WINDOWS 2003 DNS NAMESPACE QUESTION

Hi

Im setting up a small Windows 2003 network and am wondering what DNS
name i should use.

The charity use charityname.org.uk at present for their external DNS
name and I am thinking of using charityname.local for the internal DNS
name.

any comments on the wisdom of this approach ?

 

Thats the easiest way of doing it as it guarantees no internal/external
clashes.
--
Alex

Join dozens of newsgroup users in making a group charity purchase from
www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
£1450 raised so far

 

cheers Alex.

I assume the clients have their primary DNS set to the windows 2003
DNS server and that the server has the IP addresses of the ISP DNS set
to enable forwarding of requests for Internet names.

They are using a NAT broadband router , will that make any difference
?

 

Probably not what you meant, but it does not guarantee no external clashes.
Specifically, this may happen if a "local" TLD is created. Though that won't
happen, the proper solution would be to use a subdomain of
charityname.org.uk, eg local.charityname.org.uk.

Alex

 

Spot on.
Remember to delete the root DNS zone on the server (.) to allow it to
resolve outside names.

Disable the DHCP server on the router and create a DHCP scope on the server
--
Alex

Join dozens of newsgroup users in making a group charity purchase from
www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
£1450 raised so far

 

Which will never happen as "local" is now reserved for internal use.

That starts to get far too complicated for a network like this.
--
Alex

Join dozens of newsgroup users in making a group charity purchase from
www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
£1450 raised so far

 

cheers Alex.

 

I can't find anything to support this claim, although I already said it
won't happen.

Why? Unless there is something peculiar to the DNS server (I only know about
BIND), there's no reason it would be any different. I wasn't suggesting
delegating the zone.

Alex

 

Agreed , and I'm on Dial-up at the mo so I cant be arsed to find a
reference.

Its going to be more confusing for users for one thing and it really is an
unnecessary complication.
It will also affect the way non-fully-qualified names get resolved in
windows

--
Alex

"I laugh in the face of danger"
"Then I hide until it goes away"

www.drzoidberg.co.uk
www.sffh.co.uk
www.upce.org.uk

 

MS KB article 296250 recommend using the .local scenario.

problem may be with email addresses.

currently they are handled by the ISP .

if I install Exchange it will give the users the email address of


I suppose I can handle this with aliases or additional UPNs in Active
Directory ?

 

You can change the policy in exchange to automatically allocate

Yep you can have as many aliases as you feel are necessary.
Most of our users have a minimum of four





with more added as necessary to cope for people who send emails to steve
instead of stephen/steven etc

--
Alex

"I laugh in the face of danger"
"Then I hide until it goes away"

www.drzoidberg.co.uk
www.sffh.co.uk
www.upce.org.uk

 

Presenting "facts" and yet being unwilling to back them up hardly inspires
confidence in anything else you have to say. Which, BTW, seems to be nothing
but waffle in this case.

[snip]

Alex

 

MS KB article 296250 recommends using the .local approach.

That is good enough for me.

Agreed that .local is not reserved yet.

Thanks Zoidberg.

support.microsoft.com/kb/296250

 

Presenting "facts" and yet being unwilling to back them up hardly inspires

Separate internal and external names on separate servers. External
servers should include only those names that you want to be visible to
the Internet. Internal servers should contain names that are for
internal use. You can set your internal DNS servers to forward
requests that they cannot resolve to external servers for resolution.
Different types of clients require different kinds of name resolution.
Web proxy clients, for example, do not require external name
resolution because the proxy server does this on their behalf.
Overlapping internal and external namespaces are not recommended. In
most cases, the end result of this configuration is that computers
will be unable to locate needed resources because of receiving
incorrect IP addresses from DNS. This is particularly a concern when
Network Address Translation (NAT) is involved and the external IP
address is in an unreachable range for internal clients.
•
Make sure that root servers are not created unintentionally. Root
servers may be created by the Dcpromo Wizard, resulting in internal
clients being able to reach external clients or to reach parent
domains. If the "." zone exists, a root server has been created. It
may be necessary to remove this for proper name resolution to work.
For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
This seems to back up Alex/Zoidberg quite nicely.

