WINDOWS 2003 DNS NAMESPACE QUESTION

Discussion in 'DIY Computers' started by sam1967, Dec 5, 2004.

    sam1967 Guest

    Hi

    I'm setting up a small Windows 2003 network and am wondering what DNS
    name I should use.

    The charity uses charityname.org.uk at present for their external DNS
    name and I am thinking of using charityname.local for the internal DNS
    name.

    Any comments on the wisdom of this approach?
     
    sam1967, Dec 5, 2004
    #1

    Dr Zoidberg Guest

    That's the easiest way of doing it as it guarantees no internal/external
    clashes.
    --
    Alex

    Join dozens of newsgroup users in making a group charity purchase from
    www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
    £1450 raised so far
     
    Dr Zoidberg, Dec 5, 2004
    #2

    sam1967 Guest

    Cheers Alex.

    I assume the clients have their primary DNS set to the Windows 2003
    DNS server and that the server has the IP addresses of the ISP DNS set
    to enable forwarding of requests for Internet names.

    They are using a NAT broadband router; will that make any difference?
     
    sam1967, Dec 5, 2004
    #3

    Alex Fraser Guest

    Probably not what you meant, but it does not guarantee no external clashes.
    Specifically, this may happen if a "local" TLD is created. Though that won't
    happen, the proper solution would be to use a subdomain of
    charityname.org.uk, eg local.charityname.org.uk.

    Alex
     
    Alex Fraser, Dec 5, 2004
    #4

    Dr Zoidberg Guest

    Spot on.
    Remember to delete the root DNS zone on the server (.) to allow it to
    resolve outside names.
    Disable the DHCP server on the router and create a DHCP scope on the server.
    --
    Alex

    Join dozens of newsgroup users in making a group charity purchase from
    www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
    £1450 raised so far
     
    Dr Zoidberg, Dec 6, 2004
    #5

    Dr Zoidberg Guest

    Which will never happen as "local" is now reserved for internal use.
    That starts to get far too complicated for a network like this.
    --
    Alex

    Join dozens of newsgroup users in making a group charity purchase from
    www.oxfamunwrapped.com Full details at www.drzoidberg.co.uk - over
    £1450 raised so far
     
    Dr Zoidberg, Dec 6, 2004
    #6

    sam1967 Guest

    Cheers Alex.
     
    sam1967, Dec 6, 2004
    #7

    Alex Fraser Guest

    I can't find anything to support this claim, although I already said it
    won't happen.
    Why? Unless there is something peculiar to the DNS server (I only know about
    BIND), there's no reason it would be any different. I wasn't suggesting
    delegating the zone.

    Alex
     
    Alex Fraser, Dec 6, 2004
    #8

    Dr Zoidberg Guest

    Agreed, and I'm on dial-up at the mo so I can't be arsed to find a
    reference.
    It's going to be more confusing for users for one thing and it really is an
    unnecessary complication.
    It will also affect the way non-fully-qualified names get resolved in
    Windows.

    --
    Alex

    "I laugh in the face of danger"
    "Then I hide until it goes away"

    www.drzoidberg.co.uk
    www.sffh.co.uk
    www.upce.org.uk
     
    Dr Zoidberg, Dec 6, 2004
    #9

    sam1967 Guest

    MS KB article 296250 recommends using the .local scenario.

    The problem may be with email addresses.

    Currently they are handled by the ISP.

    if I install Exchange it will give the users the email address of


    I suppose I can handle this with aliases or additional UPNs in Active
    Directory ?
     
    sam1967, Dec 6, 2004
    #10

    Dr Zoidberg Guest

    You can change the policy in Exchange to automatically allocate

    Yep, you can have as many aliases as you feel are necessary.
    Most of our users have a minimum of four





    with more added as necessary to cope with people who send emails to steve
    instead of stephen/steven, etc.

    --
    Alex

    "I laugh in the face of danger"
    "Then I hide until it goes away"

    www.drzoidberg.co.uk
    www.sffh.co.uk
    www.upce.org.uk
     
    Dr Zoidberg, Dec 6, 2004
    #11

    Alex Fraser Guest

    Presenting "facts" and yet being unwilling to back them up hardly inspires
    confidence in anything else you have to say. Which, BTW, seems to be nothing
    but waffle in this case.

    [snip]

    Alex
     
    Alex Fraser, Dec 6, 2004
    #12

    sam1967 Guest

    MS KB article 296250 recommends using the .local approach.

    That is good enough for me.

    Agreed that .local is not reserved yet.

    Thanks Zoidberg.

    support.microsoft.com/kb/296250
     
    sam1967, Dec 7, 2004
    #13

    sam1967 Guest

    > Presenting "facts" and yet being unwilling to back them up hardly inspires
    Separate internal and external names on separate servers. External
    servers should include only those names that you want to be visible to
    the Internet. Internal servers should contain names that are for
    internal use. You can set your internal DNS servers to forward
    requests that they cannot resolve to external servers for resolution.
    Different types of clients require different kinds of name resolution.
    Web proxy clients, for example, do not require external name
    resolution because the proxy server does this on their behalf.
    Overlapping internal and external namespaces are not recommended. In
    most cases, the end result of this configuration is that computers
    will be unable to locate needed resources because of receiving
    incorrect IP addresses from DNS. This is particularly a concern when
    Network Address Translation (NAT) is involved and the external IP
    address is in an unreachable range for internal clients.

    Make sure that root servers are not created unintentionally. Root
    servers may be created by the Dcpromo Wizard, resulting in internal
    clients being able to reach external clients or to reach parent
    domains. If the "." zone exists, a root server has been created. It
    may be necessary to remove this for proper name resolution to work.
    For additional information, click the article number below to view the
    article in the Microsoft Knowledge Base:
    This seems to back up Alex/Zoidberg quite nicely.
     
    sam1967, Dec 7, 2004
    #14

    sam1967 Guest

    > Presenting "facts" and yet being unwilling to back them up hardly inspires
    MS KB 254680

    Separate internal and external names on separate servers. External
    servers should include only those names that you want to be visible to
    the Internet. Internal servers should contain names that are for
    internal use. You can set your internal DNS servers to forward
    requests that they cannot resolve to external servers for resolution.
    Different types of clients require different kinds of name resolution.
    Web proxy clients, for example, do not require external name
    resolution because the proxy server does this on their behalf.
    Overlapping internal and external namespaces are not recommended. In
    most cases, the end result of this configuration is that computers
    will be unable to locate needed resources because of receiving
    incorrect IP addresses from DNS. This is particularly a concern when
    Network Address Translation (NAT) is involved and the external IP
    address is in an unreachable range for internal clients.

    Make sure that root servers are not created unintentionally. Root
    servers may be created by the Dcpromo Wizard, resulting in internal
    clients being able to reach external clients or to reach parent
    domains. If the "." zone exists, a root server has been created. It
    may be necessary to remove this for proper name resolution to work.
    For additional information, click the article number below to view the
    article in the Microsoft Knowledge Base:


    This seems to back up Alex/Zoidberg quite nicely.
     
    sam1967, Dec 7, 2004
    #16

    Alex Fraser Guest

    Sadly, but (from past experience) not too surprisingly, without any sound
    reason.

    Alex
     
    Alex Fraser, Dec 7, 2004
    #17

    Alex Fraser Guest

    [I wrote:]
    The portion you quoted has nothing to do with it, it is only talking about
    server configuration issues which apply regardless of what domain you use.

    Alex
     
    Alex Fraser, Dec 7, 2004
    #18

    sam1967 Guest

    I would be interested to hear of your experiences using both these
    approaches.
     
    sam1967, Dec 7, 2004
    #19

    Alex Fraser Guest

    I don't have experience with Windows 2003 Server (as I have indicated
    before). However, I do have considerable DNS knowledge and experience.

    With reference to the KB article, using the same name as a domain hosted
    externally can indeed cause the problem described. Specifically, names that
    should be resolved by the external server will not be since they are in a
    domain for which the local server is configured as authoritative.

    Using a subdomain (as I originally suggested) avoids this problem to an
    extent; queries for names in the parent domain will be resolved by the
    external server (after being forwarded by the internal server). The problem
    above will return only if records with the name of the internal domain are
    created on the external server.

    The article also says "If at any time, the start of authority for the
    registered domain [...] adds records for sub-domains, the currently
    configured private sub-domain may become public." I assume this refers to
    adding NS records to delegate the subdomain to the internal server.

    What it fails to mention is that if a subdomain is used, there's no real
    reason for the two described problems to occur provided that:
    - the same person is responsible for both external and internal domains, or
    - the people responsible for the two talk to each other.

    My experience is that one of these two situations will apply.

    Applying this to the case in question, if you use
    something.charityname.org.uk, there will be no DNS problems (and the
    subdomain will remain "private") so long as there are no records at/under
    something.charityname.org.uk on the external server. What I am saying is
    that the absence of such records is easily guaranteed in practice (for
    sensible values of 'something', ie not 'www' or the like).

    Alex
     
    Alex Fraser, Dec 7, 2004
    #20
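The three behaviours argued over in this thread (an internal zone that overlaps the public domain shadowing the public names, a stray "." root zone stopping all forwarding, and a private subdomain of the public domain only clashing once the public server publishes records beneath it), as an added simulation that is not part of the thread and is not Windows DNS Server code. The zone names, host names and the 192.168.1.x, 203.0.113.x, 198.51.100.x and 192.0.2.53 addresses are all constructed, and the server model is deliberately simplified: longest-suffix zone match answers authoritatively, anything else goes to the forwarders, and root hints are not modelled.

```python
"""Simulated internal DNS server showing three behaviours from this thread:
an internal zone that overlaps the public domain shadows the public names,
a stray root (".") zone stops all forwarding, and a private subdomain of the
public domain only clashes once the public server adds records beneath it.
Added illustration, not thread or Windows code; all names/addresses constructed."""

from __future__ import annotations

NXDOMAIN = "NXDOMAIN"


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name ("." stays ".")."""
    return name.lower().rstrip(".") + "."


# Constructed public view: what the ISP's forwarders would answer.
EXTERNAL_VIEW = {
    fqdn("charityname.org.uk"): "203.0.113.10",
    fqdn("www.charityname.org.uk"): "203.0.113.10",
    fqdn("mail.charityname.org.uk"): "203.0.113.25",
    fqdn("example.net"): "198.51.100.5",
}
ISP_FORWARDERS = ["192.0.2.53"]  # constructed forwarder address


class InternalDnsServer:
    """Minimal model: answer authoritatively for hosted zones (a "." zone
    covers every name), otherwise hand the query to the forwarders."""

    def __init__(self, zones: dict[str, dict[str, str]], forwarders: list[str],
                 external_view: dict[str, str] = EXTERNAL_VIEW) -> None:
        self.zones = {fqdn(z): {fqdn(h): ip for h, ip in rrs.items()}
                      for z, rrs in zones.items()}
        self.forwarders = forwarders
        self.external_view = external_view

    def authoritative_zone(self, name: str) -> str | None:
        """Longest-suffix match over hosted zones; the root zone matches all."""
        best = None
        for zone in self.zones:
            if zone == "." or name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, query: str) -> str:
        name = fqdn(query)
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative: return the record or NXDOMAIN. The server never
            # forwards a name that falls inside a zone it hosts, which is
            # exactly why overlapping namespaces and a "." zone break lookups.
            return self.zones[zone].get(name, NXDOMAIN)
        if not self.forwarders:
            return "SERVFAIL"  # real server would try root hints; not modelled
        return self.external_view.get(name, NXDOMAIN)


def scenarios() -> dict[str, dict[str, str]]:
    """Resolve the same kinds of names under each namespace design."""
    hosts = {"dc1": "192.168.1.10", "files": "192.168.1.20"}

    def zone(suffix: str) -> dict[str, str]:
        return {f"{h}.{suffix}": ip for h, ip in hosts.items()}

    overlapping = InternalDnsServer({"charityname.org.uk": zone("charityname.org.uk")}, ISP_FORWARDERS)
    root_zone = InternalDnsServer({"charityname.local": zone("charityname.local"), ".": {}}, ISP_FORWARDERS)
    dot_local = InternalDnsServer({"charityname.local": zone("charityname.local")}, ISP_FORWARDERS)
    sub = {"local.charityname.org.uk": zone("local.charityname.org.uk")}
    subdomain = InternalDnsServer(sub, ISP_FORWARDERS)
    # The clash case: the public server later publishes a name under the private subdomain.
    leaked_view = {**EXTERNAL_VIEW, fqdn("vpn.local.charityname.org.uk"): "203.0.113.40"}
    subdomain_clash = InternalDnsServer(sub, ISP_FORWARDERS, leaked_view)

    def ask(server: InternalDnsServer, *names: str) -> dict[str, str]:
        return {n: server.resolve(n) for n in names}

    return {
        "overlapping": ask(overlapping, "dc1.charityname.org.uk", "www.charityname.org.uk", "example.net"),
        "root_zone": ask(root_zone, "dc1.charityname.local", "example.net"),
        "dot_local": ask(dot_local, "dc1.charityname.local", "www.charityname.org.uk"),
        "subdomain": ask(subdomain, "dc1.local.charityname.org.uk", "www.charityname.org.uk",
                         "mail.charityname.org.uk"),
        "subdomain_clash": ask(subdomain_clash, "vpn.local.charityname.org.uk"),
    }


if __name__ == "__main__":
    for design, answers in scenarios().items():
        print(f"[{design}]")
        for name, answer in answers.items():
            print(f"  {name:32} -> {answer}")
```

Running it shows the point of the KB excerpt and of the subdomain argument side by side: under "overlapping", www.charityname.org.uk comes back NXDOMAIN because the internal server owns the whole zone and never asks the ISP; under "root_zone", example.net fails the same way because "." makes the server authoritative for everything; "dot_local" and "subdomain" both resolve internal and public names correctly; and "subdomain_clash" shows the one way the subdomain design can break, a public record created under local.charityname.org.uk that internal clients can never see.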