k server that is also responsible for DNS (secondary) and is
also a mail server. We also have another W2k winproxy server which clients
from all offices access the internet through via the vpns to HQ.
We have just purchased a piece of software called Servicedesk that we use to
scan workstations on our network. It uses DNS to do this. This is fine on our
HQ network but over the VPN's it fails.
What i want to know is if i configure the HQ DC to use DNS forwarding, and
apply the remote branch office servers IP addresses, will i be able to
resolve the workstations names back at HQ?
I can ping all the servers and workstations from HQ but cannot resolve
computer names.
I hope this is a clear explaination of what i need to do and will be happy to
answer any questions that might help!!

You can create a secondary zone on the HQ DNS Server for each of the
other sites.

Kurt

 

[knsljo via WinServerKB.com]

I could do with some help regarding DNS!

[quoted text clipped - 16 lines]

I hope this is a clear explaination of what i need to do and will be happy to
answer any questions that might help!!

You can create a secondary zone on the HQ DNS Server for each of the
other sites.

Kurt

Thanks for your comment, would i create a new standard primary zone? or an
Active directory integrated zone? also would i need to copy the DNS records
from the branch office servers to the new zones? and would i need to create a
zone for each of the domains? and lastly would i still need to have
forwarding pointed to each of the DNS servers to service DNS requests
regarding their domains from HQ. Thanks again!!

 

[knsljo via WinServerKB.com]

[quoted text clipped - 6 lines]

Kurt

Thanks for your comment, would i create a new standard primary zone? or an
Active directory integrated zone? also would i need to copy the DNS records
from the branch office servers to the new zones? and would i need to create a
zone for each of the domains? and lastly would i still need to have
forwarding pointed to each of the DNS servers to service DNS requests
regarding their domains from HQ. Thanks again!!

Sorry but would i also need to create new zones for each domain in the
forward AND reverse lookup zones?

 

[Kurt]

I could do with some help regarding DNS!

[quoted text clipped - 6 lines]

Kurt

Thanks for your comment, would i create a new standard primary zone? or an
Active directory integrated zone? also would i need to copy the DNS records
from the branch office servers to the new zones? and would i need to create a
zone for each of the domains? and lastly would i still need to have
forwarding pointed to each of the DNS servers to service DNS requests
regarding their domains from HQ. Thanks again!!

Sorry but would i also need to create new zones for each domain in the
forward AND reverse lookup zones?

You would create standard secondary zones (because you said each site is
it's own domain). You can create both forward and reverse lookup zones
as secondaries, just make sure you list the HQ DNS server as an
authorized device to do a zone transfer to.

....kurt

 

[knsljo via WinServerKB.com]

[quoted text clipped - 9 lines]

Sorry but would i also need to create new zones for each domain in the
forward AND reverse lookup zones?

You would create standard secondary zones (because you said each site is
it's own domain). You can create both forward and reverse lookup zones
as secondaries, just make sure you list the HQ DNS server as an
authorized device to do a zone transfer to.

...kurt

How do i do this? I have tried and keep getting an error when i create the
zone it says that:

"The DNS server encountered an error while attempting to load the zone. The
transfer of zone data from the Master server failed."

I can't see where Ilist the HQ DNS server as an authorized device to do a
zone transfer to?

 

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In

I could do with some help regarding DNS!

[quoted text clipped - 16 lines]

I hope this is a clear explaination of what i need to do and will
be happy to answer any questions that might help!!

You can create a secondary zone on the HQ DNS Server for each of the
other sites.

Kurt

Thanks for your comment, would i create a new standard primary zone?
or an Active directory integrated zone? also would i need to copy the
DNS records from the branch office servers to the new zones? and
would i need to create a zone for each of the domains? and lastly
would i still need to have
forwarding pointed to each of the DNS servers to service DNS requests
regarding their domains from HQ. Thanks again!!

By following Kurt's recommendation, the only forwarding you may want would
be to your ISP's DNS servers, because by having Secondary zones for each
remote domain on each DNS server, all DNS server will be able to resolve all
domains without forwarding.

It is not a good idea to forward back and forth between DNS servers because
if you aren't careful, you could start DNS looping. DNS loops occur when two
or more DNS servers forward to each other, with each telling the other to
resolve unknown names.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[knsljo via WinServerKB.com]

Read inline please.

In [quoted text clipped - 14 lines]

forwarding pointed to each of the DNS servers to service DNS requests
regarding their domains from HQ. Thanks again!!

By following Kurt's recommendation, the only forwarding you may want would
be to your ISP's DNS servers, because by having Secondary zones for each
remote domain on each DNS server, all DNS server will be able to resolve all
domains without forwarding.

It is not a good idea to forward back and forth between DNS servers because
if you aren't careful, you could start DNS looping. DNS loops occur when two
or more DNS servers forward to each other, with each telling the other to
resolve unknown names.

I have tried to set up a secondary zone on the main HQ DNS server's forward
lookup zone and reverse lookup zone for one of the remote domains but get
this error:
"The DNS server encountered an error while attempting to load the zone. The
transfer of zone data from the Master server failed."
It creates the zone but no zone data from the remote domain's DNS server gets
entered. How do i get this to work? Do i also need to create a secondary zone
for the HQ DNS servers on the remote domains?

