
Configure client to connect to 2000 server without pointing to it as dns server

Current setup: We have a Windows 2000 server which is functioning ok.  Logging in is fast.  XP Pro clients point to the server as their one and only DNS server.  The server forwards any addresses it can't resolve.  We want XP Pro clients to be able to access the internet only for web browsing but the server to be isolated as much as possible from the internet for security reasons.

However I've been requested to configure the XP Pro clients to NOT point to the server as their primary DNS server, the logic being that this frees the server from forwarding DNS requests and might improve security and performance.  I have read that pointing clients to the 2000 server as their DNS server is the preferred setup.

Q: How would it be possible to have the clients use the ISP DNS servers instead and still login to the domain quickly?
2 Solutions
Hi bigleon,

Basically I wouldn't attempt this. DNS provides all your name resolution throughout your domain; if you point your DNS settings away from the server, your network is going to fall over.

If you are trying to secure your server I would recommend a product such as ISA.

just my thoughts...

I agree with Jay Jay.  This would definitely not be a best practice and actually would cause a lot more problems than you'd want.  The best practices are to harden your server as much as possible, use split-brain DNS and slave the internal DNS server to a couple of the ISP's DNS servers (or your own outside DNS), which sounds like your current setup.  Now, what is prompting this question?  If your server is overutilized, you may want to run perfmon and find out what exactly is the bottleneck and add the appropriate hardware to it.
bigleon (Author) commented:
Thanks for your replies.
The server is actually a new installation and is undergoing testing; it will probably not be overutilized (small company). The issue was raised because our management is uneasy about the idea of having the file server doing DNS duties and also wants to tighten security.
If I understand correctly, you're saying the current configuration is really the best practical way to proceed.

If I don't hear any alternative suggestions soon, I will be splitting the points between the two of you, thanks for your time.

Your internal primary DNS server will hold the SOA and SRV (service) records for your domain. These support your clients logging into the domain, LDAP searches against the Global Catalog server, etc.
If you don't use this server with your client systems and opt to point them towards an external server, they will not be able to log into the network and utilise domain resources. You might wish to configure a secondary server hosting a secondary read-only zone? That way it can service your client PCs and free up the main server.
You could use a separate DNS appliance then.  Like the BlueCat Networks Adonis 1000:

This appliance supports SRV records and AD.  However, I am not sure it would benefit your situation enough to warrant the expense...  Nevertheless, it looks cool!
Thanks mate,

As far as security goes, DNS doesn't exactly provide a "hole", if you know what I mean... all it does is provide name resolution.

Tell them that; it should settle their minds a bit :)
