DNS and Server 2003

Discussion in 'Server Networking' started by CoveTom, Jun 30, 2004.

  1. CoveTom

    CoveTom Guest


    Consider this one computer tech whose head is about to
    explode. :) I apologize for the length of this message,
    but I want to make sure I put forth all the info you'll
    need to know.

    I'm new to Windows Server 2003 -- Windows server software
    at all, really -- and now I'm in the position of having to
    move the network of the school I work for to that platform
    before the new school year starts. I've got a wonderful
    book, and I've learned a lot, but DNS is confounding me to
    a point, and I hope I can get some help.

    Here's the scenario: We are a small school. To this point,
    we have been running a Novell NetWare 3.12 (yes, that old)
    server that did only file and print sharing for the
    intranet. No DNS, no web site, no e-mail. Just a LAN
    server. Now, in one fell swoop, we've dumped the old
    server, bought a new machine and a copy of Windows Server
    2003 Standard, and want to have a web site and e-mail (for
    employees only, not students) through our own domain.

    So, as I said, we have one (count 'em, one) server running
    Windows Server 2003 Standard. At the moment, it's the
    server that's going to do everything for us. That includes
    file services for the local network users, being the
    primary (well, only) domain controller, handling Active
    Directory, being our (again, only) DNS server, and
    handling our web site and e-mail. A lot for a single server
    to do, I know, and not exactly the recommended setup, but
    it's what we've got. Like I said, we're a small school.

    Should we need a second server, like one to do secondary
    DNS or to host our web site and e-mail separately, I could
    put up a second machine to act as a separate server for
    some of this. I could come up with the hardware. But as we
    don't have the money for another Server 2003 license, it
    would have to run Linux. I like that idea, but I'm also
    not keen on the idea of having to learn Linux and Server
    2003 at the same time -and- try to get them to play nice
    with each other. I know how much Linux and Windows love
    each other, after all.

    So, here's where we stand: I'm an experienced Windows guy,
    but not a Windows Server guy. But, with the help of my
    book (Mastering Windows Server 2003 by Mark Minasi, if
    you're interested) and a bit of good luck, I've managed to
    install the server, set it up as a primary domain
    controller, get Active Directory up and running, and set
    it up as a DNS server that successfully handles our
    internal network (and only our internal network). In other
    words, a computer on our network can boot up, find the
    server, create a computer account for itself, and login to
    the server. But right now that's all it can do. No access
    to the outside Internet, and no server setup for web and
    e-mail purposes.

    I should also mention at this point how our Internet setup
    works. We have a T1 connection from here to a
    pseudo-government organization that supplies Internet access to
    local area schools. They give us a bunch of IP addresses
    in a non-routable range (10.x.x.x) and the address of
    their DNS server. We have a Cisco 1600 series router which
    tosses all our Internet traffic over to them, and their
    systems get everything where it needs to go. They also
    filter our Internet traffic, BTW, so that students can't
    get to anything, well, inappropriate.

    In special cases where we need incoming traffic, such as
    our server, they "unfilter" one of our non-routable
    internal IP addresses and tie it to a real, routable
    external IP address. So, essentially, our server has two
    IP addresses: one internal that's non-routable on the
    Internet, and one external that's a real live IP address.

    And that's where my knowledge hits a brick wall. I need to
    figure out how to get all of the computers inside our
    network to be able to go out onto the Internet, do DNS
    queries, find sites, etc. and also figure out how to get
    traffic on the outside Internet able to access our
    soon-to-be-created web and e-mail addresses. And I need opinions.

    What is the best way to handle this? Can it be reasonably
    done on a single server? Do we need a separate box running
    Linux to handle some of this? Should we keep the default
    gateway for the local computers as the router or switch it
    to the server, because if we switch it to the server,
    which has an unfiltered IP, students can get to
    everything? Does any of this make any sense at all?

    If someone could start to point me in the right direction,
    I would be greatly appreciative.


    CoveTom, Jun 30, 2004

  2. Windows DNS is designed as such that you simply stay away from it and it
    keeps working fine. It is required for having a Domain, so make sure DNS is
    installed (but unconfigured) before you make the Server a domain controller.
    It will install automatically if it is not there, but I think things are
    "smoother" if it is already there. The process of making the machine a DC
    will automatically configure DNS the way it should be and you can just "stay
    away" from it and it will work fine.

    Do *not* make your Domain Name the same as any publicly registered Internet
    Domain Name,...these are not the same thing,..do not treat them as the same
    thing,...keep the names different. Just use a three letter ending that is
    not ever on the Internet (like "loc" instead of com, net, edu, etc..). I
    like to use *.loc (loc = "Local"), but you can pick whatever you like.

    Once in place *all* machines (and I mean *ALL* machines) use the Domain's
    DNS for their DNS, even the DC itself. The DC can point to itself using for its DNS setting. I use because it will always be
    available when sometimes things can happen to cause the regular IP to not

    For internet name resolution you simply add the ISP's DNS Servers to the
    Forwarder's List within the config of your DNS Server(s). So the clients
    look to your DNS first, if it can't resolve it is passed on to the DNS listed
    in the Forwarder's List. It's pretty simple and everything works right.
    Phillip Windell, Jun 30, 2004

  3. Another message is coming...hang on,...I can't type and think that fast...


    Phillip Windell [MCP, MVP, CCNA]

    Phillip Windell, Jun 30, 2004
  4. Some straightforward answers to some of your questions in no particular

    1. Student Internet access: Presumably student machines access the
    Internet by setting their default gateway to the IP address of the Cisco
    router. This will give them Internet connectivity, but they also need name
    resolution. Student machines should be configured to point to the server IP
    for DNS. Now you need to configure Forwarders on the server so that local
    DNS clients can resolve Internet names. On the server - Go to
    Administrative Tools and open the DNS console. Right click the server and
    select properties. Click the Forwarders tab and enter/add the IP address
    of the 'pseudo government's' DNS server. If the Forwarders tab entries are
    grayed out, delete the '.' zone. You may have to restart the service or
    reboot the server. All internal machines should then be able to get
    whatever Internet access is available through your provider.

    2. Configuring the Win 2003 machine as a web server is extremely easy.
    Just click on the Configure My Server wizard in Administrative Tools. To
    allow your internal users to connect to the server is also easy. If you
    create a web site that uses your Active Directory domain name - eg.
    www.ADdomainname.com, then all you need to do is add a host record called
    www in the ADdomainname.com zone through the DNS console. If you create a
    web site with a different DNS name, then use the DNS console to add a
    standard primary zone with the new name - eg. newzone.com - again add a
    host record called www to this zone.

    Providing External access to your web sites - ie. enabling outside Internet
    users to view your web site, requires your provider to set things up. They
    will have to assign you a public IP address and map it or port 80 to the
    10.x.x.x IP address of your server. There also has to be an external or
    public DNS server to resolve the public DNS name, and this means the public
    DNS name needs to be registered. None of this can be configured on your
    internal network. So the short answer is that you need to consult with the
    provider in order to allow public access to your server.

  3. Win 2003 has a built-in mail server - use the Configure My Server
    wizard - which may meet your needs. Again it's easy to provide mail services
    to the internal LAN users. However, if you want to provide mail services to
    external Internet users, you have issues similar to those for providing
    external web access.

    4. Ideally, everyone wants to use a separate server for every server
    function and have a back-up box for each one as well. However, there is no
    theoretical reason why you can't provide the desired services from a single
    machine. Whether there is a practical reason depends on hardware
    performance, bandwidth availability and demands, etc. MS makes a product
    called Small Business Server 2003 which is designed to provide all your
    server needs plus several others all on one box. So I would try to do what
    you want with what you have. If the platform proves to be inadequate -
    that's your best argument for more hardware. You won't get very far with
    the powers-that-be by telling them that some guy in a newsgroup told you you
    need MS Exchange Server and a second Windows Server 2003 box.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    Doug Sherman [MVP], Jun 30, 2004
  5. You can get things working on the one box for now and see how it behaves.
    Add others only when you know you need them. So don't try to solve problems
    that you don't even have yet.
    I've heard of these situations in schools. I don't think they are "pretty".
    If they give you enough 10.* addresses to cover all your needs, then you
    simply use them on all your machines and the Cisco 1600's 10.* address
    becomes the Default Gateway of the machines. This "pseudo-gov organization"
    will be the ones "firewalling" and protecting your network.

    If you don't have enough 10.* addresses then *ask for more* from the *same*
    subnet, ..it is still the simplest model to follow. But if they won't give
    more you will require a NAT Device. The Server could do it, but I don't
    recommend dual-homing a DC/DNS machine, nor do I recommend adding that much
    more responsibility to a Server that may already be overworked. The best bet
    is to use a Hardware based Firewall for this. You could also build one with
    Linux & IP Tables.

    When doing this you need to wisely pick a private address range that won't
    cause future problems with other private systems you may have to deal with.
    These would be your "internal" addresses, while the 10.* addresses would
    become your "external" address which are in the same role that a Public
    Address Range would be in a "normal" network. Now the clients would use the
    internal IP# of the "NAT Device" as their Default Gateway. This "pseudo-gov
    organization" will *still* be the ones "firewalling" and protecting your
    network, but you will be able to do additional filtering yourself, but you
    will *not* be able to allow what they don't allow because it will never get
    to (or from) you.
    This is called Static NAT or One-to-One NAT depending on the filtering model.

    If you have enough 10.* addresses and follow that simpler method, they will
    continue to do this in this manner. But if you have to add another NAT
    Device and another Address Range, this will become nearly impossible or at
    least difficult. They can only Static or One-to-One NAT to the 10.* address
    which are now *external* to your private system and cannot communicate
    directly with your machines. You can probably Static or One-to-One NAT
    between the 10.* address they used and one of your own internal addresses,
    but things can get really complicated when things don't work and be very
    hair-pulling to sort out where the problem *really* is.
    Phillip Windell, Jun 30, 2004
  6. CoveTom

    CoveTom Guest

    In the book that I've been using as a reference, the
    author uses the same domain name as both the internal,
    Windows Active Directory domain name and the external
    Internet-accessible domain. In other words, something.com
    is everything, both internal and external. Thus, that's
    the model I've been following in setting things up. Are
    you saying that's a bad idea and, if so, why?
    CoveTom, Jun 30, 2004
  7. CoveTom

    Guest Guest

    So, to boil this down to the essentials, it sounds to me
    like what you're saying is that for internal access, we
    just need to use the router as our gateway and the Server
    2003 box, with a forwarder to our ISP's DNS, as our DNS
    server. And for our web site, we just need to have a real,
    outside IP address forwarded by our ISP to their
    appropriate internal IP and either the ISP's DNS server or
    some other external DNS server set up to resolve DNS
    queries for our domain to that external IP. Is that

    Guest, Jun 30, 2004
  8. That's about it. I made some assumptions about your network infrastructure,
    but the description would make little sense unless it works the way I
    assume it does - possibly the ISP has a proxy server requirement, but they
    should have told you that. The good news is that providing access to
    external users does not require any additional resources or configuration on
    your internal network. As to how much help your ISP is willing to provide
    ........ who knows? But presumably they have done this for other schools.
    They are the only ones who can control the routing from a public IP to your
    internal network, but they might require you to pay for name registration
    and use a third party for external DNS.

    Also, many networks use the same DNS name for the Active Directory domain
    and the external or public DNS name space. There are both advantages and
    disadvantages to doing this, but it is a common practice.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    Doug Sherman [MVP], Jun 30, 2004
  9. Yes it is a bad idea and the guy who wrote the book should be slapped.

    It would probably take a chapter or two of writing to explain that. I'm
    afraid it is one of those things that is very simple yet very hard to
    explain. It's like defining the word "the".

    Here are some articles that display the depth of problems created by this.
    These are centered around the use of ISA Server, but the principles apply
    to any situation.

    [Those are underscores, not spaces between the words]
    14120 Errors; Discussion and Solution

    [Those are underscores, not spaces between the words]
    You Need to Create a Split DNS!
    Phillip Windell, Jun 30, 2004
  10. Well, as you can tell if you've been reading the other
    replies in this thread, I've already gotten one reply
    insisting that I should not use the same domain name as
    our Internet domain and our internal Windows domain.
    OTOH, the book I'm using doesn't seem to have a problem
    with the practice. He uses "bigfirm.biz" as his example
    domain, and uses that as both the Internet domain and the
    internal Windows domain throughout his examples.

    I am very early on in the game of setting up the server,
    so switching domain names wouldn't be too big a pain in
    the neck if I needed to, but I want to make sure what I
    need before I go setting things up yet again. What would -
    you- recommend?

    BTW, we do have to use a proxy server on the filtered IP
    addresses, yes. But on the unfiltered addresses like the
    server, no proxy is necessary.
    Tom E. Pinkerton, Jun 30, 2004
  11. I don't think "biz" is a legitimate top-level domain. He was probably just
    using that as an example to teach what he was teaching and may not have been
    implying one way or the other whether it should be the same on both the
    Public and Private sides. But if he did expect it to be the same for both,
    then he should have made the problems with it clear so you know what you're
    getting into. He would have still annoyed me, but then I wouldn't have to
    slap him at least.

    Remember that the naming of the Domain can have severe consequences and it
    wasn't even until 2003 that they could even be easily renamed once created.
    You used to have to start from scratch again or create a new domain and
    migrate the accounts. But even with 2003, once Exchange is installed it is
    not rename-able due to the changes Exchange makes to AD.
    Phillip Windell, Jun 30, 2004
  12. CoveTom

    Guest Guest

    Yes, "biz" is a legitimate TLD. It's one of the new ones
    approved by ICANN. It's sort of the "catch all" of the new
    domain names, apparently intended to be an extension of
    the overcrowded "com" TLD, but I have yet to see any
    indication of it taking off, nor do I expect to. I suspect
    com, org, and net are here to stay as the dominant domains
    for as long as they accept new registrations.

    Regarding the issue of internal vs. external domains,
    there is something else to consider. Since the same server
    is going to be handling web and e-mail functions, as well
    as domain controller and Active Directory functions, it is
    going to be accessible, in part, to the outside world
    regardless. Why? Because when they go to our external
    domain, even if it's different from the internal one,
    they're still going to the same physical machine. Given
    that scenario, is there still a benefit to having a
    different local domain name?

    Guest, Jun 30, 2004
  13. I disagree - there are plenty of domains out there running the same AD
    domain name as their registered Internet domain names. Split-brain DNS isn't
    necessarily good or - no matter what you choose you just have to set it up

    To access hosts on the "real" domain name from inside the network, you just
    create the host records manually in DNS - such as mail, www, etc.

    I don't really have a clear preference here. I've done it both ways, made it
    work both ways.
    Lanwench [MVP - Exchange], Jun 30, 2004
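    A small Python model of the resolution paths described in Doug Sherman's step 1 (forwarders, the '.' zone) and in Lanwench's reply just above (manually adding www/mail records when the AD zone shares the public name). This is an added example, not code from the thread or from Microsoft; the server names, zone names and addresses are constructed.

```python
# Toy model of the Windows DNS resolution paths discussed in this thread.
# Added example, not the thread's or Microsoft's code; every name and
# address is constructed (203.0.113.x and 198.51.100.x are doc ranges).

class DnsServer:
    def __init__(self, name):
        self.name = name
        self.zones = {}        # zone name -> {fqdn: address}
        self.forwarders = []   # servers listed on the Forwarders tab

    def add_zone(self, zone, records=None):
        self.zones[zone] = dict(records or {})

    def add_record(self, zone, host, address):
        # Same effect as adding an A record in the DNS console.
        self.zones[zone][f"{host}.{zone}"] = address

    def authoritative_zone(self, fqdn):
        # Longest matching zone suffix wins; a "." zone matches every name.
        labels = fqdn.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.zones:
                return suffix
        return "." if "." in self.zones else None

    def resolve(self, fqdn):
        """Return the address, or None when the name cannot be resolved."""
        fqdn = fqdn.lower().rstrip(".")
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Authoritative: answer from zone data only, never forward, so a
            # missing record is NXDOMAIN. Holding "." makes every name local,
            # which is why the Forwarders tab is greyed out until it is deleted.
            return self.zones[zone].get(fqdn)
        for fwd in self.forwarders:   # not our zone: try forwarders in order
            answer = fwd.resolve(fqdn)
            if answer is not None:
                return answer
        return None


def scenario():
    """Walk through the thread's configurations and return each result."""
    isp = DnsServer("isp-dns")   # the provider's resolver, our forwarder
    isp.add_zone("bigfirm.biz", {"www.bigfirm.biz": "203.0.113.10"})
    isp.add_zone("example.net", {"www.example.net": "198.51.100.7"})
    results = {}
    # 1. AD domain named like the public domain, fresh install with "." zone.
    dc = DnsServer("school-dc")
    dc.add_zone(".")
    dc.add_zone("bigfirm.biz", {"dc1.bigfirm.biz": "10.5.0.2"})
    dc.forwarders.append(isp)
    results["root_zone_present"] = dc.resolve("www.example.net")      # None
    del dc.zones["."]             # delete the '.' zone, as the thread says
    results["root_zone_deleted"] = dc.resolve("www.example.net")
    # Same-name AD zone shadows the public www record until added by hand.
    results["www_before_manual_record"] = dc.resolve("www.bigfirm.biz")
    dc.add_record("bigfirm.biz", "www", "10.5.0.3")
    results["www_after_manual_record"] = dc.resolve("www.bigfirm.biz")
    # 2. Unique private name (school.loc): public names are simply forwarded.
    dc2 = DnsServer("school-dc-loc")
    dc2.add_zone("school.loc", {"dc1.school.loc": "10.5.0.2"})
    dc2.forwarders.append(isp)
    results["unique_name_public_site"] = dc2.resolve("www.bigfirm.biz")
    return results
```

    Running `scenario()` shows the two failure modes side by side: a '.' zone silences forwarding entirely, and a same-name AD zone returns nothing for www until the record exists internally.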
  14. Not really - it's up to you. I suppose if your external website or mail
    server didn't have a static IP, it would be a lot easier to use
    mydomain.local for your AD ...but really, even that isn't insurmountable.
    Your choice - you're the one who has to live with it. ;-)
    Lanwench [MVP - Exchange], Jun 30, 2004
  15.
    I know people will disagree,...there always are when there is more than one
    way to do something.

    Split-DNS is not simple and it requires two DNS Servers. The OP says he is
    not an experienced "Windows Server guy" and is struggling with the basics of
    AD Domains and DNS. I am not going to suggest to him and saddle him with the
    burden that he should try configuring Split DNS with two DNS Servers. I know
    that there are also other ways to "workaround" this with only one DNS, but I
    am still not going to suggest this either. He not only has to set this up,
    but has to understand it well enough to maintain it and troubleshoot it when
    something quits "down the road" as well.

    By using unique FQDNs for the public and private side, you create an AD
    environment that is so totally simple that a child could deal with it and
    never have to even touch the DNS Admin Tool in MMC once the Forwarders are
    added. I'm "sticking by my guns" and still insisting that this be the route
    he take.

    The author of the book should have made all this stuff clear to the reader
    before stating or at least implying that the FQDNs be the same on both
    sides. The fact we are all having this discussion in the first place
    demonstrates this. So I still stand by my statement concerning him as well.
    Phillip Windell, Jun 30, 2004
  16. Yep - one internal for AD, and one for the public DNS which can be external
    (and usually should be in a small shop). One doesn't have to host the
    public DNS in house in order to do this.
    Lanwench [MVP - Exchange], Jul 1, 2004
  17. Phillip, Douglas, and Lanwench,

    I appreciate all the advice that you have given, but now
    I must come back because my situation has now changed. A
    kind soul who Microsoft provided with a case of free
    not-for-resale copies of Windows Server 2003 Enterprise
    Edition, each with 25 client licenses, has offered to
    donate a copy to our school to use as our web and e-mail

    Thus, that means that I need to re-think our network
    strategy. We now have the ability to have a secondary DNS
    server and secondary domain controller, as well as
    keeping our Internet services separate from our local
    network services.

    Do you all have recommendations on how we should go about
    designing the network now? Or do you even recommend going
    with the two servers at all?


    Tom E. Pinkerton, Jul 1, 2004
  18. I love keeping the server's "jobs" split up across multiple servers so that
    if you have to work on one or reboot it you aren't taking down the whole
    network to do it.

    However my design recommendations are the same. My recommendations are not
    affected by whether you do everything on one box or split things across
    several boxes.
    Phillip Windell, Jul 1, 2004
  19. CoveTom

    Guest Guest

    The only reason you're being told not to do this is in case a public website
    or other DNS record exists in the public domain. In that case you'll simply
    manually create the A record in DNS. This is THE way it's done. Ignore everyone
    Guest, Jul 1, 2004
  20. Since he is "being told" about three different things, which "being told"
    are you referring to? If he uses his own Public Domain name that isn't an
    issue because he is already using his own which is already definitely his,
    so there won't be a conflict. If he creates a unique Private Domain then it
    can't conflict anyway....so either way there isn't a conflict. So doing it
    to avoid conflicting with an existing Public Record isn't the primary
    reason, although it should be kept in mind.
    Phillip Windell, Jul 1, 2004