 

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In

I could do with some help regarding DNS!

[quoted text clipped - 14 lines]

forwarding pointed to each of the DNS servers to service DNS
requests regarding their domains from HQ. Thanks again!!

By following Kurt's recommendation, the only forwarding you may want
would be to your ISP's DNS servers, because by having Secondary
zones for each remote domain on each DNS server, all DNS server will
be able to resolve all domains without forwarding.

It is not a good idea to forward back and forth between DNS servers
because if you aren't careful, you could start DNS looping. DNS
loops occur when two or more DNS servers forward to each other, with
each telling the other to resolve unknown names.

I have tried to set up a secondary zone on the main HQ DNS server's
forward lookup zone and reverse lookup zone for one of the remote
domains but get this error:
"The DNS server encountered an error while attempting to load the
zone. The transfer of zone data from the Master server failed."
It creates the zone but no zone data from the remote domain's DNS
server gets entered. How do i get this to work?

On the primary zones, you need to allow zone transfers to the IP addresses
of the servers with the secondaries.

Do i also need to
create a secondary zone for the HQ DNS servers on the remote domains?

I would on the Win2k servers, it isn't necessary to create secondary zones
on the Win2k3 servers, on those servers you can add Conditional forwarders,
with "Do not use recursion for this domain" for their remote domains.

By configuring the servers this way, you can forward internet requests to
your ISP's DNS servers.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[knsljo via WinServerKB.com]

Read inline please.
[quoted text clipped - 19 lines]

It creates the zone but no zone data from the remote domain's DNS
server gets entered. How do i get this to work?

On the primary zones, you need to allow zone transfers to the IP addresses
of the servers with the secondaries.

The current zones that have been created both forward and reverse are AD integrated will this be a problem? I take it "allow zone transfers" is an option under the properties of the forward and reverse lookup zones?

I would on the Win2k servers, it isn't necessary to create secondary zones
on the Win2k3 servers, on those servers you can add Conditional forwarders,
with "Do not use recursion for this domain" for their remote domains.

I have looked into "Conditional forwarding" it looks like that would be the solution to all my problems - if only we had 2003 on all servers. I will use this where i can.

 

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In

Read inline please.

I could do with some help regarding DNS!

[quoted text clipped - 19 lines]

It creates the zone but no zone data from the remote domain's DNS
server gets entered. How do i get this to work?

On the primary zones, you need to allow zone transfers to the IP
addresses
of the servers with the secondaries.

The current zones that have been created both forward and reverse
are AD integrated will this be a problem?

Not if the ADI zones are actual replicas replicated through AD (Available on
Win2k3 DNS servers in a single Forest, or Win2k DCs in the same domain)

Win2k does not support cross domain replication, and therefore must use
Secondary zones for other domains. IF you try to create ADI zones for other
Domains on a Win2k DNS, it has no relationship with ADI zones in other
Domains and will not get updated. You need to use secondary zones on Win2k
to resolve other AD Domains.



I take it "allow zone
Yes, on the Zone Transfers tab.



Yes, Conditional forwarding comes in handy for resolving external domains
using a particular DNS server.





Not true for proxy servers, when a browser or an application is configured
to use a proxy, that application, actually gets the name resolve by the
proxy server, and completely bypasses the DNS Client configuration. The only
sites that are resolved by the local DNS Client, are the names configured to
bypass the proxy. If a client needs DNS only for web browsing, and that
client uses a Proxy server, it does not need DNS servers in TCP/IP
properties.
Of course Active Directory is not Proxy-abled, so the client needs DNS
servers for AD, but not for web browsing.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[knsljo via WinServerKB.com]

Read inline please.

In

Read inline please.
[quoted text clipped - 10 lines]
The current zones that have been created both forward and reverse
are AD integrated will this be a problem?

Not if the ADI zones are actual replicas replicated through AD (Available on
Win2k3 DNS servers in a single Forest, or Win2k DCs in the same domain)

Win2k does not support cross domain replication, and therefore must use
Secondary zones for other domains. IF you try to create ADI zones for other
Domains on a Win2k DNS, it has no relationship with ADI zones in other
Domains and will not get updated. You need to use secondary zones on Win2k
to resolve other AD Domains.

I take it "allow zone
Yes, on the Zone Transfers tab.

Yes, Conditional forwarding comes in handy for resolving external domains
using a particular DNS server.

Not true for proxy servers, when a browser or an application is configured
to use a proxy, that application, actually gets the name resolve by the
proxy server, and completely bypasses the DNS Client configuration. The only
sites that are resolved by the local DNS Client, are the names configured to
bypass the proxy. If a client needs DNS only for web browsing, and that
client uses a Proxy server, it does not need DNS servers in TCP/IP
properties.
Of course Active Directory is not Proxy-abled, so the client needs DNS
servers for AD, but not for web browsing.

