DNS server setup questions

Discussion in 'DNS Server' started by Sally Mathews, Feb 9, 2007.

  1. Can someone please confirm whether my setup is correct or not? I have one
    Windows Server 2003 that I am using just as a file server.

    Here are my server NICs

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : server
    Primary Dns Suffix . . . . . . . : VALLEY
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : VALLEY

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 PM Network Connection
    Physical Address. . . . . . . . . : 00-19-D1-22-A2-CA
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.16.10


    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : SysKonnect SK-9E21D 10/100/1000Base-T Adapter, PCI-Express, Copper RJ-45

    Physical Address. . . . . . . . . : 00-00-5A-71-7E-C1
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.16.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.16.10


    The question is that I have DHCP set up on my server. I also have
    forwarding set for the 2 DNSs that my ISP provides. My router is set with
    the static IP but also the 2 DNSs from the ISP.

    I am having problems with my network in that when we have multiple users on
    the network, or at the busier times of the day, the internet access drops out.
    Systems reconnect right away, but the drops cause problems because the
    clients chart records online as a regular part of their day.

    In addition, if I watch my performance monitor the DNS hits are at 100% while
    my CPU/Memory, etc. usage is close to nothing. I have event log errors of 6702
    as well.

    Does anyone have suggestions as to what I might change? Should I have my
    router run the DHCP instead? Should I take the DNS entries off of my router
    since they are forwarded on my server already?

    Thanks in advance for your suggestions.
     
    Sally Mathews, Feb 9, 2007
    #1

  2. Sally Mathews

    Guest Guest

    Hi Sally,

    Why do you believe this is related to DNS? Have you checked logs and
    interface statistics on the router? It may be possible that you are pushing
    the top of your bandwidth at busier times of the day. When the Internet
    connection drops, does it drop for everyone all at once suddenly, or do you
    just experience sporadic poor connectivity?

    The interfaces below appear to be configured correctly.
     
    Guest, Feb 9, 2007
    #2

  3. Sally Mathews

    Herb Martin Guest

    It is a very bad idea to use a single LABEL domain name, especially if
    this is, or will be one day, an AD domain.
    Do you have a Zone named JUST "valley"?
    Implies that 192.168.16.10 either holds or can find the zone name "Valley".
    So this machine has the DNS server (and that address) too.
    Then your router should NOT be a domain member machine (like ISA)
    nor a machine that needs to address internal machines by internal names.
    What does the above mean? "chart records" and "drops out" -- these terms
    are not nearly specific enough to diagnose. What specifically happens?
    When does it happen? What are the precise error messages?
    "DNS hits at 100%" ??? What is that? The DNS service perhaps?
    May not matter. If nothing is using the Routers as DNS server, e.g., no
    client machine (they should ONLY use the INTERNAL DNS server) and the
    internal DNS server is NOT forwarding to it.
     
    Herb Martin, Feb 9, 2007
    #3
  4. **What do you suggest?
    **I haven't manually made any zones, I will check when I am onsite
    **I have no problem moving around my network or the internet really. Just
    intermittent at the same time every day. The ISP and online database company
    both say it isn't them. If I go offsite it is not slow at the database
    company with a personal DSL connection. These problems all started when I
    introduced the server.
    **There is only one server on my network, it has 2 nics
    **You confuse me on that. Are you saying that I shouldn't run DNS on my
    server and go back to the router doing the work?
    ** The internet connection just drops, they lose connection to the internet
    entirely.
    ** I have some clients that are not moved over to the server yet. They are
    still pulling their IP from the server and not the router. The internal DNS
    server only forwards to the ISP's DNS, but the router is the default
    gateway 192.168.1.1 (is that incorrect?)
    ****** Thanks in advance for your suggestions!!!!!

    **This same setup is working great on a SBS 2003 server I have at another
    location but that is R2.
     
    Sally Mathews, Feb 9, 2007
    #4
  5. ** I suspect DNS because I am unsure of my setup. The ISP and the online
    database they use both point at the server. The problems started with the
    server, although the frequent disconnect issue happens at about the same
    time, just after lunch, and lasts all afternoon. I have even taken it down
    to one user on the network during that time and it acts the same way. I
    personally suspected the ISP, but they swear there is no problem. In addition
    we went off site to a personal DSL connection and had no problems online, so
    I don't suspect it is the online database.
     
    Sally Mathews, Feb 9, 2007
    #5
  6. Sally Mathews

    Herb Martin Guest

    Valley.local, valley.org, valley.something.
    Then you presumably created a Domain (DCPromo the first DC) and
    chose "VALLEY" as your domain name. This auto-created the VALLEY
    zone as a single label domain name.

