Proper way to set up DNS for AD and Internet access for In..

Archived from groups: microsoft.public.win2000.dns (More info?)

I want to make sure I am properly setting up DNS for the AD domain and internal
users.

I set up the AD domain name as company.local on dc1.company.local (192.168.0.1) and
set up local DNS with an Active Directory integrated zone.
They all share access to a broadband connection (512Kbps FTTH connection) to the
Internet through a Linksys router.
I set all clients' primary DNS to 192.168.0.1; this is the only DNS entry for
clients. I then go to the DNS server, Forwarders tab, and put in the DNS IP
addresses for my ISP.

Logins work well, GPOs process and users have Internet access.

Users then started to complain about web pages being kind of slow to load.

Should I add an ISP DNS entry on each client as a secondary DNS server?

Does the forwarding from the inside DNS server to ISP dns server tend to
slow browsing?

Thanks for your time
 

In news:B0F1AC12-D7F6-4BCF-A72C-AD57BF9A5525@microsoft.com,
exchangerookie1994 <exchangerookie1994@discussions.microsoft.com> commented
Then Kevin replied below:
> I want to make sure I am properly setting up DNS for AD
> domain and Internal users.
>
> I set up AD domain name as company.local on
> dc1.company.local (192.168.0.1)- set up local DNS, active
> directory integrated Zone.
> They all share access to broadband connection (512Kbps
> FTTH connection) to Internet through Linksys router
> I set all clients primary DNS to 192.168.0.1, this is the
> only DNS entry for clients. I then go to DNS server -
> Forwarders TAB and put the DNS ip addresses for my ISP
>
> Logins work good, GPO's process and users have Internet
> access
>
> Users then started to complain about web pages being kind
> of slow to load.

How many users are sharing this 512Kbps link?
Mine is 800Kbps, which isn't considered fast these days; when my son is
playing Xbox Live it slows me down a lot even though it only uses 112Kbps of
bandwidth.
If even one user is using Internet radio you'll see a dramatic slowdown.

>
> Should I add a ISP dns entry in each client as a
> secondary DNS server?

Absolutely not. This is how clients access domain resources, and the ISP
doesn't know anything about your local network; if it answers, it will be
wrong and cause network errors.

>
> Does the forwarding from the inside DNS server to ISP dns
> server tend to slow browsing?

You haven't really provided any evidence to prove this is DNS related. But
you should really use the router as your forwarder, instead.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 

"exchangerookie1994" <exchangerookie1994@discussions.microsoft.com> wrote in
message news:B0F1AC12-D7F6-4BCF-A72C-AD57BF9A5525@microsoft.com...
> I want to make sure I am properly setting up DNS for AD domain and
Internal
> users.


** See below for full summary...

> I set up AD domain name as company.local on dc1.company.local
(192.168.0.1)-
> set up local DNS, active directory integrated Zone.

> They all share access to broadband connection (512Kbps FTTH connection) to
> Internet through Linksys router
> I set all clients primary DNS to 192.168.0.1, this is the only DNS entry
for
> clients.

That is actually the "Preferred DNS" (or Alternate), as the
words Primary and Secondary have technical meanings in
DNS (as types of servers.)

Your setup is correct. Internal clients must use STRICTLY
the internal DNS.

> I then go to DNS server - Forwarders TAB and put the DNS ip
> addresses for my ISP

Good. That is correct.

You could also use a "caching only" DNS server at the firewall/DMZ
but it is NOT necessary. This would however eliminate the need for
the DC/DNS server to go out to the Internet.

OPTIONAL: IF your ISP DNS is reliable, then you might
benefit from checking "Do not use Recursion" (ONLY) on
the Forwarders tab.

This will keep your DC/DNS from trying to visit the ENTIRE
Internet but it will make it dependent on the ISP DNS for
Internet resolution. (I usually do this.)

> Logins work good, GPO's process and users have Internet access
> Users then started to complain about web pages being kind of slow to load.


> Should I add a ISP dns entry in each client as a secondary DNS server?

NO.

Definitely NOT. This will screw up your clients (i.e., make
them erratic when they latch onto the wrong DNS server.)

It might not (probably won't) even improve performance.
Once a web site is in the DNS cache of the DNS/DC even
if another machine put it there (most people tend to visit
the same sites) then it will be there for everyone.

Some people have reported that the "Do not use Recursion"
(on forwarder tab) has improved such systems BUT I can
logically figure out why that would be the case.

> Does the forwarding from the inside DNS server to ISP dns server tend to
> slow browsing?

No. Not in general. You would benefit more from a caching
(web) proxy, e.g. ISA (but it costs money.)


**DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
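The following is an added example, not code from the original thread or from either poster. It turns the advice in both replies into a PowerShell audit: clients must list SOLELY the internal AD DNS server, the DC/DNS server should forward to the ISP, the AD locator SRV record must resolve via the internal server (an ISP server knows nothing about company.local), and dcdiag output is saved to a text file and searched for FAIL, ERROR and WARN. It assumes a modern Windows client or server (Windows 8 / Server 2012 or later, for the DnsClient and DnsServer modules; the thread's Win2000-era tools are netdiag, nltest and the Forwarders tab), that the server checks are run on the DC or with the DNS Server RSAT tools installed, and that dcdiag is available. The address 192.168.0.1, the host dc1 and the domain company.local are the placeholders from the original post.

```powershell
# Added example (not from the original thread). Audits the AD/DNS layout
# discussed above. Assumes Windows 8 / Server 2012+ (DnsClient, DnsServer
# modules); server-side checks need to run on the DC or with DNS RSAT.
$InternalDns = @('192.168.0.1')   # the DC/DNS server from the thread (placeholder)
$AdDomain    = 'company.local'    # the AD DNS name from the thread (placeholder)

# 1) Client side: every IPv4 DNS server on an active adapter must be internal.
#    An ISP address here is exactly the "secondary DNS" both replies reject.
function Test-ClientDnsConfig {
    param([string[]]$Allowed)
    $bad  = @()
    $cfgs = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($cfg in $cfgs) {
        foreach ($srv in $cfg.ServerAddresses) {
            if ($Allowed -notcontains $srv) {
                $bad += [pscustomobject]@{ Interface = $cfg.InterfaceAlias; Server = $srv }
            }
        }
    }
    if ($bad) {
        Write-Warning 'Non-internal DNS servers configured on this client; remove them:'
        $bad | Format-Table -AutoSize | Out-Host
    } else {
        Write-Host 'Client DNS OK: only internal DNS servers are configured.'
    }
    return ($bad.Count -eq 0)
}

# 2) Server side: forwarders present, and whether the server falls back to
#    root hints. The old "Do not use recursion" checkbox on the Forwarders tab
#    corresponds to UseRootHint = False on current Windows DNS servers.
function Test-DcForwarders {
    param([string]$Dc)
    $fwd = Get-DnsServerForwarder -ComputerName $Dc
    if (-not $fwd.IPAddress) {
        Write-Warning "No forwarders on $Dc; it will recurse to the root servers for everything."
    } else {
        $list = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        Write-Host "Forwarders on ${Dc}: $list"
    }
    Write-Host ("Falls back to root hints if forwarders fail: {0}" -f $fwd.UseRootHint)
    return [bool]$fwd.IPAddress
}

# 3) Resolution sanity check: the DC locator SRV record must be answered by
#    the internal server. Point -Server at an ISP resolver to see it fail.
function Test-AdSrvRecord {
    param([string]$Domain, [string]$Server)
    $r = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                         -Server $Server -ErrorAction SilentlyContinue
    if ($r) { Write-Host "DC locator SRV record resolved via $Server" }
    else    { Write-Warning "No DC locator SRV record for $Domain via $Server" }
    return [bool]$r
}

# 4) dcdiag to a text file, then search it for FAIL / ERROR / WARN as the post
#    suggests. This is a coarse filter; read the matched lines in context.
function Invoke-DcDiagScan {
    param([string]$Dc, [string]$OutFile = "$env:TEMP\dcdiag_$Dc.txt")
    dcdiag /s:$Dc /v | Out-File -FilePath $OutFile -Encoding ascii
    $hits = Select-String -Path $OutFile -Pattern 'FAIL|ERROR|WARN'
    if ($hits) {
        Write-Warning ("{0} line(s) in {1} matched FAIL/ERROR/WARN:" -f $hits.Count, $OutFile)
        $hits | ForEach-Object { Write-Host ("  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim()) }
    } else {
        Write-Host "dcdiag output in $OutFile contains no FAIL/ERROR/WARN lines."
    }
    return $hits
}

# Run the client-side checks everywhere; server-side checks only where the
# DnsServer module exists (on the DC itself or a box with DNS RSAT).
$results = [ordered]@{
    ClientDnsOnlyInternal = Test-ClientDnsConfig -Allowed $InternalDns
    AdSrvViaInternal      = Test-AdSrvRecord -Domain $AdDomain -Server $InternalDns[0]
}
if (Get-Module -ListAvailable -Name DnsServer) {
    $results.ForwardersConfigured = Test-DcForwarders -Dc "dc1.$AdDomain"
    $null = Invoke-DcDiagScan -Dc "dc1.$AdDomain"
}
$results
```

Run it on a workstation first: a `False` for ClientDnsOnlyInternal means someone has added an outside resolver, which is the misconfiguration the replies warn about. On the DC, `Test-DcForwarders` shows whether the ISP forwarders are set and whether the server still falls back to root hints; `Invoke-DcDiagScan` is the "send DCDiag output to a text file and search for FAIL, ERROR, WARN" step from the post, automated.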