Configure client to connect to 2000 server without pointing to it as dns server

bigleon asked
Medium Priority
Last Modified: 2010-04-11
Current setup: We have a Windows 2000 server which is functioning ok.  Logging in is fast.  XP Pro clients point to the server as their one and only DNS server.  The server forwards any addresses it can't resolve.  We want XP Pro clients to be able to access the internet only for web browsing but the server to be isolated as much as possible from the internet for security reasons.

However, I've been requested to configure the XP Pro clients to NOT point to the server as their primary DNS server, the logic being that this frees the server from forwarding DNS requests and might improve security and performance.  I have read that pointing clients to the 2000 server as their DNS server is the preferred setup.

Q: How would it be possible to have the clients use the ISP DNS servers instead and still log in to the domain quickly?

Top Expert 2006
Hi bigleon,

basically I wouldn't attempt this, DNS provides all your name resolution throughout your Domain, if you point your DNS settings away from the server, your network is going to fall over.

if you are trying to secure your server I would recommend a product such as ISA

just my thoughts...


I agree with Jay Jay.  This would definitely not be a best practice and actually would cause a lot more problems than you'd want.  The best practices are to harden your server as much as possible, use split-brain DNS and slave the internal DNS server to a couple of the ISP's DNS servers (or your own outside DNS), which sounds like your current setup.  Now, what is prompting this question?  If your server is overutilized, you may want to run perfmon and find out what exactly is the bottleneck and add the appropriate hardware to it.


Thanks for your replies.
The server is actually a new installation and is undergoing testing; it will probably not be overutilized (small company), and the issue was raised because our management is uneasy about the idea of having the file server doing DNS duties and also wants to tighten security.
If I understand correctly, you're saying the current configuration is really the best practical way to proceed.

If I don't hear any alternative suggestions soon, I will be splitting the points between the two of you, thanks for your time.

Your internal Primary DNS server will hold the SOA and SRV (Service Records) for your domain. These support your clients logging into the domain, LDAP searches against the Global Catalog Server, etc.
If you don't use this server with your client systems and opt to point them towards an external server, they will not be able to log into the network and utilise Domain resources. You might wish to configure a Secondary Server hosting a Secondary read-only Zone? That way it can service your client PCs, and free up the main server.
You could use a separate DNS appliance then.  Like the BlueCat Networks Adonis 1000:

This appliance supports SRV records and AD.  However, I am not sure it would benefit your situation enough to warrant the expense...  Nevertheless, it looks cool!
Top Expert 2006

thanks mate,

as far as security goes, DNS doesn't exactly provide a "hole" if you know what I mean... all it does is provide name resolution.

tell them that, should settle their minds a bit :)
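
The replies above explain that domain logon depends on the SRV records held by the internal DNS server. As an added example (not part of the original thread), this Python code builds the `_ldap._tcp.dc._msdcs.<domain>` SRV lookup a domain member issues and parses two constructed replies: one from an internal DNS server and one NXDOMAIN reply of the kind an outside resolver gives for a zone it does not know. The domain `corp.example`, the host `dc1` and all function names are assumptions made for the illustration.

```python
import struct
SRV = 33  # DNS record type for service location (RFC 2782)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_dc_query(domain, txid=0x1A2B):  # SRV _ldap._tcp.dc._msdcs.<domain>
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name("_ldap._tcp.dc._msdcs." + domain) + struct.pack(">HH", SRV, 1)

def read_name(msg, off):  # returns (name, offset just past the name)
    labels, end = [], None
    for _ in range(128):  # bounded walk, so a pointer loop cannot hang the parser
        n = msg[off]
        if n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("malformed name")

def parse_srv_response(msg):  # returns (rcode, [(priority, weight, port, target), ...])
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question: name, then type and class
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == SRV:
            records.append(struct.unpack(">HHH", msg[off + 10:off + 16]) + (read_name(msg, off + 16)[0],))
        off += 10 + rdlen
    return flags & 0x000F, records

def sample_reply(query, rcode, target=None):  # constructed reply for this demo
    rdata = struct.pack(">HHH", 0, 100, 389) + encode_name(target) if target else b""
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SRV, 1, 600, len(rdata)) + rdata if target else b""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if target else 0, 0, 0)
    return header + query[12:] + answer

def can_locate_dc(reply):  # usable only if NOERROR and at least one SRV record
    rcode, records = parse_srv_response(reply)
    return rcode == 0 and bool(records)

INTERNAL_REPLY = sample_reply(build_dc_query("corp.example"), 0, "dc1.corp.example")  # constructed
ISP_REPLY = sample_reply(build_dc_query("corp.example"), 3)  # constructed: NXDOMAIN from outside
```

`can_locate_dc(INTERNAL_REPLY)` is true and `can_locate_dc(ISP_REPLY)` is false, which is the failure the replies describe when clients are pointed only at the ISP's DNS servers.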
