DNS Forwarding, don't understand it.

[mthaler 0]

Please bear with my ignorance on this one:

One server, using Windows2K, Active Directory. It was set up as the only server in the domain. Let's call it. yada.yada.local

It is set up with a connection to a DSL router.

The machines can connect fine to the internet using the gateway set to the router, and the two sets of DNS numbers provided by DSL provider.

The problem with this is logon to server is slow. People here told me that you need to set the FIRST DNS to the server's IP address if you don't want to wait a minute each time you logon.

Unfortunately it does not seem to be forwarding the DNS from the DSL provider.

Where does this need to be put in the DNS service to forward properly?

Thanks, and sorry for missing something which is probably quite obvious.

[clutch 1]

It's obvious to most people only after they have done it. First, you have to understand that any machine that has an outside DNS server's IP setup as a DNS box can contaminate its name resolution. For example, let's say you had yada.yada.local as a real name on the outside world, and as your LAN domain (not gonna happen, but this is just for theory). Now, on a given client you have your internal DNS box as DNS server one, and an outside DNS server box as DNS server two. Now, when the client needs to authenticate, the first thing it's gonna do is try to resolve the current domain that it's in, and find the first available DC to authenticate it. It will try the first DNS server, and hopefully get in contact with it. Now, in a low demand environment where the server is ALWAYS available, the problem would never manifest, but you will see the "rub" soon enough. Now, let's say it's booting up, and the first server isn't available. Well, since it's a fresh boot there will not be any sort of DNS resolver cache to fall back on, so it will hit the DNS boxes. Next, the first is a no-show, so it goes for number two. Number says that yada.yada.local is your *outside* (real) IP, and it will hand that info back to your client. Now, the client will keep hitting the outside IP thinking it has the proper information for your domain, and will keep hitting your outside IP (probably on the other end of a router or NAT system, right?) until it gives up, then moves down the resolution chain. Unfortunately, this is where you see a lot of AD errors and timeouts; simple name resolution.

 

So, what do I do about it you ask? Simple, you setup internal DNS box(es) that handle all name resolution for your clients, and only those clients. The forwarders are there so the DNS server that you setup can get info on other domains besides the one setup locally on it (it doesn't mystically pickup every single domain ever listed unless you try to sync it with a root server, and you *really* don't want that) and can then help clients get to where they are going. Normally, I suggest putting your ISP's DNS servers on there, as they are faster to get to (hop-wise). You can use root hints to bypass the ISP's servers and go straight to the source, but I never bother.

 

This is what I do. I setup the DNS box for my domain, and enter static assignments for my servers and other fixed IPs (printers and such). I also enter WWW, FTP, SMTP, and MX records as needed. Then, I enter all the official DNS boxes on my network into the DNS Servers tab, and then instruct them to only replicate with servers listed on that tab (that way your boxes don't arbitrarily receive traffic from the outside and try to replicate junk data from your non-routable IPs to the outside world). I also enable WINS and WINS-R lookups and point them to my WINS server (yeah, it's supposed to be dead but sometimes you still need it).

 

If you need more info, let me know. But, this should be enough to get you going. You can also do a search here using my name and "DNS" for other explanations on this.

[mthaler 0]

Well I wish I understood this better.

Let's clarify a couple things.

1. They can't afford more than one server, so any DNS servers are going to be on the one and only server on this network.

2. The server's IP is set to a local IP 192.168.1.20 and there IS a NAT router that is NOT doing DHCP (the server has that set up).

 

So if I look in the Administrative Tools/DNS it lists the server and I do properties and it says for Name Servers, it has the server name and the IP address for the server. The General Tab is set to Allow only Secure Dynamic Updates. and Active Directory-integrated. The WINS server is setup and WINS Lookup is enabled.

 

Should the DNS servers provided by the DSL ISP be listed there (in the forward lookup zone) as well?

[clutch 1]

Here is another link that I posted before, and it might be simpler to follow.

 

http://www.iisanswers.com/articles/dns_for_iis.htm

 

But essentially, it sounds like you are close. Just so you know, AD is designed to work with 2 or more DCs, and can be quirky when running solo. Also, as a side note, you can setup a DNS server in Linux or BSD to handle those duties. I haven't done this, but it is feasible from what I have read. Just remember, you want all of the of the internal workstations and servers to point to your internal DNS server for name resolution, and this includes the NIC on the server itself.