Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: DNS, tune up

DNS, tune up
Chris <chrisnet46[ at ]gmail.com> 10/30/2008 8:34:38 AM
Hello,

I am working in a new company and I think the DNS infrastructure is
messy. Since I have a very basic knowledge of Microsoft DNS, I need
your help to do some cleaning:

- There are 3 DNS servers.

Two of them are hosted on our two DCs. Those are primary and
secondary name servers. Can I just stop the third one? Are there any
settings I have to remove on the primary and secondary NS?

- When I do an nslookup ourdomain.com, should it return only the IPs
that point to our primary and secondary NS? If there is any other IP
listed, should I just remove the NS entries for those IPs in our domain
zone?

- the primary DNS is hosted on an ISA 2000 server; the external NIC IP
is registered in the DNS. I think I have to prevent it from being
registered, is it correct?

Thank you

Chris
Re: DNS, tune up
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/3/2008 5:33:49 AM
In news:99d4c448-00ea-4875-a311-a21d82d3adec[ at ]t65g2000hsf.googlegroups.com,
Chris <chrisnet46[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
> Hello,
>
> I am working in a new company and I think the DNS infrastructure is
> messy. Since I have a very basic knowledge of Microsoft DNS, I need
> your help to do some cleaning :
>
> - There are 3 DNS servers.
>
> Two of them are hosted on our two DC's. Those are primary and
> secondary name servers. Can I just stop the third one ? Is there any
> settings I have to remove on the primary and secondary NS?
>
> - When I do an nslookup ourdomain.com, should it return only the IPs
> that point to our primary and secondary NS? If there is any other IP
> listed, should I just remove the NS entries for those IPs in our domain
> zone?
>
> - the primary DNS is hosted on an ISA 2000 server; the external NIC IP
> is registered in the DNS. I think I have to prevent it from being
> registered, is it correct?
>
> Thank you
>
> Chris

If two are on DCs, what is the 3rd DNS?
Is the ISA a DC?

When you mentioned Primary and Secondary, do you mean zone types or the
position in IP properties on a client machine? If every DC is a DNS server
and hosts AD integrated zones, one DC cannot hold a Primary zone (in the RFC
sense of the description) while the other DC holds a Secondary zone and gets
zone transfers from the Primary. That will cause a dupe in the AD database
of the zone.

Not exactly understanding the infrastructure as posted, here are some
suggestions:

1. Do not put DNS on a multihomed machine.
2. Never multihome a DC, unless it's SBS, then you have no choice.
3. Do not make an ISA server a DC, unless this is SBS, which complicates
things if you have additional DCs. SBS does things differently. Post to the
SBS newsgroup for additional information.
4. If using AD integrated zones, I would suggest only hosting DNS on the
DCs. Don't use a non-DC for the same zone. It complicates things and reduces
security on the zone data.

So with an ISA (non-SBS), you can have the following:

ISA Server:
Multihomed
No DNS
Not a DC
Internal NIC set to use one of the DC/DNS below
Outside NIC set to use ISP's
External NIC - Disable NetBIOS, uncheck "register this connection"
External NIC is the only one with a gateway address, either to the ISP or to
a firewall/router

DC1:
Single homed
DNS with the zone as AD integrated
DNS forwarder to ISP's DNS
Set IP properties to point to DC2 as the first entry, then DC1 as the second
entry.
Gateway is the ISA

DC2:
Single homed
DNS with AD integrated zones.
DNS forwarder to ISP's DNS
Set IP properties to point to DC1 as the first entry, then DC2 as the second
entry.
Gateway is the ISA


Do you have Exchange? If so:
Single homed
No DNS
Not an ISA

Hope that helps for starters.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Re: DNS, tune up
Chris <chrisnet46[ at ]gmail.com> 11/3/2008 9:44:51 AM
Ace, thank you for all that information.

I don't know why there is a 3rd DNS server. It's installed on an old
server. Maybe it was the primary DNS server some time ago. Now, it
acts as a mirror of the primary/secondary DNS server. I think I can
disable and stop the service but maybe there are some settings to
check on the other DNS servers.

- our primary DC is hosting an ISA 2000 and our primary DNS; it is not
an SBS server...
- when I mention Primary and Secondary DNS, I mean the position in IP
properties on a client machine

I have to rethink all of our MS infrastructure.
For now can you confirm that nslookup mydomain.com should only return
the IPs of my primary and secondary DNS servers?

Thank you.

Chris




On Nov 3, 6:33 am, "Ace Fekay [Microsoft Certified Trainer]"
<firstnamelastn...[ at ]hotmail.com> wrote:
[Quoted Text]
> In news:99d4c448-00ea-4875-a311-a21d82d3adec[ at ]t65g2000hsf.googlegroups.com,
> Chris <chrisne...[ at ]gmail.com> requesting assistance, typed the following:
>
>
>
> > Hello,
>
> > I am working in a new company and I think the DNS infrastructure is
> > messy. Since I have a very basic knowledge of Microsoft DNS, I need
> > your help to do some cleaning :
>
> > - There are 3 DNS servers.
>
> > Two of them are hosted on our two DC's. Those are primary and
> > secondary name servers. Can I just stop the third one ? Is there any
> > settings I have to remove on the primary and secondary NS?
>
> > - When I do an nslookup ourdomain.com, should it return only the IPs
> > that point to our primary and secondary NS? If there is any other IP
> > listed, should I just remove the NS entries for those IPs in our domain
> > zone?
>
> > - the primary DNS is hosted on an ISA 2000 server; the external NIC IP
> > is registered in the DNS. I think I have to prevent it from being
> > registered, is it correct?
>
> > Thank you
>
> > Chris
>
> If two are on DCs, what is the 3rd DNS?
> Is the ISA a DC?
>
> When you mentioned Primary and Secondary, do you mean zone types or the
> position in IP properties on a client machine? If every DC is a DNS server
> and host AD integrated zones, one DC cannot hold a Primary zone (in the RFC
> sense of the description) and the other DC hold a Secondary zone and getting
> zone transfers from the Primary. That will cause a dupe in the AD database
> of the zone.
>
> Not exactly understand the infrastructure as posted, here are some
> suggestions:
>
> 1. Do not put DNS on a multihomed machine.
> 2. Never multihome a DC, unless it's SBS, then you have no choice.
> 3. Do not make an ISA server a DC, unless this is SBS, which complicates
> things if you have additional DCs. SBS does things differently. Post to the
> SBS newsgroup for additional information.
> 4. If using AD integrated zones, I would suggest to only host DNS on the
> DCs. Don't use a non-DC for the same zone. It complicates things and reduces
> security on the zone data.
>
> So with an ISA (non-SBS), you can have the following:
>
> ISA Server:
> Multihomed
> No DNS
> Not a DC
> Internal NIC set to use one of the DC./DNS below
> Outside NIC set to use ISP's
> External NIC - Disable NetBIOS, uncheck "register this connection"
> External NIC is the only one with a gateway address, either to the ISP or to
> a firewall/router
>
> DC1:
> Single homed
> DNS with the zone as AD integrated
> DNS forwarder to ISP's DNS
> Set ip properties to point to DC2 as the first entry, then DC1 as the second
> entry.
> Gateway is the ISA
>
> DC2:
> Single homed
> DNS with AD integrated zones.
> DNS forwarder to ISP's DNS
> Set ip properties to point to DC1 as the first entry, then DC2 as the second
> entry.
> Gateway is the ISA
>
> Do you have Exchange? If so:
> Single homed
> No DNS
> Not an ISA
>
> Hope that helps for starters.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly.
> Please check http://support.microsoft.com for regional support phone
> numbers.

Re: DNS, tune up
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/4/2008 5:54:46 AM
In news:6f3e1e3b-911c-4ac7-aeb7-574fdb96a813[ at ]q30g2000prq.googlegroups.com,
Chris <chrisnet46[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
> Ace, thank you for all that information.
>
> I don't know why there is a 3rd DNS server. It's installed on an old
> server. Maybe it was the primary DNS server some time ago. Now, it
> acts as a mirror of the primary/secondary DNS server. I think I can
> disable and stop the service but maybe there are some settings to
> check on the other DNS servers.
>
> - our primary DC is hosting an ISA 2000 and our primary DNS; it is not
> an SBS server...
> - when I mention Primary and Secondary DNS, I mean the position in IP
> properties on a client machine
>
> I have to rethink all of our MS infrastructure.
> For now can you confirm that nslookup mydomain.com should only return
> the IPs of my primary and secondary DNS servers?
>
> Thank you.
>
> Chris
>
>

Yes, I would re-evaluate the infrastructure and server roles, especially a
DC being an ISA box because of the multihoming and other aspects involved
with ISA, DNS and multihoming.

When you run nslookup on mydomain.com, it should only show the two DC IPs.
You may get three due to the multihomed DC, which is not good for the
clients and DCs themselves if they get the outside IP of the ISA box because
they cannot connect to that IP.

I would remove that additional (non-DC DNS) server. Make sure no clients or
DCs are using it in their IP properties. This machine would be an excellent
candidate for ISA.

Ace

Re: DNS, tune up
Chris <chrisnet46[ at ]gmail.com> 11/4/2008 8:44:36 AM
On Nov 4, 6:54 am, "Ace Fekay [Microsoft Certified Trainer]"
<firstnamelastn...[ at ]hotmail.com> wrote:
[Quoted Text]
> In news:6f3e1e3b-911c-4ac7-aeb7-574fdb96a813[ at ]q30g2000prq.googlegroups.com,
> Chris <chrisne...[ at ]gmail.com> requesting assistance, typed the following:
>
>
>
> > Ace thank you for all those information.
>
> > I don't know why there is a 3rd DNS server. It's installed on an old
> > server. Maybe it was the primary DNS server some times ago. Now, it
> > acts as a mirror of the primary/secondary DNS server. I think I can
> > disable and stop the service but may be there are some settings to
> > check on the other DNS servers.
>
> > - our primary DC is hosting an ISA 2000 and our primary DNS, it is not
> > an SBS server...
> > - when I mention Primary and Secondary DNS,  I mean the position in IP
> > properties on a client machine
>
> > I have to rethink all of our MS infrastructure.
> > For now can you confirm that nslookup mydomain.com should only return
> > IP of my primary and secondary DNS servers.
>
> > Thank you.
>
> > Chris
>
> Yes, I would re-evaluate the infrastructure and server roles, especially a
> DC being an ISA box because of the multihoming and other aspects involved
> with ISA, DNS and multihoming.
>
> When you run nslookup on mydomain.com, it should only show the two DC IPs.
> You may get three due to the multihomed DC, which is not good for the
> clients and DCs themselves if they get the outside IP of the ISA box because
> they cannot connect to that IP.
>
> I would remove that additional (non-DC DNS) server. Make sure no clients or
> DCs are using it in their IP properties. This machine would be an excellent
> candidate for ISA.
>
> Ace

Nslookup mydomain.com returns 9 IPs, don't laugh (part 1). I think it
should return 4 since we have 2 NICs on the DC/DNS because we still
have a token ring network, don't laugh (part 2).

So to do some cleaning, I have to:

On the "tertiary" DNS

- disable/stop the DNS service

On the primary DNS (ISA)

- remove all the NS entries except for my DNS1 and DNS2
- in the SOA entry / name servers, keep only DNS1 and DNS2
- in the zone properties / name servers keep only DNS1 and DNS2
- what about DomainDNSZones and ForestDNSZones, there are some IPs
referring to the old NS server. Delete them?
- uncheck "register this connection" for the external NIC

On the secondary DNS

- the above settings should be automatically replicated
- the settings of the zone transfer seem to be strange too:
* allow zone transfers is checked and automatically notify points
to a server IP that doesn't exist on our network. Should I uncheck
"allow zone transfers" for this server?


Thank you for your help Ace.

Chris

Re: DNS, tune up
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/6/2008 4:00:48 AM
In news:28f21d9b-a9c3-4c11-8f3c-b31965aa9473[ at ]v16g2000prc.googlegroups.com,
Chris <chrisnet46[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
> On Nov 4, 6:54 am, "Ace Fekay [Microsoft Certified Trainer]"
> <firstnamelastn...[ at ]hotmail.com> wrote:
>> In news:6f3e1e3b-911c-4ac7-aeb7-574fdb96a813[ at ]q30g2000prq.googlegroups.com,
>> Chris <chrisne...[ at ]gmail.com> requesting assistance, typed the
>> following:
>>
>>
>>
>>> Ace thank you for all those information.
>>
>>> I don't know why there is a 3rd DNS server. It's installed on an old
>>> server. Maybe it was the primary DNS server some times ago. Now, it
>>> acts as a mirror of the primary/secondary DNS server. I think I can
>>> disable and stop the service but may be there are some settings to
>>> check on the other DNS servers.
>>
>>> - our primary DC is hosting an ISA 2000 and our primary DNS, it is
>>> not an SBS server...
>>> - when I mention Primary and Secondary DNS, I mean the position in
>>> IP properties on a client machine
>>
>>> I have to rethink all of our MS infrastructure.
>>> For now can you confirm that nslookup mydomain.com should only
>>> return IP of my primary and secondary DNS servers.
>>
>>> Thank you.
>>
>>> Chris
>>
>> Yes, I would re-evaluate the infrastructure and server roles,
>> especially a DC being an ISA box because of the multihoming and
>> other aspects involved with ISA, DNS and multihoming.
>>
>> When you run nslookup on mydomain.com, it should only show the two
>> DC IPs. You may get three due to the multihomed DC, which is not
>> good for the clients and DCs themselves if they get the outside IP
>> of the ISA box because they cannot connect to that IP.
>>
>> I would remove that additional (non-DC DNS) server. Make sure no
>> clients or DCs are using it in their IP properties. This machine
>> would be an excellent candidate for ISA.
>>
>> Ace
>
> Nslookup mydomain.com returns 9 IPs, don't laugh (part 1). I think it
> should return 4 since we have 2 NICs on the DC/DNS because we still
> have a token ring network, don't laugh (part2).
>
> So to do some cleaning, I have to :
>
> On the "tertiary" DNS
>
> - disable/stop the DNS service
>
> On the primary DNS (ISA)
>
> - remove all the NS entries except for my DNS1 and DNS2
> - in the SOA entry / name servers, keep only DNS1 and DNS2
> - in the zone properties / name servers keep only DNS1 and DNS2
> - what about DomainDNSZones and ForestDNSZones, there are some IPs
> referring to the old NS server. Delete them?
> - uncheck "register this connection" for the external NIC
>
> On the secondary DNS
>
> - the above settings should be automatically replicated
> - the settings of the zone transfer seem to be strange too:
> * allow zone transfers is checked and automatically notify points
> to a server IP that doesn't exist on our network. Should I uncheck
> "allow zone transfers" for this server?
>
>
> Thank you for your help Ace.
>
> Chris

I promise I won't laugh. :-)

On the ISA, since it is a DC, you need to make registry changes to eliminate
the external NIC from registering, because of two things: one, it's a DC and
it will register all known interfaces into the SRV records for the
LdapIpAddress, which is the "(same as parent)" host record, and two, it's a
DNS server, which will force the registration into DNS. Simply unchecking
it will not work.

Here's a link to a tutorial on how to control registration on a multihomed
DC, which I put together in the past, available on my website (still under
construction and will change domain names shortly). Search the text string
"Multi-homed DCs" at this link:
http://www.fekay.com/SupportBlogs.htm

For the "secondary" DNS, if the zone is AD integrated, disable zone
transfers on both DNS server zone properties.

But all in all, my original suggestions still stand. Maybe easier to backup
the ISA config on ISA, uninstall ISA, disable the outside NIC, change the
internal NIC's IP to something else, and make the former 'tertiary' DNS
server your ISA machine. Set the IP address on this box the same settings
the original ISA had. Then install ISA and restore the firewall backup so
you still have your rules.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
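Chris's cleanup checklist and Ace's point about a multihomed DC registering its external NIC can be turned into a repeatable audit. The following is an added example, not code from the thread or from either poster. It parses a constructed BIND-style text dump of the zone (not the output of dnscmd or the DNS console; example.local, dc1, dc2, oldsrv and every address are placeholders) and reports each apex A record, NS record, SOA primary, DC host address and _ldap SRV target that does not belong to the two DCs that should remain. The apex A records are what a client gets back from nslookup mydomain.com, so the same report answers the "should it return only the DC IPs" question.

```python
"""Audit an AD-integrated zone's apex records against the DCs that should be
its only name servers.  Added example; the zone text below is constructed and
all names/addresses are placeholders (not from the thread)."""
from collections import defaultdict

# Constructed sample modelled on the situation in the thread:
# 10.0.0.10 / 10.0.0.11 = DC1 / DC2 LAN addresses (the only ones clients should see)
# 203.0.113.5           = external NIC of the ISA box that is also DC1
# 10.0.0.50             = the old "tertiary" DNS server still listed as NS
SAMPLE_ZONE = """\
@           SOA  dc1.example.local. hostmaster.example.local. (2008110401 900 600 86400 3600)
@           NS   dc1.example.local.
@           NS   dc2.example.local.
@           NS   oldsrv.example.local.
@           A    10.0.0.10
@           A    10.0.0.11
@           A    203.0.113.5
@           A    10.0.0.50
dc1         A    10.0.0.10
dc1         A    203.0.113.5
dc2         A    10.0.0.11
oldsrv      A    10.0.0.50
_ldap._tcp  SRV  0 100 389 dc1.example.local.
_ldap._tcp  SRV  0 100 389 dc2.example.local.
_ldap._tcp  SRV  0 100 389 oldsrv.example.local.
"""

# Allow-lists: the addresses and name-server hosts that are supposed to remain.
EXPECTED_DC_IPS = {"10.0.0.10", "10.0.0.11"}
EXPECTED_NS = {"dc1.example.local.", "dc2.example.local."}


def parse_zone(text):
    """Return {(owner, rtype): [rdata_fields, ...]} from a BIND-style dump.
    Lines starting with ';' are comments; anything with fewer than three
    fields is ignored.  Only the record types the audit uses are interpreted."""
    records = defaultdict(list)
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts[0], parts[1].upper(), parts[2:]
        records[(owner, rtype)].append(rdata)
    return records


def apex_addresses(text):
    """The A records at the zone apex, i.e. what 'nslookup mydomain.com' returns."""
    return sorted({r[0] for r in parse_zone(text)[("@", "A")]})


def audit_zone(text, expected_ips=EXPECTED_DC_IPS, expected_ns=EXPECTED_NS):
    """Return a cleanup report as a list of (finding, value) tuples."""
    recs = parse_zone(text)
    findings = []
    # 1. Apex A records ("(same as parent)" hosts): anything not a DC LAN address
    #    will be handed to clients that can never reach it, e.g. the ISA outside IP.
    for ip in sorted({r[0] for r in recs[("@", "A")]} - expected_ips):
        findings.append(("stray apex A record (same as parent)", ip))
    # 2. NS records must name only the DCs hosting the AD-integrated zone.
    for host in sorted({r[0] for r in recs[("@", "NS")]} - expected_ns):
        findings.append(("stray NS record", host))
    # 3. The SOA primary server (MNAME) must be one of the expected DCs.
    for soa in recs[("@", "SOA")]:
        if soa[0] not in expected_ns:
            findings.append(("SOA primary server not an expected NS", soa[0]))
    # 4. A DC host record carrying a non-LAN address is the multihoming symptom
    #    Ace describes: the DC registered its external interface.
    for host in sorted(expected_ns):
        short = host.split(".")[0]
        for r in recs[(short, "A")]:
            if r[0] not in expected_ips:
                findings.append((f"{short} registered a non-DC-LAN address", r[0]))
    # 5. _ldap SRV targets are offered to clients as domain controllers; a
    #    non-DC target here sends logons to a box that cannot service them.
    for (owner, rtype), rds in recs.items():
        if rtype == "SRV" and owner.startswith("_ldap"):
            for r in rds:  # SRV rdata: priority weight port target
                if r[3] not in expected_ns:
                    findings.append((f"{owner} SRV target is not a DC", r[3]))
    return findings


if __name__ == "__main__":
    print("nslookup would return:", ", ".join(apex_addresses(SAMPLE_ZONE)))
    for finding, value in audit_zone(SAMPLE_ZONE):
        print(f"{finding}: {value}")
```

Run it again a few minutes after the cleanup: as Ace notes, a DC that is also a DNS server re-registers its interfaces, so if the external address reappears at the apex the registry change he refers to is still needed and unchecking "register this connection" alone was not enough. For the DomainDnsZones and ForestDnsZones records Chris asks about, feed each partition's dump through the same audit with the same allow-lists.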
