Configure client to connect to 2000 server without pointing to it as dns server

Current setup: We have a Windows 2000 server which is functioning ok.  Logging in is fast.  XP Pro clients point to the server as their one and only DNS server.  The server forwards any addresses it can't resolve.  We want XP Pro clients to be able to access the internet only for web browsing but the server to be isolated as much as possible from the internet for security reasons.

However Ive been requested to configure the XP Pro clients to NOT point to the server as their primary DNS server, the logic being that this frees the server from forwarding DNS requests and might improve security and performance.  I have read that pointing clients to the 2000 server as their DNS server is the prefered setup.

Q: How would it be possible to have the clients use the ISP DNS servers instead and still login to the domain quickly?
bigleonAsked:
Who is Participating?
 
plemieux72Commented:
I agree with Jay Jay.  This would definitely not be a best practice and actually would cause a lot more problems than you'd want.  The best practices are to harden your server as much as possible, use split-brain DNS and slave the internal DNS server it to a couple of the ISP's DNS servers (or your own outside DNS) which sounds like your current setup.  Now, what is prompting this question?  If your server is overutilized, you may want to run perfmon and find out what exactly is the bottleneck and add the appropriate hardware to it.  
0
 
Jay_Jay70Commented:
Hi bigleon,

basically i wouldnt attempt this, DNS provides all your name resolution throughout your Domain, if you point your dns settings away from the server, your network is going to fall over.

if you are trying to secure your server i would reccomend a product such as ISA

just my thoughts...

Cheers!
0
 
bigleonAuthor Commented:
Thanks for your replies.
The server is actually a new installation and is undergoing testing, it will probably not be overutilized (small company) and the issue was raised because our management is uneasy of the idea of having the file server doing dns duties and also wanting to tighten security.
If i understand correctly, you're saying the current configuration is really the best practical way to proceed.

If I don't hear any alternative suggestions soon, I will be splitting the points between the two of you, thanks for your time.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
mattacukCommented:
Your Internal PrimaryDNS server will hold the SOA and SRV (Service Records) for your domain. These support your clients logging into  the  domain, LDAP search against the the Global Catalog Server etc
If you dont use this server with your client systems and opt to point them towards an  external server, they will not be able to log into the network and utilise Domain resources. You might wish  to configure a Secondary Server hosting a Secondary read-only  Zone? That way it can service you client pcs, and  free up the main server.
0
 
plemieux72Commented:
You could use a separate DNS appliance then.  Like the BlueCat Networks Adonis 1000:
http://www.bluecatnetworks.com/products/adonis-dns-dhcp-appliances/adonis1000/overview/

This appliance supports SRV records and AD.  However, I am not sure it would benefit your situation enough to warrant the expense...  Nevertheless, it looks cool!
0
 
Jay_Jay70Commented:
thanks mate,  

as far as security goes, DNS doesnt exactly provide a "hole" if you know what i mean... all it does is provide name resolution.

tell them that, should settle their minds a bit :)

cheers
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.