Standalone DNS Question

Anonymous
February 10, 2005 12:35:53 PM

Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns

I need to set up a standalone DNS server for our customers and internal
users to augment our current DNS environment.

This is what we have today:

1) We have a W2K network using AD and DNS. All our internal users use this
DNS for name resolution and for accessing the Internet. There is a forward
lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
names. All our servers and clients are on multiple private 10net addresses.

2) We have about 50 customers (with many users per customer) that currently
access our production servers over their private frame circuit into us.
Today they access all our servers using a private 10net IP address.

All customers have their own network. Some are more sophisticated than
others and have their own direct Internet connection. Some only have
dialup. Others have nothing and do not use DNS at all.

3) I'm creating a few web servers that our customers and internal users will
need to access. I do not want to modify our AD DNS to include DNS records
for any of our production servers. I do not want our customers to add host
records or anything related to our private IP address into their DNS server
(if they have one). In fact, I do not want our customers hosting any
secondary DNS or managing anything on their end.

What I would like to do is create a standalone DNS server that has a brand
new private domain for this purpose. For example, mycompany.fubar. There
is no reason for this server to perform any TLD or secondary-domain lookups.

In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
this new domain. I added whatever "www" and other host records to point to
our various production servers. On this new DNS server, I changed its
TCP/IP DNS setting to point to itself.

If I bring up IE I can successfully access all our web applications/servers
using the new domain mycompany.fubar. Life is good.

Now comes the hard part --

1) I want our internal users to have access to this new domain...
mycompany.fubar. I simply want a way for our AD DNS server to look at this
new DNS server for anything it can't resolve.

2) I want all our customers to have access to this new domain...
mycompany.fubar. I do not want them to create a secondary zone or anything
of that nature on their network, as I want to keep everything manageable on
our network and all resource records hidden from them.

If customers have a DNS server, I want them to have a way to go look at my DNS
server for anything it can't resolve.

If customers do not have DNS implemented in their environment, I want them
to add my DNS server's IP address to their TCP/IP settings on their client
PCs.

I do not want this new standalone server to resolve any other DNS queries
for our customers. I.E., if they browse the Internet, then they have to
have their own DNS server setup to resolve this. I do not want the extra
traffic.

If someone can explain to me the best way to accomplish this -- I would
greatly appreciate it.

Thanks for all your help
Anonymous
February 10, 2005 1:04:55 PM

"DavidM" <spam@spam.net> wrote in message
news:eeBc2Y4DFHA.2032@tk2msftngp13.phx.gbl...
> I need to set up a standalone DNS server for our customers and internal
> users to augment our current DNS environment.
>
> This is what we have today:
>
> 1) We have a W2K network using AD and DNS. All our internal users use this
> DNS for name resolution and for accessing the Internet. There is a forward
> lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
> names. All our servers and clients are on multiple private 10net addresses.
>
> 2) We have about 50 customers (with many users per customer) that currently
> access our production servers over their private frame circuit into us.
> Today they access all our servers using a private 10net IP address.
>
> All customers have their own network. Some are more sophisticated than
> others and have their own direct Internet connection. Some only have
> dialup. Others have nothing and do not use DNS at all.

This will not work for such customers by default.
(Individual customers may be ABLE to make it work
for themselves; however, that will depend on the DNS
software they use and their skills.)

Those that already use a full namespace from a common
root down (e.g., THE INTERNET) will only be able to
find your DNS server by DEFAULT if you delegate it
from the parent on the Internet (Com. -> yourDomain.Com).


> 3) I'm creating a few web servers that our customers and internal users will
> need to access. I do not want to modify our AD DNS to include DNS records
> for any of our production servers. I do not want our customers to add host
> records or anything related to our private IP address into their DNS server
> (if they have one). In fact, I do not want our customers hosting any
> secondary DNS or managing anything on their end.

To be seamless your DNS will need to be delegated on
the Internet from the parent zone -- then it will only work
for those using the Internet name space.

And since you don't appear to wish to use a public domain
name, you won't be able to do this.

For others you can set up privately but those customers
will have to forward to your server and this will only
work if they are not already using their forwarding value
internally -- OR if they have a DNS server like Win2003
(not Win2000) that allows for conditional forwarding.

In any case, such customers (not on the Internet) will
have to modify their DNS servers.

> What I would like to do is create a standalone DNS server that has a brand
> new private domain for this purpose. For example, mycompany.fubar. There
> is no reason for this server to perform any TLD or secondary-domain lookups.
>
> In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
> this new domain. I added whatever "www" and other host records to point to
> our various production servers. On this new DNS server, I changed its
> TCP/IP DNS setting to point to itself.
>
> If I bring up IE I can successfully access all our web applications/servers
> using the new domain mycompany.fubar. Life is good.
>
> Now comes the hard part --
>
> 1) I want our internal users to have access to this new domain...
> mycompany.fubar. I simply want a way for our AD DNS server to look at this
> new DNS server for anything it can't resolve.
>
> 2) I want all our customers to have access to this new domain...
> mycompany.fubar. I do not want them to create a secondary zone or anything
> of that nature on their network, as I want to keep everything manageable on
> our network and all resource records hidden from them.
>
> If customers have a DNS server, I want them to have a way to go look at my DNS
> server for anything it can't resolve.
>
> If customers do not have DNS implemented in their environment, I want them
> to add my DNS server's IP address to their TCP/IP settings on their client
> PCs.
>
> I do not want this new standalone server to resolve any other DNS queries
> for our customers. I.E., if they browse the Internet, then they have to
> have their own DNS server setup to resolve this. I do not want the extra
> traffic.
>
> If someone can explain to me the best way to accomplish this -- I would
> greatly appreciate it.

DNS on the Internet works because every zone/domain
is findable by recursing downwards from the root to any
name in that namespace.

It is very difficult to search more than one such namespace
(except with something akin to conditional forwarding which
for Microsoft only exists in Win2003 and NOT Win2000 DNS
servers.)

Your clients will have to take specific DNS actions in most
cases.
> Thanks for all your help

--
Herb Martin

Anonymous
February 10, 2005 1:16:01 PM

I currently have a mycompany.net domain registered on the Internet. My ATT
DNS entry points to our internal 10net webserver. This way folks on the
Internet can resolve the name to our internal server without adding HOSTS
entries, etc.

From what you're saying, it sounds like I need to delegate my mycompany.net
domain to my DNS server (10.246.16.43) in this case. And then configure my
internal DNS server for this domain, correct?

Anonymous
February 10, 2005 2:27:51 PM

"DavidM" <spam@spam.net> wrote in message
news:#AGtRv4DFHA.3924@TK2MSFTNGP09.phx.gbl...
> I currently have a mycompany.net domain registered on the Internet. My ATT
> DNS entry points to our internal 10net webserver. This way folks on the
> Internet can resolve the name to our internal server without adding HOSTS
> entries, etc.
>
> From what you're saying, it sounds like I need to delegate my mycompany.net
> domain to my DNS server (10.246.16.43) in this case.

Not on the Internet. No Internet user will ever be expected
to reach that 10.246.16.43 DNS server since the address is
not routable on the Internet.

This would just screw with your public DNS. You also
cannot have two DNS servers (or sets) that are reachable
the same way (e.g., recursing the Internet) and which return
DIFFERENT answers.

All DNS servers used by a particular client (or other
recursing DNS server) must return the SAME ANSWERS.

You can only return different answers (effectively) if there
is some way to distinguish which ones the clients will use.

> And then configure my
> internal DNS server for this domain correct?

I doubt it -- based on the previous question.

It is likely you have some basic misunderstandings of
how DNS is resolved and this is leading you to (attempt
to) design unworkable structures that will neither perform
for what you have nor give you the new results.

You can give me a call if you wish and we can talk through
this -- the numbers are on my web site: LearnQuick.Com


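As an added example (not code from the thread or from either poster), here is a small Python model of which server ends up answering a query. It covers the two points Herb makes above: a Win2000-style single forwarder cannot reach a second namespace while Win2003-style conditional forwarding can, and a client that lists two DNS servers does not merge their answers, so every server it lists must return the same answers. The zone contents, the web server address 10.246.16.50 and all server names other than 10.246.16.43 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not code from the thread. All zone data is constructed;
# 10.246.16.43 and the two domain names come from the posts, while
# 10.246.16.50 (the web server) and the other server names are made up.

NXDOMAIN = "NXDOMAIN"  # authoritative "no such name"
TIMEOUT = "TIMEOUT"    # no response at all


def _under(fqdn: str, suffix: str) -> bool:
    return fqdn == suffix or fqdn.endswith("." + suffix)


@dataclass
class DnsServer:
    name: str
    # zone apex -> {fqdn: address}: data this server is authoritative for
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Win2000 model: a single forwarder used for everything not hosted here
    default_forwarder: Optional["DnsServer"] = None
    # Win2003 model: conditional forwarders, domain suffix -> server
    conditional: Dict[str, "DnsServer"] = field(default_factory=dict)
    reachable: bool = True

    def resolve(self, fqdn: str) -> str:
        fqdn = fqdn.lower().rstrip(".")
        if not self.reachable:
            return TIMEOUT
        # 1. Authoritative data wins: longest hosted zone containing the name.
        for zone in sorted(self.zones, key=len, reverse=True):
            if _under(fqdn, zone):
                return self.zones[zone].get(fqdn, NXDOMAIN)
        # 2. Conditional forwarder with the longest matching suffix.
        for suffix in sorted(self.conditional, key=len, reverse=True):
            if _under(fqdn, suffix):
                return self.conditional[suffix].resolve(fqdn)
        # 3. Otherwise the single default forwarder, if one is configured.
        if self.default_forwarder is not None:
            return self.default_forwarder.resolve(fqdn)
        # 4. A standalone server with no forwarder knows nothing else.
        return NXDOMAIN


def client_resolve(servers: List[DnsServer], fqdn: str) -> str:
    """Stub-resolver behaviour: servers are tried in list order, but the client
    only moves to the next one on TIMEOUT; NXDOMAIN is a final answer."""
    for server in servers:
        answer = server.resolve(fqdn)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT


def build_lab() -> Dict[str, DnsServer]:
    """Constructed servers mirroring the thread's setup."""
    isp = DnsServer("att-isp", zones={
        "mycompany.net": {"www.mycompany.net": "10.246.16.50"}})
    # The poster's standalone server: hosts only mycompany.fubar, no forwarder.
    standalone = DnsServer("10.246.16.43", zones={
        "mycompany.fubar": {"www.mycompany.fubar": "10.246.16.50"}})
    ad_2000 = DnsServer("ad-dns-win2000", zones={"corp.internal": {}},
                        default_forwarder=isp)
    ad_2003 = DnsServer("ad-dns-win2003", zones={"corp.internal": {}},
                        default_forwarder=isp,
                        conditional={"mycompany.fubar": standalone})
    customer = DnsServer("customer-dns", zones={"customer.example": {}},
                         default_forwarder=isp)
    customer_down = DnsServer("customer-dns-down", reachable=False)
    return {"isp": isp, "standalone": standalone, "ad_2000": ad_2000,
            "ad_2003": ad_2003, "customer": customer,
            "customer_down": customer_down}


def scenarios() -> Dict[str, str]:
    """Who answers www.mycompany.fubar (and one Internet name) in each setup."""
    lab = build_lab()
    private = "www.mycompany.fubar"
    public = "www.mycompany.net"
    return {
        # Win2000 AD DNS: only a default forwarder, so the ISP gets the query
        "win2000_forwarder": lab["ad_2000"].resolve(private),
        # Win2003 AD DNS: conditional forwarder routes the domain to 10.246.16.43
        "win2003_conditional": lab["ad_2003"].resolve(private),
        # ...while Internet names still go to the ISP
        "win2003_internet": lab["ad_2003"].resolve(public),
        # Customer PC listing its own DNS first and 10.246.16.43 second:
        # the first server's NXDOMAIN is final; the second is never asked
        "customer_two_servers": client_resolve(
            [lab["customer"], lab["standalone"]], private),
        # Only when the first server is unreachable does the client move on
        "customer_dns_down": client_resolve(
            [lab["customer_down"], lab["standalone"]], private),
        # Customer with no DNS of its own, pointed straight at 10.246.16.43
        "customer_no_dns_private": client_resolve([lab["standalone"]], private),
        "customer_no_dns_internet": client_resolve([lab["standalone"]], public),
    }
```

The last two cases show the trade-off for customers without their own DNS: pointing their PCs at 10.246.16.43 resolves mycompany.fubar, but since that server forwards nothing, every other name fails for them.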
Anonymous
February 10, 2005 3:12:10 PM

Thanks for the quick response, Herb. I'll do more investigation before
calling, if it becomes necessary.

It doesn't matter to me if normal Internet users cannot connect to the 10net
address or if it's routable. I don't expect/want them to get to
mycompany.net anyway. But my customers can connect since they have the
frame circuit.

I'm just trying to make accessing our internal production servers simple for
our customers and minimize any configuration that they will have to do,
since I can't expect them to keep up with all the changes we make to our
servers and IP addresses, etc.

Anonymous
February 10, 2005 3:19:30 PM

"DavidM" <spam@spam.net> wrote in message
news:efKULw5DFHA.1932@TK2MSFTNGP14.phx.gbl...
> Thanks for the quick response, Herb. I'll do more investigation before
> calling, if it becomes necessary.
>
> It doesn't matter to me if normal Internet users cannot connect to the 10net
> address or if it's routable. I don't expect/want them to get to
> mycompany.net anyway.

Ok, then that MIGHT be different. So what you would
really do is just alter THOSE EXISTING DNS servers
to return the correct addresses.

> But my customers can connect since they have the
> frame circuit.


> I'm just trying to make accessing our internal production servers simple for
> our customers and minimize any configuration that they will have to do,
> since I can't expect them to keep up with all the changes we make to our
> servers and IP addresses, etc.
>



--
Herb Martin


> >> >
> >> > In any case, such customers (not on the Internet) will
> >> > have to modify their DNS servers.
> >> >
> >> >> What I would like to do is create a standalone DNS server that has a
> >> >> brand
> >> >> new private domain for this purpose. For example, mycompany.fubar.
> >> >> There
> >> >> is no reason for this server to perform any TLD or secondary-domain
> >> > lookups
> >> >>
> >> >> In this case, I created a Forward lookup Zone and a Reverse lookup
> >> >> Zone
> >> > for
> >> >> this new domain. I added whatever "www" and other host records to
> > point
> >> > to
> >> >> our various production servers. On this new DNS server, I changed
its
> >> >> TCP/IP DNS setting to point to itself.
> >> >>
> >> >> If I bring up IE I can successfully access all our web
> >> > applications/servers
> >> >> using the new domain mycompany.fubar. Life is good.
> >> >>
> >> >> Now comes the hard part --
> >> >>
> >> >> 1) I want our internal users to have access to this new domain...
> >> >> mycompany.fubar. I simply want a way for our AD DNS server to look
at
> >> > this
> >> >> new DNS server for anything it can't resolve.
> >> >>
> >> >> 2) I want all our customers to have access to this new domain...
> >> >> mycompany.fubar. I do not want them to create a secondary zone or
> >> > anything
> >> >> of that nature on their network, as I want to keep everything
> > manageable
> >> > on
> >> >> our network and all resource records hidden from them.
> >> >>
> >> >> If customers have DNS server, I want them to have a way to go look
at
> > my
> >> > DNS
> >> >> server for anything it can't resolve.
> >> >>
> >> >> If customers do not have DNS implemented in their environment, I
want
> >> >> them
> >> >> to add my DNS server's IP address to their TCP/IP settings on their
> >> >> client
> >> >> PCs.
> >> >>
> >> >> I do not what this new standalone server to resolve any other DNS
> > queries
> >> >> for our customers. I.E., if they browse the Internet, then they
have
> > to
> >> >> have their own DNS server setup to resolve this. I do not want the
> > extra
> >> >> traffic.
> >> >>
> >> >> If someone can explain to me the best way to accomplish this -- I
> >> >> would
> >> >> greatly appreciate it.
> >> >
> >> > DNS on the Internet works because every zone/domain
> >> > is findable by recursing downwards from the root to any
> >> > name in that namespace.
> >> >
> >> > It is very difficult to search more than one such namespaces
> >> > (except with something akin to conditional forwarding which
> >> > for Microsoft only exists in Win2003 and NOT Win2000 DNS
> >> > servers.)
> >> >
> >> > Your clients will have to take specific DNS actions in most
> >> > cases.
> >> >> Thanks for all your help
> >> >>
> >> >>
> >> >
> >> >
> >> > --
> >> > Herb Martin
> >> >
> >> >
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
Anonymous
February 10, 2005 5:18:16 PM


Herb -- this is what I've done and it appears to be working.

My ISP (ATT in this case) has delegated a few subdomains on their DNS server
to point to my internal DNS server of 10.246.16.43. For example:

mydomain.net is on ATT DNS (mydomain.net is a registered domain name)

They delegated
subdomain1.mydomain.net
subdomain2.mydomain.net
subdomain3.mydomain.net

They then added a "clue" record (an "A" record) for ns1.mydomain.net and
ns2.mydomain.net pointing to 10.246.16.43.

I then created a forward lookup zone for subdomain1.mydomain.net,
subdomain2.mydomain.net, and subdomain3.mydomain.net along with any required
host entries that I want under that subdomain.

So far -- everything appears to be working. I'm using my DNS server to
resolve the production servers on my name. We did not point any of our
internal servers to this new DNS server. It's querying through Internet land.

The next step is to have my customers that have an internet connection try
the new URLs.

For any customers that do not have an Internet connection or a DNS server,
then I will have them add my primary/secondary DNS server on my internal
network to their TCP/IP settings.

This looks like it's going to work fine.

I just now have to remember to renew my mycompany.net domain for 5 or 10
years before I forget and someone scarfs it up and then all my customers
will be getting a porn site as their home page instead of the home page on
my production servers.

I hope all this makes sense. It was a bit confusing for me.




Anonymous
February 10, 2005 7:45:27 PM


"DavidM" <spam@spam.net> wrote in message
news:uo2pp26DFHA.1932@TK2MSFTNGP10.phx.gbl...
> Herb -- this is what I've done and it appears to be working.
>
> My ISP (ATT in this case) has delegated a few subdomains on their DNS server
> to point to my internal DNS server of 10.246.16.43. For example:
>
> mydomain.net is on ATT DNS (mydomain.net is a registered domain name)
>
> They delegated
> subdomain1.mydomain.net
> subdomain2.mydomain.net
> subdomain3.mydomain.net

Ok, and no one can reach that DNS UNLESS they can
route directly to you or through a shared ISP who will
support the 10-net. That is, it won't route across the
backbone routers of the Internet.

> They then added a "clue" record (an "A" record) for ns1.mydomain.net and
> ns2.mydomain.net pointing to 10.246.16.43.

Huh? Clue? That's probably a GLUE record. An NS and A
record pair are usually referred to as Glue Records (or Delegation
records) when delegating -- the A is not always needed in some
special cases.

> I then created a forward lookup zone for subdomain1.mydomain.net,
> subdomain2.mydomain.net, and subdomain3.mydomain.net along with any required
> host entries that I want under that subdomain.

Ok. Anyone who can reach BOTH your ISP and your
10-net DNS server can resolve those addresses.

> So far -- everything appears to be working. I'm using my DNS server to
> resolve the production servers on my name. We did not point any of our
> internal servers to this new DNS server. It's querying through Internet land.

Ok.

> The next step is to have my customers that have an internet connection try
> the new URLs.

And they will fail UNLESS they can already route
to your 10-net, but likely succeed if they can.
(Which is what I think you want.)

> For any customers that do not have an Internet connection or a DNS server,
> then I will have them add my primary/secondary DNS server on my internal
> network to their TCP/IP settings.

What if they have their own DNS servers?
(Use forwarding in SOME cases but...)

If they don't use the Internet, have their own DNS,
AND already use the forwarder setting (not that common
but it does occur) then this won't work.

> This looks like it's going to work fine.
>
> I just now have to remember to renew my mycompany.net domain for 5 or 10
> years before I forget and someone scarfs it up and then all my customers
> will be getting a porn site as their home page instead of the home page on
> my production servers.

Most of the registrars send you notices. <grin>

> I hope all this makes sense. It was a bit confusing for me.

You were mostly confusing your question with HOW you
were going to do it, rather than what you really wanted to
accomplish at first.