    If so, it will not be difficult to change and manage correctly.

    Google for:

    [ site:microsoft.com single label DNS name dynamic ]

    You can add "2000" or "2003" depending on your Server version.
    Such intermittent problems are CAUSED by placing the ISP or Gateway DNS
    on the Client NIC->IP-> DNS settings.

    You cannot mix two different "sets" of DNS server; you cannot bypass the
    internal DNS even with an alternate. When the alternate goes active the
    internal DNS and domain resources will become unavailable.

    Is this an AD domain or not?

    DCs should generally be single homed (one NIC).

    Those are fine. What is the
    Router is fine for machines on that subnet (presumably you have two or more
    subnets since the server has two NICs.)

    All internal Machines must use INTERNAL DNS.

    Machines must use a default gateway ON the same subnet (broadcast domain)
    to which they are connected.

    Are there machines connected to the server which is then connected to the
    gateway router?

    ISP -- Gateway -- (machines) -- Server -- (more machines)

    If so, that Gateway will need a MANUAL route to find the network where
    "more machines" are located. The equivalent of the following route would be
    normal:

    route add IP.Net.More.Machines MASK 255.255.255.0 IP.Left.Nic.Server

    "More machines" would use "Right.IP.Nic.Server" as default gateway, and both
    server and "Machines" would use the gateway as the "default gateway."
    Different nets have to be done correctly and cannot always be assumed to
    be the "same".
     
    Herb Martin, Feb 9, 2007
    #6
  7. ++++Thank you, I will try that.
    +++So are you telling me that those systems that are not authenticating on
    the domain, and are simply standalone are causing an alternate set of
    settings to go out to the workstations? It makes sense now.
    +++ ISP - DSL Modem - Router (4 port) - 24 port Switch - machines and server
    on same switch
     
    Sally Mathews, Feb 9, 2007
    #7
  8. Sally Mathews

    Herb Martin Guest

    I think you MAY understand it so allow me to clarify: The settings don't
    "go out" to the client, but if the client queries a DNS server which cannot
    resolve "internal names" (e.g., the ISP or some firewall/gateway DNS
    that isn't part of the internal DNS server set) then the client will receive
    a NEGATIVE response and thus fail to find the internal resources.

    IF that is what you meant above, then you do understand.
    Ok, but look at two issues of being unspecific above: "Switch"* can either be
    a bridge type switch (layer 2) which does NOT separate "broadcast domains"
    or a Router-Switch (layer 3) which DOES create separate broadcast domains.
    (In fact some are both, and even configurable VLAN switches which is even
    more complex to explain, but follow the same simple rules once configured.)

    Second issue is that TWO-NIC server. Is it a router?

    If not, why does it have 2-NICs?

    You have between 1 and 3+ subnets based on the unspecified number of
    routers present above.

    *Switch when used out of context is a very imprecise term. Router and
    bridge have very precise meanings in almost all cases.
     
    Herb Martin, Feb 9, 2007
    #8
  9. Yes, I believe I understand now.
    The router is a simple Linksys 4 port Router, the switch is a basic switch,
    not managed if that helps.
    I put a second NIC in the server as I understood that I could access
    remotely without it. Is there a recommended setup I could use so that I
    could remotely access using only one NIC?
     
    Sally Mathews, Feb 9, 2007
    #9
  10. Sally Mathews

    Herb Martin Guest

    No, not much. I get that the Router is a Router (it forwards IP traffic
    based on IP address and routing tables).

    BUT, the "basic switch" (managed or unmanaged) doesn't really tell me
    enough.

    Many people (even manufacturers) use the term "Switch" incorrectly to refer
    to a 10/100 (or /1000) Mbps HUB -- that is a simple device which can only
    relay or technically REPEAT what it hears. Such 10/100 so-called 'switches'
    are NOT switches in the network engineering sense but are really "2
    multi-port repeaters separated by a bridge".

    Chances are if it is "unmanaged" it is however such a hub, or some slightly
    more sophisticated bridge device and thus doesn't separate "broadcast
    domains".

    Do you use the same IP Subnet ranges on all ports of the switch? If so,
    and if they can communicate successfully then this is likely NOT a router
    and so the additional STATIC routes won't be needed on the true router
    to the Internet (the Linksys).
    Sure. Remote from where though to be specific?

    You don't need but one NIC for most anything you would need to do
    except route (or maybe for cluster service management but even that
    is optional.)

    Generally Windows machines don't deal well with two network interfaces
    on the same "broadcast domain" due to NetBIOS name problems.

    And there are few if any advantages.
     
