Re: [ActiveDir] DNS Question
On 12/06/06, Za Vue <[EMAIL PROTECTED]> wrote:

Quick DNS question for you all.
DNS server -> W2K3
Domain -> W2K3
How do you add the URL http://www.test2.math.smith.edu to the domain "Physics.Smith.edu" in DNS? Use CNAME? If the URL was www.test2.physics.smith.edu then a simple host (A) would be fine.

You could create a CNAME record to point www.test2.math.smith.edu to physics.smith.edu, but you'd need to make sure that the web server running on physics.smith.edu was prepared to take requests pointed at www.test2.

When your browser connects to a web server, it sends a host argument indicating which host it's attempting to connect to. This is done because sometimes several websites exist on one IP address. So connecting to 192.168.1.10 and asking to GET /index.html with a host argument of host:www.example.com might present the browser with a different page to connecting to the same IP with host:www.example.org.

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] DNS Question
I'd allow forwarding and DNS caching to accommodate this. Alternatively, store a secondary copy of math.smith.edu and/or test2.math.smith.edu on the DNS server in physics.smith.edu.

If you add a CNAME, what will the alias be called? Www?? You may already have a www CNAME in that zone. Maybe you should explain what you're trying to achieve :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: 12 June 2006 16:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question

Quick DNS question for you all.
DNS server -> W2K3
Domain -> W2K3
How do you add the URL http://www.test2.math.smith.edu to the domain "Physics.Smith.edu" in DNS? Use CNAME? If the URL was www.test2.physics.smith.edu then a simple host (A) would be fine.

Z.V.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.

Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
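The two points made in the replies above, that a record named www.test2.math.smith.edu can only be created in a zone that is authoritative for math.smith.edu (in the physics.smith.edu zone the same label would become www.test2.physics.smith.edu), and that the web server behind the CNAME target must recognise the alias in the HTTP Host header, as an added PowerShell example. This is not code from the thread. The DNS server name dns1.smith.edu and the function Test-HostHeader are assumptions; dnscmd and nslookup are the tools that ship with Windows Server 2003.

```powershell
# Added example, not from the thread. Names and addresses below are assumptions:
# dns1.smith.edu is the Windows Server 2003 DNS server that hosts math.smith.edu.
$DnsServer = 'dns1.smith.edu'
$AliasZone = 'math.smith.edu'        # www.test2.math.smith.edu can only live in this zone
$Alias     = 'www.test2'             # owner name relative to $AliasZone
$Target    = 'physics.smith.edu.'    # canonical name, fully qualified (trailing dot)

# 1. Create the alias in the zone that owns the name. Adding "www.test2" to the
#    physics.smith.edu zone would produce www.test2.physics.smith.edu instead.
dnscmd $DnsServer /RecordAdd $AliasZone $Alias CNAME $Target

# 2. Resolve the alias as a client would: the CNAME first, then the address it chains to.
nslookup -type=CNAME "$Alias.$AliasZone" $DnsServer
nslookup "$Alias.$AliasZone" $DnsServer

# 3. Send a minimal HTTP/1.1 request with an explicit Host header and return the status line.
#    This is the "host argument" the thread describes: the TCP connection goes to the CNAME
#    target's address, but the web server chooses the site from the Host header.
function Test-HostHeader {
    param(
        [string]$Address,      # where the connection goes (the CNAME target)
        [string]$HostHeader,   # what the browser would send for the alias
        [int]$Port = 80
    )
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        $stream = $client.GetStream()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.WriteLine("GET / HTTP/1.1")
        $writer.WriteLine("Host: $HostHeader")
        $writer.WriteLine("Connection: close")
        $writer.WriteLine()
        $writer.Flush()
        $reader = New-Object System.IO.StreamReader($stream)
        return $reader.ReadLine()   # status line, e.g. "HTTP/1.1 200 OK"
    }
    finally {
        $client.Close()
    }
}

# First call: what the canonical name gets. Second call: what the alias gets.
# A 4xx status, a redirect, or a different site's page on the second call means the web
# server on physics.smith.edu has no binding for www.test2.math.smith.edu yet.
Test-HostHeader -Address $Target.TrimEnd('.') -HostHeader $Target.TrimEnd('.')
Test-HostHeader -Address $Target.TrimEnd('.') -HostHeader "$Alias.$AliasZone"
```

The comparison at the end is the check AdamT's reply calls for: the DNS side is finished once nslookup returns the CNAME chain, but the request only succeeds once the web server has a host header binding for the alias, so both halves need to be verified before the change is reported as done.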
[ActiveDir] DNS Question
Quick DNS question for you all.
DNS server -> W2K3
Domain -> W2K3
How do you add the URL http://www.test2.math.smith.edu to the domain "Physics.Smith.edu" in DNS? Use CNAME? If the URL was www.test2.physics.smith.edu then a simple host (A) would be fine.

Z.V.
Re: [ActiveDir] DNS question
A better way to do that is to use separate domains for your external and internal domains or, more succinctly, something for your AD domain that will not be used elsewhere on other networks. I believe the comment was referring to this:
http://technet2.microsoft.com/WindowsServer/en/Library/e7d25e54-17a3-4837-b069-493c6dab3e111033.mspx

You can find Microsoft's view on this:
http://www.microsoft.com/technet/community/chats/trans/win2ksrv/w2ad16p.mspx
Search for RegisterDNSARecords in the text.

Personally? I wouldn't opt for changing that record but instead would refuse the request and suggest that they figure another way to achieve the goal. At the very least a justification and impact of making that change should be communicated back.

Al

On 3/20/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

Any other comments? I'm going to have to make a recommendation on this and am looking for as many opinions as possible. Has anyone made these changes or does anyone foresee any other issues?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
RE: [ActiveDir] DNS question
Any other comments? I'm going to have to make a recommendation on this and am looking for as many opinions as possible. Has anyone made these changes or does anyone foresee any other issues?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Saturday, March 18, 2006 1:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS question

You can remove the A records without any impact (if I remember they were for legacy LDAP clients) but this requires more work than just removing the records. You will have to change the registry entry below to "0" to disable the registration of ALL A records; this includes some important DNS entries that will need to be entered as static records (see below).

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RegisterDNSARecords
Type: RegDWord
Value: 0/1 (default=1)

You will need to enter the following records statically, especially when adding a GC...

gc._msdcs.company.com. 600 IN A 192.168.0.1
ForestDnsZones.company.com. 600 IN A 192.168.0.1
DomainDnsZones.company.com. 600 IN A 192.168.0.1

Hope this helps.
-Alex
RE: [ActiveDir] DNS question
Stupid outlook... (yes, I'm blaming the program for my mistake; it's St. Patrick's day so I think I can get away with it... ;-))

gc._msdcs.company.com. 600 IN A 192.168.0.1
ForestDnsZones.company.com. 600 IN A 192.168.0.1
DomainDnsZones.company.com. 600 IN A 192.168.0.1

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Friday, March 17, 2006 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS question

You can remove the A records without any impact (if I remember they were for legacy LDAP clients) but this requires more work than just removing the records. You will have to change the registry entry below to "0" to disable the registration of ALL A records; this includes some important DNS entries that will need to be entered as static records (see below).

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RegisterDNSARecords
Type: RegDWord
Value: 0/1 (default=1)

You will need to enter the following records statically, especially when adding a GC...

gc._msdcs.company.com. 600 IN A 192.168.0.1
ForestDnsZones.company.com. 600 IN A 192.168.0.1
DomainDnsZones.company.com. 600 IN A 192.168.0.1

Hope this helps.
-Alex
RE: [ActiveDir] DNS question
You can remove the A records without any impact (if I remember they were for legacy LDAP clients) but this requires more work than just removing the records. You will have to change the registry entry below to "0" to disable the registration of ALL A records; this includes some important DNS entries that will need to be entered as static records (see below).

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RegisterDNSARecords
Type: RegDWord
Value: 0/1 (default=1)

You will need to enter the following records statically, especially when adding a GC...

gc._msdcs.company.com. 600 IN A 192.168.0.1
ForestDnsZones.company.com. 600 IN A 192.168.0.1
DomainDnsZones.company.com. 600 IN A 192.168.0.1

Hope this helps.
-Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lucas, Bryan
Sent: Friday, March 17, 2006 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS question

Primary DNS server = 192.168.0.1 serves AD zone company.com
Web server for www.company.com = 192.168.50.50

A request is being made to have http://company.com resolve to 192.168.50.50.

My AD zone, company.com, already has an "A" record with no host value pointing to 192.168.0.1. Specifically, it looks like this:
(same as parent folder) Host (A) 192.168.0.1

It seems to me it would be very bad to change this, right? That would mean that any DNS request for "company.com" would resolve to my webserver. That would be good for the http requests, but horrible for everything else, like the clients and servers.

Is there any way to honor that request?

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
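The procedure Alex describes in the message above (registry value, static records), as an added PowerShell script rather than code from the thread. It first captures the current zone-root A records, which is the impact statement Al asks to have communicated back, and it leaves the existing zone-root record untouched, since whether to change that record is the open question in the thread. The DC name dc1 is an assumption; the zone, address, TTL and record names are the ones the thread uses, and dnscmd is the Windows Server 2003 tool. The Netlogon setting is per server, so this is run on each domain controller.

```powershell
# Added example, not from the thread. 'dc1' is an assumed DC name; company.com and
# 192.168.0.1 are the placeholders used in the thread.
$DnsServer = 'dc1'
$Zone      = 'company.com'
$DcAddress = '192.168.0.1'
$Ttl       = 600

# 0. Capture what is registered at the zone root today (the "(same as parent folder)"
#    record) before changing anything, so the change can be explained and undone.
dnscmd $DnsServer /EnumRecords $Zone '@' /Type A

# 1. RegisterDnsARecords = 0 stops Netlogon registering any of its A records on this DC
#    (default 1 = register). The zone-root A record for company.com is one of them.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogon -Name RegisterDnsARecords -Value 0 -Type DWord

# 2. The other A records Netlogon used to maintain must now exist as static entries.
#    These are the three the thread lists; gc._msdcs is the one that matters when the
#    DC is also a global catalog.
$static = @(
    @{ Node = 'gc._msdcs';      Data = $DcAddress },
    @{ Node = 'ForestDnsZones'; Data = $DcAddress },
    @{ Node = 'DomainDnsZones'; Data = $DcAddress }
)
foreach ($r in $static) {
    dnscmd $DnsServer /RecordAdd $Zone $r.Node $Ttl A $r.Data
}

# 3. Restart Netlogon so the setting takes effect, then confirm the static records answer.
Restart-Service Netlogon
foreach ($r in $static) {
    nslookup "$($r.Node).$Zone" $DnsServer
}

# The existing zone-root record is deliberately left alone here: deleting it, or replacing
# it with the web server's address, is a separate decision, not a side effect of the above.
```

With more than one DC, run step 0 once per DC as well: each DC registers its own address at the zone root, so the record set that disappears when Netlogon stops registering is the full list of DC addresses, not just 192.168.0.1.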
[ActiveDir] DNS question
Primary DNS server = 192.168.0.1 serves AD zone company.com
Web server for www.company.com = 192.168.50.50

A request is being made to have http://company.com resolve to 192.168.50.50.

My AD zone, company.com, already has an "A" record with no host value pointing to 192.168.0.1. Specifically, it looks like this:
(same as parent folder) Host (A) 192.168.0.1

It seems to me it would be very bad to change this, right? That would mean that any DNS request for "company.com" would resolve to my webserver. That would be good for the http requests, but horrible for everything else, like the clients and servers.

Is there any way to honor that request?

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
RE: [ActiveDir] DNS Question
I did some testing and here is what I found.

1) If you actually give the user or group READ access in ADUC (Users and Computers, not DNS) under domainname/System/MicrosoftDNS, this gives you access to the DNS MMC on the server.

2) Then at the ZONE(s) level, you have to give the user or group READ access and DENY = (WRITE, Create All Child Objects and Delete All Child Objects). It gets some rights from Authenticated Users as William mentioned. I did not want these folks to be able to create 10,000 records on our DNS servers.

Any other way, the user or group ends up having the ability to create DNS resource records and delete them. This way, I can truly give some folks READ access to the DNS zones and it does not interfere with dynamic updates, which work under SYSTEM.

We are 2003 DCs (two 2000 DCs left) in native mode. We do not have SP1 on the DCs just yet. Your mileage may vary!

Thank you everyone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, William
Sent: Friday, December 09, 2005 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

On the 2003 DC, you could use the Effective Permissions tab (Security -> Advanced -> Effective Permissions) to verify the permissions assigned to the test user. I was able to get read-only for the user by setting Read at the server level and again at the zone level. I had to remove 'Everyone' and 'Authenticated Users' where applicable. It sounds as if the user may have more rights than expected.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 08 December 2005 16:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

2K in native mode, all but two of the DCs are running 2003 (NOT SP1 yet)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, William
Sent: Thursday, December 08, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

I think there are differences between functional levels. What OS / mode are you running at? I can say for certain, on my test rig (2k in Native mode) I have set read-only access to specific zones. I have not had much luck yet in assigning further permissions such as adding records.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 08 December 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

This is a tough one. I followed your link William,
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

Gave a test user Read access to a specific AD integrated zone. To be able to connect the DNS MMC, I still had to give the user Read access to the server object or the UI would get access denied. So, if you give the user read access to the server object, even if you specify "this object only", they can create and delete records with the DNS MMC even if you specified read only to the AD integrated zone.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

Hi Johnny,

You can delegate security of the DNS Zone to allow read-only access. See
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

The user can run the DNS management snap-in on their local system and connect to the remote DNS server.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question

As I am getting ready to migrate a number of zones from a QIP DNS server to a Microsoft DNS server, I have a concern about giving support folks access to the DNS MMC. Some folks just need to be able to use the MMC to troubleshoot, so I thought I would give them "Read Only" access to DNS. I see DHCP and WINS users (view only) but I do not see the same thing for DNS.

I created a test user in the domain and tried to start the DNS MMC, and it told me that access was denied. I then went to the DNS server object and gave the user list and read access to the objects. To my surprise the test userid was able to add or delete DNS records in the AD DNS zone. It probably should not be a surprise since the zone is AD integrated and set to secure updates. I take it this means that as long as a user is a member of the domain, they CAN create and delete resource records in DNS. I take it all I did was expose the UI by giving the user read access to the objects.

How do you mitigate this?

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately
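The two-step delegation Johnny settled on, as an added PowerShell example that applies it with dsacls so the permissions are set from the command line and can be listed afterwards; this is not code from the thread. The domain, the group DNS-ReadOnly and the zone are assumptions, and so is the zone's location: the DN below is for a zone replicated to all DCs in the domain, which is stored under CN=System (the same MicrosoftDNS container step 1 refers to); a zone stored in the DomainDnsZones or ForestDnsZones application partition has a different DN. dsacls is the Windows Server 2003 support tool for AD object ACLs.

```powershell
# Added example, not from the thread. COMPANY\DNS-ReadOnly, company.com and the zone DN
# are assumptions; dsacls is the Windows Server 2003 support tool for AD object ACLs.
$DomainDN   = 'DC=company,DC=com'
$Zone       = 'company.com'
$ReadersGrp = 'COMPANY\DNS-ReadOnly'   # troubleshooters who may look but never change records

# Step 1: READ on the MicrosoftDNS container (ADUC: domain / System / MicrosoftDNS) is what
# lets the DNS MMC connect to the server at all instead of failing with "access denied".
$dnsContainer = "CN=MicrosoftDNS,CN=System,$DomainDN"
dsacls $dnsContainer /G "${ReadersGrp}:GR"

# Step 2: at the zone, READ plus an explicit DENY of Write (GW), Create All Child Objects (CC)
# and Delete All Child Objects (DC). The deny is needed because Authenticated Users already
# hold create-child on the zone (secure dynamic update depends on that) and a read-only ACE
# alone does not take it away; an explicit deny is evaluated before those allows.
# /I:T applies the ACEs to the zone and to the record (dnsNode) objects beneath it.
$zoneDN = "DC=$Zone,CN=MicrosoftDNS,CN=System,$DomainDN"
dsacls $zoneDN /G "${ReadersGrp}:GR" /I:T
dsacls $zoneDN /D "${ReadersGrp}:GWCCDC" /I:T

# Verify: list the ACEs on an object that name the group. On the zone, expect one Allow
# (read) and one Deny entry for DNS-ReadOnly and nothing else.
function Get-AcesFor {
    param([string]$ObjectDN, [string]$Principal)
    dsacls $ObjectDN | Where-Object { $_ -match [regex]::Escape($Principal) }
}
Get-AcesFor -ObjectDN $dnsContainer -Principal $ReadersGrp
Get-AcesFor -ObjectDN $zoneDN -Principal $ReadersGrp
```

Keep the group limited to the people who troubleshoot interactively: a computer account or service account that performs secure dynamic updates must not be a member, because the deny would block its updates. Dynamic updates from the DCs themselves are unaffected, since they run as SYSTEM rather than as a member of this group. The Effective Permissions tab William mentions is the quickest way to confirm the result for one test user on a 2003 DC.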
RE: [ActiveDir] DNS Question
On the 2003 DC, you could use the Effective Permissions tab (Security -> Advanced -> Effective Permissions) to verify the permissions assigned to the test user. I was able to get read-only for the user by setting Read at the server level and again at the zone level. I had to remove 'Everyone' and 'Authenticated Users' where applicable. It sounds as if the user may have more rights than expected.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 08 December 2005 16:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

2K in native mode, all but two of the DCs are running 2003 (NOT SP1 yet)

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information. Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it. Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.
RE: [ActiveDir] DNS Question
2K in native mode, all but two of the DCs are running 2003 (NOT SP1 yet)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, William
Sent: Thursday, December 08, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

I think there are differences between functional levels. What OS / mode are you running at? I can say for certain, on my test rig (2k in Native mode) I have set read-only access to specific zones. I have not had much luck yet in assigning further permissions such as adding records.

William
RE: [ActiveDir] DNS Question
I think there are differences between functional levels. What OS / mode are you running at? I can say for certain, on my test rig (2k in Native mode) I have set read-only access to specific zones. I have not had much luck yet in assigning further permissions such as adding records.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 08 December 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information. Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it. Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Question
This is a tough one. I followed your link William, http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

Gave a test user Read access to a specific AD integrated zone. To be able to connect the DNS MMC, I still had to give the user Read access to the server object or the UI would get access denied. So, if you give the user read access to the server object, even if you specify "this object only" they can create and delete records with the DNS MMC even if you specified read only to the AD integrated zone.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question
RE: [ActiveDir] DNS Question
Hi Johnny,

You can delegate security of the DNS Zone to allow read-only access. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

The user can run the DNS management snap-in on their local system and connect to the remote DNS server.

William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question
[ActiveDir] DNS Question
As I am getting ready to migrate a number of zones from a QIP DNS server to a Microsoft DNS server, I have a concern about giving support folks access to the DNS MMC. Some folks just need to be able to use the MMC to troubleshoot, so I thought I would give them "Read Only" access to DNS. I see dhcp and wins users (view only) but I do not see the same thing for DNS.

I created a test user in the domain and tried to start the DNS mmc, and it told me that access was denied. I then went to the DNS server object and gave the user list and read access to the objects. To my surprise the test userid was able to add or delete DNS records in the AD DNS zone. It probably should not be a surprise since the zone is AD integrated and set to secure updates. I take it this means that as long as a user is a member of the domain, they CAN create and delete resource records in DNS. I take it all I did was expose the UI by giving the user read access to the objects.

How do you mitigate this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately
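Johnny's observation (any domain member can create, and then delete, records in an AD-integrated zone that accepts secure dynamic updates) is a consequence of the zone's default ACL: the dnsZone object grants Authenticated Users "Create all child objects", and the account that creates a dnsNode object becomes its owner. Giving a user Read on the server only exposes the console; the write path was already there. The script below is an added example, not code from the thread or from Microsoft: it finds the entries on a zone's ACL that grant write-type rights to broad principals and, with -Remediate, removes the non-inherited ones. The zone name corp.example, the domain DN DC=corp,DC=example and the use of the RSAT ActiveDirectory module (which post-dates this 2005 discussion) are assumptions.

```powershell
#Requires -Modules ActiveDirectory
<#
Added example (not from the thread): list, and optionally remove, the ACEs on an
AD-integrated DNS zone that let ordinary domain members create or delete records.
Assumptions (hypothetical): zone corp.example in domain DC=corp,DC=example; run with
domain admin rights on a host that has the RSAT ActiveDirectory module.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZoneName = 'corp.example',
    [string]$DomainDN = 'DC=corp,DC=example',
    [switch]$Remediate
)
Import-Module ActiveDirectory

# An AD-integrated zone is a dnsZone object in one of three places, depending on the
# replication scope chosen when it was created.
$zoneDN = @(
    "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN",   # all DNS servers in the domain
    "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDN",   # all DNS servers in the forest
    "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$DomainDN"             # Windows 2000 style (all DCs in the domain)
) | Where-Object { Test-Path -Path "AD:\$_" } | Select-Object -First 1
if (-not $zoneDN) { throw "zone '$ZoneName' not found under CN=MicrosoftDNS in any partition" }

$acl = Get-Acl -Path "AD:\$zoneDN"

# Principals every domain account belongs to. With secure dynamic update enabled the
# default zone ACL grants Authenticated Users CreateChild, which is what lets any
# domain user add a record (and, as the new object's owner, delete it again).
$broadPrincipals = 'NT AUTHORITY\Authenticated Users', 'Everyone', '*\Domain Users', '*\Domain Computers'
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, GenericWrite, GenericAll, Delete, DeleteTree, WriteDacl, WriteOwner'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $isBroad = [bool]($broadPrincipals | Where-Object { $id -like $_ })
    if ($isBroad -and ([int]($ace.ActiveDirectoryRights -band $writeRights)) -ne 0) { $ace }
}

if (-not $findings) {
    Write-Host "No broad write access found on $zoneDN"
    return
}

# This table is the answer to "why can a plain domain user add records?"
$findings | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

if ($Remediate) {
    foreach ($ace in $findings) {
        if ($ace.IsInherited) {
            # Inherited ACEs can only be removed on the object they come from (the MicrosoftDNS container).
            Write-Warning "$($ace.IdentityReference) is inherited; remove it on the parent container instead"
            continue
        }
        if ($PSCmdlet.ShouldProcess($zoneDN, "remove '$($ace.ActiveDirectoryRights)' for $($ace.IdentityReference)")) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path "AD:\$zoneDN" -AclObject $acl
}
```

Run it without -Remediate first and read the table. Removing the Authenticated Users entry is the mitigation for hand-edited records, but it also stops domain computers from registering their own A and PTR records through secure dynamic update, so decide on DHCP-driven registration or static records before doing it in production. It does not, on its own, produce the read-only console Johnny was after: connecting the DNS snap-in still needs read access on the server object, and that is what exposes the UI.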
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
>>Use a TLD of .AD or .LAN. Especially in large environments.

Don't use .AD, or you will have thousands of your users yelling and screaming about not being able to get to Andorra websites. Okay, maybe not thousands... :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 12, 2005 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Yeah, I know I have been remiss these last couple months. With work, home improvements, Tivo, and my new addiction to World of Warcraft... haven't had much time to post. I am planning to go full tilt on reviewing Longhorn & W2k3 R2 and hope to push an AD podcast by June on. Recently I've been doing work on ESX server, clustering, SQL server, Citrix and SAN stuff. To me the AD stuff is getting to the point that there are enough people versed in it at many levels that my contributions are getting less needed. Especially with Joe and Dean around ;)

On the topic of DNS and Split-Brain DNS support. My past experiences have taught me to avoid Split-Brain DNS unless you like daily pain and the politics are too strong that you are forced to use it. Here are some of the things you run into with Split-Brain designs.

- Laptops that register A and PTR records multiple times with different IP. Our KCC script picks these up each night.
- VPN users who register names at home and at work.

Now keep in mind, the politics of my organization allow secure and non-secure updates to our DDNS, and the DHCP service sometimes proxies registrations of down-level clients in some organizations. In addition, if you use split brain DNS and have multiple domain trees, delegated DNS, and firewalls, you will find yourself having secondary or stubs hosted on your DDNS servers. Also if your webmasters happen to use a URL of . to resolve web addresses and your AD is named the same as the URL, you will find that the URL doesn't work 'cause the DCs are intercepting the request. So internally you will have to train people to use www..

My recommendation going forward is to never do Split-DNS again. Use a TLD of .AD or .LAN. Especially in large environments. We did a lot of work to get this to work, and while it does work pretty well, it is an unnecessary operation IMHO. A lot of my early influence to use split DNS was from experts like Mark Minasi, and MCS when they insisted that you register your domain just in case you plan to use it later. I refer to this as when I was young and drinking the 1.0 AD Kool-Aid. I bought into using DNS and mirroring and one day replacing the UNIX DNS.

My attitude now is let a third party or edge device host the forward facing DNS. Let DCs host the internal DDNS namespace as integrated zones and allow only secure updates, and don't allow DHCP to proxy down-level client registrations. What is the point of letting third-party devices register dynamically is my opinion. My opinion has changed on other AD design ideas as well since the release of ADAM and MIIS.

So in summary just say no to split-brain.

Toddler

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
>>> one thing I would like to try is to see if it would make hosting split brain DNS zones with out the need to sync them manually.

No. Conditional Forwarding is not the answer to split-brain limitations. Until MS comes up with something specifically designed for this, you are still left with your manual/scripted procedure.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
It doesn't since conditional forwarders are maintained internally as a zone type :(

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, May 11, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 10:35 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Regarding scenarios my preference is to use Stub Zones for Internal AD DDNS environments (Like Tree to Tree (Within a forest) or Forest to Forest DNS resolution). I haven't had much experience with Conditional Forwarding; one thing I would like to try is to see if it would make hosting split brain DNS zones without the need to sync them manually or through scripting.

Thanks,
Todd Myrick

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 10:35 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Having reviewed this thread, I'd like to note that the use of conditional forwarding for a particular namespace is not, relatively speaking, computationally expensive. Mere string comparisons do not require significantly more effort than that of locating a record within the local cache or a local zone (though I've not personally tested it to that degree, I'd hazard a guess that it's quite the reverse). I'll admit to having not read the aforementioned links so if I'm dup'ing anything, my apologies.

Re: stub zones or cond. forwarding, I generally apply the following rationale when trying to explain an architectural design decision or teaching a class ... consider the following -

* stub zones
  - fault tolerant
  - automated load balancing
  - intelligent distributed configuration (AD integration)
  - self updating (limited)
  - may expire
  - no re-configuration required for target namespace

* conditional forwarders exhibit
  - fault tolerant
  - no automated load-balancing
  - unintelligent distributed configuration (AD integration)
  - not self updating (static knowledge)
  - never expires
  - no re-configuration required for target namespace

I'd certainly agree with Al's comment that conditional forwarders have their place when a predictable path of resolution is required since stub zones round-robin resolution attempts, other than that I personally consider conditional forwarding a quick and dirty mechanism offering little advantages.

Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Re: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Hi Marcus

Stub zones list all name servers for the zone equally - if you have 10 name servers for the zone, and 3 of those are on T1s while the other 7 are on 28.8 modems, then 70% of your lookups are going to be slow. On the other hand, if you change the ip address of a name server, your stub zone will pick it up.

Conditional forwarding lets you specify the 3 fast linked name servers and all client requests will go to those three. If you change one however, you have to change the conditional forwarding record on every DNS server that has it.

We have a number of sub zones, the top level zone is an AD integrated Forest Wide zone and contains delegation records for all of our sub zones - so we only have to change the delegation record in one place for it to change on every DNS server. That is only an option if the top zone is in AD and the other zones you want to hit are sub zones of it.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 05/10/2005 06:12 PM AST
Please respond to ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

I've done some reading but can't seem to surmise the best practice when trying to decide between using a secondary stub or conditional forwarding when both technologies could address a requirement. I've a situation for a disjointed namespace where the root servers would hold the zone. Since either secondary stub or conditional forwarding would solve it, what's the best approach for this?

TIA
-m
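Dean's comparison list and James's fast-versus-slow name server point, as an added example that is not code from the thread (the cmdlets are from the DnsServer PowerShell module, which shipped with Windows Server 2012 and so is not what the posters were using in 2005): it creates one mechanism of each kind and then reports, per zone, which servers queries will go to and how that list is maintained. The zone names physics.example.edu and math.example.edu, the addresses, and the choice of which namespace gets which mechanism are assumptions.

```powershell
#Requires -Modules DnsServer
<#
Added example (not from the thread): set up a stub zone and a conditional forwarder
side by side, then show what each one actually knows about its target namespace.
Assumptions (hypothetical): physics.example.edu reached through a stub zone whose
masters are 10.10.0.5/10.10.0.6; math.example.edu reached through a conditional
forwarder pointing at 10.20.0.5/10.20.0.6. Run on a Windows Server DNS server
(2012 or later) as a DNS admin.
#>
Import-Module DnsServer

# Stub zone: the server copies the SOA, NS and glue records from the masters and keeps
# them refreshed on the SOA refresh interval. Every NS it learns becomes a candidate
# for queries (round-robin: Dean's "automated load balancing", James's "7 on modems"),
# and the copy expires if the masters stay unreachable past the SOA expire value.
Add-DnsServerStubZone -Name 'physics.example.edu' `
    -MasterServers 10.10.0.5, 10.10.0.6 `
    -ReplicationScope Forest     # stored in ForestDnsZones, so every DNS server in the forest gets it

# Conditional forwarder: a fixed list of servers to send queries for this name to,
# tried in the order given. Nothing is learned, refreshed or expired.
Add-DnsServerConditionalForwarderZone -Name 'math.example.edu' `
    -MasterServers 10.20.0.5, 10.20.0.6 `
    -ReplicationScope Forest `
    -ForwarderTimeout 3

function Get-NamespacePath {
    # Report where queries for a stub or forwarder zone are sent and how that knowledge is kept current.
    param([Parameter(Mandatory)][string]$ZoneName)

    $zone = Get-DnsServerZone -Name $ZoneName
    switch ($zone.ZoneType) {
        'Stub' {
            $ns  = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS
            $soa = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType SOA
            [pscustomobject]@{
                Zone       = $ZoneName
                Mechanism  = 'stub zone'
                Servers    = @($ns.RecordData.NameServer)        # learned from the target zone itself, all used equally
                LearnedVia = ($zone.MasterServers -join ', ')
                Refresh    = $soa.RecordData.RefreshInterval
                Expire     = $soa.RecordData.ExpireLimit         # stub data is discarded after this if masters are down
            }
        }
        'Forwarder' {
            [pscustomobject]@{
                Zone       = $ZoneName
                Mechanism  = 'conditional forwarder'
                Servers    = @($zone.MasterServers)              # exactly what was typed in, in that order
                LearnedVia = 'configured by hand'
                Refresh    = 'never'
                Expire     = 'never'
            }
        }
        default { throw "'$ZoneName' is a $($zone.ZoneType) zone, not a stub zone or conditional forwarder" }
    }
}

'physics.example.edu', 'math.example.edu' | ForEach-Object { Get-NamespacePath -ZoneName $_ } | Format-List
```

Run it on a test server. The stub zone's Servers list contains every NS the target zone publishes, which is what gives James's 70% slow lookups when most of those servers sit behind slow links, but it is also why a renumbered name server shows up on its own at the next refresh. The forwarder's list is exactly the addresses entered, so the path is predictable (Dean's one conceded advantage), and a change means editing the definition; with -ReplicationScope Forest on Windows Server 2008 and later the definition is stored in AD and reaches every DNS server in the forest, which takes away the per-server edits James describes but not the staleness.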
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
Funny stuff. I read this yesterday but missed this part of the FAQ, in case anyone is interested. Thanks for the help guys...

Otto: Overall, it sounds like conditional forwarding in stub zones might provide the same features, but the conditional forwarding is easier to configure. Why would I use stub zones instead of conditional forwarding?

Tim: That's a really good question, and I think that question will be asked a lot. One of the big differences there is that conditional forwarding obviously is going to be processor intensive. Every time a query comes in, it's compared to the conditions in that list. If you really load up that list, if you create lots of conditions, you're going to start running up the processor utilization on your DNS server. Typically, you don't want to do that, you want to avoid that. In cases where you're asking, "Should I use stub zones or should I use conditional forwarding," stub zones are probably going to be a little bit easier on the DNS server, and your DNS server is going to be a lot easier for it to process, using stub zones rather than conditional forwarding. Really, it comes down to if you have a need to use these features, as I mentioned, we sort of recommend that in disjointed namespace situation, in DMZs, in situations where conditional forwarding doesn't work effectively, or where stub zones can provide optimization, that's when you should use them. But just because they're in the product doesn't mean you should run out and just start using them without a specific problem to address.

-m\dsm\cci

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
The usual deciding factor on this is whether or not you want to control the network traffic created. Stub zones by default are going to pull in the records of all the name servers for that zone based on manual refresh or refresh interval. For conditional forwarders you will designate the name server manually every time. It would seem that if you have multiple sites (WAN) you may want to control the name resolution path on the wire. Depends on the needs.

Read Deji's doc if he posts it. He's got a lot to say about names last I checked. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
http://www.readymaids.com/Portals/1/Docs/W2K3/DNS/Stub%20Zones%20and%20Conditional%20Forwarding.htm

That should give you all you need.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 5/10/2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
[ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub
I’ve done some reading but can’t seem to surmise the best practice when trying to decide between using a secondary stub or conditional forwarding when both technologies could address a requirement. I’ve a situation for a disjointed namespace where the root servers would hold the zone. Since either secondary stub or conditional forwarding would solve it, what’s the best approach for this?

TIA
-m
RE: [ActiveDir] DNS question
Not to crash the party or anything like that. Here's a rule I use for figuring out my 2K3 DNS configuration.

In an Intra-Forest Parent-Child relationship:
- Create parent.whatever zone on Parent DNS server
- Create child.parent.whatever on Child DNS Server
- Delegate child.parent.whatever to Child DNS Server from parent.whatever zone
- Add Parent DNS server to the Forwarders list on Child DNS Server.

In an Inter-Forest relationship:
- On ForestA DNS Server, create a Stub zone for the Root Domain of ForestB and list ForestB's root DNS Servers as the "master DNS Servers"
- On ForestB DNS Server, create a Stub zone for the Root Domain of ForestA and list ForestA's root DNS Servers as the "master DNS Servers"

The above has, so far, served me well.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Hunter, Laura E.
Sent: Fri 1/14/2005 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS question
RE: [ActiveDir] DNS question
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

1. If I configure the baz.foo.com child domain, but make no changes to my DNS structure, then clients in the baz.foo.com domain will still point to the nameserver in foo.com. (Assuming that we're not all pointing out to an ISP DNS or something silly, obviously.)

[DEAN] - I'm guessing you well know this but your wording confused me a little so ... a client's DNS will point to where _you_ point it to according to whether it leases a name server address or you statically assign one (or more). Pointing to an ISP's name server will cause your clients to fail in many aspects of their domain memberships but I'm guessing you knew that too (even if the ISP name server is listed as the Alternate Resolver).

2. If I want baz.foo.com to be responsible for its own DNS, I'll install a DNS server somewhere in the baz.foo.com domain, create a zone for baz.foo.com on the baz.foo.com NS, and create a delegation on the foo.com NS. At which point I can direct the baz.foo.com clients to the local NS for name resolution.

[DEAN] - Yes ... also note that the name server doesn't _have_ to run on a machine in that domain though there are good reasons for it to do so. In addition, don't forget that the child name servers must be able to resolve their parent namespace.

3. I need to configure some way for baz.foo.com to resolve queries for the rest of the world, either using a stub zone or some type of forwarding.

[DEAN] - Not just the rest of the world, as I mentioned above ... it must also be able to resolve its parent domain. Using a stub zone (or a conditional forwarder or a secondary zone [hmmm]) that provides resolution of the parent would suffice since the default root hints provided in the cache.dns will allow the name server to service all public resolution requests assuming the path to the Internet is not obstructed in any way.

4. Stub zones/conditional forwarding will prevent the name resolution stupidity of a baz.foo.com client needing to go all the way out to the Internet and back just to locate a resource in foo.com.

[DEAN] - Unlikely it would ever find it since you really, really shouldn't register or provide public access to your AD's name servers/zones.

Hmmm, now try this one on for size: If I install DNS on the first DC for baz.foo.com, does the baz.foo.com zone get created locally automagically? Or do I still need to manually do the stuff in item 2 above?

[DEAN] - Still need to do it manually; the only automagic stuff that occurs is zone population through dynamic update, zone replication when AD integrated, or the zone creation during the initial forest install on the first DC.
RE: [ActiveDir] DNS question
Thanks a lot Dean. So tell me if I've got this right, so I'll know that I've finally wrapped my brain around it:

1. If I configure the baz.foo.com child domain, but make no changes to my DNS structure, then clients in the baz.foo.com domain will still point to the nameserver in foo.com. (Assuming that we're not all pointing out to an ISP DNS or something silly, obviously.)

2. If I want baz.foo.com to be responsible for its own DNS, I'll install a DNS server somewhere in the baz.foo.com domain, create a zone for baz.foo.com on the baz.foo.com NS, and create a delegation on the foo.com NS. At which point I can direct the baz.foo.com clients to the local NS for name resolution.

3. I need to configure some way for baz.foo.com to resolve queries for the rest of the world, either using a stub zone or some type of forwarding.

4. Stub zones/conditional forwarding will prevent the name resolution stupidity of a baz.foo.com client needing to go all the way out to the Internet and back just to locate a resource in foo.com.

Hmmm, now try this one on for size: If I install DNS on the first DC for baz.foo.com, does the baz.foo.com zone get created locally automagically? Or do I still need to manually do the stuff in item 2 above?

Thanks so much!

Laura
RE: [ActiveDir] DNS question
First and foremost, Windows dynamic update doesn't create zones or the necessary records to provide for delegation. It does create A records, SRV records, CNAME records, subdomains and could create many other record types if you were to code it yourself. In your scenario, a subdomain named baz.foo.com will be created that somewhat mimics the zone content and hierarchy of its parent foo.com.

If you wish to delegate authority over baz.foo.com to a.n.other name server, you should create the zone on the 2nd name server (baz.foo.com) and place a delegation to the 2nd name server on the first (assumes dyn. update is configured etc.). The resolver of the new DC creating the child can point to either of the two name servers. If you decide to use the 2nd name server, this assumes that resolution back up the namespace has been configured via -

1. stub zones (good idea)
2. conditional forwarding (not horrific by any means, I just prefer stub zones)
3. general forwarding (depends on the scenario)

... but not root hints (this won't work and shouldn't be used unless you have no desire to provide public name resolution for the Internet. If that is the case further configuration requirements exist in order to fully support it).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, January 14, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS question
[ActiveDir] DNS question
Morning all,

So I've been reading through the Deployment Kit and the product docs for 2003, and I think I'm not grasping a small-but-fundamental point about how DNS zones relate to AD domains.

Let's say I create a new child domain within AD. I've already got foo.com configured, and now I want to create baz.foo.com. So I run dcpromo to set up the first DC for baz.foo.com. What happens to the foo.com DNS zone file at this point? Is baz.foo.com automatically delegated to a new zone file through dcpromo? Or does it remain a part of the foo.com zone until I manually delegate it out? Does the answer to this change based on whether I'm using AD-integrated DNS or not?

Thanks in advance for any insight!

Laura
RE: [ActiveDir] DNS Question
Looks like the article defines several other syntax types (8-21, 8.21, etc.). Maybe trying one of the other syntaxes will help. Have you analyzed the traffic between client and DNS Server to see what information the client is providing?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 09, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Question
RE: [ActiveDir] DNS Question
But I can’t get it to work. If I set up 8/21.203.10.in-addr.arpa and register a PTR record for 10.203.11.3 it creates a folder called 11 and places the PTR record of 3 in the 11 folder under the 8/21.203.10.in-addr.arpa folder, but if you do an nslookup with the option setquery=ptr then you get a non-existent domain issue, even if you are doing an nslookup against the machine that holds the zone.

How does everyone else set up their reverse lookup zones when they use a subnetted IP schema? Something other than 255.0.0.0, 255.255.0.0 and 255.255.255.0

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, December 09, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Question
RE: [ActiveDir] DNS Question
Well there you go – learned something today :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 09, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Question
RE: [ActiveDir] DNS Question
I was required to set this up on my external reverse lookup zone since I was using a /26 subnet. Of course these were not dynamic updates, they were static. I found this article from Microsoft http://support.microsoft.com/kb/q174419/ and it talks about how to create the zones.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, December 09, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Question
RE: [ActiveDir] DNS Question
Unfortunately, and to the best of my knowledge, reverse lookup zones have no affinity to a given subnet mask. The zone name that you created will never be used by any client to register its IP address/name because, as far as a reverse lookup zone name goes, it is malformed: the subnet mask in any form should not appear in the name. To test this statement, manually create a PTR record in the zone and try to query for it by using a "ping -a" command.

Regards,
Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 09, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Question

I am trying to create a DNS reverse lookup zone for a subnet that has a /21 subnet mask. Now how do I create just one zone? I created the zone 8/21.203.10.in-addr.arpa on the Windows 2003 DNS server, but my servers are getting an error when trying to register DNS PTR records.

Event ID 11160
Event Type: Information
Event Source: DnsApi
Event Category: None
Event ID: 11160
Date: 12/9/2004
Time: 11:03:25 AM
User: N/A
Computer: TCCHCCFP01
Description:
The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings:
Adapter Name : {2107EBC8-41E4-4FD0-B090-7AA39B224864}
Host Name : tcchccfp01
Adapter-specific Domain Suffix : tcchcc.chcsnet.org
DNS server list : 10.203.11.1, 10.203.11.2
Sent update to server : 192.175.48.1
IP Address : 10.203.11.3
The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: : 39 23 00 00 9#..

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
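The point Aric makes, worked through as an added example that is not part of the thread: a reverse zone name can only sit on an octet boundary, so a /21 is served by eight /24 zones (or one /16 zone), never by a zone called "8/21". The second half of the example checks which configured zone, if any, would accept a given host's PTR update. With only the "8/21" zone present nothing matches 3.11.203.10.in-addr.arpa, which is why the client in the event log, after asking its two internal servers, ended up sending its update to 192.175.48.1 (the AS112 sink that answers for the RFC 1918 reverse space on the public Internet) and got refused. The addresses and zone names below are taken from the event in the thread; the functions and their behaviour are my own illustration, using only the Python standard library.

```python
import ipaddress

IN_ADDR = "in-addr.arpa"


def reverse_zones_for(cidr):
    """Classful reverse zone names that cover an IPv4 block.

    Reverse zone names can only sit on an octet boundary (/8, /16, /24), so a
    /21 is covered by eight /24 zones, never by a single "8/21" zone.  A
    prefix longer than /24 is reported as its enclosing /24 zone, because that
    is the zone a dynamic-update client will try to put its PTR record into
    (RFC 2317 classless delegation is not modelled here).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 16:
        boundary = 24
    elif net.prefixlen > 8:
        boundary = 16
    else:
        boundary = 8
    if net.prefixlen > boundary:
        blocks = [net.supernet(new_prefix=boundary)]
    else:
        blocks = net.subnets(new_prefix=boundary)
    zones = []
    for block in blocks:
        octets = str(block.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + "." + IN_ADDR)
    return zones


def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 3.11.203.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def zone_for_ptr(ip, configured_zones):
    """The longest configured zone that contains the PTR name, or None.

    None is the situation in the event log: no local zone contained
    3.11.203.10.in-addr.arpa, so the client followed the public delegation
    for in-addr.arpa and sent its update to 192.175.48.1 instead of to one
    of the two internal servers in its list.
    """
    name = ptr_name(ip)
    best = None
    for zone in configured_zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def registration_report(hosts, configured_zones):
    """Map each host address to the configured zone that will accept its PTR update."""
    return {ip: zone_for_ptr(ip, configured_zones) for ip in hosts}


if __name__ == "__main__":
    # Constructed input: the /21 and the host from the event in the thread.
    needed = reverse_zones_for("10.203.8.0/21")
    print("zones to create:", needed)
    print("with 8/21 zone :", registration_report(["10.203.11.3"], ["8/21.203.10.in-addr.arpa"]))
    print("with /24 zones :", registration_report(["10.203.11.3"], needed))
```

Run it as-is to see the eight zone names to create and the None/match difference for 10.203.11.3; feed it your own block and the zone list from the DNS console to find hosts whose PTR updates would leave the network.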
[ActiveDir] DNS Question
I am trying to create a DNS reverse lookup zone for a subnet that has a /21 subnet mask. Now how do I create just one zone? I created the zone 8/21.203.10.in-addr.arpa on the Windows 2003 DNS server, but my servers are getting an error when trying to register DNS PTR records.

Event ID 11160
Event Type: Information
Event Source: DnsApi
Event Category: None
Event ID: 11160
Date: 12/9/2004
Time: 11:03:25 AM
User: N/A
Computer: TCCHCCFP01
Description:
The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings:
Adapter Name : {2107EBC8-41E4-4FD0-B090-7AA39B224864}
Host Name : tcchccfp01
Adapter-specific Domain Suffix : tcchcc.chcsnet.org
DNS server list : 10.203.11.1, 10.203.11.2
Sent update to server : 192.175.48.1
IP Address : 10.203.11.3
The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: : 39 23 00 00 9#..

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] DNS question
Well, I kinda figured this one out, but I'm still not sure how it's happening. The whole point of this was to move the external-facing SMTP connector from an exch 5.5 box to a new E2K3 box. Didn't want to change external DNS if I didn't have to. I changed the static NAT mapping in our PIX to point to the new server. I figured that maybe there was something with the PIX doing it, even though the config doesn't show it (and no, smtp fixup isn't on). Once I did that, the DNS entry changed immediately. I still don't know how, though. Something to wade through Cisco's site and research, I guess. In my spare time.

Your test, which was exactly what I was looking for, BTW, showed that the auth record is indeed an outside DNS server. So somehow, the PIX is natting the DNS entry? Strange. The connector works fine, and mail is flowing. We'll see where it goes for a while...

Thanks, Deji.

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
> Sent: Friday, September 17, 2004 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS question
>
> nslookup
> set q=ns
> mail.essexcredit.com
>
> That will give you the nameserver's IP and name. From outside, your nameserver is a.ns.interland.net. Do the same from inside and you are on your way.
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE MCSA MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> ____________
>
> From: Charlie Kaiser
> Sent: Fri 9/17/2004 5:06 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS question
>
> OK; Friday afternoon, brain fade time...
> I have my production internal domains. W2K3 AD, AD-integrated DNS. External-facing DNS is hosted by ISP.
> If I dig or nslookup for mail.essexcredit.com from an outside host, I get our proper public IP address. If I do the same from inside, I get our private NAT'd IP address. I seem to remember setting up an alias for it, but I need to change it now and I can't for the life of me remember where it is.
> Nslookup gives the correct address, but with "non-authoritative answer".
> Dig gives me:
>
> C:\Dig>dig mail.essexcredit.com
>
> ; <<>> DiG 9.2.3 <<>> mail.essexcredit.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mail.essexcredit.com. IN A
>
> ;; ANSWER SECTION:
> mail.essexcredit.com. 1273 IN A
>
> ;; Query time: 40 msec
> ;; SERVER: #53(inside DNS server address)
> ;; WHEN: Fri Sep 17 17:01:08 2004
> ;; MSG SIZE rcvd: 54
>
> I don't have a domain zone for essexcredit.com, although I think I might have at one point when we were doing some testing. If it had been removed, say, 5 months ago, would that record still be there?
> How can I find the DNS server that is authoritative for this record so I can change it?
> Thanks!
>
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
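The mechanism Charlie suspects (a firewall rewriting the address inside DNS replies that cross a static NAT, so the same authoritative answer shows a public address outside and a private one inside), modelled as an added example that is not part of the thread and says nothing about what his particular PIX configuration does. The code builds a minimal DNS answer in wire format, using the name, id and TTL from the dig output above, then rewrites the A-record rdata the way a NAT device would. The addresses are constructed (RFC 5737 and RFC 1918 ranges), not the thread's real ones. The practical consequence for a DNS engineer is that "which server is authoritative" does not settle where an answer came from: a middlebox can change the rdata in flight, and for a DNSSEC-signed name such a rewrite would also invalidate the RRSIG, which is how a validating resolver would detect it.

```python
import ipaddress
import struct


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(pkt, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a two-byte pointer ends the name
            return off + 2
        off += length + 1


def build_response(qname, ip, txid=41, ttl=1273):
    """Constructed sample: a non-authoritative answer (flags qr rd ra) with one A record."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)    # owner = pointer to offset 12
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def _walk_answers(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!6H", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip qtype and qclass
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt):
    """Dotted-quad addresses of all IN A records in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for off, rtype, rclass, rdlen in _walk_answers(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_a_records(pkt, nat_map):
    """Rewrite A-record rdata in a reply, as a NAT device doing DNS rewriting does
    when it maps the outside address to the inside one.  Only the four rdata bytes
    change, so no lengths, offsets or compression pointers move."""
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in _walk_answers(pkt):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        seen = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        if seen in nat_map:
            out[off:off + 4] = ipaddress.IPv4Address(nat_map[seen]).packed
    return bytes(out)


if __name__ == "__main__":
    # Constructed static NAT entry: public address -> inside address.
    STATIC_NAT = {"203.0.113.25": "192.168.10.25"}
    outside = build_response("mail.essexcredit.com", "203.0.113.25")
    inside = rewrite_a_records(outside, STATIC_NAT)
    print("answer seen outside:", a_records(outside))
    print("answer seen inside: ", a_records(inside))
```

To check whether something on your own path is doing this, compare the rdata of the same answer captured on both sides of the firewall; the transaction id, TTL and message size stay identical, only the address differs.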
RE: [ActiveDir] DNS question
nslookup
set q=ns
mail.essexcredit.com

That will give you the nameserver's IP and name. From outside, your nameserver is a.ns.interland.net. Do the same from inside and you are on your way.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Charlie Kaiser
Sent: Fri 9/17/2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS question

OK; Friday afternoon, brain fade time...
I have my production internal domains. W2K3 AD, AD-integrated DNS. External-facing DNS is hosted by ISP.
If I dig or nslookup for mail.essexcredit.com from an outside host, I get our proper public IP address. If I do the same from inside, I get our private NAT'd IP address. I seem to remember setting up an alias for it, but I need to change it now and I can't for the life of me remember where it is.
Nslookup gives the correct address, but with "non-authoritative answer".
Dig gives me:

C:\Dig>dig mail.essexcredit.com

; <<>> DiG 9.2.3 <<>> mail.essexcredit.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.essexcredit.com. IN A

;; ANSWER SECTION:
mail.essexcredit.com. 1273 IN A

;; Query time: 40 msec
;; SERVER: #53(inside DNS server address)
;; WHEN: Fri Sep 17 17:01:08 2004
;; MSG SIZE rcvd: 54

I don't have a domain zone for essexcredit.com, although I think I might have at one point when we were doing some testing. If it had been removed, say, 5 months ago, would that record still be there?
How can I find the DNS server that is authoritative for this record so I can change it?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
[ActiveDir] DNS question
OK; Friday afternoon, brain fade time...
I have my production internal domains. W2K3 AD, AD-integrated DNS. External-facing DNS is hosted by ISP.
If I dig or nslookup for mail.essexcredit.com from an outside host, I get our proper public IP address. If I do the same from inside, I get our private NAT'd IP address. I seem to remember setting up an alias for it, but I need to change it now and I can't for the life of me remember where it is.
Nslookup gives the correct address, but with "non-authoritative answer".
Dig gives me:

C:\Dig>dig mail.essexcredit.com

; <<>> DiG 9.2.3 <<>> mail.essexcredit.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.essexcredit.com. IN A

;; ANSWER SECTION:
mail.essexcredit.com. 1273 IN A

;; Query time: 40 msec
;; SERVER: #53(inside DNS server address)
;; WHEN: Fri Sep 17 17:01:08 2004
;; MSG SIZE rcvd: 54

I don't have a domain zone for essexcredit.com, although I think I might have at one point when we were doing some testing. If it had been removed, say, 5 months ago, would that record still be there?
How can I find the DNS server that is authoritative for this record so I can change it?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
RE: [ActiveDir] DNS Question
That was it. Thanks guys...

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
7711 Computer Ave. Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-----Original Message-----
From: James Payne [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 08, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS Question

I had the same problem with 3 workstations in a similar environment. It was because we still had a mapped drive that did not exist anymore. Not saying that is your resolution but just throwing in my experiences.

From: "John Parker" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] DNS Question
06/08/2004 10:50 AM
Please respond to [EMAIL PROTECTED]

Hey all. I am running Win2k fully spacked on a Win2k Active Directory domain. I have one machine (mine) that has the following issue: when I go to save a document and I click the drop-down to select a location, my system takes up to 30 seconds to display the tree. And when using my browser, it takes roughly the same amount of time when I type in a URL. I have gone through my settings but cannot find anything obviously amiss. Thank you in advance.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
---End of Line---
Re: [ActiveDir] DNS Question
I had the same problem with 3 workstations in a similar environment. It was because we still had a mapped drive that did not exist anymore. Not saying that is your resolution but just throwing in my experiences.

From: "John Parker" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] DNS Question
06/08/2004 10:50 AM
Please respond to [EMAIL PROTECTED]

Hey all. I am running Win2k fully spacked on a Win2k Active Directory domain. I have one machine (mine) that has the following issue: when I go to save a document and I click the drop-down to select a location, my system takes up to 30 seconds to display the tree. And when using my browser, it takes roughly the same amount of time when I type in a URL. I have gone through my settings but cannot find anything obviously amiss. Thank you in advance.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
---End of Line---
RE: [ActiveDir] DNS Question
Have you got an old invalid share mapped? This will cause both issues you mention.

-----Original Message-----
From: John Parker [mailto:[EMAIL PROTECTED]]
Sent: 08 June 2004 15:51
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Question

Hey all. I am running Win2k fully spacked on a Win2k Active Directory domain. I have one machine (mine) that has the following issue: when I go to save a document and I click the drop-down to select a location, my system takes up to 30 seconds to display the tree. And when using my browser, it takes roughly the same amount of time when I type in a URL. I have gone through my settings but cannot find anything obviously amiss. Thank you in advance.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
---End of Line---
[ActiveDir] DNS Question
Hey all. I am running Win2k fully spacked on a Win2k Active Directory domain. I have one machine (mine) that has the following issue: when I go to save a document and I click the drop-down to select a location, my system takes up to 30 seconds to display the tree. And when using my browser, it takes roughly the same amount of time when I type in a URL. I have gone through my settings but cannot find anything obviously amiss. Thank you in advance.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems.
---End of Line---
RE: [ActiveDir] DNS question
My experience is that you can change one from AD-integrated to standard primary and change the others to standard secondaries from the new primary without much worry. If you're at all worried, I'd reverse the process: change all the secondaries first, and have the last change you make be the change of one from AD-Int to primary.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Hughes. Daryn (IT Solutions) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 12, 2003 8:08 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS question
>
> All,
>
> Here's a problem you guys might be able to help us with.
>
> Background:
> We have set up an Active Directory-integrated zone which replicates to three of our domain controllers. In addition, we have set up secondary zones on a Windows NT server to support existing clients with static DNS settings. On the Zone Transfer tab we have specified "Allow Zone Transfers" "to the following servers", the IP address of the NT DNS server. The zones transferred OK.
>
> Problem:
> The following day the Zone Transfer tab had changed. "Allow Zone Transfers" was un-selected and the options beneath greyed out. The IP address of the NT DNS server was removed.
>
> The result is that the AD DNS server is refusing to transfer to the NT server. Not sure if this is by design or is a bug.
>
> Our proposed solution is to change the zone back to a standard primary.
>
> My question is:
> If we change the zone back on one server, I suspect that we will end up with the same standard primary zone on all three servers. Is there a documented procedure to change an Active Directory-integrated zone to a standard primary when there are several AD servers hosting the zone?
>
> Thanks in advance
>
> Regards
> Daryn Hughes
RE: [ActiveDir] DNS question for a Parent/Child domain
> Just not comfortable with how DNS is still set up, so have a few questions:
>
> 1. Presently, the DHCP scopes point clients to the parent.com DNS servers. Since all users and computers are in the child.parent.com domain, wouldn't the best practice be to point all DHCP clients to the child.parent.com domain DNS servers? Does it make a difference that these clients use the DNS servers in the root (parent) domain?

I'd probably point the clients to the child domain DNS, yes, but it all depends on how you want to run DNS as an overall scheme. Seeing as this is an empty root (which is exactly what I run as well), I'd set the child domain up to handle all resolving tasks. I'd probably also include secondaries of the parent (root) domain's zone as well.

> 2. Presently, the child.parent.com forward lookup zone is housed in the root of the DNS - i.e. there is a DNS Forward Lookup Zone set up just for this child domain. There is also a separate lookup zone for the parent.com domain. Shouldn't the child domain zone be listed under the parent.com domain zone? Does it make a difference?

Yes, it makes a difference, but neither one is necessarily better than the other. Listed individually (as they are) simply means they aren't directly aware of each other: they are two discrete zones. You probably just need to add a delegation of the child zone from the parent zone and you'll fix most of your issues.

> 3. There are a number of websites hosted in the DMZ, so there are a number of Forward Lookup Zones. If I move the DHCP scope to point to the child DNS servers, should I then move these website zones to the child DNS servers to ensure the best possible performance?

Probably not necessary. DNS is a pretty efficient process, once everything is configured properly.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
[ActiveDir] DNS question for a Parent/Child domain
I have a customer that has been experiencing name resolution issues. They have a Windows 2000 Active Directory with parent.com and child.parent.com domains. I made some changes that have fixed the problems for now by removing orphaned secondary DNS zones with no primary and ensuring there are only AD-integrated DNS zones. Also removed WINS from the environment.

Just not comfortable with how DNS is still set up, so have a few questions:

1. Presently, the DHCP scopes point clients to the parent.com DNS servers. Since all users and computers are in the child.parent.com domain, wouldn't the best practice be to point all DHCP clients to the child.parent.com domain DNS servers? Does it make a difference that these clients use the DNS servers in the root (parent) domain?

2. Presently, the child.parent.com forward lookup zone is housed in the root of the DNS - i.e. there is a DNS Forward Lookup Zone set up just for this child domain. There is also a separate lookup zone for the parent.com domain. Shouldn't the child domain zone be listed under the parent.com domain zone? Does it make a difference?

3. There are a number of websites hosted in the DMZ, so there are a number of Forward Lookup Zones. If I move the DHCP scope to point to the child DNS servers, should I then move these website zones to the child DNS servers to ensure the best possible performance?

Thanks for any help with this long-winded question!
Re: [ActiveDir] DNS question
> The only problem was that I couldn't configure the DNS to use forwarders
> unless I would DELETE THE "." DOMAIN :-)

Aaa. That'll help.

All the best,
Andy
RE: [ActiveDir] DNS question
Thanks for the info.

Andy, many have reported the bug to me but I consider it bad practice (as you've determined yourself) to configure resolvers in this way and am, thus, unfamiliar with the exact outcome of doing so in a corporate environment. I may well prove out the logic that causes it one of these days but, quite frankly, I really can't be bothered :)

I just configured a half-hearted equivalent on my own setup at home and, sure enough, within a couple of minutes local resolution was failing (apart from those entries already cached) and I was subsequently unable to administer AD due to the negative responses received for the critical _ldap and _kerberos SRV records.

PS - I've now changed it back :o

Dean
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Grafton
Sent: Monday, February 25, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS question

Dean writes;
> It has been reported (though I've not personally experienced it) that the
> DNS client tends to preference either the public servers or the alternate
> server ... this being the case, resolution against the zone(s) representing
> Active Directory will eventually fail.

I've experienced this and have concluded that putting an external (non-AD) DNS server in the clients' "alternates" list for DNS servers is something to avoid.

Rather use forwarding to help the internal server(s) resolve the names. Right-click the server in DNS MMC, do properties... forwarders tab, add your favoured external DNS servers there. Seems to work OK.

All the best,
Andy
RE: [ActiveDir] DNS question
Thank you everybody for your help!!

> > It has been reported (though I've not personally experienced it) that the
> > DNS client tends to preference either the public servers or the alternate
> > server ... this being the case, resolution against the zone(s) representing
> > Active Directory will eventually fail.
>
> I've experienced this and have concluded that putting an external (non-AD)
> DNS server in the clients' "alternates" list for DNS servers is something to
> avoid.

I have experienced the same - that's why I wasn't sure about it.

> Rather use forwarding to help the internal server(s) resolve the names.
> Right-click the server in DNS MMC, do properties... forwarders tab, add your
> favoured external DNS servers there.

The only problem was that I couldn't configure the DNS to use forwarders unless I would DELETE THE "." DOMAIN :-)

=> Thanks to Joshua Morgan to study Q260371!

It seems to work now!!

Stay Active ;-)
Mike
Re: [ActiveDir] DNS question
Dean writes;
> It has been reported (though I've not personally experienced it) that the
> DNS client tends to preference either the public servers or the alternate
> server ... this being the case, resolution against the zone(s) representing
> Active Directory will eventually fail.

I've experienced this and have concluded that putting an external (non-AD) DNS server in the clients' "alternates" list for DNS servers is something to avoid.

Rather use forwarding to help the internal server(s) resolve the names. Right-click the server in DNS MMC, do properties... forwarders tab, add your favoured external DNS servers there. Seems to work OK.

All the best,
Andy
RE: [ActiveDir] DNS question
I'm afraid that's incorrect; this configuration will inevitably cause an Active Directory failure for that particular client. The alternate resolvers are designed for fault tolerance, not load balancing or distributed resolution paths, and are *only* used in the event the active name server fails to respond or states that it failed to complete the query. In addition, the fault-tolerant design of the DNS client allows it to re-order the resolution sequence dynamically when unable to contact the active name server, i.e. alternate becomes preferred and vice versa ... and so on; this ordering is not changed back until similar conditions once again trigger the re-ordering process.

It has been reported (though I've not personally experienced it) that the DNS client tends to preference either the public servers or the alternate server ... this being the case, resolution against the zone(s) representing Active Directory will eventually fail.

In order to resolve public domains as well as the private internal domains, configure the internal name servers to forward to the public ISP name servers. Configure each client with at least two name servers, both of which are internal.

PS - The use of recursion (root hints) can be considered an alternative configuration scenario but tends to place more load on the internal name servers than simply forwarding. In order to enable either solution, the root "." zone must NOT be present.

HTH
Dean
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 25, 2002 8:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS question

Change the DNS properties under your adapter TCP/IP settings. Put both your internal and external DNS servers in, and then resolutions will be attempted in turn.

BR
Robert Rutherford

From: "Mike Tonazzi" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] DNS question
25/02/2002 13:19
Please respond to ActiveDir

Hello

It's like in real life: you've heard it 1000 times, but when you need to implement it, you forgot how.

I have a well-running AD network with 25 workstations. I installed a direct connection to the Internet through a firewall; this works fine for TCP/IP. But I cannot resolve the DNS requests for the Internet domains and my local domain at the same time. Either the DNS for Internet requests works (we have an external DNS), but then the workstations won't see the domain controller (what I understand as everywhere is written to have DNS properly configured...). Or the workstations are able to see the DC, but then they cannot resolve Internet DNS requests (because the DC does not allow referring to an external DNS server - it's outlined). What have I missed?

Thank you in advance!

Regards,
Mike
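Dean's description of the client's fail-over ordering (in this message and in his later reply above), together with Mike's finding that forwarders cannot be configured while the "." zone exists, modelled as an added example that is not part of the thread. The Server and Client classes are a deliberately simplified model of the behaviour Dean describes, not the Windows resolver itself; the domain corp.example, the SRV name, the addresses and the assumption that a server hosting "." answers NXDOMAIN for everything it does not know are constructed for the illustration. It shows why one timeout of the internal server is enough to leave a client permanently asking the ISP for _ldap._tcp SRV records, and why the same client with two internal servers and forwarding on the servers keeps working.

```python
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"   # the server completed the query: the name does not exist
TIMEOUT = "TIMEOUT"     # the server did not respond at all

AD_SRV = "_ldap._tcp.dc._msdcs.corp.example"   # constructed AD domain name


@dataclass
class Server:
    name: str
    zones: dict                 # zone name -> {qname: answer}; hosting a zone means authoritative
    root_zone: bool = False     # also hosts ".": answers NXDOMAIN for everything it does not know
    forwarder: object = None    # another Server to forward unknown names to (ignored if root_zone)
    up: bool = True

    def query(self, qname):
        if not self.up:
            return TIMEOUT
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                return records.get(qname, NXDOMAIN)   # authoritative negative answer if missing
        if self.root_zone or self.forwarder is None:
            return NXDOMAIN
        return self.forwarder.query(qname)


class Client:
    """Simplified model of the fail-over behaviour described in the thread: the
    server list is a fail-over list, not a load-balancing list, and a server that
    answers after the preferred one timed out stays preferred from then on."""

    def __init__(self, servers):
        self.servers = list(servers)

    def resolve(self, qname):
        for i, server in enumerate(self.servers):
            result = server.query(qname)
            if result == TIMEOUT:
                continue
            if i != 0:
                self.servers.insert(0, self.servers.pop(i))   # re-order; not undone later
            return result
        return TIMEOUT


def isp_server():
    # Constructed public resolver: knows one Internet name, nothing about corp.example.
    return Server("isp", zones={"example.com": {"www.example.com": "203.0.113.80"}})


def internal_server(name, root_zone, forwarder):
    # Constructed AD DNS server: authoritative for corp.example.
    return Server(name, zones={"corp.example": {AD_SRV: "dc1.corp.example",
                                                "dc1.corp.example": "10.0.0.1"}},
                  root_zone=root_zone, forwarder=forwarder)


def mixed_list_scenario():
    """Client lists the internal server first and the ISP server as alternate.
    Returns the SRV answer before, during and after one internal timeout."""
    isp = isp_server()
    dc1 = internal_server("dc1", root_zone=False, forwarder=isp)
    client = Client([dc1, isp])
    before = client.resolve(AD_SRV)
    dc1.up = False
    during = client.resolve(AD_SRV)   # ISP answers NXDOMAIN and becomes preferred
    dc1.up = True
    after = client.resolve(AD_SRV)    # ISP is still asked first: AD lookups stay broken
    return before, during, after


def forwarder_scenario(root_zone):
    """Client lists two internal servers only; they forward Internet names to the ISP.
    With a "." zone present the forwarder is never consulted."""
    isp = isp_server()
    dc1 = internal_server("dc1", root_zone, isp)
    dc2 = internal_server("dc2", root_zone, isp)
    client = Client([dc1, dc2])
    srv = client.resolve(AD_SRV)
    internet = client.resolve("www.example.com")
    dc1.up = False
    failover = client.resolve(AD_SRV)   # dc2 answers; AD keeps working
    return srv, internet, failover


if __name__ == "__main__":
    print("internal + ISP in client list:  ", mixed_list_scenario())
    print("internal only, '.' zone present:", forwarder_scenario(root_zone=True))
    print("internal only, forwarders:      ", forwarder_scenario(root_zone=False))
```

Besides the outage, the mixed list has a quieter cost: every _ldap, _kerberos and hostname query the client sends to the ISP discloses the internal namespace to a resolver outside the organisation, which is one more reason to keep only internal servers in the client list and do the forwarding on the servers.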
RE: [ActiveDir] DNS question
You may also take a look at Q260371

Joshua Morgan
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]

-----Original Message-----
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 25, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS question

Hello

It's like in real life: you've heard it 1000 times, but when you need to implement it, you forgot how.

I have a well-running AD network with 25 workstations. I installed a direct connection to the Internet through a firewall; this works fine for TCP/IP. But I cannot resolve the DNS requests for the Internet domains and my local domain at the same time. Either the DNS for Internet requests works (we have an external DNS), but then the workstations won't see the domain controller (what I understand as everywhere is written to have DNS properly configured...). Or the workstations are able to see the DC, but then they cannot resolve Internet DNS requests (because the DC does not allow referring to an external DNS server - it's outlined). What have I missed?

Thank you in advance!

Regards,
Mike
RE: [ActiveDir] DNS question
Did you set up your DNS before or after your Internet connection was up?

Joshua Morgan
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]

-----Original Message-----
From: Mike Tonazzi [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 25, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS question

Hello

It's like in real life: you've heard it 1000 times, but when you need to implement it, you have forgotten how.

I have a well-running AD network with 25 workstations. I installed a direct connection to the Internet through a firewall; this works fine for TCP/IP. But I cannot resolve the DNS requests for the Internet domains and my local domain at the same time. Either the DNS for Internet requests works (we have an external DNS), but then the workstations won't see the domain controller (which I understand, as everywhere it is written that DNS must be properly configured...). Or the workstations are able to see the DC, but then they cannot resolve Internet DNS requests (because the DC does not allow referring to an external DNS server - it's outlined).

What have I missed?

Thank you in advance!

Regards,
Mike
Re: [ActiveDir] DNS question
Change the DNS properties under your adapter TCP/IP settings. Put both your internal and external DNS servers in, and then resolutions will be attempted in turn.

BR
Robert Rutherford

"Mike Tonazzi" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
25/02/2002 13:19
Please respond to ActiveDir

To: <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] DNS question

Hello

It's like in real life: you've heard it 1000 times, but when you need to implement it, you have forgotten how.

I have a well-running AD network with 25 workstations. I installed a direct connection to the Internet through a firewall; this works fine for TCP/IP. But I cannot resolve the DNS requests for the Internet domains and my local domain at the same time. Either the DNS for Internet requests works (we have an external DNS), but then the workstations won't see the domain controller (which I understand, as everywhere it is written that DNS must be properly configured...). Or the workstations are able to see the DC, but then they cannot resolve Internet DNS requests (because the DC does not allow referring to an external DNS server - it's outlined).

What have I missed?

Thank you in advance!

Regards,
Mike

This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK Printing Machines Ltd., or its affiliates.
[ActiveDir] DNS question
Hello

It's like in real life: you've heard it 1000 times, but when you need to implement it, you have forgotten how.

I have a well-running AD network with 25 workstations. I installed a direct connection to the Internet through a firewall; this works fine for TCP/IP. But I cannot resolve the DNS requests for the Internet domains and my local domain at the same time. Either the DNS for Internet requests works (we have an external DNS), but then the workstations won't see the domain controller (which I understand, as everywhere it is written that DNS must be properly configured...). Or the workstations are able to see the DC, but then they cannot resolve Internet DNS requests (because the DC does not allow referring to an external DNS server - it's outlined).

What have I missed?

Thank you in advance!

Regards,
Mike
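The two failure modes Mike describes (either Internet names resolve or the domain controller is found, never both) and the adapter DNS settings Robert refers to can be checked per configured DNS server with the PowerShell below. This is an added diagnostic, not from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 or later) on a domain-joined workstation, and www.example.com is a placeholder probe name.

```powershell
# Added diagnostic, not from the thread. Assumes the DnsClient module (Windows 8 /
# Server 2012 or later) on a domain-joined workstation. $ExternalName is a placeholder.
param(
    [string]$Domain       = $env:USERDNSDOMAIN,   # AD DNS domain of this workstation
    [string]$ExternalName = 'www.example.com'     # any public name, used as the Internet probe
)

# Every DNS server address the adapters are currently configured with
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Where-Object { $_ } | Select-Object -Unique

$results = foreach ($server in $servers) {
    # SRV record clients use to locate a domain controller; only the AD DNS zone has it
    $dc  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
               -Server $server -DnsOnly -ErrorAction SilentlyContinue
    # Ordinary Internet name; needs root hints or a forwarder on the queried server
    $ext = Resolve-DnsName -Name $ExternalName -Type A `
               -Server $server -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server       = $server
        FindsDC      = [bool]($dc  | Where-Object { $_.Type -eq 'SRV' })
        ResolvesInet = [bool]($ext | Where-Object { $_.Type -eq 'A' })
    }
}

$results | Format-Table -AutoSize

# A configured server that answers a name with an authoritative negative result ends the
# lookup, so each server a client lists must be able to answer both kinds of query.
if ($results | Where-Object { $_.FindsDC -and $_.ResolvesInet }) {
    'OK: at least one configured server answers both the DC locator query and Internet names.'
} elseif (-not ($results | Where-Object { $_.FindsDC })) {
    'No configured server returns the DC locator SRV record: clients must point at the AD DNS server.'
} else {
    'The AD DNS server is reachable but does not resolve Internet names: add a forwarder on it ' +
    '(Get-DnsServerForwarder / Add-DnsServerForwarder on the DC) so clients can keep it as ' +
    'their only DNS server.'
}
```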