AD and DNS Guide for Windows 2003 Server behind NAT

I have been running a Windows 2003 Server with AD and DNS for about 6 months. I am searching for a good guide/link that will describe how to set up AD and DNS on W2K3 when it is behind a NAT "firewall".

Since this is a common small business setup I would THINK that there would be tons of info on this but to date I have not found anything that REALLY addresses the issues head on.

My AD and DNS setup works, but not well. The clients use the W2K3 server as their primary DNS, and DNS forwards the query requests properly (i.e., people can use the Internet). However, there are tons of DNS subsystem errors in the DNS event viewer. It also takes 4 minutes for Windows 2000 clients to log on and 2 minutes for XP clients to log on. Very frustrating to users and this sysadmin.

Bottom line: I need a guide that addresses how to set up AD and DNS services on a NAT LAN.

Any ideas would be great.  

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer (IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
In an AD environment, Microsoft's recommended best practice is to set up DNS in this fashion.

Pick your primary DNS server, usually the first DC in the network. Point the DNS settings on its NIC to itself. So, if its IP address is, then the primary DNS setting should be this. On the other DNS servers, also point their primary DNS to the IP address of the primary server. The secondary setting should point to themselves. All other servers and workstations, whether static or DHCP, should be configured to use the primary DNS server first, the in this example, and one of the other DNS servers as secondary. Do not put your ISP's DNS anywhere in the servers or workstations.

The only place your ISP's DNS settings will be is in the DNS settings on the router or firewall, whichever one holds your public IP address.

Don't use any forwarders in your DNS servers unless required by your ISP or unless you really need the last iota of performance out of it. While it can give a tiny amount of performance, it also introduces a single point of failure. Best practice, again, is not to use forwarders, but to let the server resolve to the Internet root servers as designed.
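The layout described in the answer above can be checked mechanically rather than by clicking through each NIC. The script below is an added example, not code from the original thread or from either commenter. It audits a Windows DNS server against the three rules stated above: the first DNS entry on every NIC is the primary DC (the primary DC lists itself first, other DNS servers list themselves second), no address outside the internal DNS set appears anywhere, and the DNS Server service has no forwarders configured. The addresses 192.168.1.10 (primary DC) and 192.168.1.11 are placeholders standing in for the IP addresses that were stripped from the answer; substitute your own. It assumes PowerShell with WMI access on a host running the Microsoft DNS Server role, so that the root\MicrosoftDNS namespace and its MicrosoftDNS_Server class are available; it uses only WMI classes so it does not depend on the DnsServer or NetTCPIP modules of later Windows versions.

```powershell
# Added example: audit DNS client and server settings on a DC against the
# recommended layout (primary DC first, self second on other DNS servers,
# no ISP DNS anywhere, no forwarders). Not from the original thread.
# Assumptions: the two addresses below are placeholders, and the host runs
# the Microsoft DNS Server role so root\MicrosoftDNS exists.
param(
    [string]$PrimaryDns = '192.168.1.10',
    [string[]]$InternalDns = @('192.168.1.10', '192.168.1.11')
)

function Get-NicDnsSettings {
    # Only IP-enabled adapters carry a DNS search order. The WMI class is
    # available on every Windows version the thread discusses.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPv4       = @($_.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
                DnsServers = @($_.DNSServerSearchOrder)
            }
        }
}

function Test-DnsClientOrder {
    param(
        [string[]]$DnsServers,
        [string]$LocalIp,
        [string]$PrimaryDns,
        [string[]]$InternalDns
    )
    $findings = @()
    if ($DnsServers.Count -eq 0) {
        return @('No DNS servers configured on this adapter')
    }
    # Rule: no resolver outside the internal set (the ISP's DNS belongs only
    # on the router/firewall that holds the public address).
    foreach ($s in $DnsServers) {
        if ($InternalDns -notcontains $s) {
            $findings += "External DNS server $s configured; remove it"
        }
    }
    # Rule: first entry is the primary DC; on the primary itself that is its own address.
    $expectedFirst = if ($LocalIp -eq $PrimaryDns) { $LocalIp } else { $PrimaryDns }
    if ($DnsServers[0] -ne $expectedFirst) {
        $findings += "First DNS entry is $($DnsServers[0]); expected $expectedFirst"
    }
    # Rule: every other DNS server lists itself second.
    $isOtherDnsServer = ($LocalIp -ne $PrimaryDns) -and ($InternalDns -contains $LocalIp)
    if ($isOtherDnsServer -and ($DnsServers.Count -lt 2 -or $DnsServers[1] -ne $LocalIp)) {
        $findings += "Second DNS entry should be this server's own address $LocalIp"
    }
    return $findings
}

function Test-DnsServerForwarders {
    # MicrosoftDNS_Server.Forwarders is the same list shown on the Forwarders
    # tab of the DNS console; an empty list means root hints are used.
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server -ErrorAction SilentlyContinue
    if (-not $srv) {
        return @('DNS Server role not found (root\MicrosoftDNS unavailable); forwarder check skipped')
    }
    if ($srv.Forwarders -and $srv.Forwarders.Count -gt 0) {
        return @("Forwarders configured: $($srv.Forwarders -join ', '); recommended: none, resolve via root hints")
    }
    return @()
}

$report = @()
foreach ($nic in Get-NicDnsSettings) {
    $local = if ($nic.IPv4.Count -gt 0) { $nic.IPv4[0] } else { '' }
    $result = Test-DnsClientOrder -DnsServers $nic.DnsServers -LocalIp $local `
                                  -PrimaryDns $PrimaryDns -InternalDns $InternalDns
    foreach ($f in $result) { $report += "[$($nic.Adapter)] $f" }
}
$report += Test-DnsServerForwarders

if ($report.Count -eq 0) {
    'DNS client and server settings match the recommended layout'
} else {
    $report
}
```

Run it on each DC and DNS server in turn (for example `.\Audit-Dns.ps1 -PrimaryDns 192.168.1.10 -InternalDns 192.168.1.10,192.168.1.11` with your real addresses). A clean run on every server, with the ISP's resolver present only on the NAT router, is the configuration the answer describes; any finding points at the specific NIC or forwarder entry to change.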

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
You say small business setup. Are you using SBS 2003? If so, your DNS may not have installed correctly and you just need to reinstall properly with the wizards. If you are using SBS 2003, let me know and I can provide further info.

Jeff @