Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: DNS Forwarders


DNS Forwarders
Lino767 5/26/2007 12:51:01 PM
Hi;

Do I have to configure the public DNS server address in my DHCP scope option with
the internal DNS address? Is it advisable to do that? I already have the
public DNS IP address configured in the forwarder.
Re: DNS Forwarders
"Herb Martin" <news[ at ]learnquick.com> 5/26/2007 1:29:12 PM

"Lino767" <Lino767[ at ]discussions.microsoft.com> wrote in message
news:3B4BE519-1196-45A1-8A24-CC5679F27603[ at ]microsoft.com...
> Hi;
>
> Do I have to configure the public DNS server address in my DHCP scope option
> with the internal DNS address,

No, that would generally be backwards.

> is it advisable to do that? I already have the
> public DNS IP address configured in the forwarder.

That is correct.

You will configure the NIC->IP properties of ALL Internal DNS
Clients (including DCs and DNS servers) with the address of ONLY
the internal DNS server set.

You use either your own Gateway/Firewall (caching only) DNS Servers
AND/OR your ISP DNS servers for the forwarders.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
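Added example (not from the thread or from either poster): a PowerShell audit that checks the split Herb describes on a Windows DNS server, DNS client settings pointing only at internal servers and forwarders pointing at ISP or gateway resolvers. The addresses, zone and host names are constructed placeholders; it assumes the DnsServer and DnsClient modules (Windows Server 2012 or later), whereas the 2007 thread would have used dnscmd.

```powershell
# Audit script added for this thread; not the posters' own code.
# Assumptions (constructed for this example):
#   $InternalDns  - addresses of your internal DNS servers
#   $InternalZone - your AD-integrated DNS zone name
#   Runs on the DNS server itself with the DnsServer/DnsClient modules.
$InternalDns  = @('10.0.0.10', '10.0.0.11')   # constructed sample addresses
$InternalZone = 'corp.example.test'           # constructed sample zone
$TestHost     = "dc1.$InternalZone"           # constructed internal name

$problems = @()

# 1. DNS client side: every interface with DNS servers set must list
#    ONLY internal servers (this applies to DCs and DNS servers too).
$ifaces = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($iface in $ifaces) {
    $external = $iface.ServerAddresses | Where-Object { $_ -notin $InternalDns }
    if ($external) {
        $problems += "Interface '$($iface.InterfaceAlias)' uses non-internal DNS: $($external -join ', ')"
    }
}

# 2. Forwarders: ISP or gateway resolvers belong here; an internal server
#    listed as a forwarder would just send the query back to itself.
$forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
if ($forwarders.Count -eq 0) {
    $problems += 'No forwarders configured; Internet names will rely on root hints'
}
foreach ($fwd in $forwarders) {
    if ($fwd -in $InternalDns) {
        $problems += "Forwarder $fwd is an internal DNS server (forwarding loop risk)"
    }
}

# 3. End-to-end check: the internal server must resolve BOTH an internal
#    name and an Internet name, which is the real requirement Herb states.
foreach ($name in @($TestHost, 'example.com')) {
    try {
        $null = Resolve-DnsName -Name $name -Server $InternalDns[0] -ErrorAction Stop
    } catch {
        $problems += "Internal DNS $($InternalDns[0]) cannot resolve $name"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'DNS client settings and forwarders match the recommended split' }
```

Run it on each DC and DNS server; a warning from step 1 is the misconfiguration the thread is about, and a failure in step 3 for the internal name usually means the server is not registering or hosting the zone it should.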


Re: DNS Forwarders
oz.ozugurlu 5/28/2007 3:32:01 AM
you may want to check this out http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html

On your DC/DNS server, point the DC/DNS to itself; you can use another
DC/DNS server as your second DNS server if you like.
You would never point your DC to your ISP DNS server. The simple reason is
that your DNS server is authoritative for your DNS name space, this is the
[ at ]mycompan.local part.
Your DC has the Active Directory DIT database (NTDS.DIT), and Windows 2000 and
2003 Active Directory is a multimaster replication model.

When a client does a query for such a resource, let's say
there is a query to locate a printer, your DC should not forward this
request (ask, if you will say so) to your ISP DNS servers; they will have no
clue about your internal printer.
ISP DNS servers are there to perform recursive queries for your domain. They
don't care about your in-house tasks.

Best
oz




--
Oz Ozugurlu
Systems Engineer
MCSE 2003| M+| S+
MCDST | Security+|Project+

oz[ at ]SMTp25.org
http://smtp25.blogspot.com (Blog)


Re: DNS Forwarders
"Herb Martin" <news[ at ]learnquick.com> 5/28/2007 8:45:52 AM

"oz.ozugurlu" <ozozugurlu[ at ]discussions.microsoft.com> wrote in message
news:3DBB4F30-735A-4D9D-B1BC-F5AA7430AD26[ at ]microsoft.com...
> you may want to check this out
> http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html
>
> on your DC/DNS server, point the DC/DNS to itself, you can use another
> DC/DNS server as your second DNS server if you like.

This is as a DNS Client (the DC as DNS Client) and is NOT related to
FORWARDERS.

> You would never point your DC to your ISP DNS server, the simple reason is
> that

As I said (DCs are INTERNAL DNS clients too):

You will configure the NIC->IP properties of ALL Internal DNS
Clients (including DCs and DNS servers) with the address of ONLY
the internal DNS server set.

> your DNS server is authoritative for your DNS name space, this is the
> [ at ]mycompan.local part.

That isn't actually the reason. The REAL reason is that the DNS
server used by the DNS clients must be able to resolve ALL of the
names your internal DNS Clients will EVER need.

This includes your own domain, but does not DIRECTLY require
that clients use those authoritative servers -- this is frequently an
unimportant distinction but it is better to learn the REAL rules than
to follow something superstitiously.

So this is unrelated technically although it is going to be the common
practice.

> Your DC has the Active Directory DIT database (NTDS.DIT), and Windows 2000
> and 2003 Active Directory is a multimaster replication model.

Again, unrelated technically although it is going to be the common
practice.

> When a client does a query for such a resource, let's say
> there is a query to locate a printer, your DC should not forward this
> request (ask, if you will say so) to your ISP DNS servers; they will have
> no clue about your internal printer.

YOUR DNS Server (not your DC technically, even though those may be the same
machine) should RESOLVE it internally FIRST, and then it should try the
Internet (forwarding or recursion) if that doesn't resolve the name.

The real reason you don't use the ISP directly is that the ISP will NEVER
be able to resolve the INTERNAL Names.

> ISP DNS servers are there to perform recursive queries for your
> domain. They don't care about your in-house tasks.

It's not that they "don't care" but that they cannot (in practically all
real cases) resolve internal names your DNS clients need.

DNS clients include both DCs and even DNS servers themselves.

Your INTERNAL DNS "clients" must use strictly INTERNAL DNS servers
which can resolve all of your internal resources AND all external names too.

Usually the internal DNS servers do the Internet resolution by forwarding,
but that is not a "rule" either.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)


Re: DNS Forwarders
oz.ozugurlu 5/29/2007 2:43:02 AM
Martin,
Thanks for your comments. My initial post was for Lino767; anyway, I saw you
have made a bunch of comments and I wanted to write you back.


"Again, unrelated technically although it is going to be the common
Practice."
-----The database for AD is the DIT database; everything you do practically and
in reality correlates to the DIT database in Active Directory, and I don't
understand why you would think this is unrelated.

"YOUR DNS Server (not your DC technically even those may be the same
machine) should RESOLVE it internal FIRST, and then it should try the
Internet (forwarding or recursion) if that doesn't resolve the name"
----Here is the hook. Internal queries, such as locating users local to
your domain, or other types of queries, should stay in-house, as well as the
printer story, just to make others understand without being too
technical. If this was not the case

"That isn't actually the reason. The REAL reason is that the DNS server
used by the DNS clients must be able to resolve ALL of the names your
internal DNS Clients will EVER need."

----I was talking more about services, not name resolution. Services such as
DHCP, DNS, Kerberos, and so on, which need to happen within your DNS name
space. There is no reason to carry this to an ISP DNS server (security, waste
of time, etc.).
Carrying your internal name resolution to your ISP won't do any good anyway.
DNS servers that are authoritative for such a domain need to perform/answer the
queries within the domain since they own the records for the DNS name space
(Active Directory Inside Out/TechNet). If internal queries are not being
resolved within the DNS name space, then there are bigger problems, I would say,
related to the DNS implementation.


Usually the internal DNS servers do the Internet resolution by forwarding
But that is not a "rule" either.

----It seems like you needed to be against most of the things I wrote here,
and this is another part, for some reason.
For people who will be reading this thread, go to Murphy's series Active
Directory Inside Out. Most of the knowledge is there, videos and MP3 free; I
recommend everyone take a look at all of them.

Thanks again for the feedback.

Best regards
Oz

--
Oz Ozugurlu
Systems Engineer
MCSE 2003| M+| S+
MCDST | Security+|Project+

oz[ at ]SMTp25.org
http://smtp25.blogspot.com (Blog)


Re: DNS Forwarders
"Herb Martin" <news[ at ]learnquick.com> 5/29/2007 9:15:19 AM

"oz.ozugurlu" <ozozugurlu[ at ]discussions.microsoft.com> wrote in message
news:CB00FE83-5386-48A3-9E4D-231CB7799E8F[ at ]microsoft.com...
> Martin,
> Thanks for your comments. My initial post was for Lino767; anyway, I saw
> you have made a bunch of comments and I wanted to write you back.
>
>
> "Again, unrelated technically although it is going to be the common
> Practice."
> -----The database for AD is the DIT database; everything you do practically
> and in reality correlates to the DIT database in Active Directory, and I don't
> understand why you would think this is unrelated.

Because the "type of database" or the name of the "ntds.dit" FILE is really
not at all important to understanding 99% of AD. Just call it Active Directory,
as there is no additional distinction needed for the DIT (file).

> "YOUR DNS Server (not your DC technically even those may be the same
> machine) should RESOLVE it internal FIRST, and then it should try the
> Internet (forwarding or recursion) if that doesn't resolve the name"
> ----Here is the hook. Internal queries, such as locating users local to
> your domain, or other types of queries, should stay in-house, as well as the
> printer story, just to make others understand without being too
> technical. If this was not the case

No, queries should not "stay" in house, they must be made TO INTERNAL
DNS Servers which can resolve both internal and external names.

You aren't saying it precisely correctly and that is obscuring the key point
for you and anyone you help.

> "That isn't actually the reason. The REAL reason is that the DNS server
> used by the DNS clients must be able to resolve ALL of the names your
> internal DNS Clients will EVER need."
>
> ----I was talking more about services, not name resolution. Services such
> as

This thread is about name resolution, DNS name resolution.

> DHCP, DNS, Kerberos, and so on, which need to happen within your DNS name
> space. There is no reason to carry this to an ISP DNS server (security,
> waste of time, etc.)

No, none of this happens "within the DNS namespace" -- it sometimes requires
DNS name resolution of internal names, so clients must use ONLY internal DNS
servers which can resolve (all) the names the clients will need.

DHCP doesn't use "names".

It has nothing to do with the ISP DNS, not because "there is no reason" but
because you must use strictly the INTERNAL DNS on internal DNS clients,
including DCs and DNS Servers, for their NIC->IP->Properties.

> Carrying your internal name resolution to your ISP won't do any good
> anyway.

It will happen anyway every time an internal name is not properly
registered.

This is NOT something the DNS CLIENTS can control, nor really the DNS
Servers either, other than by having all of the names properly registered;
but since this is also dependent on the DCs etc. registering themselves
properly, this is part of the reason that even DCs must be set to use
strictly the internal DNS Servers.

> DNS servers that are authoritative for such a domain need to perform/answer
> the queries within the domain since they own the records for the DNS name
> space.

True, but it is NOT technically true (just common) that the DNS clients need
to be pointed to THOSE Authoritative servers -- certainly NOT because they are
authoritative.

They must instead be pointed to a DNS server which can FIND ALL of the
internal DNS zones, i.e., the internal authoritative DNS Server. Clients do
NOT have to do this directly -- it won't even work when the clients live in
a multi-zone (multiple domain forest) environment.

> (Active Directory inside out/TechNet), if internal queries are not being
> resolved within the DNS name space,

This use of the word "name space" (and the one above) is just another
misunderstanding that you will have to research on your own -- a name space
is actually a group of names that can be found by searching from the top
down -- sometimes this is important to internal DNS considerations but
much of the time it is just a misuse of the terminology.

A misuse which is propagated even by otherwise excellent books and
otherwise knowledgeable people.

> then bigger problems I would say related
> to DNS implementation

Ok, but that doesn't say anything USEFUL.


> Usually the internal DNS servers do the Internet resolution by forwarding
> But that is not a "rule" either.


> ----It seems like you needed to be against most of the things I wrote
> here,

It is not useful to post a technically inaccurate followup to a post that
already explained it correctly.

