Configure clients to connect to a 2000 server without pointing to it as their DNS server

Posted on 2006-03-31
Last Modified: 2010-04-11
Current setup: We have a Windows 2000 server which is functioning ok.  Logging in is fast.  XP Pro clients point to the server as their one and only DNS server.  The server forwards any addresses it can't resolve.  We want XP Pro clients to be able to access the internet only for web browsing but the server to be isolated as much as possible from the internet for security reasons.

However, I've been requested to configure the XP Pro clients to NOT point to the server as their primary DNS server, the logic being that this frees the server from forwarding DNS requests and might improve security and performance.  I have read that pointing clients to the 2000 server as their DNS server is the preferred setup.

Q: How would it be possible to have the clients use the ISP DNS servers instead and still log in to the domain quickly?

Question by: bigleon
    LVL 48

    Assisted Solution

    Hi bigleon,

    Basically I wouldn't attempt this. DNS provides all your name resolution throughout your domain; if you point your DNS settings away from the server, your network is going to fall over.

    If you are trying to secure your server I would recommend a product such as ISA.

    Just my thoughts...

    LVL 10

    Accepted Solution

    I agree with Jay Jay.  This would definitely not be a best practice and actually would cause a lot more problems than you'd want.  The best practices are to harden your server as much as possible, use split-brain DNS and slave the internal DNS server to a couple of the ISP's DNS servers (or your own outside DNS), which sounds like your current setup.  Now, what is prompting this question?  If your server is overutilized, you may want to run perfmon and find out what exactly is the bottleneck and add the appropriate hardware to it.

    Author Comment

    Thanks for your replies.
    The server is actually a new installation and is undergoing testing. It will probably not be overutilized (small company), and the issue was raised because our management is uneasy about the idea of having the file server doing DNS duties and also wants to tighten security.
    If I understand correctly, you're saying the current configuration is really the best practical way to proceed.

    If I don't hear any alternative suggestions soon, I will be splitting the points between the two of you, thanks for your time.
    LVL 2

    Expert Comment

    Your internal primary DNS server will hold the SOA and SRV (Service) records for your domain. These support your clients logging into the domain, LDAP searches against the Global Catalog server, etc.
    If you don't use this server with your client systems and opt to point them towards an external server, they will not be able to log into the network and utilise domain resources. You might wish to configure a secondary server hosting a secondary read-only zone? That way it can service your client PCs and free up the main server.
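The point above can be checked directly rather than taken on trust. The following is an added example, not code from the thread or from any of the products mentioned: it builds the exact DNS question a domain-joined client sends at logon (the SRV record `_ldap._tcp.dc._msdcs.<domain>`), parses the answer, and can be run against any resolver address to see whether it returns the domain controller or NXDOMAIN. Only the Python standard library is used; the domain `corp.example`, the host `dc1`, and the resolver address `192.0.2.10` are hypothetical, and the two sample packets are constructed inline rather than captured.

```python
"""Minimal SRV lookup for the Active Directory DC-locator record (added example)."""
import socket
import struct

SRV_TYPE = 33  # QTYPE for SRV records


def dc_locator_name(domain: str) -> str:
    """The name a client queries to find a domain controller for `domain`."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}"


def build_srv_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Encode a recursive (RD=1) DNS query for the SRV record of `name`."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", SRV_TYPE, 1)  # IN class


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_srv_response(data: bytes) -> dict:
    """Return the response code and every SRV target in the answer section."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    targets = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack(">HHH", data[offset:offset + 6])
            target, _ = _read_name(data, offset + 6)
            targets.append({"priority": prio, "weight": weight,
                            "port": port, "target": target})
        offset += rdlen
    return {"id": txn_id, "rcode": flags & 0x000F, "targets": targets}


def check_resolver(server_ip: str, domain: str, timeout: float = 3.0) -> dict:
    """Live check: ask `server_ip` over UDP/53 for the DC-locator record."""
    query = build_srv_query(dc_locator_name(domain))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)


# Constructed sample packets (hypothetical domain, not real captures).
SAMPLE_DOMAIN = "corp.example"
_QUESTION = build_srv_query(dc_locator_name(SAMPLE_DOMAIN))[12:]
_TARGET = b"\x03dc1\x04corp\x07example\x00"  # dc1.corp.example, uncompressed

# What the internal DNS server answers: one SRV record for the DC on LDAP/389.
SAMPLE_INTERNAL_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, rcode 0
    + _QUESTION
    + b"\xC0\x0C"                                        # pointer to the qname
    + struct.pack(">HHIH", SRV_TYPE, 1, 600, 6 + len(_TARGET))
    + struct.pack(">HHH", 0, 100, 389)                   # priority, weight, port
    + _TARGET
)

# What an ISP resolver answers for the same question: NXDOMAIN, no records.
SAMPLE_ISP_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("internal:", parse_srv_response(SAMPLE_INTERNAL_RESPONSE))
    print("isp:     ", parse_srv_response(SAMPLE_ISP_RESPONSE))
    # Live check against a hypothetical resolver address:
    # print(check_resolver("192.0.2.10", SAMPLE_DOMAIN))
```

Run as-is it decodes the two constructed packets; uncomment the last line with a real resolver address to compare the internal server (SRV record returned, rcode 0) with an external one (rcode 3, no targets), which is the difference between a client that can locate a domain controller and one that cannot.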
    LVL 10

    Expert Comment

    You could use a separate DNS appliance then.  Like the BlueCat Networks Adonis 1000:

    This appliance supports SRV records and AD.  However, I am not sure it would benefit your situation enough to warrant the expense...  Nevertheless, it looks cool!
    LVL 48

    Expert Comment

    Thanks mate,

    as far as security goes, DNS doesn't exactly provide a "hole", if you know what I mean... all it does is provide name resolution.

    Tell them that; it should settle their minds a bit :)
