Re: DNS Configuration for Windows 2003 Server

From: Kevin D. Goodknecht Sr. [MVP] (admin_at_nospam.WFTX.US)
Date: 10/21/04


Date: Wed, 20 Oct 2004 22:00:13 -0500

In news:eIc7s4rtEHA.904@TK2MSFTNGP11.phx.gbl,
Marcelo <marceloariel@gmail.com> commented
Then Kevin replied below:
> Hi Sharad, here come my questions...
>
>> you must have decided the domain name. (it must have
>> at least two periods, and should not be same as your
>> registered domain name.)
>
> You mean having 2 points at least with FQDN, right?
> My DNS Name is called something like
> servername.dnsname.com.ar
> I guess then this is ok. Is it?

It is OK but you are going to have problems connecting with an external site
such as your public website with the name dnsname.com.ar, in fact you just
will not be able to. That record must point to the IP of the NIC on your DCs
that have file sharing enabled. You will have to use www.dnsname.com.ar

> -----------------
>
>> Do not use single label domain name.
>
> I don't know what is a single label domain name so I
> searched it at
> It says I have to set this at registry:
>
> AllowSingleLabelDnsDomain (REG_DWORD) under the following
> Registry key:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
>
> Since this entry is not at my server registry then this
> is not set as single label domain name?

A single-label name would be just domain vs. domain.com for multi-label
name, you're OK on the count.

> -------------------
>
> Since when I've installed DNS Server I did it while installing Active
> Directory at the same time (AC forces you to install DNS Server) I've
> had it installed so I'll write about these points you set below:
>
>
>> 1. In DNS server add forward lookup zone yourdomain.com
>> and allow dynamic updates for this zone.
>
> It has a forward lookup zone.
> In order to allow dynamic updates I've read the following microsoft link:
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_AllowDynamicUpdates.asp
>
> ... and set in Dynamic Updates, Nonsecure and secure.
> Is this ok?

OK, but Only secure updates would be better.

>
> ------------
>>
>> 2. In the DNS server set forwarders to your ISP.
>>
>
> How should I do this? I cannot find a way to do it.

Click on the properties of your DNS server in the DNS management console,
then select the forwarders tab. Forwarders are optional but not required, as
long as there is no "." forward lookup zone.

> --------------
>
>> 3. If your win 2003 server is behind firewall, ensure that the
>> firewall supports more than 512 byte UDP packets (EDNS.)
>> If it doesn't or if you are not sure then you need to disable EDNS
>> probes on win 2003 DNS server.
>> Please see below link for the same.
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;828731
>
> Since I'm behind a firewall (Winroute) and don't know whether it
> handles or not EDNS I've tried to disable it with no success.
>
> I've done what your link says:
> dnscmd /Config /EnableEDnsProbes 0, and then press ENTER.
>
> it says dnscmd is not recognized as an internal or external program
>
> I've looked for it and it really does not exist.
>
> So.. what could be another way to disable this EDNS or how can I check
> if this is being a problem if it is set?

dnscmd is in the Server support tools on the CD, but leave EDNS enabled,
that is for firewalls like the Cisco Pix firewall, which block these
packets. Even then it is better to fix the Pix to allow these packets, it
improves the performance of Win2k3 DNS to leave EDNS enabled.

>
> -----------------------
>
>
>> 4. Run recursive and non recursive query tests, from the DNS manager and
>> verify both tests succeed.
>
> Here comes something weird. I do a nslookup 10.0.1.5 (my server and dns
> ip) and it says: non-existing domain. That's scaring me!!
>
> Same when I do a NS Lookup and then ls -t google.com
>
> I must tell you I don't have a reversing zone set up.

That is why nslookup gives you this message, you still need a reverse lookup
zone to prevent the server from trying to send updates to the Blackhole DNS
servers. There is an event related to this I can't remember the event ID but
it says cannot make secure connection to prisoner.iana.org.

>
> -----------------------
>
>
>> 5. Point the win 2003 server to itself for DNS server in
>> the tcp/ip properties of its NIC.
>> Please note the server and the clients must point to the local DNS server
>> and not to the ISP's DNS server (not even as secondary DNS.)
>
> This topic was exactly as you say.
>
>
>
>
> Can you help me with these topics? What I'm most
> concerned of is that when I do a nslookup to my server it
> doesn't work.

Forget nslookup, use Dig or get Netdig from www.mvptools.com

-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
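
For the EDNS question in step 3 (how to check whether a firewall on the path passes EDNS and UDP responses over 512 bytes), one way to test it is sketched below as an added example that is not part of the original post. The function names, the default TXT query type and the sample reply are this example's own constructions; `probe` needs network access, the rest runs offline.

```python
import socket, struct

def build_query(name, qtype=1, edns_size=4096, txid=0x1234):
    """DNS query; edns_size=None omits the EDNS0 OPT record (RFC 6891)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0 if edns_size is None else 1)
    msg += qname + struct.pack("!HH", qtype, 1)          # QTYPE, class IN
    if edns_size is not None:
        # OPT pseudo-RR: root name, TYPE 41, CLASS carries the advertised UDP size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                              # step over one label
    return off + (1 if msg[off] == 0 else 2)             # root byte or pointer

def parse_response(msg):
    """Summarise a raw UDP DNS response: size, TC bit, RCODE, OPT size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    opt_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            opt_size = rclass
    return {"bytes": len(msg), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "edns_udp_size": opt_size}

def probe(server, name, qtype=16, timeout=3.0):
    """Send the same query with and without EDNS; a timeout maps to None."""
    results = {}
    for label, size in (("plain", None), ("edns", 4096)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, qtype, size), (server, 53))
                results[label] = parse_response(s.recvfrom(65535)[0])
            except socket.timeout:
                results[label] = None
    return results

# Constructed sample reply (flags 0x8180: QR, RD, RA) echoing an OPT of 1232
_q = build_query("example.com", edns_size=1232)
SAMPLE_REPLY = _q[:2] + b"\x81\x80" + _q[4:]
```

A reply for `plain` together with `None` for `edns` is the pattern step 3 describes: something on the path is discarding EDNS queries or the larger responses they allow.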

