Re: slow logon on windows 2000 domain

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/19/05


Date: Sat, 19 Feb 2005 09:38:37 -0600


"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns9603C5476590AA12F32EDB83F@207.46.248.16...
> "ptwilliams" <ptw2001@hotmail.com> said
>
> > The setup's can vary. Personally, I've always configured it just like
> > you've said -only configure internal DNS on the internal adapter;

Right. As pt says you can do it many ways, but
the most secure and least trouble with the firewall
(and perhaps the best performance and least WAN
traffic if you have multiple internal DNS servers)
is to have the internal DNS servers forward strictly
at the firewall/gateway/DMZ caching only DNS,
and allow that firewall DNS to forward strictly
to the ISP.

[This is not cool if the ISP is small and flaky,
but with big ISPs 95% of all lookups will be in
the caches due to other customers.]

This keeps DNS servers (which are frequently DCs)
off the Internet -- and we don't even have to open
the firewall between them and the firewall.

Our caching only DNS server only needs to
activate DNS on the internal NIC (if it is a
multi-homed machine itself) unless it is trying
to provide external (Internet/public) resolution
for our external resources (www, SMTP, etc.)

And generally for companies without a massive
Internet presence they should put external/public
DNS (back) at the Registrar.

[The registrars have multiple/fault tolerant/24-7/
crews for caring for DNS and give a web interface
where one can manage one's own actual records
which are small in number and seldom change for
those on the Internet.]

The thing that many people mess up (to the point
of it being the answer to many FAQs) is that they
really must point all internal DNS clients STRICTLY
to internal DNS servers.

And reminding everyone that DCs, and even DNS
and other servers are ALSO DNS CLIENTS.

> > Some of our ISA boxes are not domain members, they're simply stand-alone
> > proxy servers;
>

In that case the ISA might or might not point to
itself as a DNS client.

If the ISA is a domain member, then it is also an
INTERNAL name client and needs to point not
to itself (even though it is a caching only DNS
server) but rather to the INTERNAL DNS servers.


