Solved

DNS / Active Directory with external router/WAN connection?

Posted on 2003-12-05
10
953 Views
Last Modified: 2012-08-13
Guys -

It's been quite a while since I've set up AD/DNS, and that was in a corp. environment with a networking group to do the DNS stuff...

I have donated my time to a museaum to set up new computers for them.  Server is WIN2k running AD / integrated DNS.

Here is my config:  WAN/Router/firewall (DSL line).  Servers and workstations will have static inside (private) addresses.

My question - how to make the SERVER DNS provide OUTSIDE resoulution (internet sites like this one!) to the users inside?  I know this is an easy one for you guys.

Thanks.
John
0
Comment
Question by:Bigjohn-s
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
10 Comments
 
LVL 6

Expert Comment

by:Casca1
ID: 9882861
You really don't WANT to; It's possible, but you have raised the threat level for your AD in doing so.
You best bet is to run a firewall and a DMZ, place your Webstuff and external DNS there, and the Museum intranet inside the firewall.
A little different configuration, but much safer.
0
 
LVL 2

Author Comment

by:Bigjohn-s
ID: 9883246
I must have not been clear.

I want to point the workstations to the internal DNS and have the internal DNS get its information from the WAN regarding locations of websites.  WE're not hosting a site on premises.

so - user at PC 10.0.0.5 has DNS set to server (10.0.0.20).  I've only got the default configuration for DNS that happens when you install AD.  I think that has ONE forward lookup zone.

What do I need to do to make certain that user at PC 10.0.0.5 can: a)authenticate with the local AD server (only one server on this net...), and surf the web?

John
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 9883505
Use a Forwarder in the DNS Properties.  You want to configure the forwarder to be the DNS server of your ISP.  This way your DNS will resolve internal resources and if a user wants out on the Internet, DNS querys will be forwarded to the ISP for resolution.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 2

Author Comment

by:Bigjohn-s
ID: 9883710
Is that correct?  My fear was that 'forwarder' would make my DNS tell the 'WORLD' about stuff inside - thus creating security problem.
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 9883744
No - a forwarder will "Forward" requests that cannot be resolved locally.
0
 
LVL 6

Assisted Solution

by:Casca1
Casca1 earned 20 total points
ID: 9883861
Ocon answered that correctly. Additionally, if you have the "." listing in your DNS console, you will want to delete it. That "." tells your DNS it's the Root server. While your server may be the root for your network, it is not THE root. 8-)
If you don't remove the root zone, it will cause you ALL kinds of issues.
Once you do that and setup forwarding, you can set each client to use the DNS server, and it will work properly.
Ummm, any reason NOT to use DHCP? It makes your life easier in the extreme, and is REAL easy to set up in 2K.
0
 
LVL 2

Author Comment

by:Bigjohn-s
ID: 9883978
ok.  2 questions:

how do I add this forwarder, and where do I look in the DNS for the "."


I'm not using DHCP because it's a very small operation (3 users one server) and I don't want anyone plugging into the network and getting an address.
0
 
LVL 13

Accepted Solution

by:
ocon827679 earned 50 total points
ID: 9884018
On the server acting as your DNS.  Open the DNS admin console.  Start - Programs - Administrative Tools - DNS

Right-click on the server name and select Properties.
Open the "forwarders" tab.
Check the box labeled Forwarders.
Input the IP address of your ISP's sDNS server.

I believe that you will find the "." in the forward lookup zone of the DNS admin console.  If it is there, delete it.  If not, don't worry about it.
0
 
LVL 2

Author Comment

by:Bigjohn-s
ID: 9884044
thanks guys
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9884329
Nono, Thank you!
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Domain .local to .co.uk 2 54
How to use 2 separate DNS names. 5 54
Migrating existing OnPremise servers to Azure ? 1 73
Duplicate SPN entries 1 23
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question