Router pointing to Windows DNS Server: OK?
Windows Server Forum Index -> DNS (winserverhelp.com), page 1 of 2
Server discussion on Windows platform.
Rich Roller (Guest)
Posted: Sat Oct 22, 2005 12:50 am    Post subject: Router pointing to Windows DNS Server: OK?

I've got a new, tiny, single-server WS2003 SP2 domain which has periodic
major slowdowns with external Internet communications. I'm running "ping -t
www.dell.com" and when it's good it's at 50ms but several times a day it'll
go to 800-1400ms!

If I reboot the Netgear router/gateway it usually fixes it and the pings go
back to 50ms. The same seems true if I reboot the Verizon DSL box. So I'm
not sure where the problem lies but I'm wondering about the router, and in
particular how it points to the internal DNS server.

The router is also being the DHCP Server (I may change this over to the
WS2003 DC soon). But with this router there is only one place you can enter
static DNS servers. I have entered 10.11.0.21 (WS2003 DC/DNS) and
151.202.0.85 (Verizon). These same DNS entries get used by its DHCP server
function and given out to the client PCs.

Finally the WS2003 DNS Server is set to point only to itself for DNS (TCPIP
Properties) and its DNS Server has at the moment only one forwarder
(151.202.0.85 Verizon).

So is there anything fundamentally wrong with this design, especially with
the static DNS entries on the router?

There's more I could say about the configuration of the LAN, a legacy NT
domain/trust still active, and the diagnostics I have run (generally good)
but I first wanted to do a reality check on the above design being kosher.

Thanks in advance for any comments/advice.

-Rich
Kevin D. Goodknecht Sr. [MVP] (Guest)
Posted: Sat Oct 22, 2005 7:00 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Rich Roller <rich@*REMOVE-THIS*r2c.com> wrote:
Quote:
I've got a new, tiny, single-server WS2003 SP2 domain which has
periodic major slowdowns with external Internet communications. I'm
running "ping -t www.dell.com" and when it's good it's at 50ms but
several times a day it'll go to 800-1400ms!

If I reboot the Netgear router/gateway it usually fixes it and the
ping's go back to 50ms. The same seems true if I reboot the Verizon
DSL box. So I'm not sure where the problem lies but I'm wondering
about the router, and in particular how it points to the internal DNS
server.

The router is also being the DHCP Server (I may change this over to the
WS2003 DC soon). But with this router there is only one place
you can enter static DNS servers. I have entered 10.11.0.21 (WS2003
DC/DNS) and 151.202.0.85 (Verizon). These same DNS entries get used
by its DHCP server function and given out to the client PCs.

You are right, you should move DHCP to the Win2k3 server, because you cannot
use Verizon's DNS on any client in any position.
All clients should use the server's IP for DNS; you can use the router or
Verizon as a forwarder for the Win2k3 DNS.


Quote:
So is there anything fundamentally wrong with this design, especially
with the static DNS entries on the router?

The router should use the ISP for DNS, the server can forward to the router.
No client should use the router for DNS, this is the problem with using DHCP
on the router.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
Rich Roller (Guest)
Posted: Sat Oct 22, 2005 7:42 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Thanks for the quick feedback Kevin. Very helpful.

See my comments/questions in-line below...

"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:uZAUtxq1FHA.3204@TK2MSFTNGP14.phx.gbl...
Quote:
Rich Roller <rich@*REMOVE-THIS*r2c.com> wrote:
I've got a new, tiny, single-server WS2003 SP2 domain which has
periodic major slowdowns with external Internet communications. I'm
running "ping -t www.dell.com" and when it's good it's at 50ms but
several times a day it'll go to 800-1400ms!

If I reboot the Netgear router/gateway it usually fixes it and the
ping's go back to 50ms. The same seems true if I reboot the Verizon
DSL box. So I'm not sure where the problem lies but I'm wondering
about the router, and in particular how it points to the internal DNS
server.

The router is also being the DHCP Server (I may change this over to
the WS2003 DC soon). But with this router there is only one place
you can enter static DNS servers. I have entered 10.11.0.21 (WS2003
DC/DNS) and 151.202.0.85 (Verizon). These same DNS entries get used
by its DHCP server function and given out to the client PCs.

You are right, you should move DHCP to the Win2k3 server, because you
cannot use Verizon's DNS on any client in any position.
All clients should use the server's IP for DNS; you can use the router or
Verizon as a forwarder for the Win2k3 DNS.

I guess the rationale for the clients having DNS as 1=DC, 2=ISP was for
fault tolerance. In a single server network if the clients only point DNS
to the DC and if it goes down then no-one can access the Internet. (a 2nd
server is not in the cards unfortunately for budget & political reasons)

Quote:

So is there anything fundamentally wrong with this design, especially
with the static DNS entries on the router?

The router should use the ISP for DNS, the server can forward to the
router.
No client should use the router for DNS, this is the problem with using
DHCP
on the router.

What are the pros/cons of having WS2003 DNS Server forwarders to router vs.
direct to ISP?

Also, do you think that the periodic slowness they've been experiencing is
due to the above configuration? My hunch said probably, but I couldn't
figure the reason, since the DNS actually seems to resolve fine... it's just
the response time from the target host which is slow. And why would it be
periodic and why would rebooting the router or DSL fix it temporarily?

The last questions are a little academic and so perhaps not as critical, if
in fact I can solve the speed problems through DNS changes.

-Rich
Kevin D. Goodknecht Sr. [MVP] (Guest)
Posted: Sat Oct 22, 2005 8:50 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Rich Roller <rich@*REMOVE-THIS*r2c.com> wrote:
Quote:
Thanks for the quick feedback Kevin. Very helpful.
snip
I guess the rationale for the clients having DNS as 1=DC, 2=ISP was
for fault tolerance. In a single server network if the clients only
point DNS to the DC and if it goes down then no-one can access the
Internet. (a 2nd server is not in the cards unfortunately for budget
& political reasons)

In an Active Directory environment, this rationale is totally irrelevant.
Members and DCs locate the DC by looking in DNS for its records; if you have
your ISP's DNS in the setup as anything but a forwarder, it will cause
errors and inconsistent behavior. If the DNS fails on the DC, Internet
resolution will be the least of your worries. The clients will be looking
for the DC for user authentication for access to anything you do and the
client will slow to a creep. Stop your Virtual DC and you will see exactly
what I mean. DNS, if set up properly, uses very little system and CPU
resources, so there is little sense in not running and using your own DNS.



Quote:
What are the pros/cons of having WS2003 DNS Server forwarders to
router vs. direct to ISP?

The router is closer and has its own DNS cache, so it keeps you from having
to visit the ISP DNS for every query; this comes in real handy if you have
multiple users accessing the same sites all day.

Quote:

Also, do you think that the periodic slowness they've been
experiencing is due to the above configuration?

Absolutely.

Quote:
My hunch said
probably, but I couldn't figure the reason, since the DNS actually
seems to resolve fine...

DNS resolution is one thing, locating the domain controller in DNS is
another. You simply cannot locate the DC in your ISP's DNS server.

Quote:
it's just the response time from the target
host which is slow. And why would it be periodic and why would
rebooting the router or DSL fix it temporarily?

You have to understand how the Windows DNS client works: if the preferred is
only slightly slow to answer it will move the Alternate to the preferred
position and leave it there until TCP/IP is reset. During this time (if the
ISP DNS is configured as the alternate) the ISP DNS is being asked to find
the DC records, and since it can't it answers not found and that's the end
of the query; the DNS client WILL NOT ask the other DNS just because the
other answered not found. Then, since the DC cannot be found, the client
will be very slow at everything you do, even opening a folder on your
desktop. Remember, as an AD domain member, the DC will authenticate
everything a domain user does, even on their own desktop computer.

The periodic slowness will stop if the domain member uses the DC
exclusively. If you are sure you need a second DNS server, set up another
DC.



Rich Roller (Guest)
Posted: Sun Oct 23, 2005 8:50 pm    Post subject: Re: Router pointing to Windows DNS Server: OK?

Hi Kevin,

Thanks for all the time/thoughts/advice!

Quote:
If the DNS fails on the DC, internet
resolution will be the least of your worries. The clients will be looking
for the DC for user authentication for access to anything you do and the
client will slow to a creep.

So basically you're saying that MS designed its networking architecture to
be totally dependent on DCs, even if the function that the client is
performing (e.g. web browsing) is not by definition dependent on a MS
DC.

For this particular company, their Internet connection and their
externally-hosted Email are their highest priorities. The Windows Server
(DC) is basically a glorified file & print server and as such is secondary.

So actually if the DC goes down Internet resolution is the most of my
worries, not the least of them. That is why it would be nice to have some
fault tolerance so that if the DC and its DNS Server go down, then they
aren't suddenly without Internet & Email. If the clients' DNS pointed
somewhere other than the DC then they should still be able to do
Internet/Email. That was the rationale for having DHCP give out DNS #1=DC,
DNS #2=ISP.

Without having a 2nd DNS/DC server, is there no other way of providing
fault-tolerance for their Internet-related DNS??

Quote:

Also, do you think that the periodic slowness they've been
experiencing is due to the above configuration?

Absolutely.

....
desktop. Remember as an AD domain member, the DC will authenticate
everything a domain user does, even on their own desktop computer.

The periodic slowness will stop if the domain member uses the DC
exclusively. If you are sure you need a second DNS server, set up another
DC.

I will most likely try this. But the weird thing is that they have not been
experiencing overall slowness, just with Internet queries/communications.
Their local communications, e.g. printing via server queues, are as fast as
always. And I've never heard or seen of any delays in opening up local
files/folders.

The other weird thing is that the slowness is usually cleared up by a router
or DSL reboot. Does that make sense in the context of your explanation of
MS DNS/DC dependency?

And the only need for a 2nd DNS/DC server is to create fault-tolerance and
reduced dependence on a single-DC scenario, especially if what you say is
true... if you lose the only DC then you're hosed with everything domain or
non-domain.

Hmm... lots for me to consider!

-Rich
Rich Roller (Guest)
Posted: Mon Oct 24, 2005 7:46 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Kevin,

I tried your recommendations on my own home network and I think I did notice
some of the speed differences between the two different configurations.
It's hard to be 100% with quick testing but it seemed so. I will try it
next on my customer's production network.

So obviously the main thing that bugs me is the fault-tolerance issue.
Before, each client machine had DNS#1=DC and DNS#2=ISP, which had some
fault-tolerance. If I get rid of their DNS#2, your belief is that I'll see
most/all their speed problems go away.

But if instead I changed it so it was DNS#1=DC and DNS#2=router/gateway,
would you expect that the speed problems would be similar? I think your
answer will be YES but I figured I'd ask.

I'm trying to come up with a way that, in the event of the Win Srvr failing,
the clients would just automatically bypass it in order to resolve Internet
queries, without me having to do anything.

If this is not possible, then in the event of server failure, I would either
have to temporarily re-enable DHCP Server function on the router (to allow
them to use ISP DNS servers), or change each client so as to use static DNS.
Both are not ideal and the latter obviously quite unattractive.

Thanks again for your feedback.

-Rich


Ace Fekay [MVP] (Guest)
Posted: Mon Oct 24, 2005 8:34 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

In news:uV1PwUE2FHA.1028@TK2MSFTNGP12.phx.gbl,
Rich Roller <rich@*REMOVE-THIS*r2c.com> made this post, which I then
commented about below:
Quote:
Kevin,

I tried your recommendations on my own home network and I think I did
notice some of the speed differences between the two different
configurations. It's hard to be 100% with quick testing but it seemed
so. I will try it next on my customer's production network.

So obviously the main thing that bugs me is the fault-tolerance issue.
Before, each client machine had DNS#1=DC and DNS#2=ISP, which had some
fault-tolerance. If I get rid of their DNS#2, your belief is that
I'll see most/all their speed problems go away.

But if instead I changed it so it was DNS#1=DC and
DNS#2=router/gateway, would you expect that the speed problems would
be similar. I think your answer will be YES but I figured I'd ask.

I'm trying to come up with a way that, in the event of the Win Srvr
failing, the clients would just automatically bypass it in order to
resolve Internet queries, without me having to do anything.

If this is not possible, then in the event of server failure, I would
either have to temporarily re-enable DHCP Server function on the
router (to allow them to use ISP DNS servers), or change each client
so as to use static DNS. Both are not ideal and the latter obviously
quite unattractive.
Thanks again for your feedback.

-Rich

Actually Rich, fault tolerance for the AD domain is important otherwise the
clients won't be able to logon, have super long logon times (up to 10
minutes), authenticate to resources, or send and receive email if using an
Exchange 2000 or 2003 system. From what you are saying, it *appears* that
your clients are using some external POP3 email service and not using
Exchange internally. Is that correct?

Having "fault tolerance" for AD means to list multiple DNS servers that ONLY
host or have a reference to the DNS servers hosting the AD DNS Domain name.
You can always set up a separate DNS server internally, whether it is on
another DC or a member server. Just ensure that it is hosting a copy of the
zone, whether thru AD Integrated zones on a DC or as a secondary zone on a
non-DC. Configure a forwarder on each server to point to the ISP. This will
increase efficiency for your internal clients to "find" AD domain services
and for Internet resolution.

Also you must keep in mind the way the DNS client side resolver works. If
the first entry does not answer after a couple tries, then it is removed
from the "eligible resolvers list" and it moves on to the next entry without
ever going back to the first entry unless the machine is restarted, the TTL
for the resolvers is set to 0, or the DNS Client service is restarted. Of
course restarting the services or making reg changes are not the
recommended way to perform this. Now you can see why mixing internal and
external can be detrimental.

It's recommended to ONLY use the internal DNS servers in an AD environment
to insure AD functionality.

I hope that helps.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
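The server-list behaviour that Kevin describes in his Oct 22 8:50 am post (a slow preferred server is demoted, and a "not found" answer is final) and that Ace describes above as the "eligible resolvers list" can be replayed with a small model. The following is an added example, not code from the original posts and not Microsoft's resolver: it is a deliberately simplified model that keeps only the two claims the posters make. The AD domain name corp.example, the DC locator SRV name and the per-server answer tables are constructed for the illustration; only the two addresses 10.11.0.21 and 151.202.0.85 come from the thread. It also carries the audit a practitioner would run over a DHCP-handed-out server list: any server that cannot answer the DC locator query will, once promoted, make DC lookups fail.

```python
"""Model of the Windows DNS client server-list behaviour described in the
thread. Added illustration; not code from the posts and not the real
resolver. Domain name, SRV name and answer tables are constructed."""
from dataclasses import dataclass, field

AD_DOMAIN = "corp.example"                           # assumed AD DNS domain
DC_LOCATOR = f"_ldap._tcp.dc._msdcs.{AD_DOMAIN}"     # SRV name clients use to find a DC
DC, ISP = "10.11.0.21", "151.202.0.85"               # addresses from the thread

# Constructed answer tables. A name absent from a server's table means that
# server answers "name does not exist" (NXDOMAIN) for it.
ANSWERS = {
    DC:  {DC_LOCATOR: f"dc1.{AD_DOMAIN}", f"dc1.{AD_DOMAIN}": DC,
          "www.dell.com": "via-forwarder"},
    ISP: {"www.dell.com": "via-isp"},
}


class ResolverTimeout(Exception):
    """No configured server answered at all."""


@dataclass
class ClientResolver:
    servers: list                      # as handed out by DHCP, preferred first
    answers: dict = field(default_factory=lambda: ANSWERS)
    unresponsive: set = field(default_factory=set)   # servers currently timing out
    order: list = field(init=False)    # live preference order

    def __post_init__(self):
        self.order = list(self.servers)

    def reset(self):
        """Models a reboot or a DNS Client service restart: DHCP order restored."""
        self.order = list(self.servers)

    def query(self, name):
        for server in list(self.order):
            if server in self.unresponsive:
                # Claim 1: a server that fails to answer is demoted, and the
                # alternate becomes preferred for all subsequent queries.
                self.order.remove(server)
                self.order.append(server)
                continue
            # Claim 2: whatever the first responding server says is final,
            # including NXDOMAIN (None here). No other server is consulted.
            return self.answers[server].get(name)
        raise ResolverTimeout(name)


def servers_without_ad_data(servers, answers=ANSWERS):
    """Audit check: configured servers that cannot answer the DC locator
    query. Any such server, once promoted, silently breaks DC lookups."""
    return [s for s in servers if DC_LOCATOR not in answers.get(s, {})]


def walk_through():
    """Replay the failure mode from the thread; returns the observations."""
    out = {}
    mixed = ClientResolver([DC, ISP])
    out["healthy"] = mixed.query(DC_LOCATOR)           # DC answers
    mixed.unresponsive.add(DC)                         # DC slow for one query
    out["during_blip"] = mixed.query("www.dell.com")   # ISP answers and is promoted
    mixed.unresponsive.clear()                         # DC is fine again...
    out["after_blip"] = mixed.query(DC_LOCATOR)        # ...but ISP is asked first
    out["order_after_blip"] = list(mixed.order)
    mixed.reset()
    out["after_reset"] = mixed.query(DC_LOCATOR)

    dc_only = ClientResolver([DC])
    dc_only.unresponsive.add(DC)
    try:
        dc_only.query("www.dell.com")
        out["dc_only_down"] = "answered"
    except ResolverTimeout:
        out["dc_only_down"] = "timeout"                # loud failure, not misdirection
    out["audit_mixed"] = servers_without_ad_data([DC, ISP])
    out["audit_dc_only"] = servers_without_ad_data([DC])
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:>16}: {value}")
```

With the mixed list, one slow answer from the DC is enough to promote the ISP server, and the next DC locator query comes back empty even though the DC is healthy again; only a reset restores the order. With the DC-only list the same blip yields a timeout, which is noisy but never returns a wrong "not found" for the domain. The audit function is the one-line check to run against whatever option 6 list the DHCP server hands out: every entry must be a server that holds, or can reach, the AD zone.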
Rich Roller (Guest)
Posted: Mon Oct 24, 2005 8:50 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Thanks Ace. You might not have seen my earlier posts but the network in
question is tiny... single-server. For several reasons a 2nd DC/DNS server
is not real likely. I fully realize that a 2nd server is ideal for
"Microsoft fault-tolerance".

What I was getting at was a little different however. Assuming that this
customer stays with a single-server, then it would be nice if in the event
that that single Win Srvr was down, that the users could still effectively
resolve and connect to the Internet. In essence to temporarily bypass the
Win Srvr DC dependency.

(BTW, they are doing Exchange but it's externally hosted, but what's really
most important about this is that it goes via the Internet)

I hope that clarifies why I was asking Kevin what I was asking.

-Rich

Ace Fekay [MVP] (Guest)
Posted: Mon Oct 24, 2005 8:50 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

In news:e20MhJF2FHA.1256@TK2MSFTNGP09.phx.gbl,
Rich Roller <rich@*REMOVE-THIS*r2c.com> made this post, which I then
commented about below:
Quote:
Thanks Ace. You might not have seen my earlier posts but the network
in question is tiny... single-server. For several reasons a 2nd
DC/DNS server is not real likely. I fully realize that a 2nd server
is ideal for "Microsoft fault-tolerance".

What I was getting at was a little different however. Assuming that
this customer stays with a single-server, then it would be nice if in
the event that that single Win Srvr was down, that the users could
still effectively resolve and connect to the Internet. In essence to
temporarily bypass the Win Srvr DC dependency.

(BTW, they are doing Exchange but it's externally hosted, but what's
really most important about this is that it goes via the Internet)

I hope that clarifies why I was asking Kevin what I was asking.

-Rich

Hi Rich,

Yes, that does clarify it a bit more. However, the recommendation (the ruling
on the field - had to say that after watching football all day!) still
stands, to insure AD functionality, as I previously mentioned, or
else users will have more problems than just trying to get to the Internet,
which I believe Kevin already stated. Besides, if they can't resolve names
on the Internet, wouldn't that tell you there's something wrong with the DC
and it must be attended to immediately anyway?

btw- Just to clear things up, it's not based on "Microsoft fault tolerance",
but rather "fault tolerance", no matter what for; in this case AD
and DNS, it is based on the way AD and DNS work. Whether fault
tolerance is configured for DNS, domain controllers, or even redundant Cisco
routers for that matter, it just means to have additional identically
configured resources to take over when the other resource fails. Cluster
services, on the high end, is a good example.

Having an additional DNS server in case the first fails is another example,
which is ESPECIALLY important with AD, and as I said before, is to insure AD
functionality, which equates to continued user productivity and AD
availability. Fault tolerance with DNS *means* pointing to another DNS
server that is hosting the same exact data or has a reference to it. I doubt
the ISP has that info on their server for the AD domain.

I understand you can't install an additional server in this case, but it is
still recommended to only use the internal DNS. Look at it this way, it will
alert the users to contact you if something is not working. But for AD
functionality, use ONLY the internal DNS, unless the ISP's DNS has info
about the AD domain (highly doubt that).

I hope I was clear on why to use only the internal DNS servers. :-)

Ace
Rich Roller (Guest)
Posted: Tue Oct 25, 2005 12:50 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

Ace,

I do understand the issue of why things work better if the clients point DNS
to MS DC/DNS servers only. And by switching to that I have seen some
improvements.

I think you & I could probably argue fault-tolerance for a long time...

Your definition of fault tolerance is narrower than mine. You argue for
redundant DC's, DNS servers, etc. And on larger nets, or in all cases that
budget allows, this makes total sense.

But in smaller nets, e.g. the ones that might consider using Windows Small
Business Server, this kind of redundancy and complexity is often beyond their
budget.

So, in my broader definition of fault-tolerance, you could lose the only MS
DC/DNS server and still have the clients resolve OK to the Internet by using
a secondary or tertiary non-MS DNS server/router. But as you guys have very
clearly articulated, AD is just not happy unless it's the only DNS that the
clients point to.

With NT4 domains, I think my broader fault-tolerance was more do-able,
because NT domain communication was not integrated with DNS as AD is. If
you lost your only NT PDC/DNS server, you'd get calls from users about
domain resources being unavailable, but they could still use their Internet
functions. And with smaller companies I find that the Internet represents a
larger % of their critical processes and priorities.

Over the years I've spent an awful lot of time working on and with MS
networks. My take, especially since the advent of AD, is that they require
a level of investment/complexity that is oftentimes ill-suited to small
businesses. This thread is a case in point.

That gripe aside, I very much appreciate the time that both you & Kevin have
taken to discuss my issues.

Thanks.

-Rich


Ace Fekay [MVP]
Guest

Posted: Tue Oct 25, 2005 7:51 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

In news:O9VV%23YO2FHA.476@TK2MSFTNGP15.phx.gbl,
Rich Roller <rich@*REMOVE-THIS*r2c.com> made this post, which I then
commented about below:
Quote:
Ace,

I do understand the issue of why things work better if the clients
point DNS to MS DC/DNS servers only. And by switching to that I have
seen some improvements.

I think you & I could probably argue fault-tolerance for a long
time...
Your definition of fault tolerance is narrower than mine. You argue
for redundant DC's, DNS servers, etc. And on larger nets, or in all
cases that budget allows, this makes total sense.

But in smaller nets, e.g. the ones that might consider using Windows
Small Business Server, this kind of redundancy and complexity is often
beyond their budget.

So, in my broader definition of fault-tolerance, you could lose the
only MS DC/DNS server and still have the clients resolve OK to the
Internet by using a secondary or tertiary non-MS DNS server/router. But as
you guys have very clearly articulated, AD is just not happy
unless it's the only DNS that the clients point to.

With NT4 domains, I think my broader fault-tolerance was more do-able,
because NT domain communication was not integrated with DNS as AD
is. If you lost your only NT PDC/DNS server, you'd get calls from
users about domain resources being unavailable, but they could still
use their Internet functions. And with smaller companies I find that
the Internet represents a larger % of their critical processes and
priorities.

Over the years I've spent an awful lot of time working on and with MS
networks. My take, especially since the advent of AD, is that they
require a level of investment/complexity that is oftentimes
ill-suited to small businesses. This thread is a case in point.

That gripe aside, I very much appreciate the time that both you &
Kevin have taken to discuss my issues.

Thanks.

-Rich

It's always a pleasure, Rich. I can understand small businesses not being
able to afford redundancies, whatever the definition is. Unfortunately this is
the case with some installations. But for the price of SBS you get a lot with
it. :-)

Cheers!

Ace
Rich Roller
Guest

Posted: Tue Oct 25, 2005 4:50 pm    Post subject: Re: Router pointing to Windows DNS Server: OK?

Well guys. I'm sorry to report that my Internet slowdown is back with a
vengeance this morning. So apparently the changes I made 2 nights ago to
the DNS/DHCP as per this thread, did not solve that.

As I think I said at the very beginning of this thread, my Internet problem
is intermittent and thus harder to troubleshoot. But I do now know that the
DNS stuff we've been discussing (and which I implemented) didn't really
address it.

Maybe I have problems with my router/gateway device. I will be focusing on
that very closely now. :-(

-Rich
Ace Fekay [MVP]
Guest

Posted: Wed Oct 26, 2005 12:50 am    Post subject: Re: Router pointing to Windows DNS Server: OK?

In news:ex9zXuW2FHA.400@TK2MSFTNGP09.phx.gbl,
Rich Roller <rich@*REMOVE-THIS*r2c.com> made this post, which I then
commented about below:
Quote:
Well guys. I'm sorry to report that my Internet slowdown is back
with a vengeance this morning. So apparently the changes I made 2
nights ago to the DNS/DHCP as per this thread, did not solve that.

As I think I said at the very beginning of this thread, My Internet
problem is intermittent and thus harder to troubleshoot. But I do
now know that the DNS stuff we've been discussing (and which I
implemented) didn't really address it.

Maybe I have problems with my router/gateway device. I will be
focusing on that very closely now. :-(

-Rich

Sad to hear. What name-brand device?

Ace
Kevin D. Goodknecht Sr. [MVP]
Guest

Posted: Wed Oct 26, 2005 8:50 pm    Post subject: Re: Router pointing to Windows DNS Server: OK?


I think the problem here is the DNS loop Rich set up by forwarding the
Router to the DC and forwarding the DC to the router. He should take the DC
out of the router, and forward only from the DC to the router. The router
should only forward to the ISP. If he really thinks he needs two DNS servers
I suggest putting BIND PE on a workstation, with a secondary of the AD
domain on it.
This won't help authentication if the DC goes down and everything will be
woefully slow if the DC does go down, but it makes the AD members happy as
far as finding the DC in both DNS servers. Something that will never happen
if he uses the ISP or router DNS on the client.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
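Kevin's loop diagnosis above (router forwarding to the DC while the DC forwards to the router) and Ace's earlier point (clients should list only DNS servers that hold the AD zone) can both be turned into a small configuration check. The Python below is an added example, not code from the thread, from Microsoft or from BIND: it models the forwarder chains as a directed graph and reports any cycle, then reports any client-facing resolver that holds no copy of the AD zone. The addresses 10.11.0.21 (the WS2003 DC) and 151.202.0.85 (Verizon) come from the thread; the router's LAN address 10.11.0.1, the BIND secondary at 10.11.0.50 and the zone name corp.example are constructed placeholders.

```python
"""Check a small-site DNS layout for the two faults discussed in this thread:
a forwarder loop (router -> DC -> router) and client resolver lists that
include servers which hold no copy of the AD zone.

Added example; not code from the forum, Microsoft or BIND. 10.11.0.21 (DC)
and 151.202.0.85 (Verizon) come from the thread; the other addresses and the
zone name are constructed placeholders.
"""
from typing import Dict, List, Set

DC = "10.11.0.21"              # WS2003 DC/DNS, from the thread
ISP = "151.202.0.85"           # Verizon resolver, from the thread
ROUTER = "10.11.0.1"           # constructed: Netgear router's LAN address
BIND_SECONDARY = "10.11.0.50"  # constructed: BIND PE on a workstation
AD_ZONE = "corp.example"       # constructed: AD DNS domain name

# Servers holding a copy of the AD zone (primary or secondary). Only these can
# answer the _ldap/_kerberos SRV lookups that domain members depend on.
ZONE_HOSTS: Dict[str, Set[str]] = {AD_ZONE: {DC, BIND_SECONDARY}}

# The layout Kevin describes as the loop: router forwards to the DC (and the
# ISP), the DC forwards back to the router, and DHCP hands clients DC + ISP.
LAYOUT_BEFORE = {
    "forwarders": {ROUTER: [DC, ISP], DC: [ROUTER]},
    "client_dns": [DC, ISP],
}

# Kevin's suggested layout: DC -> router -> ISP only, plus a BIND secondary of
# the AD zone so clients have two servers that both know the domain.
LAYOUT_AFTER = {
    "forwarders": {DC: [ROUTER], ROUTER: [ISP], BIND_SECONDARY: [ROUTER]},
    "client_dns": [DC, BIND_SECONDARY],
}


def find_forward_loop(forwarders: Dict[str, List[str]], start: str) -> List[str]:
    """Walk the forwarder graph depth-first from `start` and return the first
    cycle found as a list of hops (first hop repeated at the end), or [] when
    every chain ends at a resolver with no forwarders (root hints or the ISP)."""
    path: List[str] = []
    on_path: Set[str] = set()

    def walk(node: str) -> List[str]:
        if node in on_path:                   # back to a hop already on the chain
            return path[path.index(node):] + [node]
        path.append(node)
        on_path.add(node)
        for nxt in forwarders.get(node, []):  # unknown node = external resolver, chain ends
            cycle = walk(nxt)
            if cycle:
                return cycle
        path.pop()
        on_path.discard(node)
        return []

    return walk(start)


def client_dns_problems(client_dns: List[str],
                        zone_hosts: Dict[str, Set[str]],
                        zone: str = AD_ZONE) -> List[str]:
    """Return the client-facing DNS servers that hold no copy of `zone`.
    The Windows resolver can fall over to any server in its list, so a single
    such entry is enough for SRV lookups to fail while the DC is still up."""
    holders = zone_hosts.get(zone, set())
    return [srv for srv in client_dns if srv not in holders]


def audit(layout: dict) -> List[str]:
    """Run both checks over a layout and return human-readable findings."""
    findings: List[str] = []
    forwarders = layout["forwarders"]
    for server in forwarders:
        cycle = find_forward_loop(forwarders, server)
        if cycle:
            findings.append("forwarder loop: " + " -> ".join(cycle))
            break                             # one report of the loop is enough
    for srv in client_dns_problems(layout["client_dns"], ZONE_HOSTS):
        findings.append(f"client DNS {srv} does not host {AD_ZONE}")
    return findings


if __name__ == "__main__":
    for name, layout in (("before", LAYOUT_BEFORE), ("after", LAYOUT_AFTER)):
        print(name, audit(layout) or ["OK"])
```

Feed it the forwarder list from the DC's DNS console and the static DNS entries from the router's configuration page, plus the DNS servers the DHCP scope hands out; the "before" layout reports the loop and the Verizon entry in the client list, the "after" layout reports nothing.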
Ace Fekay [MVP]
Guest

Posted: Thu Oct 27, 2005 12:51 am    Post subject: Re: Router pointing to Windows DNS Server: OK?


That could be a good point and a nice solution. Let's see if Rich will go
for that.

Ace
Page 1 of 2