Pri & Sec DNS questions

August 3, 2004 8:36:37 PM

Archived from groups: microsoft.public.win2000.dns

Would somebody please give me step-by-step, detailed info about how to
set up primary & secondary DNS servers without AD, just stand-alone servers (no DC)?
Thanks.

--
Regards,
Joe


Anonymous
August 3, 2004 9:22:38 PM


"Joe" <joebio91@hotmail.com> wrote in message
news:Ox7pykZeEHA.4092@TK2MSFTNGP10.phx.gbl...
> Would somebody please give me the step by step and detail info about how
> to set up Pri & Sec DNS server Without AD and just stand alone servers (no
> DC)
> ????
> Thanks.

The primary is the ONLY DNS server (in the set) that can change
a specific zone. Secondaries pull changes from their primary
or another secondary (aka, "the master" to be generic.)

A DNS server has two major functions:

1) Help your users resolve resources through the namespace
(including perhaps the INTERNET)

2) Help "other" users resolve YOUR RESOURCES.

Although many DNS servers do both, it is important to know
which you wish to accomplish -- or both -- and in some sense
to approach the setup as if the two jobs are separate (mostly
they are in fact.)

When speaking of Primary/Secondary we are talking about
#1 -- Primary and Secondary are terms ONLY on the DNS
server and refer to their responsibility for one particular
zone which lists YOUR RESOURCES.

As to the setup, with the GUI it is pretty trivial -- install
the DNS server (on a server), right click on the Server\Forward
zones and create the new zone (following the wizard) as a
Primary. Add records as necessary (more right clicking).

For the Secondary, repeat the process on the "second" server
except select Secondary in the wizard and point it to the
Primary you created on the previous server.

Of course if you wish the Internet to be able to resolve YOUR
RESOURCES, you have to register with the parent zone/domain
(e.g., .Com)

--
Herb Martin


August 4, 2004 2:16:38 PM


Thanks for the clarification.
We want to accomplish both (1 & 2), but especially for the Internet, because this
DNS server will be used mainly for hosting clients' domains whose websites are
hosted on our web servers.

More detail on the technical setup; I would like to know:

Let's say the FQDNs for the DNS servers are ns1.msi.com & ns2.msi.com.

1. So for msi.com at the registrar we have to change the name servers to
point to the IP addresses of these new DNS servers, is that right?

2. If the DNS server is dual-homed (2 NICs), how do I set up the TCP/IP settings,
including the DNS & alternate DNS settings, for the primary & secondary DNS servers?

3. For the primary DNS server, the other NIC is used to connect to another
subnet/network, so this VPN server, which will be installed with DNS, is able to
connect remote users to the other network. Is the setting at #2 still the
same, if that is the case?

4. For the secondary DNS server, the other NIC is used to connect to another
subnet/network, so this backup server, which will be installed with DNS, is able
to back up all servers from the other network too. Is the setting at #2 still the
same, if that is the case?

5. If I set it up to just listen on "The following IP" in the NS properties
and use a forwarder to the ISP DNS, but from the Monitoring tab the query test
and the recursive test both failed, why is that?

6. In the msi.com zone file's "Name Server" tab, it just shows ns1.msi.com
only; do I have to add the A record for ns2.msi.com also?

7. What's the problem if in the primary DNS, for all zones, on the "Name Server" tab
ns1.msi.com is not able to resolve (IP address Unknown)?

Thanks

--
Regards,
Joe


Anonymous
August 4, 2004 3:37:53 PM


"Joe" <joebio91@hotmail.com> wrote in message
news:OLffI1ieEHA.3348@TK2MSFTNGP09.phx.gbl...
> Thanks for the clarification.
> We want to accomplish both (1 & 2) but especially for internet, because
> this
> DNS server will be used mainly for hosting client's domain that hosting
> their websites in our web servers.
>
> More detail to the technical setup, I would like to know:
>
> Let say the fqdn for the DNS servers are ns1.msi.com & ns2.msi.com

Those are just "domain names" unless you put a dot. on the end. <grin.>

> 1. So for the msi.com at the registrar we have to change the nameserver to
> pointing to the IP address of these new DNS servers, isn't it?!

Right. For external DNS servers that offer your external (view of)
resources, you register them with the Registrar and make sure they are publicly
routable.

If you move them, you update the registrar. Best practice* is to just let
the Registrar PROVIDE them to you so that changes are seldom necessary.
(* Unless you are a large company with many redundant public servers
and your own 24/7 support staff.)

Register.com (and many others) do this as part of the yearly registration
fee.

> 2. If the DNS using dual homed (2 NICs), how to setup the TCP/IP setting
> including the DNS & alternate dns setting for Pri & Sec DNS?

If you intend to use the SAME DNS server for both the internal and
external views of the domain this is GENERALLY a very bad idea.

It can be done; it's non-trivial; it's fraught with both design and
security concerns -- and again, sending the PUBLIC DNS back
to the registrar is almost always better.


> 3. For pri DNS server, the other NIC is using to connect to other
> subnet/network so this VPN server which will be installed with DNS, able
> to
> connect remote user to the other network. Is the setting at #2 still the
> same, if that the case?

I did not understand the above paragraph.

What does VPN have to do with the design?
(Note, do NOT CONSIDER irrelevant details when doing initial
design -- you can combine services and servers afterwards once
the design is understood.)

"Setting at #2" ???? NIC settings for a DNS server have NOTHING
to do with the functioning of the machine AS A DNS Server.

Those are its own client settings and need to (both/all) be set to
the correct server set for the machine's own needs. (e.g., a
DNS server in a domain needs to point itself to the internal DNS
server set even if it is NOT one of them itself -- or an internal
DNS server points to itself perhaps.)


> 4. For sec DNS server, the other NIC is using to connect to other
> subnet/network so this Backup server which will be installed with DNS,
> able
> to backup all servers from other network too. Is the setting at #2 still
> the
> same, if that the case?

Again, you seem to be mixing purposes and even different services.

> 5. If I would setup to just listen on "The following IP" at NS properties
> and use forwarder to ISP DNS, but from the Monitoring tab....the query
> test
> and recursive Both failed, why is that??

An external DNS server should only offer the service on the external
NIC.

An internal DNS server should be totally internal (in most all cases.)

> 6. In the msi.com zone file "Name Server" tab, it just show the
> ns1.msi.com
> only, do I have to add the A record for ns2.msi.com also??

If it is a server for the zone you do.

Also the NS records for it.

> 7. What's the problem if in the Pri DNS for all zone the "Name server" tab
> the ns1.msi.com doesn't able to resolve (IP adress Unkown)??

DNS servers resolve in one of three/four ways (plus combinations):

1) From the zones they hold
2) From the cache of things they have resolved external to themselves
(see #3 and #4)
3) By recursing from the TOP (usually the Root) of the namespace down
4) By forwarding to another DNS server that does these

Usually #3 & #4 are mutually exclusive but that is not a rule.

Root hints (or "cache file" in Unix terminology) set up #3.
The Forwarders tab sets up #4.
Zones take care of #1, and #2 is automatic if either #3 or #4 works.

Do you have AD? If so, you have more problems than you are
discussing so far....

--
Herb Martin
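As an added example (not code from this thread or from either poster), here is a small Python check for the delegation points in answers 1, 6 and 7 above: it parses a constructed msi.com zone file in the text form the Windows 2000 DNS console writes, confirms that every in-zone NS has an A record, that the SOA primary is in the NS set, and that the NS set matches a constructed registrar list. The zone contents, addresses and registrar list are made up for the example.

```python
"""Delegation sanity check for a standard primary zone: every in-zone NS
needs an A record, the SOA primary should be in the NS set, and the NS set
should match the registrar. Added example; all sample data is constructed."""

# Constructed sample zone in the BIND-style text form that the Windows 2000
# DNS console writes for a standard primary zone. ns2.msi.com is named as a
# server but has no A record, which is the "IP address unknown" symptom.
SAMPLE_ZONE = """\
$ORIGIN msi.com.
$TTL 3600
@       IN SOA ns1.msi.com. hostmaster.msi.com. (
                2004080401 ; serial
                3600       ; refresh
                600        ; retry
                86400      ; expire
                3600 )     ; minimum TTL
@       IN NS  ns1.msi.com.
@       IN NS  ns2.msi.com.
ns1     IN A   192.0.2.10
www     IN A   192.0.2.20
"""

# Constructed: the name servers the registrar currently has on file for
# msi.com in the parent (.com) zone; they do not match the zone above.
REGISTRAR_NS = ["ns1.msi.com.", "ns3.msi.com."]


def qualify(name, origin):
    """Return a fully qualified, dot-terminated form of a zone-file name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text):
    """Parse zone-file text into a list of (owner_fqdn, rtype, rdata_tokens).

    Handles $ORIGIN/$TTL, ';' comments, an omitted owner that repeats the
    previous one, optional TTL/class fields and parenthesised records."""
    logical, pending = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        pending.append(line)
        joined = " ".join(pending)
        if joined.count("(") > joined.count(")"):
            continue  # still inside an open parenthesis
        logical.append(joined)
        pending = []
    origin, last_owner, records = ".", None, []
    for line in logical:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives carry no records
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # optional TTL
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)  # optional class
        rtype = tokens.pop(0).upper()
        records.append((qualify(owner, origin).lower(), rtype, tokens))
        last_owner = owner
    return records


def check_delegation(records, zone, registrar_ns):
    """Return a list of problems found; an empty list means the data agree."""
    zone = zone.lower() if zone.endswith(".") else zone.lower() + "."
    ns_set = [rd[0].lower() for own, t, rd in records if own == zone and t == "NS"]
    has_address = {own for own, t, _ in records if t in ("A", "AAAA")}
    problems = []
    soa = [rd for own, t, rd in records if own == zone and t == "SOA"]
    if not soa:
        problems.append("%s has no SOA record" % zone)
    elif soa[0][0].lower() not in ns_set:
        problems.append("SOA primary %s is not in the NS set" % soa[0][0])
    if len(ns_set) < 2:
        problems.append("%s lists fewer than two name servers" % zone)
    for ns in ns_set:
        # Only servers named inside the zone need glue here; a server in
        # another zone is resolved through that zone instead.
        if ns.endswith("." + zone) and ns not in has_address:
            problems.append("%s is an NS for %s but has no A record "
                            "(shown as IP address unknown)" % (ns, zone))
    registered = {n.lower() for n in registrar_ns}
    for ns in sorted(set(ns_set) - registered):
        problems.append("%s is in the zone's NS set but not at the registrar" % ns)
    for ns in sorted(registered - set(ns_set)):
        problems.append("%s is at the registrar but not in the zone's NS set" % ns)
    return problems


if __name__ == "__main__":
    for problem in check_delegation(parse_zone(SAMPLE_ZONE), "msi.com", REGISTRAR_NS):
        print("PROBLEM:", problem)
```

Adding the missing `ns2 IN A` record and registering ns2 in place of ns3 makes the check come back empty, which is the state answers 6 and 7 describe.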


August 4, 2004 9:18:21 PM


I am quite new to setting up DNS, so probably my understanding is still not quite
right. Please correct it if anything is wrong.
Basically this is related to #3 & #4, because the servers that my boss
wants to use are (we don't have any other servers available for these purposes):
for the primary DNS: already used as a VPN server and has 2 NICs (with two different
NAT IP addresses, different gateways) to connect two networks (network A & B),
so a remote admin could connect by VPN to this server and remotely access the
other network also.

for the secondary DNS: already used as a backup server and has 2 NICs (with two
different NAT IP addresses, different gateways) to connect two networks (network
A & B), so it is able to map and back up all servers.

I read somewhere that for dual-homed DNS, ALL of the DNS settings in the
TCP/IP properties need to point to the internal IP; if that's true, which IP
do I have to use, the IP of the NIC connected to network A or B?

Also, as far as I know, the external NIC needs to enable TCP/IP only and the
internal NIC could have more protocols and services installed. Is that true?

The other servers are now using the ISP DNS in their TCP/IP DNS settings;
later on, after the new primary & secondary DNS work fine, should I change all the
servers to use this new primary & secondary DNS in the DNS setting in the TCP/IP
properties? Or just leave it as is? What are the advantages and disadvantages?

> Do you have AD? If so, you have more problems than you are
> discussing so far....
>
No, I don't have AD.

Anonymous
August 5, 2004 3:20:05 AM


[The entire previous post is below my signature in case it is
needed for context (e.g., reference to #3 or #4 etc...) but here
is the outline....]

> > DNS servers resolve in one of three/four ways (plus combinations):
> >
> > 1) From the zones they hold
> > 2) From the cache of things they have resolved external to themselves
> > (see #3 and #4)
> > 3) By recursing from the TOP (usually the Root) of the namespace down
> > 4) By forwarding to another DNS server that does these

> I am quite new with setup DNS so probably my understanding still quite not
> right. Please correct it if any.

No problem, and it's usually useful since it (correcting misuse of terms)
avoids adding confusion to an already confusing topic.

> Basically this is related with #3 & #4, because the server that my boss
> wants to use are (we don't have any other servers avail for these
> purposes):

This is ONE of the main reasons for NOT providing your own
external DNS -- doesn't require trying to use the "same server"
and avoids adding other servers for just this purpose.

RECOMMENDATION: Put your EXTERNAL DNS zone (back) at your
registrar or move it to one like Register.com.


> for Pri DNS: already use as an VPN server and has 2 NIC (with two
> different
> NAT IP address, different gateway) to connect two network (network A & B),
> so remote admin could connect vpn to this server and remote access to the
> other network also.

This vastly complicates trying to get the DNS right (it's even
difficult for you to explain clearly above.)

RECOMMENDATION: Move your INTERNAL DNS back (completely)
INTERNAL to your network where both internal and VPN clients
can access it.

> for Sec DNS: already use as a Backup server and has 2 NIC (with two
> different NAT IP address, different gateway) to connect two network
> (network
> A & B), so able to mapping and backup all servers.
>
> I read somewhere that for dual homed DNS, ALL of the dns settng in the
> TCP/IP properties needs to point to internal IP, if that's true...which IP
> do I have to use IP NIC connect to network A or B??

RECOMMENDATION: Separate the "I am a DNS server" function
(in your mind and design) from the "I am a DNS client" function.


> Also as far as I know the external NIC need to enable TCP/IP only and
> internal NIC could have more protocols and services installed. Is that
> true?

I don't even understand the DISTINCTIONS you are making above.

Any machine must have IP (correctly) configured on any NIC (or
other interface, e.g., RAS or VPN) where it will do IP.

Generally the CLIENT DNS settings should be the SAME on all
NICs (or at least point to the same "set of" DNS servers.)

Remember that DNS Clients PRESUME that all DNS servers they
can connect will return the SAME ANSWERS (and correct answers
of course.)

> The other servers now is using ISP DNS in their dns in TCPIp properties,
> later on after the new pri & sec DNS works fine, should I change all the
> server to use this new pri & sec DNS in the dns setting in TCP IP
> properties? Or just leave it as is?? What the advantage and disadvantage?

You are mostly confusing yourself by considering Server and Client
DNS issues at the same time; and by confusing External and Internal
DNS servers as well.

Separate both the function AND the consideration to simplify.

DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

Typically the internal DNS server will "forward" to the ISP (or
gateway) DNS for external (public Internet) resolution on behalf
of the clients.

Typically the EXTERNAL DNS resources records will be published
via a completely public DNS server located OUTSIDE your network;
the best choice for most small companies is AT THE REGISTRAR.


If you are still not getting it you can CALL ME -- my phone number
is on my web site: LearnQuick.Com

--
Herb Martin


August 9, 2004 8:15:39 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Thanks Herb for the detailed explanation, really helpful.

--
Regards,
Joe


"Herb Martin" <news@LearnQuick.com> wrote in message
news:eBFNEPqeEHA.3428@TK2MSFTNGP11.phx.gbl...
> [The entire previous post is below my signature in case it is
> needed for context (e.g., reference to #3 or #4 etc...) but here
> is the outline....]
>
> > > DNS servers resolve in one of three/four ways (plus combinations):
> > >
> > > 1) From the zones they hold
> > > 2) From cache of things they have resolved external to themselves
> > > (see #3 and#4)
> > > 3) By recursing from the TOP (usually the Root) of the namespace
> > > down
> > > 4) By forwarding to another DNS server that does these
>
> > I am quite new to setting up DNS so probably my understanding is still
> > not quite right. Please correct it if anything is wrong.
>
> No problem, and it's usually useful since it (correcting misuse of terms)
> avoids adding confusion to an already confusing topic.
>
> > Basically this is related to #3 & #4, because the servers that my boss
> > wants to use are (we don't have any other servers available for these
> > purposes):
>
> This is ONE of the main reasons for NOT providing your own
> external DNS -- doesn't require trying to use the "same server"
> and avoids adding other servers for just this purpose.
>
> RECOMMENDATION: Put your EXTERNAL DNS zone (back) at your
> registrar or move it to one like Register.com.
>
>
> > for Pri DNS: already used as a VPN server and has 2 NICs (with two
> > different NAT IP addresses, different gateways) to connect two networks
> > (network A & B), so remote admins could connect by VPN to this server and
> > remote access the other network also.
>
> This vastly complicates trying to get the DNS right (it's even
> difficult for you to explain clearly above.)
>
> RECOMMENDATION: Move your INTERNAL DNS back (completely)
> INTERNAL to your network where both internal and VPN clients
> can access it.
>
> > for Sec DNS: already used as a Backup server and has 2 NICs (with two
> > different NAT IP addresses, different gateways) to connect two networks
> > (network A & B), so it is able to map and back up all servers.
> >
> > I read somewhere that for dual homed DNS, ALL of the DNS settings in the
> > TCP/IP properties need to point to an internal IP; if that's true, which
> > IP do I have to use, the IP of the NIC connected to network A or B??
>
> RECOMMENDATION: Separate the "I am a DNS server" function
> (in your mind and design) from the "I am a DNS client" function.
>
>
> > Also as far as I know the external NIC needs to enable TCP/IP only and
> > the internal NIC could have more protocols and services installed. Is that
> > true?
>
> I don't even understand the DISTINCTIONS you are making above.
>
> Any machine must have IP (correctly) configured on any NIC (or
> other interface, e.g., RAS or VPN) where it will do IP.
>
> Generally the CLIENT DNS settings should be the SAME on all
> NICs (or at least point to the same "set of" DNS servers.)
>
> Remember that DNS Clients PRESUME that all DNS servers they
> can connect will return the SAME ANSWERS (and correct answers
> of course.)
>
> > The other servers are now using the ISP DNS in their DNS setting in TCP/IP
> > properties; later on, after the new pri & sec DNS works fine, should I
> > change all the servers to use this new pri & sec DNS in the DNS setting in
> > TCP/IP properties? Or just leave it as is?? What are the advantages and
> > disadvantages?
>
> You are mostly confusing yourself by considering Server and Client
> DNS issues at the same time; and by confusing External and Internal
> DNS servers as well.
>
> Separate both the function AND the consideration to simplify.
>
> DNS
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS client NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
>
> Restart NetLogon on any DC if you change any of the above that
> affects a DC.
>
> Typically the internal DNS server will "forward" to the ISP (or
> gateway) DNS for external (public Internet) resolution on behalf
> of the clients.
>
> Typically the EXTERNAL DNS resource records will be published
> via a completely public DNS server located OUTSIDE your network;
> the best choice for most small companies is AT THE REGISTRAR.
>
>
> If you are still not getting it you can CALL ME -- my phone number
> is on my web site: LearnQuick.Com
>
> --
> Herb Martin
>
>
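Added here as an example, not code from the thread or from the Windows DNS service: a small Python check for the point behind questions 6 and 7, that every name server listed for the zone (ns1.msi.com, ns2.msi.com) also needs its own A record in that zone, and that the SOA names a primary which is actually one of the NS records. The zone text and the 192.0.2.x addresses are constructed; only the msi.com names come from the thread.

```python
# Constructed sample zone in BIND text format (not from the thread).
# ns2.msi.com is listed as a name server but deliberately has no A record.
ZONE_TEXT = """\
$ORIGIN msi.com.
@   3600 IN SOA ns1.msi.com. hostmaster.msi.com. 2004080901 3600 900 604800 3600
@   3600 IN NS  ns1.msi.com.
@   3600 IN NS  ns2.msi.com.
ns1 3600 IN A   192.0.2.10
www 3600 IN A   192.0.2.20
"""

def parse_zone(text):
    """Parse BIND-style zone text into (origin, [(owner, type, rdata), ...])."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner, idx = fields[0], 1
        if fields[idx].isdigit():              # optional TTL
            idx += 1
        if fields[idx].upper() == "IN":        # optional class
            idx += 1
        rtype, rdata = fields[idx].upper(), fields[idx + 1:]
        if owner == "@":                       # "@" means the zone apex
            owner = origin
        elif not owner.endswith("."):          # relative name -> FQDN
            owner = owner + "." + origin
        records.append((owner, rtype, rdata))
    return origin, records

def missing_glue(text):
    """Apex name servers (NS targets) that have no A record in the zone."""
    origin, records = parse_zone(text)
    ns_names = {r[2][0] for r in records if r[0] == origin and r[1] == "NS"}
    a_names = {r[0] for r in records if r[1] == "A"}
    return sorted(ns_names - a_names)

def soa_primary_is_ns(text):
    """True if the SOA's primary (MNAME) is itself one of the apex NS records."""
    origin, records = parse_zone(text)
    mname = next(r[2][0] for r in records if r[0] == origin and r[1] == "SOA")
    return mname in {r[2][0] for r in records if r[0] == origin and r[1] == "NS"}
```

Running `missing_glue(ZONE_TEXT)` reports ns2.msi.com., which is the record the second server needs before it can appear with an address in the Name Servers tab.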