I am looking for a white paper that says in plain English that when setting up DHCP, you don't need to add the ISP's DNS server as a secondary DNS. It is best to use one of the many internal DNS's, and then use forwarders. I can't seem to find a document that spells that out. This is in a medium sized AD environment.
Hello Barry,
See here: http://support.microsoft.com/kb/323380
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thanks, but that doesn't really spell it out. I am having a hard time finding something that says never set a secondary DNS server on a Windows domain client to an external DNS server. I need something I can show that says only use internal DNS servers and this is why you don't use external.
I was really looking for something about workstations and desktops. I am in a tough situation here, at odds with superiors. I was looking for something that says do not assign users a secondary DNS server that points to your ISP's DNS server. There is no need. I don't know if that will be enough, they are dug in. Thanks for the help.
"Meinolf Weber" wrote:
> Hello Barry,
>
> This states, NOT to configure the ISP's DNS server on the NIC. What else do you need?
>
> "If this server needs to resolve names from its Internet service provider (ISP), you must configure a forwarder."
>
> Best regards
>
> Meinolf Weber
Thanks, I guess that will have to do. Do you know of any negative impacts from setting a secondary to an external DNS server? Obviously loss of resources if the primary goes down, but what about security?
"Meinolf Weber" wrote:
> Hello Barry,
>
> Maybe this one is better for you:
> Do not configure the client DNS settings to point to your ISP's DNS servers. If you do so, you may experience issues when you try to join the Windows 2000-based or Windows Server 2003-based server to the domain, or when you try to log on to the domain from that computer. Instead, the internal DNS server should forward to the ISP's DNS servers to resolve external names.
>
> From "Windows 2000 Server and Windows Server 2003 member servers", you can see a member server like a normal client:
> http://support.microsoft.com/kb/825036
>
> Best regards
>
> Meinolf Weber
thanks, a bunch.
In news:E99EFDFF-933D-4CCA-A1EB-243864879B6F[ at ]microsoft.com, Barry Alan <BarryAlan[ at ]discussions.microsoft.com> requesting assistance, typed the following:
> thanks, a bunch.
Barry, the reason behind it is the DNS client side resolver service and how it treats multiple entries. The resolver service works exactly the same on a client machine or a server, DC, etc. Each entry is checked; if one gets a response, then that's it, it will not go to the next in the series. So if it is on the one with an external DNS, and it asks where my AD domain resources are, the external one will not have an answer. Because it is a response, it will not check the other. If one is down or times out, it will go to the next. The TTL for this resets every 15 minutes. So if you have a client machine trying to log on or trying to access a printer, and it queries DNS to find a DC to authenticate and the external one is the one that responds, guess what happens?
The following is a better explanation with actual links explaining the resolver service from my blog at my website: http://fekay.com/SupportBlogs.htm
=====================================
DNS Client side Query Process
If the server gets a response, even if it is a negative ('not found') response, it's a response and it will not go to the alternate. If the query to the first one times out (after 3 tries), it removes it from the 'eligible' resolvers list and then goes to the next one in the order listed. It will not go back to the first one until a specified timeout period (forget how long) unless one of three other things happens: restart the machine, restart the DNS Client Service or DHCP Client Service, or set a reg entry to force the TTL to reset the list after each query.
Sorry about all the links. They all give little but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.
W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
How DNS query works Domain Name System(DNS): http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx
DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp
286834 - DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too: http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client: http://support.microsoft.com/?id=261968
DNS Client Side Resolver (bottom paragraph): http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_ovr_ClientFeatures.htm
DNSQueryTimeouts and how to set on client side to reset DNS query list, Appendix C, Windows Sockets and DNS Registry Parameters: http://technet2.microsoft.com/WindowsServer/en/library/94d21089-411b-4bce-a823-49a77a46e7661033.mspx?mfr=true
SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too): http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
-- Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> Obviously loss of resources if the primary goes down,
That is the least of your problems. The main reason you don't want to use ISP DNS ANYWHERE in your INTERNAL TCP/IP configuration is simply because the ISP DNS Server does NOT typically contain the zone information for your internal domain. So, if your internal client/server asks the ISP server for the Domain Controller for your internal domain, where will the ISP find the information? Of course the ISP DNS server can't find the record unless your ISP Server is ALSO hosting your internal domain info, or your internal domain records are published externally for all the world to see.
It is very simple to explain to the "superior" in question. DNS servers help clients find records. ISP DNS servers have no knowledge of your internal records, so if you configure your clients to ask an ISP DNS server, then the client will NEVER be able to locate the records it is looking for. Can't locate DCs or file servers, can't log in or access resources.
Deji
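The resolver behaviour Ace describes (first answer wins, a negative answer counts, a timed-out server is dropped from the list until it is reset) and the consequence Deji spells out (the ISP server has no zone data for the internal domain) can be walked through together in a small model. This is an added example written for this thread, not code from any of the posters or from Microsoft; the server names, the records and the domain corp.example are constructed, and the retry count of 3 is taken from Ace's description.

```python
"""Model of the DNS client-side resolver behaviour described in the thread.

Added example, not code from the posts or from Microsoft. Server names, zone
data and the domain corp.example are constructed.
"""

TIMEOUT = None          # a server that is down gives no answer at all
RETRIES = 3             # the thread: "after 3 tries" the server is dropped
DC_SRV = "_ldap._tcp.dc._msdcs.corp.example"   # SRV record a client uses to find a DC

class DnsServer:
    def __init__(self, name, records, up=True):
        self.name, self.records, self.up = name, dict(records), up

    def query(self, qname):
        """[] is a negative answer (name not found); TIMEOUT means no response."""
        return TIMEOUT if not self.up else self.records.get(qname, [])

class ClientResolver:
    def __init__(self, servers):
        self.servers = list(servers)        # order as configured on the NIC
        self.eligible = list(servers)       # minus servers dropped for timing out
        self.log = []                       # (server, qname, outcome) for inspection

    def reset(self):
        """What a DNS Client service restart or the reset timer does."""
        self.eligible = list(self.servers)

    def resolve(self, qname):
        for server in list(self.eligible):
            for _ in range(RETRIES):
                answer = server.query(qname)
                if answer is not TIMEOUT:
                    self.log.append((server.name, qname, "answer" if answer else "negative"))
                    return answer           # a negative answer is still an answer: stop here
            self.log.append((server.name, qname, "timeout"))
            self.eligible.remove(server)    # not tried again until reset()
        return TIMEOUT

def walkthrough():
    """Internal DC as primary, ISP resolver as secondary, as in Barry's question."""
    dc = DnsServer("dc1", {DC_SRV: ["dc1.corp.example"], "www.example.com": ["203.0.113.10"]})
    isp = DnsServer("isp", {"www.example.com": ["203.0.113.10"]})   # no corp.example zone
    client = ClientResolver([dc, isp])
    healthy = client.resolve(DC_SRV)        # primary answers: DC found
    dc.up = False                           # primary goes down (or just times out once)
    outage = client.resolve(DC_SRV)         # ISP says "not found": logon fails
    dc.up = True                            # primary is back...
    after = client.resolve(DC_SRV)          # ...but the resolver stays on the ISP
    client.reset()
    recovered = client.resolve(DC_SRV)
    return healthy, outage, after, recovered, client.log
```

The `after` step is the part that matters for Barry's argument: once the client has moved to the ISP server, every lookup for the internal domain gets a clean "not found" and the internal server is not asked again until the list resets.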