    Herb Martin, Feb 9, 2007
    #10
  11. It is not configurable, and for our purpose, I would call it a hub. The box
    says switch but it can't be programmed and wasn't high cost.
    I haven't set any specific ports on any switch or router with the exception
    of opening up for Symantec Antivirus Corporate 10.2
    I wish I could have talked to you a long time ago. The others I have talked
    to have suggested that I need 2 nics in order to come into my server remotely
    to troubleshoot my workstations (or server). I could use PC Anywhere with
    one NIC, but that doesn't help me out much with my workstations.

    Do you have a canned example on how I would do this with 1 NIC? I really
    would like to keep this setup as simple as possible.

    Herb, I really do appreciate your patience and assistance!
     
    Sally Mathews, Feb 9, 2007
    #11
  12. Sally Mathews

    Herb Martin Guest

    I really want to smack the idiot "Marketers" who started advertising
    multi-speed Hubs as switches. The only switching they do is at PLUG
    IN (or enabling of the network from that port) when they 'switch' the
    computer to either the 10 or the 100 or 1000 Mbps 'side' of the bridge
    in these things.

    This is NOT "dynamic switching" which is what network engineers mean
    when they talk about a switch.

    Unfortunately these labels on boxes have confused a LOT of people new
    to networking.

    Ok, I think we can eliminate this as a router. You will use the same
    subnets on all ports of this HUB. Or more formally and accurately:

    10/100 Mbps Multi-port repeater

    If you only have ONE "Internal Router" then adding routes is unnecessary.

    Technically you need manual (or dynamic) routes when you have more than
    TWO ROUTERS (in a linear configuration) but the ISP's router counts as
    one of these, thus the internal rule is 2 or more.

    I call this the "router in the middle" problem. With 3 routers, one is in
    the middle, so that MIDDLE router needs dynamic routes -- doesn't seem to
    be your issue though. (FYI: With more than 3 routers, several can be
    "in the middle".)
    Windows Server had Remote Desktop (or they call it Terminal Server "admin
    mode" for Win2000) so even PCAnywhere isn't needed but PCAnywhere works
    just fine with a single NIC.

    PCAnywhere also isn't needed for WinXP (RDP is included) but for Win2000
    PCAnywhere, VNC, or something similar is useful. None of these requires an
    extra NIC.

    What is typically the problem when these programs (PCA, RDP, VNC, even
    telnet) don't work is that the local XP-firewall or an add-on firewall is
    blocking the ports on the target machine.
    Sure, you just enable or install one of these services (RDP is included so
    merely enable it; VNC and PCAnywhere are add-ons), check that the firewall for
    their port(s) is open, and then just connect to the main IP or using the DNS
    or NetBIOS name.

    For RDP the port is 3389 by default. I would have to lookup the PCAnywhere
    or VNC ports but they are trivial to find.
    You are welcome. We like helping.
     
    Herb Martin, Feb 9, 2007
    #12

  13. Herb,

    If I eliminate one of the NICs how should I set the IP Scheme for that NIC?
    Do I actually give the server itself my static IP from my ISP rather than my
    router?

    Are you suggesting that my server is actually my router and I can get rid of
    the router that comes off of the DSL Modem? That router is also my firewall
    with NAT (if I understand correctly)

    I am going to go through this weekend and join all the rest of the
    workstations to the domain (per our previous conversation), but want to make
    sure I have the server set correctly first.

    Not sure if you will respond after hours or out of the normal week day but
    this network is a side thing I am doing and it is a learn as you go project
    for a non profit organization I am helping.

    Sally


    And if this is all true above then how about a firewall?


     
    Sally Mathews, Feb 10, 2007
    #13
  14. Sally Mathews

    Herb Martin Guest

    No, since you only have the one Public IP it needs to stay on the router
    (linksys).

    Generally you need to do "service mapping", "port mapping", "address
    mapping", "service definition", etc on the Router. Such routers vary in
    terminology but you will map the external address AND PORT number to the
    INTERNAL ADDRESS and PORT number of your internal machine.

    This does mean the internal machine will need a 'fixed' address of course.
    No, that is actually possible but there is no reason to do this. Your
    server is likely safer behind the hardware router.
    Yes, so just do the service mapping. You will need the PCAnywhere
    port number.

    Harder will be if you wish to reach "Multiple machines" but usually
    it is easiest to come through the router to the "server" and from there
    to all of the other machines (using a remote access client on the first
    machine to reach the others.)
    Ok.

    Remember, all internal machines must use STRICTLY the internal
    DNS server.
    If you get in trouble you can call me -- use the 512 number on website.
     
