Configure client to connect to 2000 server without pointing to it as dns server

Current setup: We have a Windows 2000 server which is functioning ok.  Logging in is fast.  XP Pro clients point to the server as their one and only DNS server.  The server forwards any addresses it can't resolve.  We want XP Pro clients to be able to access the internet only for web browsing but the server to be isolated as much as possible from the internet for security reasons.

However I've been requested to configure the XP Pro clients to NOT point to the server as their primary DNS server, the logic being that this frees the server from forwarding DNS requests and might improve security and performance.  I have read that pointing clients to the 2000 server as their DNS server is the preferred setup.

Q: How would it be possible to have the clients use the ISP DNS servers instead and still login to the domain quickly?

Hi bigleon,

Basically I wouldn't attempt this. DNS provides all your name resolution throughout your domain; if you point your DNS settings away from the server, your network is going to fall over.

If you are trying to secure your server I would recommend a product such as ISA.

just my thoughts...

I agree with Jay Jay.  This would definitely not be a best practice and actually would cause a lot more problems than you'd want.  The best practices are to harden your server as much as possible, use split-brain DNS and slave the internal DNS server to a couple of the ISP's DNS servers (or your own outside DNS), which sounds like your current setup.  Now, what is prompting this question?  If your server is overutilized, you may want to run perfmon and find out what exactly is the bottleneck and add the appropriate hardware to it.

bigleon (Author) commented:
Thanks for your replies.
The server is actually a new installation and is undergoing testing; it will probably not be overutilized (small company). The issue was raised because our management is uneasy about the idea of having the file server doing DNS duties and also wants to tighten security.
If I understand correctly, you're saying the current configuration is really the best practical way to proceed.

If I don't hear any alternative suggestions soon, I will be splitting the points between the two of you, thanks for your time.

Your internal primary DNS server will hold the SOA and SRV (service) records for your domain. These support your clients logging into the domain, LDAP searches against the Global Catalog server, etc.
If you don't use this server with your client systems and opt to point them towards an external server, they will not be able to log into the network and utilise domain resources. You might wish to configure a secondary server hosting a secondary read-only zone? That way it can service your client PCs, and free up the main server.
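
As an added illustration of the SRV lookup described in the answer above (not part of the original thread): this Python sketch builds the `_ldap._tcp.dc._msdcs.<domain>` query a client uses to find a domain controller and parses two constructed replies, one as the internal server would answer and one NXDOMAIN as a resolver with no data for the zone would. The domain `corp.example`, the host `server1` and all reply bytes are assumptions constructed for the example.

```python
import struct

def encode_name(name):  # dotted name -> length-prefixed DNS labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"

def build_srv_query(domain, txid=0x1234):  # the DC locator lookup: SRV (type 33), class IN
    qname = encode_name("_ldap._tcp.dc._msdcs." + domain)
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", 33, 1)

def read_name(msg, pos):  # decode a name, following compression pointers -> (name, next offset)
    labels, end, hops = [], None, 0
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            end = pos + 2 if end is None else end
            pos = ((msg[pos] & 0x3F) << 8) | msg[pos + 1]
        else:
            labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
            pos += 1 + msg[pos]
    return ".".join(labels), (pos + 1 if end is None else end)

def parse_srv_response(msg):  # -> (rcode, [(priority, weight, port, target), ...])
    _, flags, qd, an, _, _ = struct.unpack(">6H", msg[:12])
    pos, records = 12, []
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = read_name(msg, pos)[1] + 10  # owner name, then TYPE/CLASS/TTL/RDLENGTH
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos - 10:pos])
        if rtype == 33:
            prio, weight, port = struct.unpack(">3H", msg[pos:pos + 6])
            records.append((prio, weight, port, read_name(msg, pos + 6)[0]))
        pos += rdlen
    return flags & 0x000F, records

def constructed_reply(query, rcode, srv=None):  # constructed sample data, not captured traffic
    body = query[12:]
    if srv:
        rdata = struct.pack(">3H", *srv[:3]) + encode_name(srv[3])
        body += b"\xc0\x0c" + struct.pack(">HHIH", 33, 1, 600, len(rdata)) + rdata
    return query[:2] + struct.pack(">5H", 0x8180 | rcode, 1, 1 if srv else 0, 0, 0) + body

def can_locate_dc(msg):  # a client needs rcode 0 and an LDAP (389) SRV target to find a DC
    rcode, records = parse_srv_response(msg)
    return rcode == 0 and any(port == 389 for _, _, port, _ in records)

QUERY = build_srv_query("corp.example")  # hypothetical AD domain name
INTERNAL = constructed_reply(QUERY, 0, (0, 100, 389, "server1.corp.example"))
ISP = constructed_reply(QUERY, 3)  # rcode 3 = NXDOMAIN
```
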
You could use a separate DNS appliance then.  Like the BlueCat Networks Adonis 1000:

This appliance supports SRV records and AD.  However, I am not sure it would benefit your situation enough to warrant the expense...  Nevertheless, it looks cool!
Thanks mate,

As far as security goes, DNS doesn't exactly provide a "hole" if you know what I mean... all it does is provide name resolution.

tell them that, should settle their minds a bit :)