 

Presenting "facts" and yet being unwilling to back them up hardly inspires

Separate internal and external names on separate servers. External
servers should include only those names that you want to be visible to
the Internet. Internal servers should contain names that are for
internal use. You can set your internal DNS servers to forward
requests that they cannot resolve to external servers for resolution.
Different types of clients require different kinds of name resolution.
Web proxy clients, for example, do not require external name
resolution because the proxy server does this on their behalf.
Overlapping internal and external namespaces are not recommended. In
most cases, the end result of this configuration is that computers
will be unable to locate needed resources because of receiving
incorrect IP addresses from DNS. This is particularly a concern when
Network Address Translation (NAT) is involved and the external IP
address is in an unreachable range for internal clients.
•
Make sure that root servers are not created unintentionally. Root
servers may be created by the Dcpromo Wizard, resulting in internal
clients being able to reach external clients or to reach parent
domains. If the "." zone exists, a root server has been created. It
may be necessary to remove this for proper name resolution to work.
For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
This seems to back up Alex/Zoidberg quite nicely.

 

Presenting "facts" and yet being unwilling to back them up hardly inspires

MS KB 254680

Separate internal and external names on separate servers. External
servers should include only those names that you want to be visible to
the Internet. Internal servers should contain names that are for
internal use. You can set your internal DNS servers to forward
requests that they cannot resolve to external servers for resolution.
Different types of clients require different kinds of name resolution.
Web proxy clients, for example, do not require external name
resolution because the proxy server does this on their behalf.
Overlapping internal and external namespaces are not recommended. In
most cases, the end result of this configuration is that computers
will be unable to locate needed resources because of receiving
incorrect IP addresses from DNS. This is particularly a concern when
Network Address Translation (NAT) is involved and the external IP
address is in an unreachable range for internal clients.
•
Make sure that root servers are not created unintentionally. Root
servers may be created by the Dcpromo Wizard, resulting in internal
clients being able to reach external clients or to reach parent
domains. If the "." zone exists, a root server has been created. It
may be necessary to remove this for proper name resolution to work.
For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:


This seems to back up Alex/Zoidberg quite nicely.

 

Sadly, but (from past experience) not too surprisingly, without any sound
reason.

Alex

 

[I wrote:]

The portion you quoted has nothing to do with it, it is only talking about
server configuration issues which apply regardless of what domain you use.

Alex

 

i would be interested to hear of your experiences using both these
approaches.

 

I don't have experience with Windows 2003 Server (as I have indicated
before). However, I do have considerable DNS knowledge and experience.

With reference to the KB article, using the same name as a domain hosted
externally can indeed cause the problem described. Specifically, names that
should be resolved by the external server will not be since they are in a
domain for which the local server is configured as authoritative.

Using a subdomain (as I originally suggested) avoids this problem to an
extent; queries for names in the parent domain will be resolved by the
external server (after being forwarded by the internal server). The problem
above will return only if a records with the name of the internal domain are
created on the external server.

The article also says "If at any time, the start of authority for the
registered domain [...] adds records for sub-domains, the currently
configured private sub-domain may become public." I assume this refers to
adding NS records to delegate the subdomain to the internal server.

What it fails to mention is that if a subdomain is used, there's no real
reason for the two described problems to occur provided that:
- the same person is responsible for both external and internal domains, or
- the people responsible for the two talk to each other.

My experience is that one of these two situations will apply.

Applying this to the case in question, if you use
something.charityname.org.uk, there will be no DNS problems (and the
subdomain will remain "private") so long as there are no records at/under
something.charityname.org.uk on the external server. What I am saying is
that the absence of such records is easily guaranteed in practice (for
sensible values of 'something', ie not 'www' or the like).

Alex