    Herb Martin, Feb 10, 2007
    #14
  15. So this is what I need to do:


    Change domain name to valley.local

    Check to see if I have a Zone named JUST "valley"
    (should have been auto-created)

    By changing this domain name my DNS error 6702 should stop.

    Google for:

    [ site:microsoft.com single label DNS name dynamic ]


    When I look at the results they confirm that I don't want to use a single
    label DNS name (and that is why I am changing it, right?)


    I am going to remove the extra NIC from the server, and configure the single
    NIC as below:

    Ethernet adapter Local Area Connection:
    IP Address. . . . . . . . . . . . : 192.168.1.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.10


    I am going to leave DHCP running on my server


    I am going to make sure that only DNS my clients get is the server IP


    "You cannot mix two different "sets" of DNS server; you cannot bypass the
    internal DNS even with an alternate. When the alternate goes active the
    internal DNS and domain resources will become unavailable."

    In response to the above statement: if I join all of my workstations to the
    domain this should not be an issue, correct? But how about the consultant
    that comes in with their personal laptop? Will that cause problems as they
    will not be part of the domain, just picking up internet access?

    "If nothing is using the Routers as DNS server, e.g., no client machine
    (they should ONLY use the INTERNAL DNS server) and the internal DNS server
    is NOT forwarding to it."

    In my DNS settings, I do forward to my ISP DNSs, don't I? Or how do the
    workstations get it otherwise?

    "All internal Machines must use INTERNAL DNS."

    And they get this through the DHCP from my server, right?

    "Machines must use a default gateway ON the same subnet (broadcast domain)
    to which they are connected."

    Sure, you just enable or install one of these services (RDP is included so
    merely enable it; VNC and PCAnywhere are add-ons), check that the firewall
    for their port(s) is open, and then just connect to the main IP or using the
    DNS or NetBIOS name.

    For RDP the port is 3389 by default. I would have to lookup the PCAnywhere
    or VNC ports but they are trivial to find.

    "Since you only have the one Public IP it needs to stay on the router
    (linksys)." - GOOD, thanks for clarifying that

    "Generally you need to do "service mapping", "port mapping", "address
    mapping", "service definition", etc on the Router. Such routers vary in
    terminology but you will map the external address AND PORT number to the
    INTERNAL ADDRESS and PORT number of your internal machine."

    I have done this before, you are talking still about the RDP above, right?

    This does mean the internal machine will need a 'fixed' address of course.

    Harder will be if you wish to reach "Multiple machines" but usually
    it is easiest to come through the router to the "server" and from there
    to all of the other machines (using a remote access client on the first
    machine to reach the others.)
    If you get in trouble you can call me -- use the 512 number on website.
    (on what web site, learnquick.com?) I will try not to call.

    Thanks again Herb
     
    Sally Mathews, Feb 10, 2007
    #15
  16. Sally Mathews

    Herb Martin Guest

    That's tough to do -- unless your entire forest is in Win2003 Forest
    Functional Level, and even then it is tedious.
    IF you change the domain name your DNS will always require adding
    the (new) zone for that new name, which should be included in the
    procedures you will find in the KB articles about renaming a domain.
    Yes. I agree if you understand this and the tediousness of changing a
    domain name.
    Sure, because you get better control there than you do with the DHCP
    on many of those hardware, purpose-built routers -- these things commonly
    don't let you make all of the settings you need to make things work
    correctly, like specifying your OWN DNS instead of the (stupid) router DNS.
    Yes -- technically the "Internal DNS Server 'set'" but you only have the
    one DNS server for now -- if this is a production domain you will eventually
    want 2 DCs, both GCs, both AD Integrated DNS, and all stations using
    BOTH of them for DNS.
    No, it is still an INTERNAL DNS client if it will ever try to reach any of
    your internal servers etc. And it won't matter since your internal DNS is
    going to forward for external names so that the Internet WILL BE resolvable
    by all machines anyway, right?
    That is ONE CORRECT choice. You could also forward to the ROUTER
    DNS Server which could EITHER forward to the ISP OR it could do the
    "actual recursion" from the root of the Internet down.
    Yes -- or because you SET IT manually on them (e.g., for servers or any
    machine where you NEED a manual address for some reason.)
    Yes, but such can be done for (most) any service that sits "behind" the
    firewall.
    Internet users come to the firewall EXTERNAL address on some service port,
    and are mapped to the service defined to go to some internal server on some
    (maybe different) port. Web, FTP, email, RDP, PCAnywhere, etc can all
    be setup this way. Commonly some network games have to do this.


    If they are going to have those "Service definitions" or "mappings" they
    need to STAY on the same address to keep these from changing on every reboot
    etc -- you can give the same addresses by MANUALLY setting them on
    the workstation, or by using RESERVATIONS on the DHCP server.

