Re: Public Namespace and Private Network

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/17/05

Date: Wed, 16 Feb 2005 23:02:01 -0600

> They will not use my internal DNS server unless they do not have
> dedicated internet access. If they do have a DNS without Internet access,
> then my plan is for them to add a forward lookup to my server.

Not everyone can use yours as a forwarder even if they have
no Internet access (this might not affect you, but it is certainly
possible) if they already use their forwarders internally OR
if they have their own "." root zone for resolving multiple
trees.

You might ignore these cases but you should do so consciously,
and not be shocked if it occurs.

> This is what I would like to do. Do multiple zones on their server
> matter?

NOT if they are all on (all of) their DNS servers or if
they have some scheme where the "forwarder setting"
is not already in use.

NOR if they have Win2003 (or another DNS server) which
offers conditional forwarding. (Were all of your customers
to run Win2003 DNS you really wouldn't have a problem.)

But there is really nothing wrong with allowing them to define
and hold secondaries for your zone (coming off the server they
would use anyway.)

> > They will have to include you into whatever scheme they
> > currently use to hook the trees together, either holding a
> > secondary for your zone (you must allow this) or some
> > substitute OR by delegating from their internal root
> > down to your DNS server that they may use.
>
> You've lost me here. I suppose some of them could have an AD DNS
> configuration -- and it may cause me problems.

That's not the issue (and I covered it again above.)

The issue is if they have NO AVAILABLE forwarder setting
(because they use it for something else) OR if they have an
internal ROOT "." zone.

> I'm hoping that since my name is publicly registered, they can simply
> add a forward lookup to my server (without recursion enabled) or some
> sort of "conditional forwarding" for my domain.

Conditional forwarding doesn't exist in Win2000 and lower,
nor necessarily in all versions of other DNS servers. It is a
relatively new feature.

> I really do not want to entertain the thought of my customers becoming
> secondaries to my zones.

Why?

> This would require more maintenance for all
> involved, in addition to publishing them a list of everything we have
> setup on our DNS.

Not really. It is about as hard to set a forwarder, especially
a conditional forwarder, as it is to set a secondary.

This way if they switch to using the Internet, it doesn't
immediately screw them up.

And for those running Win2003 with a Stub zone capability
that will be another option.

> > You are expecting that they will have IP and have no
> > DNS servers of their own?
>
> I did not mention this, but all our customers have IP and they currently
> talk to our networking with it.

But do you expect they (any of them) have IP but no DNS?

> > That is an unlikely assumption on a network with routers,
> > but possible.
> >
> > And they are going to have to change every one of their
> > clients to use your DNS server (which shouldn't be a big
> > deal if they have no DNS server.)
>
> Agreed.

And the first time someone ADDS Internet access to one
or a 100 clients they will probably screw it up by putting
BOTH DNS (public AND you) in there. <grin>

Not your fault, but be prepared to help.

> >> Opinions?
> >
> > It's pretty goofy (seriously it has a flaky feel, to someone
> > who has spent a long time consulting and designing solution)
> > but it CAN work.
>
> These sorts of things for me, in my experience, never seem easy because of
> the environment that I work in. Seems like some of the basic concepts in
> books are overly simplified and real-world solutions are never truly
> given.

This is NOT a common situation -- the only reason that
I can comment on it accurately is that I know the 10-12
simple rules of DNS and can just run the resolution in my
head to see what will work and what won't.

All of the concepts I am giving you are based on COMMON
principles no matter how complicated the design.

Analogy:
26 letters in the English language -- 100,000 to a million words, but
an infinite number of books are possible.

> I mean, I wish I could just have two internet-facing DNS servers and be
> done with it. But unfortunately, all my customers do not have the same
> network infrastructure and some are less sophisticated than others. Yes,
> some of our customers only use dial-up for Internet access.

Which is not the fault of DNS (or you) but it is just part of
the burden your company CHOSE to assume to have these
customers (really.)

> >
> > If it meets your needs -- your biggest problem will likely
> > be those people who say they have no Internet access and
> > then next week put one into their system.
> >
> > Then they won't be able to figure out why their clients
> > pointed at you no longer work -- OR they will point
> > them to themselves and break access to you...or...
> >
> > Worst of all, they will put BOTH sets of DNS servers
> > on the client and get RANDOM results that work one
> > day for one client and not for another, and change the
> > next day.
>
> I would agree. This is a risk and this will have to be communicated to
> all customers once the DNS environment is implemented.

Mostly if I can prepare you for this you will recognize it
in the first 20 minutes instead of days or weeks later.

It won't help that much to "communicate it" (except as CYA)
because those that will do this will do it anyway.

You will have to CATCH it when they start complaining OR
teach their Admins (as I am trying to help you) to do so.
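The "run the resolution in my head" exercise above, as an added toy model that is not part of this thread: it encodes the handful of rules discussed (held zone data, conditional forwarder, single global forwarder, internal "." root zone, Internet root hints) and runs each customer configuration mentioned against a constructed placeholder zone. Server names, the zone name and the simplified rule order are assumptions for illustration.

```python
import random
from dataclasses import dataclass, field

ZONE = "partner.example."  # constructed placeholder for the vendor's publicly registered zone

@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone -> server that answers it (self for primary/secondary, another for a stub/delegation)
    forwarder: str = ""                              # the single global forwarder (all a Win2000 server has)
    conditional: dict = field(default_factory=dict)  # domain -> server (Win2003-style conditional forwarding)
    internal_root: bool = False                      # holds its own "." zone, so it never uses Internet root hints

def resolve(net: dict, server: str, qname: str, hops: int = 0) -> str:
    """Return the name of the server whose data answers qname, or 'NXDOMAIN' if resolution dead-ends."""
    if hops > 8 or server not in net:
        return "NXDOMAIN"
    s = net[server]
    for zone, answerer in s.zones.items():        # rule 1: zone data held locally (primary, secondary or stub)
        if qname.endswith(zone):
            return s.name if answerer == s.name else resolve(net, answerer, qname, hops + 1)
    for domain, target in s.conditional.items():  # rule 2: a conditional forwarder for that domain
        if qname.endswith(domain):
            return resolve(net, target, qname, hops + 1)
    if s.forwarder:                               # rule 3: the global forwarder, whatever it already points at
        return resolve(net, s.forwarder, qname, hops + 1)
    if s.internal_root:                           # rule 4: an internal "." zone says "nothing else exists"
        return "NXDOMAIN"
    return resolve(net, "internet", qname, hops + 1)  # rule 5: root hints out to the Internet

def client_lookup(net: dict, client_servers: list, qname: str, rng=random) -> str:
    """A client listing several DNS servers is answered by whichever one it happens to pick."""
    return resolve(net, rng.choice(client_servers), qname)

def scenarios() -> dict:
    """The customer configurations discussed in the thread, each resolving host.<ZONE> (constructed data)."""
    q = "host." + ZONE
    net = {
        "internet":  DnsServer("internet", zones={".": "internet"}),       # stand-in for public recursion
        "vendor":    DnsServer("vendor", zones={ZONE: "vendor"}),          # the vendor's internal DNS server
        "cond":      DnsServer("cond", conditional={ZONE: "vendor"}),      # Win2003 conditional forwarder
        "fwd":       DnsServer("fwd", forwarder="vendor"),                 # global forwarder free to point at vendor
        "root":      DnsServer("root", internal_root=True),                # internal "." zone, nothing added for vendor
        "busy":      DnsServer("busy", forwarder="root"),                  # forwarder already used to hook trees together
        "root+sec":  DnsServer("root+sec", internal_root=True, zones={ZONE: "root+sec"}),  # "." zone plus a secondary
        "root+stub": DnsServer("root+stub", internal_root=True, zones={ZONE: "vendor"}),   # "." zone plus stub/delegation
    }
    results = {n: resolve(net, n, q) for n in net if n not in ("internet", "vendor")}
    results["client-with-both"] = sorted({client_lookup(net, ["vendor", "internet"], q, random.Random(i)) for i in range(50)})
    return results
```

The last entry reproduces the "BOTH sets of DNS servers on the client" case: the answer depends on which server the client picked, so the same name resolves differently from one lookup to the next.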
