New to DNS Admin - Root-hints & ICMP packets

Guest
Archived from groups: microsoft.public.win2000.dns

We have just migrated our DCs to 2003. We have our 2 internal DCs
running DNS and forwarding to our third DC in the DMZ, which is also a
DNS server, forwarding to our ISP. The internal DCs are pinging the
living mess out of the servers on the root hints page, and nothing is
getting through due to rules on our firewall. DNS is Active Directory
integrated and set up for secure transfers amongst themselves.

Is there any way to keep the root hints on the DNS server in the DMZ
without having them replicate to the two internal DNS servers? Such as
"Do Not use Recursion" on the internal DNS servers? Deleting the
cache.dns did not work.

Also, what constitutes the primary and secondary DNS servers? The
largest SOA? Our clients will be getting their configurations through
DHCP. For load balancing reasons we have DHCP configured to point the
clients to a primary DNS server that doesn't have the FSMO roles, and
the one that holds the roles as secondary DNS. My understanding is
that if DNS is integrated, all the DNS servers can be considered
primary DNS servers?
 
Guest

In news:hoj711psrf3cppakpaf56s27grpk015c2a@4ax.com,
tjadmsn@nospam.org <tjadmsn@nospam.org> commented
Then Kevin replied below:
> We have just migrated our DCs to 2003. We have our 2
> internal DCs running DNS and forwarding to our third DC
> in the DMZ, which is also a DNS server, forwarding to our
> ISP. The internal DCs are pinging the living mess out
> of the servers on the root hints page, and nothing is
> getting through due to rules on our firewall. DNS is
> Active Directory integrated and set up for secure
> transfers amongst themselves.
>
> Is there any way to keep the root hints on the DNS server
> in the DMZ without having them replicate to the two
> internal DNS servers? Such as "Do Not use Recursion" on
> the internal DNS servers? Deleting the cache.dns did not
> work.

On the Forwarders tab, check this box: "Do not use recursion".
This basically disables the root hints without having to remove them.

> Also what constitutes the primary and secondary DNS
> servers?

There are no Primary and Secondary DNS servers. You have DNS servers with
Primary or Secondary zones on them. A Primary is a writable master zone; a
Secondary is a read-only copy.

> The largest SOA? Our clients will be getting
> their configurations through DHCP. For load balancing
> reasons we have DHCP configured to point the clients to a
> primary DNS server that doesn't have the FSMO roles, and
> the one that holds the roles as secondary DNS. My
> understanding is, that if DNS is integrated, all the DNS
> servers can be considered primary dns servers?

If the zones are Active Directory integrated, they are all writable masters;
each will list itself as the Primary master on the SOA record.
DNS, being for the most part a read-only service, uses very little system
resources. Unless you have several thousand clients, the machines are
unlikely to notice the load, provided they are properly configured, not
forwarding to each other, and you are not using any type of advanced logging.
If a DNS server has to write a log file, you can expect it to put a lot more
load on the machine.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
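An added audit script (not from the thread or from Microsoft) for the layout Kevin describes: the internal DCs forward to the DMZ server and must not fall back to root hints, while each AD-integrated server should name itself as Primary master in the SOA. It assumes the DnsServer PowerShell module (Windows Server 2012 and later), and the server and zone names are placeholders; on 2003 the Forwarders-tab checkbox maps to `dnscmd <server> /Config /IsSlave 1`.

```powershell
# Added example, not from the thread. The 2003 GUI checkbox "Do not use recursion"
# on the Forwarders tab is forward-only mode: UseRootHint = $false here. It is NOT
# "Disable recursion" on the Advanced tab, which would also stop the DCs from
# resolving anything for their clients.

$Zone     = 'corp.example.com'   # placeholder AD-integrated zone
$Internal = @('DC1', 'DC2')      # placeholder internal DCs, should be forward-only
$Dmz      = 'DC3-DMZ'            # placeholder DMZ server, forwards to the ISP

function Test-ForwardOnly {
    param([string]$Server, [bool]$ExpectForwardOnly)
    $fwd = Get-DnsServerForwarder -ComputerName $Server
    $rec = Get-DnsServerRecursion -ComputerName $Server
    $hasForwarders = ($fwd.IPAddress | Measure-Object).Count -gt 0
    # Recursion stays enabled so the server still resolves for clients; only the
    # root-hint fallback is switched off on the internal servers.
    $forwardOnly = -not $fwd.UseRootHint
    [pscustomobject]@{
        Server      = $Server
        Forwarders  = ($fwd.IPAddress -join ', ')
        RecursionOn = $rec.Enable
        ForwardOnly = $forwardOnly
        Ok          = $hasForwarders -and $rec.Enable -and ($forwardOnly -eq $ExpectForwardOnly)
    }
}

function Test-SoaPrimary {
    param([string]$Server, [string]$ZoneName)
    # Ask this server directly for the zone's SOA; an AD-integrated server names itself as MNAME.
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -DnsOnly |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    [pscustomobject]@{
        Server        = $Server
        PrimaryServer = $soa.PrimaryServer
        ListsItself   = $soa.PrimaryServer -like "$Server.*"
    }
}

$Internal | ForEach-Object { Test-ForwardOnly -Server $_ -ExpectForwardOnly $true }
Test-ForwardOnly -Server $Dmz -ExpectForwardOnly $false
$Internal | ForEach-Object { Test-SoaPrimary -Server $_ -ZoneName $Zone }

# Remediation for an internal server reported with ForwardOnly = False (2012+):
#   Set-DnsServerForwarder -ComputerName DC1 -UseRootHint $false
```

An internal server with ForwardOnly = False is the one that will keep trying the root servers through the firewall, which is the traffic the original post saw.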
 
Guest

Thanks... Enabling "Do not use recursion" on the internal DNS servers
worked. Ping packets have disappeared, and I have a better
understanding of DNS.

On Wed, 16 Feb 2005 18:57:49 -0600, "Kevin D. Goodknecht Sr. [MVP]"
<admin@nospam.WFTX.US> wrote:

>In news:hoj711psrf3cppakpaf56s27grpk015c2a@4ax.com,
>tjadmsn@nospam.org <tjadmsn@nospam.org> commented
>Then Kevin replied below:
>> We have just migrated our DCs to 2003. We have our 2
>> internal DCs running DNS and forwarding to our third DC
>> in the DMZ, which is also a DNS server, forwarding to our
>> ISP. The internal DCs are pinging the living mess out
>> of the servers on the root hints page, and nothing is
>> getting through due to rules on our firewall. DNS is
>> Active Directory integrated and set up for secure
>> transfers amongst themselves.
>>
>> Is there any way to keep the root hints on the DNS server
>> in the DMZ without having them replicate to the two
>> internal DNS servers? Such as "Do Not use Recursion" on
>> the internal DNS servers? Deleting the cache.dns did not
>> work.
>
>On the Forwarders tab, check this box: "Do not use recursion".
>This basically disables the root hints without having to remove them.
>
>> Also what constitutes the primary and secondary DNS
>> servers?
>
>There are no Primary and Secondary DNS servers. You have DNS servers with
>Primary or Secondary zones on them. A Primary is a writable master zone; a
>Secondary is a read-only copy.
>
>> The largest SOA? Our clients will be getting
>> their configurations through DHCP. For load balancing
>> reasons we have DHCP configured to point the clients to a
>> primary DNS server that doesn't have the FSMO roles, and
>> the one that holds the roles as secondary DNS. My
>> understanding is, that if DNS is integrated, all the DNS
>> servers can be considered primary dns servers?
>
>If the zones are Active Directory integrated, they are all writable masters;
>each will list itself as the Primary master on the SOA record.
>DNS, being for the most part a read-only service, uses very little system
>resources. Unless you have several thousand clients, the machines are
>unlikely to notice the load, provided they are properly configured, not
>forwarding to each other, and you are not using any type of advanced logging.
>If a DNS server has to write a log file, you can expect it to put a lot more
>load on the machine.