Standalone DNS Question

Archived from groups: microsoft.public.win2000.dns, microsoft.public.windows.server.dns, microsoft.public.windowsnt.dns

I need to set up a standalone DNS server for our customers and internal
users to augment our current DNS environment.

This is what we have today:

1) We have a W2K network using AD and DNS. All our internal users use this
DNS for name resolution and for accessing the Internet. There is a forward
lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
names. All our servers and clients are on multiple private 10net addresses.

2) We have about 50 customers (with many users per customer) that currently
access our production servers over their private frame circuit into us.
Today they access all our servers using a private 10net IP address.

All customers have their own network. Some are more sophisticated than
others and have their own direct Internet connection. Some only have
dialup. Others have nothing and do not use DNS at all.

3) I'm creating a few web servers that our customers and internal users will
need to access. I do not want to modify our AD DNS to include DNS records
for any of our production servers. I do not want our customers to add host
records or anything related to our private IP address into their DNS server
(if they have one). In fact, I do not want our customers hosting any
secondary DNS or managing anything on their end.

What I would like to do is create a standalone DNS server that has a brand
new private domain for this purpose. For example, mycompany.fubar. There
is no reason for this server to perform any TLD or secondary-domain lookups.

In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
this new domain. I added whatever "www" and other host records to point to
our various production servers. On this new DNS server, I changed its
TCP/IP DNS setting to point to itself.

If I bring up IE I can successfully access all our web applications/servers
using the new domain mycompany.fubar. Life is good.

Now comes the hard part --

1) I want our internal users to have access to this new domain...
mycompany.fubar. I simply want a way for our AD DNS server to look at this
new DNS server for anything it can't resolve.

2) I want all our customers to have access to this new domain...
mycompany.fubar. I do not want them to create a secondary zone or anything
of that nature on their network, as I want to keep everything manageable on
our network and all resource records hidden from them.

If customers have a DNS server, I want them to have a way to go look at my DNS
server for anything it can't resolve.

If customers do not have DNS implemented in their environment, I want them
to add my DNS server's IP address to their TCP/IP settings on their client
PCs.

I do not want this new standalone server to resolve any other DNS queries
for our customers. I.e., if they browse the Internet, then they have to
have their own DNS server set up to resolve this. I do not want the extra
traffic.

If someone can explain to me the best way to accomplish this -- I would
greatly appreciate it.

Thanks for all your help
  1.

    "DavidM" <spam@spam.net> wrote in message
    news:eeBc2Y4DFHA.2032@tk2msftngp13.phx.gbl...
    > I need to set up a standalone DNS server for our customers and internal
    > users to augment our current DNS environment.
    >
    > This is what we have today:
    >
    > 1) We have a W2K network using AD and DNS. All our internal users use this
    > DNS for name resolution and for accessing the Internet. There is a forward
    > lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
    > names. All our servers and clients are on multiple private 10net addresses.
    >
    > 2) We have about 50 customers (with many users per customer) that currently
    > access our production servers over their private frame circuit into us.
    > Today they access all our servers using a private 10net IP address.
    >
    > All customers have their own network. Some are more sophisticated than
    > others and have their own direct Internet connection. Some only have
    > dialup. Others have nothing and do not use DNS at all.

    This will not work for such customers by default.
    (Individual customers may be ABLE to make it work
    for themselves however that will depend on the DNS
    software they use and their skills.)

    Those that already use a full namespace from a common
    root down (e.g., THE INTERNET) will only be able to
    find your DNS server by DEFAULT if you delegate it
    from parent on the Internet (Com. -> yourDomain.Com)


    > 3) I'm creating a few web servers that our customers and internal users will
    > need to access. I do not want to modify our AD DNS to include DNS records
    > for any of our production servers. I do not want our customers to add host
    > records or anything related to our private IP address into their DNS server
    > (if they have one). In fact, I do not want our customers hosting any
    > secondary DNS or managing anything on their end.

    To be seamless your DNS will need to be delegated on
    the Internet from the parent zone -- then it will only work
    for those using the Internet name space.

    And since you don't appear to wish to use a public domain
    name, you won't be able to do this.

    For others you can set up privately but those customers
    will have to forward to your server and this will only
    work if they are not already using their forwarding value
    internally -- OR if they have a DNS server like Win2003
    (not Win2000) that allows for conditional forwarding.

    In any case, such customers (not on the Internet) will
    have to modify their DNS servers.

    > What I would like to do is create a standalone DNS server that has a brand
    > new private domain for this purpose. For example, mycompany.fubar. There
    > is no reason for this server to perform any TLD or secondary-domain lookups.
    >
    > In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
    > this new domain. I added whatever "www" and other host records to point to
    > our various production servers. On this new DNS server, I changed its
    > TCP/IP DNS setting to point to itself.
    >
    > If I bring up IE I can successfully access all our web applications/servers
    > using the new domain mycompany.fubar. Life is good.
    >
    > Now comes the hard part --
    >
    > 1) I want our internal users to have access to this new domain...
    > mycompany.fubar. I simply want a way for our AD DNS server to look at this
    > new DNS server for anything it can't resolve.
    >
    > 2) I want all our customers to have access to this new domain...
    > mycompany.fubar. I do not want them to create a secondary zone or anything
    > of that nature on their network, as I want to keep everything manageable on
    > our network and all resource records hidden from them.
    >
    > If customers have a DNS server, I want them to have a way to go look at my DNS
    > server for anything it can't resolve.
    >
    > If customers do not have DNS implemented in their environment, I want them
    > to add my DNS server's IP address to their TCP/IP settings on their client
    > PCs.
    >
    > I do not want this new standalone server to resolve any other DNS queries
    > for our customers. I.e., if they browse the Internet, then they have to
    > have their own DNS server set up to resolve this. I do not want the extra
    > traffic.
    >
    > If someone can explain to me the best way to accomplish this -- I would
    > greatly appreciate it.

    DNS on the Internet works because every zone/domain
    is findable by recursing downwards from the root to any
    name in that namespace.

    It is very difficult to search more than one such namespace
    (except with something akin to conditional forwarding which
    for Microsoft only exists in Win2003 and NOT Win2000 DNS
    servers.)

    Your clients will have to take specific DNS actions in most
    cases.
    > Thanks for all your help

    --
    Herb Martin
  2.

    I currently have a mycompany.net domain registered on the internet. My ATT
    DNS entry points to our internal 10net webserver. This way folks on the
    Internet can resolve the name to our internal server without adding HOSTS
    entries, etc.

    From what you're saying, it sounds like I need to delegate my mycompany.net
    domain to my DNS server (10.246.16.43) in this case. And then configure my
    internal DNS server for this domain, correct?


  3.

    "DavidM" <spam@spam.net> wrote in message
    news:#AGtRv4DFHA.3924@TK2MSFTNGP09.phx.gbl...
    > I currently have a mycompany.net domain registered on the internet. My ATT
    > DNS entry points to our internal 10net webserver. This way folks on the
    > Internet can resolve the name to our internal server without adding HOSTS
    > entries, etc.
    >
    > From what you're saying, it sounds like I need to delegate my mycompany.net
    > domain to my DNS server (10.246.16.43) in this case.

    Not on the Internet. No Internet user will ever be expected
    to reach that 10.246.16.43 DNS server since the address is
    not routable on the Internet.

    This would just screw with your public DNS. You also
    cannot have two DNS servers (or sets) that are reachable
    the same way (e.g., recursing the Internet) and which return
    DIFFERENT answers.

    All DNS servers used by a particular client (or other
    recursing DNS server) must return the SAME ANSWERS.

    You can only return different answers (effectively) if there
    is some way to distinguish which ones the clients will use.

    > And then configure my
    > internal DNS server for this domain correct?

    I doubt it -- based on the previous question.

    It is likely you have some basic misunderstandings of
    how DNS is resolved and this is leading you to (attempt
    to) design unworkable structures that will neither perform
    for what you have nor give you the new results.

    You can give me a call if you wish and we can talk through
    this -- the numbers are on my web site: LearnQuick.Com


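As an added illustration (not part of the thread or anyone's posted code), the following Python model walks through the resolution paths Herb describes in his first two replies: a private TLD is invisible to any server recursing from the Internet root, a Win2000-style global forwarder either never sees the private zone or, if swapped to the standalone server, loses Internet resolution, a Win2003 conditional forwarder handles both, and a client PC that lists another server ahead of 10.246.16.43 accepts that server's NXDOMAIN as final. The zone contents, the 10.246.16.50 web server address and the TEST-NET public addresses are constructed sample data.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"


def in_zone(fqdn: str, zone: str) -> bool:
    """True when fqdn is the zone apex or a name beneath it."""
    return fqdn == zone or fqdn.endswith("." + zone)


@dataclass
class Server:
    """A DNS server reduced to the four ways it can produce an answer."""
    ip: str
    zones: dict = field(default_factory=dict)        # zone -> {fqdn: A record}; authoritative data
    conditional: dict = field(default_factory=dict)  # zone -> Server; Win2003-only conditional forwarding
    forwarders: list = field(default_factory=list)   # ordinary (global) forwarders, tried in order
    recurses_root: bool = False                      # follows delegations down from the Internet root

    def resolve(self, fqdn: str, internet: "Server") -> str:
        # 1. Own zones: an authoritative answer, including NXDOMAIN, is final.
        for zone, records in self.zones.items():
            if in_zone(fqdn, zone):
                return records.get(fqdn, NXDOMAIN)
        # 2. Conditional forwarders route one zone to one chosen server.
        for zone, target in self.conditional.items():
            if in_zone(fqdn, zone):
                return target.resolve(fqdn, internet)
        # 3. Global forwarders: the first forwarder that answers decides. Its NXDOMAIN is
        #    accepted; later forwarders are only tried when it does not respond at all.
        if self.forwarders:
            return self.forwarders[0].resolve(fqdn, internet)
        # 4. Recursion from the root only finds names delegated within the Internet tree.
        if self.recurses_root:
            return internet.resolve(fqdn, internet)
        return NXDOMAIN


def stub_client(fqdn: str, servers: list, internet: Server) -> str:
    """Windows stub-resolver behaviour: the preferred server's answer is final, even
    when it is NXDOMAIN; alternate servers are only asked if it does not respond."""
    return servers[0].resolve(fqdn, internet)


def build_scenarios():
    # The Internet tree, reduced to two delegated public zones (constructed; 203.0.113.0/24 is TEST-NET-3).
    internet = Server("root", zones={
        "mycompany.net": {"www.mycompany.net": "203.0.113.10"},
        "example.com": {"www.example.com": "203.0.113.20"},
    })
    # The standalone server from the thread; the web server's address is constructed.
    standalone = Server("10.246.16.43", zones={
        "mycompany.fubar": {"www.mycompany.fubar": "10.246.16.50"},
    })
    isp = Server("isp-resolver", recurses_root=True)
    servers = {
        "standalone": standalone,
        "customer_win2000": Server("cust-2000", forwarders=[isp]),
        "customer_win2000_forwarder_swapped": Server("cust-2000-swapped", forwarders=[standalone]),
        "customer_win2003_conditional": Server("cust-2003", forwarders=[isp],
                                               conditional={"mycompany.fubar": standalone}),
    }
    return internet, servers, isp


def resolution_matrix() -> dict:
    """Which names each server configuration can and cannot resolve."""
    internet, servers, _ = build_scenarios()
    names = ("www.mycompany.fubar", "www.example.com")
    return {label: {n: s.resolve(n, internet) for n in names} for label, s in servers.items()}


def client_answers() -> dict:
    """The 'add my server to their TCP/IP settings' plan, with and without an existing ISP server."""
    internet, servers, isp = build_scenarios()
    name = "www.mycompany.fubar"
    return {
        "isp_first_standalone_second": stub_client(name, [isp, servers["standalone"]], internet),
        "standalone_only": stub_client(name, [servers["standalone"]], internet),
    }


if __name__ == "__main__":
    for label, answers in resolution_matrix().items():
        print(f"{label:36} {answers}")
    print(client_answers())
```

The only configuration that resolves both the private zone and the Internet is the Win2003 conditional forwarder, which is why customers without it end up choosing between the two namespaces.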
  4.

    Thanks for the quick response, Herb. I'll do more investigation before
    calling, if it becomes necessary.

    It doesn't matter to me if normal Internet users cannot connect to the 10net
    address or if it's routable. I don't expect/want them to get to
    mycompany.net anyway. But my customers can connect since they have the
    frame circuit.

    I'm just trying to make accessing our internal production servers simple for
    our customers and minimize any configuration that they will have to do;
    since I can't expect them to keep up with all the changes we make to our
    servers and ip addresses, etc.


  5.

    "DavidM" <spam@spam.net> wrote in message
    news:efKULw5DFHA.1932@TK2MSFTNGP14.phx.gbl...
    > Thanks for the quick response, Herb. I'll do more investigation before
    > calling, if it becomes necessary.
    >
    > It doesn't matter to me if normal Internet users cannot connect to the 10net
    > address or if it's routable. I don't expect/want them to get to
    > mycompany.net anyway.

    Ok, then that MIGHT be different. So what you would
    really do is just alter THOSE EXISTING DNS servers
    to return the correct addresses.

    > But my customers can connect since they have the
    > frame circuit.


    > I'm just trying to make accessing our internal production servers simple for
    > our customers and minimize any configuration that they will have to do;
    > since I can't expect them to keep up with all the changes we make to our
    > servers and ip addresses, etc.


    --
    Herb Martin


  6. Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns

    Herb -- this is what I've done and it appears to be working.

    My ISP (ATT in this case) has delegated a few subdomains on their DNS server
    to point to my internal DNS server of 10.246.16.43. For example:

    mydomain.net is on ATT DNS (mydomain.net is a registered domain name)

    They delegated
    subdomain1.mydomain.net
    subdomain2.mydomain.net
    subdomain3.mydomain.net

    They then added a "clue" record "A" record for ns1.mydomain.net and
    ns2.mydomain.net to point to 10.246.16.43.

    I then created a forward lookup zone for subdomain1.mydomain.net,
    subdomain2.mydomain.net, and subdomain3.mydomain.net along with any required
    host entries that I want under that subdomain.

    So far -- everything appears to be working. I'm using my DNS server to
    resolve the production servers on my name. We did not point any of our
    internal servers to this new DNS server. It's querying thru Internet land.

    The next step is to have my customers that have an internet connection try
    the new URLs.

    For any customers that do not have an Internet connection or a DNS server,
    then I will have them add my primary/secondary DNS server on my internal
    network to their TCP/IP settings.

    This looks like it's going to work fine.

    I just now have to remember to renew my mycompany.net domain for 5 or 10
    years before I forget and someone scarfs it up and then all my customers
    will be getting a porn site as their home page instead of the home page on
    my production servers.

    I hope all this makes sense. It was a bit confusing for me.


  7. Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns

    "DavidM" <spam@spam.net> wrote in message
    news:uo2pp26DFHA.1932@TK2MSFTNGP10.phx.gbl...
    > Herb -- this is what I've done and it appears to be working.
    >
    > My ISP (ATT in this case) has delegated a few subdomains on their DNS
    > server to point to my internal DNS server of 10.246.16.43. For example:
    >
    > mydomain.net is on ATT DNS (mydomain.net is a registered domain name)
    >
    > They delegated
    > subdomain1.mydomain.net
    > subdomain2.mydomain.net
    > subdomain3.mydomain.net

    Ok, and no one can reach that DNS UNLESS they can
    route directly to you or through a shared ISP who will
    support the 10-net. That is, it won't route across the
    backbone routers of the Internet.

    > They then added a "clue" record "A" record for ns1.mydomain.net and
    > ns2.mydomain.net to point to 10.246.16.43.

    Huh? Clue? That's probably GLUE record. An NS and A
    record pair are usually referred to as Glue Records (or Delegation
    records) when delegating -- the A is not always needed in some
    special cases.

    > I then created a forward lookup zone for subdomain1.mydomain.net,
    > subdomain2.mydomain.net, and subdomain3.mydomain.net along with any
    > required host entries that I want under that subdomain.

    Ok. Anyone who can reach BOTH your ISP and your
    10-net DNS server can resolve those addresses.

    > So far -- everything appears to be working. I'm using my DNS server to
    > resolve the production servers on my name. We did not point any of our
    > internal servers to this new DNS server. It's querying thru Internet land.

    Ok.

    > The next step is to have my customers that have an internet connection try
    > the new URLs.

    And they will fail UNLESS they can already route
    to your 10-net, but likely succeed if they can.
    (Which is what I think you want.)

    > For any customers that do not have an Internet connection or a DNS server,
    > then I will have them add my primary/secondary DNS server on my internal
    > network to their TCP/IP settings.

    What if they have their own DNS servers?
    (Use forwarding in SOME cases but...)

    If they don't use the Internet, have their own DNS,
    AND already use the forwarder setting (not that common
    but it does occur) then this won't work.

    > This looks like it's going to work fine.
    >
    > I just now have to remember to renew my mycompany.net domain for 5 or 10
    > years before I forget and someone scarfs it up and then all my customers
    > will be getting a porn site as their home page instead of the home page on
    > my production servers.

    Most of the registrars send you notices. <grin>

    > I hope all this makes sense. It was a bit confusing for me.

    You were mostly confusing your question with HOW you
    were going to do it, rather than what you really wanted to
    accomplish at first.


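The delegation DavidM describes in post 6 (ISP-hosted mydomain.net delegating three subdomains to ns1/ns2.mydomain.net with glue at 10.246.16.43) and Herb's reachability analysis in post 7 (Internet resolvers cannot reach 10-net glue; customers on the frame circuit can; customers with no Internet cannot walk the chain from the root at all) can be checked offline with a small model. The following is an added example written for this thread, not code from either poster. The delegation table is constructed: the root, .net and ISP servers use RFC 5737 documentation addresses as stand-ins, the vantage names and the assumption that the frame circuit routes the whole 10-net are mine, and only the 10.246.16.43 glue target and the zone names come from the thread.

```python
"""Offline walk of a DNS delegation chain that flags glue pointing into RFC 1918 space.

Added example for this thread, not code from either poster. The delegation
table is constructed: public-side servers use RFC 5737 documentation
addresses as stand-ins for the ISP's real servers; only the 10.246.16.43
glue target and the zone names are taken from the thread.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEN_NET = ipaddress.ip_network("10.0.0.0/8")

# zone -> [(nameserver name, glue A record)], root downwards, mirroring the thread:
# the ISP hosts mydomain.net and delegates three subdomains to ns1/ns2.mydomain.net,
# whose glue A records point at the poster's internal 10-net server.
DELEGATIONS = {
    ".": [("root.example.", "192.0.2.1")],                      # constructed stand-in
    "net.": [("tld.example.", "192.0.2.2")],                    # constructed stand-in
    "mydomain.net.": [("dns1.att.example.", "198.51.100.1")],   # constructed stand-in for ATT
    "subdomain1.mydomain.net.": [("ns1.mydomain.net.", "10.246.16.43"),
                                 ("ns2.mydomain.net.", "10.246.16.43")],
    "subdomain2.mydomain.net.": [("ns1.mydomain.net.", "10.246.16.43"),
                                 ("ns2.mydomain.net.", "10.246.16.43")],
    "subdomain3.mydomain.net.": [("ns1.mydomain.net.", "10.246.16.43"),
                                 ("ns2.mydomain.net.", "10.246.16.43")],
}


def is_rfc1918(ip):
    """True for addresses in the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def reachable_from(vantage, ip):
    """Crude routing model of who can send a query to a nameserver address.

    'internet'       - an ordinary Internet resolver; RFC 1918 space is not routed.
    'frame_customer' - a customer with Internet access AND the private frame circuit,
                       assumed here to route the whole 10-net (assumption, not from the thread).
    'frame_only'     - a customer with the frame circuit and no Internet at all.
    """
    on_ten_net = ipaddress.ip_address(ip) in TEN_NET
    if vantage == "internet":
        return not is_rfc1918(ip)
    if vantage == "frame_customer":
        return on_ten_net or not is_rfc1918(ip)
    if vantage == "frame_only":
        return on_ten_net
    raise ValueError(f"unknown vantage {vantage!r}")


def zone_cuts(name):
    """Ancestor names of a FQDN from the root down: '.', 'net.', 'mydomain.net.', ..."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def delegation_chain(name):
    """The delegations a resolver must follow from the root to reach `name`."""
    return [(zone, DELEGATIONS[zone]) for zone in zone_cuts(name) if zone in DELEGATIONS]


def resolve_path(name, vantage):
    """Walk the chain; return (True, None) if every hop has a reachable server,
    otherwise (False, zone) naming the first zone whose servers cannot be reached."""
    for zone, servers in delegation_chain(name):
        if not any(reachable_from(vantage, ip) for _, ip in servers):
            return (False, zone)
    return (True, None)


def audit_glue(delegations):
    """List (zone, nameserver, ip) for every glue record that sits in RFC 1918 space."""
    return [(zone, ns, ip) for zone, servers in delegations.items()
            for ns, ip in servers if is_rfc1918(ip)]


if __name__ == "__main__":
    target = "www.subdomain1.mydomain.net."
    for vantage in ("internet", "frame_customer", "frame_only"):
        print(vantage, resolve_path(target, vantage))
    for zone, ns, ip in audit_glue(DELEGATIONS):
        print(f"private glue: {zone} NS {ns} -> {ip}")
```

Running it reproduces Herb's three cases: an Internet resolver gets stuck at subdomain1.mydomain.net. because both glue addresses are private, a frame-circuit customer with Internet access walks the whole chain, and a customer with no Internet fails at the root and therefore has to point its clients (or a forwarder) straight at the 10-net server. `audit_glue` is the check a defender would keep: every public delegation whose glue lands in private space is a record that works only for a routing-privileged audience, and the whole table hangs off the one registered name whose expiry DavidM worries about.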