I created a test zone on the HQ DNS server and allowed zone transfers from
one of the remote DNS servers only but it failed again i got "The DNS server
encountered an error while attempting to load the zone. The transfer of zone
data from the Master server failed."
I created a test zone on one of our remote domains to transfer zone data from
the HQ DNS server, but allowed from all addresses which worked it transferd
the zone data. I will try this on the HQ server on wednesday when i'm back in
the office and let you know if it works!!
Can i transfer from data from all our remote domains into thisnew single zone
or do i need to create a new zone for each?
Thanks for all your comments by the way it has helped me no end and giving me
a much better understanding of what the DNS servers are capable of.

 

[knsljo via WinServerKB.com]

Read inline please.

[quoted text clipped - 40 lines]

Of course Active Directory is not Proxy-abled, so the client needs DNS
servers for AD, but not for web browsing.

I created a test zone on the HQ DNS server and allowed zone transfers from
one of the remote DNS servers only but it failed again i got "The DNS server
encountered an error while attempting to load the zone. The transfer of zone
data from the Master server failed."
I created a test zone on one of our remote domains to transfer zone data from
the HQ DNS server, but allowed from all addresses which worked it transferd
the zone data. I will try this on the HQ server on wednesday when i'm back in
the office and let you know if it works!!
Can i transfer from data from all our remote domains into thisnew single zone
or do i need to create a new zone for each?
Thanks for all your comments by the way it has helped me no end and giving me
a much better understanding of what the DNS servers are capable of.

I also need to mention that we have a secondary DNS server at HQ on our mail
server, do i need to create the new zone\zones on this also or will the
primary do all the work needed? And do I need to transfer the zone data of
this server to the remote domain servers? - it should have pretty much all
the same data as the primary.
Thanks again!!

 

[Kevin D. Goodknecht Sr. [MVP]]

Read inline please.

In

I created a test zone on the HQ DNS server and allowed zone transfers
from one of the remote DNS servers only but it failed again i got
"The DNS server encountered an error while attempting to load the
zone. The transfer of zone data from the Master server failed."

When allowing zone transfers, you allow zone transfers to the IP that the
Primary sees when the transfer is requested.

I created a test zone on one of our remote domains to transfer zone
data from the HQ DNS server, but allowed from all addresses which
worked it transferd the zone data. I will try this on the HQ server
on wednesday when i'm back in the office and let you know if it
works!!

Can i transfer from data from all our remote domains into thisnew
single zone or do i need to create a new zone for each?

Single Zone?
In your original post you stated each of the Remote domains had their own
domain name. If this is true then you need a secondary of each domain name,
they will not be in a single zone.

Thanks for all your comments by the way it has helped me no end and
giving me a much better understanding of what the DNS servers are
capable of.

Don't let DNS intimidate you, DNS is no more difficult than using a
Telephone book.
The Root Zone, (Which you don't usually see) is the publisher of the Book,
the TLD is like the City the book covers, and the second level domain
compares to the last name of the person you are looking for, and the host is
like the person's first name.

All DNS queries actually start at the Root, usually the ICANN Root, there
are 13 servers at the root, and they give you the IP of the DNS servers for
a particular TLD, for instance "com", there are another 13 servers servicing
the com TLD, and they give the IP address of the DNS servers for a domain,
e.g. microsoft.com. Once you have the IP addresses of the microsoft.com DNS
servers, you server can go to those servers and get the IP of a host in
microsoft.com, e.g. www.microsoft.com, or get the location of where
www.microsoft.com can be found.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[knsljo via WinServerKB.com]

Read inline please.

In

When allowing zone transfers, you allow zone transfers to the IP that the
Primary sees when the transfer is requested.


Single Zone?
In your original post you stated each of the Remote domains had their own
domain name. If this is true then you need a secondary of each domain name,
they will not be in a single zone.


Don't let DNS intimidate you, DNS is no more difficult than using a
Telephone book.
The Root Zone, (Which you don't usually see) is the publisher of the Book,
the TLD is like the City the book covers, and the second level domain
compares to the last name of the person you are looking for, and the host is
like the person's first name.

All DNS queries actually start at the Root, usually the ICANN Root, there
are 13 servers at the root, and they give you the IP of the DNS servers for
a particular TLD, for instance "com", there are another 13 servers servicing
the com TLD, and they give the IP address of the DNS servers for a domain,
e.g. microsoft.com. Once you have the IP addresses of the microsoft.com DNS
servers, you server can go to those servers and get the IP of a host in
microsoft.com, e.g. www.microsoft.com, or get the location of where
www.microsoft.com can be found.

Hi there

I have managed to now implement your sugestions and it is all now working
like a charm!!
I created secondary forward/reverse lookup zone for each of the remote
domains on the on the HQ primary and secondary DNS servers, and i also
created a secondary forward/reverse lookup zone for the HQ DNS server on each
of the remote domains.
The whole aim of this was to allow our Servicedesk to perform automated
scheduled scans of remote servers and clients to keep our inventory up to
date and to monitor software changes etc. I have tested this and it is now
able to do everything we require.

I knew what the cause of the problem was, but i don't i would have been able
to figure this out, this will save me so much time and effort. Thanks alot!!