vijitc asked:
How can I properly set up MS Windows 2003 redundant DNS, DNS forwarders and suffixes?

I've recently reviewed the company DNS server settings and set up DNS inquiry for a branch office LAN. It isn't a fresh question, and it has definitely confused me.

Scenario: Windows 2003, AD-integrated DNS, two internal DNS servers.
There are two networks:

Main office LAN (172.10.0.0, local domain: mainoffice.local)
    DNS 1 (DNS1): 172.10.0.11 (TCP/IP setting: Preferred DNS is itself, 172.10.0.11, and Alternate DNS is 172.10.0.12; DNS Service Forwarder is the ISP's primary DNS: 202.10.0.1)
    DNS 2 (DNS2): 172.10.0.12 (TCP/IP setting: Preferred DNS is itself, 172.10.0.12, and Alternate DNS is 172.10.0.11; DNS Service Forwarder is the ISP's secondary DNS: 202.10.0.129)

Branch office network (192.168.1.0, local domain: branchoffice.local)
    DNS: 192.168.1.11

A site-to-site VPN has been set up between the main office and the branch office.

Everything was running perfectly until I wanted to resolve domain names in branchoffice.local from the main office network and added 192.168.1.11 to the DNS forwarder list (top entry) on DNS server 1. The order of IP addresses in the DNS forwarder list is 192.168.1.11 and then 202.10.0.1.

First, internal users in the main office complained that Internet access is a bit slow. I am assuming a DNS request will check 192.168.1.11 first (it's located remotely) and then check the ISP's DNS server 202.10.0.1.

Second, internal users in the main office cannot ping / reach servers in the branch office by hostname, only by hostname.branchoffice.local. Once I changed the TCP/IP DNS setting from "Append parent suffixes of the primary DNS suffix" to "Append these DNS suffixes (in order)" (mainoffice.local, branchoffice.local), it was okay.

My questions are:
    1) How can I set up DNS properly (TCP/IP settings of the DNS servers and the DNS forwarders) so I won't slow down Internet access and also get branch office host names resolved?

    2) How can I set up the suffix in the DNS settings rather than setting the DNS suffix on every client one by one manually, or deploying it by GPO?

Thanks a lot!

Hypercat (Deb):

You need to use a conditional forwarder for your branch office instead of a general forwarder. First, remove 192.168.1.11 from your Forwarders list. Then, go back to the top of the Forwarders tab, in the box labeled "DNS Domain", and click the "New" button. Identify the domain as branchoffice.local; after adding the domain name, click on it in the DNS Domain box and then add 192.168.1.11 as the forwarder for that domain only.

As to your other question, if you are using DHCP, then the easiest way to set this option is to use the DHCP Server (or Scope) options: option 015, DNS Domain Name.

vijitc (asker):
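The same change as the answer above, done from the command line. This is an added example for this thread, not the poster's or Microsoft's own script; the addresses are the ones from the question, while the DHCP server name "dc1" and the test host "fs1" are assumptions. dnscmd.exe and netsh.exe are the Windows Server 2003 tools for this, and every line also works verbatim from cmd.exe; PowerShell is only used as the shell here.

```powershell
# Added example (not from the original thread). Addresses are from the question;
# $dhcpServer ("dc1") and the host "fs1" are assumed names.

$dnsServers = @("172.10.0.11", "172.10.0.12")   # DNS1 and DNS2 in the main office
$ispDns     = @("202.10.0.1", "202.10.0.129")   # ISP resolvers
$branchZone = "branchoffice.local"
$branchDns  = "192.168.1.11"                    # branch DNS, reached over the site-to-site VPN
$dhcpServer = "dc1"                             # assumption: DHCP runs on a main-office server

foreach ($server in $dnsServers) {
    # 1. General forwarders: ISP resolvers only. This overwrites the list that had
    #    192.168.1.11 at the top, which is what sent every Internet lookup across the VPN
    #    first. Both ISP resolvers on both servers avoids depending on a single ISP address.
    dnscmd $server /ResetForwarders $ispDns[0] $ispDns[1]

    # 2. Conditional forwarder: only queries under branchoffice.local go to 192.168.1.11.
    #    On Windows 2003 a conditional forwarder is created as a zone with /Forwarder.
    dnscmd $server /ZoneAdd $branchZone /Forwarder $branchDns

    # 3. Check that the zone now exists on this server as a forwarder zone.
    dnscmd $server /ZoneInfo $branchZone
}

# 4. Verify from the main office: the branch FQDN must resolve when asked through DNS1.
#    (If this times out, the VPN is not passing UDP/TCP 53 to 192.168.1.11.)
nslookup "fs1.$branchZone" $dnsServers[0]

# 5. DHCP option 015 hands clients one connection-specific suffix. Caveat: it does not
#    build an ordered search list, so a bare "fs1" is still tried only as
#    fs1.mainoffice.local; a multi-suffix search list needs the GPO or per-client setting.
netsh dhcp server \\$dhcpServer scope 172.10.0.0 set optionvalue 015 STRING mainoffice.local
```

Run step 1 on both servers even though the question only changed DNS1: a client that fails over to DNS2 should see identical forwarding behaviour.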

Thanks, hypercat!

I've changed the general forwarder to a DNS conditional forwarder on the DNS server, adding 192.168.1.11 for the domain branchoffice.local. I can reach / ping hostname.branchoffice.local, but not the bare hostname if I leave the client TCP/IP DNS setting on "Append parent suffixes of the primary DNS suffix". For sure, if I change the client DNS / TCP/IP setting to "Append these DNS suffixes (in order)" (mainoffice.local, branchoffice.local), I can ping the hostname directly.

Is there any way I can directly ping / reach a hostname in branchoffice.local without changing the TCP/IP DNS suffix (or without applying a GPO)?

What's the proper way to set up the TCP/IP Preferred DNS and Alternate DNS for the DNS servers? According to Microsoft, the Preferred DNS should be the server itself (here 172.10.0.11) and the Alternate DNS is the ISP's DNS server (here 202.10.0.1). But some experts suggested the Alternate DNS should be a physically close DNS server (in this case 172.10.0.12). Which solution is reasonable?

TIA.


ASKER CERTIFIED SOLUTION
Hypercat (Deb)
This solution is only available to members of Experts Exchange.
You could always use WINS, but still I don't see the benefit.
Use DNS and use the FQDN when trying to connect to the other domain!
Or maybe consider moving the branch office into the other domain instead...

vijitc (asker):

Thanks hypercat.

I totally agree with the AD-integrated DNS setting: point the DNS server's DNS at itself and use a DNS forwarder for the ISP's DNS.

I've also added a new DNS forwarder for branchoffice.local with the IP 192.168.1.11. Now I can ping any client in branchoffice.local by pinging hostname.branchoffice.local.
I still have a question: how can I ping the hostname (without the suffix branchoffice.local)?

You can't. Because the two domain names are different, you have the possibility of having the same host name in each domain, i.e., host1.mainoffice.local and host1.branchoffice.local. By the logic of DNS name resolution, the first part of the name that is resolved is the domain name. So, if you type "host1", DNS will reply with the IP address of "host1.mainoffice.local" because that is the local zone. If "host1.mainoffice.local" doesn't exist, then you'll get a name resolution failure. In order for DNS to know that it has to search outside the local zone for a host name (in your case by going to the conditional forwarder for the branchoffice.local domain), you have to append the domain name by searching for "host1.branchoffice.local".

In short, think of it as though the host was out on the Internet somewhere and you were trying to ping it. You can't do it unless you know the domain name.

vijitc (asker):

Thanks a lot.

I've added branchoffice.local as a DNS suffix on individual desktops, or we can batch-change it by using a GPO.
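To make the "you can't" in the answer above concrete, here is an added example (not from any poster in this thread) that models what the Windows DNS client does with an unqualified name before it ever asks the server, using a constructed record set for the two domains in the question. The host names fs1 and app1 are made up; the model leaves out parent-suffix devolution, which cannot produce anything useful for a two-label domain like mainoffice.local anyway.

```powershell
# Added example; records below are constructed, not real hosts from the thread.
$records = @{
    "mainoffice.local"   = @{ "fs1" = "172.10.0.20" }
    "branchoffice.local" = @{ "fs1" = "192.168.1.20"; "app1" = "192.168.1.30" }
}

function Lookup-Fqdn([string]$Fqdn) {
    # Server side: the first label is the host, the rest is the zone. Whether the
    # zone is local or reached via a conditional forwarder is invisible to the client.
    $i = $Fqdn.IndexOf('.')
    if ($i -lt 0) { return $null }
    $label = $Fqdn.Substring(0, $i)
    $zone  = $Fqdn.Substring($i + 1)
    if ($records.ContainsKey($zone) -and $records[$zone].ContainsKey($label)) {
        return [pscustomobject]@{ Fqdn = $Fqdn; Address = $records[$zone][$label] }
    }
    return $null
}

function Resolve-ClientName {
    param(
        [string]   $Name,
        [string]   $PrimarySuffix,       # from domain membership: mainoffice.local
        [string[]] $SearchList = @()     # "Append these DNS suffixes (in order)"
    )
    # A dotted name is sent as typed; no suffix is appended.
    if ($Name.Contains('.')) { return Lookup-Fqdn $Name }
    # Unqualified name: with no explicit search list the client only tries the
    # primary suffix, so branchoffice.local is never consulted.
    $suffixes = if ($SearchList.Count -gt 0) { $SearchList } else { @($PrimarySuffix) }
    foreach ($s in $suffixes) {
        $hit = Lookup-Fqdn "$Name.$s"
        if ($hit) { return $hit }
    }
    return $null
}

$p = "mainoffice.local"
Resolve-ClientName "app1" -PrimarySuffix $p
    # nothing: only app1.mainoffice.local is tried (the failure in the question)
Resolve-ClientName "app1.branchoffice.local" -PrimarySuffix $p
    # 192.168.1.30: the FQDN reaches the conditional forwarder
Resolve-ClientName "app1" -PrimarySuffix $p -SearchList $p, "branchoffice.local"
    # 192.168.1.30: the search list adds branchoffice.local as a second try
Resolve-ClientName "fs1"  -PrimarySuffix $p -SearchList $p, "branchoffice.local"
    # 172.10.0.20: same host name in both zones, the first suffix in the list wins

# What the "DNS Suffix Search List" GPO writes on each client; the policy value
# overrides the per-machine SearchList under
# HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters set from the TCP/IP dialog.
# Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
#     -Name SearchList -Value "mainoffice.local,branchoffice.local"
```

The last call is the caveat behind the "same host name in each domain" remark: a search list silently hides the branch host whenever the main office has a host of the same name, so prefer FQDNs for anything scripted and keep the search list for interactive convenience.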
Actually you can fool the client by adding a host in your local DNS domain pointing to the remote client's IP. This works very well and I have never had a single issue with doing it this way. What you should also have is a secondary zone for the remote domain and allow replication between these domains, but only if they are trusted and on a secure link such as MPLS or VPN.