server referring ISP DNS for LAN

shrikant
      06-24-2009

I have one domain controller with DNS, and it has all the FSMO roles. Name:
dc1.example.com
AND
one client machine named webs.example.com has the W2K3 Std OS and 2 NICs, and it's a
web server.

1> dc1.example.com has the FSMO roles and DNS server, 1 NIC, Windows 2K3 Ent SP2
ip 192.168.0.1
subnet mask 255.255.255.0
gateway none
dns 192.168.0.1

2> webs.example.com server and internet connection with 2 NICs (it is not a
domain controller)
NIC 1
ip 192.168.0.25
subnet mask 255.255.255.0
gateway none
dns 192.168.0.1

NIC 2
ip 192.168.1.2
subnet mask 255.255.255.0
gateway 192.168.1.1
dns: the ISP's DNS server

The problem is that when I run the nslookup command on webs,
the result shows it is preferring the ISP's DNS server, which creates problems like
being unable to apply the group policy of my LAN.
Problem:
1) webs is unable to prefer my LAN DNS; it goes directly to the ISP's DNS.

How do I solve this problem?
Please reply.




Ace Fekay [Microsoft Certified Trainer]
      06-24-2009

"shrikant" <> wrote in message
news:F1835724-5C0F-42D0-BD68-...
> I have one domain controller with DNS, and it has all the FSMO roles. Name:
> dc1.example.com
> AND
> one client machine named webs.example.com has the W2K3 Std OS and 2 NICs, and
> it's a
> web server.
>
>
> 1> dc1.example.com has the FSMO roles and DNS server, 1 NIC, Windows 2K3 Ent SP2
> ip 192.168.0.1
> subnet mask 255.255.255.0
> gateway none
> dns 192.168.0.1
>
> 2> webs.example.com server and internet connection with 2 NICs (it is not a
> domain controller)
> NIC 1
> ip 192.168.0.25
> subnet mask 255.255.255.0
> gateway none
> dns 192.168.0.1
>
> NIC 2
> ip 192.168.1.2
> subnet mask 255.255.255.0
> gateway 192.168.1.1
> dns: the ISP's DNS server
>
> The problem is that when I run the nslookup command on webs,
> the result shows it is preferring the ISP's DNS server, which creates problems like
> being unable to apply the group policy of my LAN.
> Problem:
> 1) webs is unable to prefer my LAN DNS; it goes directly to the ISP's DNS.
>
> How do I solve this problem?
> Please reply.




Never use an ISP's DNS on any AD member, DC, client, etc.

Remove the ISP's DNS. Point only to the internal DNS. On the internal DNS,
configure a forwarder to your ISP's DNS.

In the Network Connections window, Advanced menu, Advanced Settings, make sure
the internal NIC is at the top of the binding order.

Restart the machine after you make changes.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers, as well as to help others benefit from your
resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
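The following script is an added example, not part of this thread or of Microsoft's documentation. It implements the three steps above (only internal DNS on every adapter, internal NIC preferred, forwarder on the internal DNS server) as an audit that can optionally apply the fix. It uses the DnsClient, NetTCPIP and DnsServer PowerShell modules, which exist on Windows 8 / Server 2012 and later; the poster's Windows Server 2003 machines would need the GUI or netsh instead. The adapter alias 'LAN' and the ISP resolver address are assumed placeholders; the internal DNS address 192.168.0.1 is the one from the thread.

```powershell
# Audit (and optionally fix) DNS client settings on an AD member server so that
# no adapter points at an external resolver. Added example; cmdlets require
# Windows 8 / Server 2012 or later.
param(
    # Internal AD-integrated DNS server(s); 192.168.0.1 is the thread's dc1.
    [string[]] $InternalDns = @('192.168.0.1'),
    # Apply changes instead of only reporting.
    [switch]   $Fix
)

$findings = @()

# Step 1: every IPv4 adapter must list only internal DNS servers.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }   # adapter has no DNS configured

    $foreign = $cfg.ServerAddresses | Where-Object { $_ -notin $InternalDns }
    if ($foreign) {
        $findings += [pscustomobject]@{
            Interface   = $cfg.InterfaceAlias
            Configured  = ($cfg.ServerAddresses -join ', ')
            NotInternal = ($foreign -join ', ')
        }
        if ($Fix) {
            # Replace the whole list so only the internal DNS remains, in order.
            Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex `
                                       -ServerAddresses $InternalDns
        }
    }
}

if ($findings) {
    Write-Warning "Adapters pointing at non-internal DNS (these break AD SRV lookups):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All adapters use only internal DNS: $($InternalDns -join ', ')"
}

# Step 2: modern equivalent of the 2003 binding-order tip. Give the internal
# adapter the lowest interface metric so its DNS settings are preferred.
# 'LAN' is an assumed alias; check Get-NetAdapter on the target machine.
$InternalAlias = 'LAN'
if ($Fix) {
    Set-NetIPInterface -InterfaceAlias $InternalAlias -AddressFamily IPv4 -InterfaceMetric 10
}

# Step 3: on the internal DNS server itself (dc1 in the thread), resolve the
# Internet through a forwarder instead of listing the ISP on clients.
# Only runs where the DnsServer module is present; the ISP address is a
# placeholder from the TEST-NET-3 documentation range.
if ($Fix -and (Get-Command Add-DnsServerForwarder -ErrorAction SilentlyContinue)) {
    $IspDns   = '203.0.113.53'
    $existing = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
    if ($existing -notcontains $IspDns) {
        Add-DnsServerForwarder -IPAddress $IspDns -PassThru
    }
}
```

Run it without `-Fix` first to see which adapter still carries the ISP entry (in the thread's case, NIC 2); the report alone is usually enough to explain GPO and logon failures on a member server. Run it with `-Fix` from an elevated prompt, then reboot as the reply above recommends.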

shrikant
      06-26-2009

The DNS resolution is solved when I keep my LAN DNS server at the top of the DNS list
in the network properties of the internet-connected NIC, that is NIC 2.
But in Event Viewer the Event ID 1030 and 1005 errors still exist. This
server is able to access all resources of my LAN; I checked the SYSVOL share
permissions and they're OK.
How do I apply the group policy to my member server?

shrikant
      06-26-2009

Yes!!!!!
I solved the problem of 1030 and 1005.
The winlogon and WMI services were blocked by the firewall; I unblocked them to contact
my DNS server and the problem is solved.
I checked GP by using gpresult; it is working well.

Ace Fekay [Microsoft Certified Trainer]
      06-26-2009

"shrikant" <> wrote in message
news:44B6CBDD-E27A-42AF-A69B-...
> Yes!!!!!
> I solved the problem of 1030 and 1005.
> The winlogon and WMI services were blocked by the firewall; I unblocked them to
> contact
> my DNS server and the problem is solved.
> I checked GP by using gpresult; it is working well.
>



You really need to remove the ISP's DNS address from the domain controllers.
It will still cause problems with DNS registration.

To explain why will require a little background on AD and DNS:

First, just to get this out of the way, if you have your ISP's DNS addresses
in your IP configuration (DCs and clients), they need to be REMOVED. If the
ISP's DNS is in there, this will cause additional problems. I usually see
errors (GPOs not working, can't find the domain, RPC issues, etc), when the
ISP's DNS servers are listed on a client, DCs and/or member servers, or with
multihomed DCs. If you have an ISP's (or some other outside DNS server or
even using your router as a DNS server) DNS addresses in your IP
configuration (all DCs, member servers and clients), they need to be REMOVED
and ONLY use the internal DNS server(s). This can be very problematic.

Basically, AD requires DNS. DNS stores AD's resource and service locations
in the form of SRV records, hence how everything that is part of the domain
will find resources in the domain. If the ISP's DNS is configured in any
of the internal AD member machines' IP properties (including all client
machines and DCs), the machines will be asking the ISP's DNS "where is the
domain controller for my domain?" whenever they need to perform a function
(such as a logon request, replication request, querying and applying GPOs,
etc). Unfortunately, the ISP's DNS does not have that info and replies
with an "I dunno know", and things just fail. Unfortunately, the ISP's (or
your router as a DNS server) DNS doesn't have information or records about
your internal private AD domain, and it shouldn't have that sort of
information.

Also, AD registers certain records in DNS in the form of SRV records that
signify AD's resource and service locations. When there are multiple NICs,
each NIC registers. If a client, or another DC, queries DNS for this DC, it
may get the wrong record. One factor controlling this is Round Robin. If a
DC or client on another subnet that the DC is not configured on queries for
it, Round Robin will kick in offering one or the other. If the wrong one
gets offered, it may not have a route to it. On the other hand, Subnet Mask
Prioritization will ensure a querying client gets an IP that corresponds
to the subnet it's on, which will work. To ensure everything works, stick
with one NIC.

Since this DC is multi-homed, it requires additional configuration to
prevent the public interface addresses from being registered in DNS. This
creates a problem for internal clients locating AD to authenticate and find
other services and resources such as the Global Catalog, file sharing and
the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
logged, authenticating to shares and printers, logging on takes forever,
among numerous other issues.

Another problem is the DC now becomes part of two Sites. This is another
issue that can be problematic.

But if you like, there are some registry changes to eliminate the
registration of the external NIC or simply use the internal networking
routing to allow access. Here's the whole list of manual steps to follow.

But believe me, it's much easier to just get a separate NAT device or
multihome a non-DC than having to alter the DC. If both NICs are
internal, I would suggest picking a subnet, teaming the NICs and letting your
internal routers handle the traffic between subnets.

If you'd like to keep the ISP's DNS, I can supply the steps to make the
necessary alterations, if you like.

Ace
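The following script is an added example, not part of this thread, that makes the two points in the reply above observable: an ISP resolver cannot answer the AD locator SRV query that logon, replication and GPO processing depend on, and a multi-homed machine registers one host record per NIC, which is what lets Round Robin hand out an address a client cannot reach. It uses the thread's names (example.com, dc1, the 192.168.0.0/24 LAN) and the DnsClient module cmdlets from Windows 8 / Server 2012 and later; the /24 prefix test is an assumption drawn from the subnet masks in the first post.

```powershell
# Added example: check which configured DNS servers can actually serve AD, and
# how many addresses the DC has registered. Requires Resolve-DnsName
# (Windows 8 / Server 2012 or later); names and subnet are the thread's.
$Domain         = 'example.com'
$DcName         = "dc1.$Domain"
$InternalDns    = '192.168.0.1'
$InternalPrefix = '192.168.0.'          # the LAN /24 from the thread (assumed)
$LocatorSrv     = "_ldap._tcp.dc._msdcs.$Domain"

# 1. Ask every DNS server any adapter points at for the DC locator SRV record.
#    Only the internal, AD-integrated DNS holds it; an external resolver returns
#    NXDOMAIN, which is the "I dunno know" answer that makes AD functions fail.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           ForEach-Object { $_.ServerAddresses } |
           Sort-Object -Unique

$results = foreach ($dns in $servers) {
    try {
        $srv = Resolve-DnsName -Name $LocatorSrv -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            DnsServer = $dns
            Usable    = [bool]$srv
            Answer    = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    } catch {
        # Resolution failed (NXDOMAIN, SERVFAIL, timeout): this server must not
        # appear in any AD member's DNS list.
        [pscustomobject]@{ DnsServer = $dns; Usable = $false; Answer = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# 2. Count the host (A) records the DC has registered in the internal DNS.
#    More than one, or any address outside the LAN prefix, means a second NIC
#    is registering and Round Robin can hand clients an address with no route.
$a = Resolve-DnsName -Name $DcName -Type A -Server $InternalDns -DnsOnly -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' }
$offSubnet = $a | Where-Object { -not $_.IPAddress.StartsWith($InternalPrefix) }

"{0} has {1} A record(s): {2}" -f $DcName, @($a).Count, (($a | ForEach-Object IPAddress) -join ', ')
if (@($a).Count -gt 1) {
    Write-Warning "$DcName registers more than one address; clients may be handed either one."
}
if ($offSubnet) {
    Write-Warning ("Registered outside the LAN subnet: " + (($offSubnet | ForEach-Object IPAddress) -join ', '))
}
```

Run it on the member server (webs in the thread) after the DNS list has been corrected: every row in the first table should show `Usable = True`, and the DC should have exactly one A record inside the LAN prefix. A `False` row identifies a leftover ISP entry; a second A record identifies the multi-homed registration the reply warns about.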