    No difference to the machines, but it is sometimes nice to be able to set
    this centrally on the DHCP server OR to have the client set as DHCP
    if they are laptops that need to travel to OTHER DHCP service nets.
    Sure.
     
    Herb Martin, Feb 10, 2007
    #16
  17. OK, so I need to leave it as it is even though it isn't preferred, because
    it is just too tedious to change it at this point.
    This is a small organization, and a simple file server. It will be a very
    long time before they do anything else.
    On my DHCP settings I just set a scope that I wanted my workstations to pick
    up IPs out of. I set my printers and server outside of the scope so their
    addresses wouldn't be handed out. Should I instead set reservations for each
    workstation or printer? I really don't want to manually set addresses on
    workstations but certainly can if needed.
    I am headed out onsite now, thanks again!
     
    Sally Mathews, Feb 10, 2007
    #17
  18. Now that I am onsite I see another problem, or maybe you can tell me if this
    is the root of the problem.

    There are 2 routers on the network. The linksys I discussed earlier and a
    wireless one. The wifi router I had thought to be just an access point but
    if I check the IP configs of my clients I can see that they have all of the
    right settings now, but have 2 gateways listed. (the 2 routers). Neither one
    is doing DHCP and the WIFI has all of the regular settings that a client
    would have (no external addressing at all).

    The original Linksys router that is attached to the DSL modem still has all
    of the ISP info on it, and the server is down to 1 nic, with all internal
    settings with the exception of forwarding to the ISPs DNSs.

    Is having 2 gateways hurting anything if the clients are pulling the right
    IP scheme otherwise?

    Example:

    Workstation

    IP 192.168.1.125
    Subnet 255.255.255.0
    DNS 192.168.1.10 (server IP)
    Gateway 192.168.1.1 (linksys)
    192.168.1.20 (wifi)

    Server
    IP 192.168.1.10
    Subnet 255.255.255.0
    DNS 192.168.1.10
    Gateway 192.168.1.1
    Forwarding to the ISP DNSs

    WIFI router
    IP 192.168.1.20
    Subnet 255.255.255.0
    DNS 192.168.1.10
    Gateway 192.168.1.1

    Linksys Router- all settings assigned by ISP, Static IP
     
    Sally Mathews, Feb 10, 2007
    #18
  19. Sally Mathews

    Herb Martin Guest

    It probably IS "preferred" but is tedious and may not be practical to do
    right now.
    Just be aware that if you lose the ONLY DC then you lose the ENTIRE
    domain. Backups of SYSTEM STATE become critical with a single DC.

    I do this for printers (since they have to be hard coded IPs to setup the
    print ports.)
    I don't do it for (most) workstations and even some servers.

    It must be done for any DHCP clients which must remain on a fixed address.

    Using DHCP reservation or manually setting it on the NIC->IP properties
    is ALMOST a matter of style, but I mentioned earlier there are still some
    advantages for setting reservations instead of manual NIC properties.
     
    Herb Martin, Feb 10, 2007
    #19
  20. Sally Mathews

    Herb Martin Guest

    The WiFi is acting as a bridge/repeater and NOT also a Router. It has
    no external settings and is using addresses that put it on the same subnet
    with the Ethernet. (I have one of these doing the same thing because I
    have a "real" router connecting to the Internet.)

    If you thought the whole switch discussion was complicated then you will
    LOVE the "wireless router" explanation. These purpose built WAN-Wireless
    Ethernet routers are actually a combination of an access point, an Ethernet
    hub (repeater), and an IP router. To make it worse, some of them have an
    OPTION to either "Bridge" the Wireless to the EtherNet (single broadcast
    domain, suitable for SMALL networks) or to ROUTE between the Ethernet
    and Wireless -- i.e., use different broadcast domains and therefore
    different IP Subnets.

    You are apparently (see number also below) using yours MERELY as a
    Wireless access point and "Bridge" to the Ethernet with the WAN capabilities
    inactive.

    Since it isn't a "router" (as I read this) you should remove it from the
    client "default gateway" settings. (It isn't helping and might just hurt
    sometime under odd conditions.)

    In this configuration:

    ISP--LinkSys--(Single net with wired, wireless bridged together by wireless
    device)

    ...there is only one "internal router", the Linksys.
    Technically the above line is incorrect IF this is a router, since ONLY
    the "outside" can be set by the ISP; the internal side of the Linksys
    router must have settings compatible with the subnet of the other
    stations on that same broadcast domain.
     
    Herb Martin, Feb 10, 2007
    #20