Solved

I need supporting documents why DNS is needed on this scenario

Posted on 2006-04-28
Last Modified: 2010-04-18
Hello Experts,

Here is my situation:

950 users, about 50 of them Macs (9.x and 10.x). Two Windows 2003 DCs (one a GC). 6 Windows 2003 member servers, serving as SQL 2000, Exchange 2003 Enterprise Edition and file servers.

We are a private school. We're issued public static IPs. I know for a fact that we have external DNS (I am pretty sure they're Unix boxes) because each time we add a new workstation, we have to call these guys above our local IT dept and provide the NIC MAC address, and they in turn provide us a new static IP. All of our XP workstations' preferred and alternate DNS settings on TCP/IP are pointing to these external DNS IPs.

What are we missing here? Are we then wasting a lot of bandwidth for name resolution, since all these over 900 devices including servers resolve their names through these external DNS servers? Would it not be better if, say, one DC or another were configured as a local DNS server, with the Forwarders tab pointing to these external DNS servers? All the workstations should then be pointing to this local DNS and not to these external DNS servers.

I've been recommending a local DNS be configured in our environment but I keep getting a NO answer.

I appreciate any supporting information as to why I need a local DNS or why I don't need one.
0
Question by:jethro2731
18 Comments
 
LVL 6

Expert Comment

by:Nzarth
ID: 16567914
I would configure the DNS as you suggested. It seems to be an awful waste of bandwidth for each machine to use the external DNS servers instead of an internal one, and it would also be slower at resolving.

I would have a local DNS server with forwarding to the external DNS servers. It would be quicker, and you would also have more control with the internal DNS server and therefore become more efficient.

;)
0
 

Author Comment

by:jethro2731
ID: 16568586
I appreciate your comments but do you have any supporting documents from either Microsoft or DNS Engineers that I can use to convince these guys?

I've been requesting this local DNS installation since our NOS was still Windows 2000, but I keep getting the NO answer.

0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 16568988
What you are seeing are the classic symptoms of UNIX network administrators with their blinkered view that Windows is not suitable to run any real networking protocols, like DNS. If they have the clout then you are probably fighting a losing battle, because I am not aware of any documentation from Microsoft that states you MUST have their DNS servers running.

Active Directory makes very heavy use of DNS. With the number of machines that you have, the bandwidth use must be considerable. That would probably be the most compelling argument.
If you were using DHCP instead of static IP addresses then you would have more of an argument. The UNIX people who are making the manual DNS entries probably feel that they have done enough.

If you challenge the UNIX administrators with anything from Microsoft, then they will turn round with anything from this first page of Google search: http://www.google.co.uk/search?hl=en&q=active+directory+unix+dns&meta=
Every article is about how BIND or a similar DNS system can be used for Active Directory.

Afraid to say that bandwidth/performance is probably the only argument you will be able to use, and if they are prepared to pay for the bandwidth you are probably fighting a losing battle.

Simon.
0
 

Author Comment

by:jethro2731
ID: 16569564
Thanks, Simon. I understand that bandwidth/performance is one of my arguments; however, since we upgraded from Windows 2K OS to Windows 2K3 and introduced Blade Servers, I started having all kinds of network related issues. One of which is RPC Error Mappings. Since yesterday users keep getting locked out.

The way they designed the network makes it very tedious to tweak all XP workstations' TCP/IP settings, since we use static IPs for all the over 900 workstations.

I have all the event ID errors regarding these issues, but these guys challenge me to send them the netlogon.dns files.

They claimed that out of 39 units we are the only ones complaining about their setup. I found that this school is using 5 Unix Name Servers. We are using T1 to T3 links.

What a waste of money for bandwidth and other resources!
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16569602
Static IP addresses on a 900 user network have been designed purely to ensure that they keep their jobs. The admin overhead that would require is massive - I wouldn't dream of attempting to maintain that - DHCP all the way. Unfortunately if you deploy DHCP then you will need to have a Windows 200x DNS system, or BIND with the relevant updates.

As for the lack of complaints, if people don't know any better, or know that they are going up against a brick wall, then people will stop complaining.

Don't know what they are asking for with "netlogon.dns" files. You could send them the event logs as the IDs on their own are close to useless. Most of them are probably timeout based errors.

Simon.
0
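Added example, not from any poster in this thread: the netlogon.dns file the WAN admins asked for is written by the Netlogon service on every domain controller (at %SystemRoot%\System32\config\netlogon.dns) and lists the SRV and A records the DC would otherwise register by dynamic update. Microsoft documents it as the way to hand those records to a DNS team whose server does not accept dynamic updates, which is exactly the BIND situation described here. The Python script below parses a constructed sample in that format, checks that the DC-locator SRV records a domain member needs are present, and groups the records by the `_msdcs`, `_sites`, `_tcp` and `_udp` subdomains that Microsoft's AD DNS guidance describes as delegatable to a Windows DNS server while the parent zone stays on the Unix servers. The domain `school.example`, host `dc1` and addresses are hypothetical.

```python
"""Parse a netlogon.dns file and summarise what a non-Windows DNS server must host.

Added example; the sample data is constructed and the names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample in the format the Netlogon service writes to
# %SystemRoot%\System32\config\netlogon.dns on a domain controller.
SAMPLE_NETLOGON_DNS = """\
school.example. 600 IN A 192.0.2.10
_ldap._tcp.school.example. 600 IN SRV 0 100 389 dc1.school.example.
_ldap._tcp.Default-First-Site-Name._sites.school.example. 600 IN SRV 0 100 389 dc1.school.example.
_ldap._tcp.pdc._msdcs.school.example. 600 IN SRV 0 100 389 dc1.school.example.
_ldap._tcp.dc._msdcs.school.example. 600 IN SRV 0 100 389 dc1.school.example.
_kerberos._tcp.school.example. 600 IN SRV 0 100 88 dc1.school.example.
_kerberos._udp.school.example. 600 IN SRV 0 100 88 dc1.school.example.
_gc._tcp.school.example. 600 IN SRV 0 100 3268 dc1.school.example.
_ldap._tcp.gc._msdcs.school.example. 600 IN SRV 0 100 3268 dc1.school.example.
gc._msdcs.school.example. 600 IN A 192.0.2.10
1d4e6a8c-0000-4000-8000-000000000001._msdcs.school.example. 600 IN CNAME dc1.school.example.
"""

# name TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
# name TTL IN <type> <rdata>   (A, CNAME, ...)
GENERIC_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S.*)$"
)

# SRV names (relative to the AD domain) a member machine needs to locate a DC,
# authenticate with Kerberos and find a global catalog.
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs", "_ldap._tcp", "_kerberos._tcp", "_gc._tcp")

# Subdomains that can be delegated to a Windows DNS server when the parent
# zone lives on a server without dynamic update (e.g. a BIND zone).
DELEGATABLE = ("_msdcs", "_sites", "_tcp", "_udp")


def _norm(name):
    """Strip the trailing dot and lower-case, so names compare reliably."""
    return name.rstrip(".").lower()


def parse_netlogon_dns(text):
    """Return a list of record dicts; raise on a line that is not in the expected format."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append({
                "name": _norm(m["name"]), "type": "SRV", "ttl": int(m["ttl"]),
                "priority": int(m["priority"]), "weight": int(m["weight"]),
                "port": int(m["port"]), "target": _norm(m["target"]),
            })
            continue
        m = GENERIC_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised record: {raw!r}")
        records.append({"name": _norm(m["name"]), "type": m["rtype"],
                        "ttl": int(m["ttl"]), "rdata": m["rdata"].strip()})
    return records


def missing_locator_records(records, domain):
    """Names of the essential DC-locator SRV records absent from the parsed file."""
    domain = _norm(domain)
    present = {r["name"] for r in records if r["type"] == "SRV"}
    return [f"{rel}.{domain}" for rel in REQUIRED_SRV if f"{rel}.{domain}" not in present]


def group_by_subzone(records, domain):
    """Group records by the delegatable subdomain they fall under ('parent' otherwise)."""
    domain = _norm(domain)
    suffix = "." + domain
    groups = defaultdict(list)
    for r in records:
        name = r["name"]
        if name == domain:
            groups["parent"].append(r)
            continue
        if not name.endswith(suffix):
            groups["other"].append(r)  # not in this domain at all
            continue
        # The label directly under the domain decides the subzone, e.g.
        # "_ldap._tcp.dc._msdcs" -> "_msdcs", "_kerberos._udp" -> "_udp".
        last_label = name[: -len(suffix)].rsplit(".", 1)[-1]
        groups[last_label if last_label in DELEGATABLE else "parent"].append(r)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    print(f"{len(recs)} records parsed")
    for zone, rs in sorted(group_by_subzone(recs, "school.example").items()):
        print(f"  {zone:8s} {len(rs)} record(s)")
    print("missing locator records:", missing_locator_records(recs, "school.example") or "none")
```

Run against a real netlogon.dns, the grouped output is a useful basis for the meeting with the WAN admins: the `parent` group is the handful of records that must live in the Unix-hosted zone, and everything else could be served from a delegated subzone on the DCs without the Unix team giving up the zone.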
 
LVL 5

Expert Comment

by:mickinoz2005
ID: 16569680
My god, that is the most ridiculous setup I have heard of. Absolutely, Sembee, those lads are just clutching at straws to keep their jobs. Surely if your workstations are pointing outside for DNS you must be having massive problems with Active Directory; I don't even know how you are logging onto your servers. Active Directory is built around DNS and requires it to be working seamlessly in order for AD to function properly.

You should have one or two DNS servers internally to manage all your internal requests, and then they just forward anything unknown; they will then cache those requests and never need to check again, well, until the cache is wiped or a reboot.

Again, a major reason I would believe not to use this Windows 95 approach is simply that Active Directory is nothing without DNS.

I am in shock I must admit. The admin hours to manage this must be massive.

Michael



0
 
LVL 5

Expert Comment

by:mickinoz2005
ID: 16569683
Are the IP addresses you get in a private range or a public range? Do you have a firewall between you and the web?

Michael
0
 

Author Comment

by:jethro2731
ID: 16569754
Tell me about it! We only have two techs, me being the senior, plus admin of these workstations plus now the blade servers, for a total of 12 Windows 2003 Servers (2 + 1 DCs).

All our assigned static IPs are public. We have a Nokia firewall, but only a few servers are behind the firewall. All these over 900 workstations are outside the firewall.

0
 
LVL 5

Expert Comment

by:mickinoz2005
ID: 16572398
Aside from your own network as you describe it, are you connected to a larger network? I find it hard to believe that any ISP would supply that many public IPs to any company. Plus I just could not see why you would set up a network using that config, whether it be a Unix network or a Windows network.

Michael
0
 
LVL 5

Expert Comment

by:mickinoz2005
ID: 16572401
Do you not have lots of problems with your AD, lots of errors in the Event Viewers of the PCs?

Michael
0
 

Author Comment

by:jethro2731
ID: 16573008
This was designed this way since the beginning. I was a full time employee here in the early 90s and then left and came back just a few months ago.

Our LAN, which consists of the devices I mentioned at the beginning of this request, along with about 30 LANs spread within about a 20 mile radius, are all connected to these 5 Name Servers (Unix boxes) as our main gateways to the Internet. The link between these Name Servers is T1/T3. We are not allowed to install/configure local DNS.

As I mentioned, all our XP workstations and servers have public static IPs assigned by what I call the Empire, run by Darth Vader. The Network Admin before me tried installing DNS, but it ended up being removed by these guys.

Our LAN is growing. I just configured a Blade Server (6 servers in an 8U rackmount) to migrate the old Windows 2000 Server. With this Blade, and 2 SQL, 1 Exchange, 1 Webserver all on Windows 2003 OSes and about 800 XP Pros and about 100 Macs, performance, bandwidth and all kinds of network connectivity problems are our daily challenges.

We have a Nokia Firewall and only the Blade Server is behind the firewall. The two DCs, Exchange 2003 and all the workstations are all outside the firewall.

Here is my proposal to the empire (please comment or assist in any way you can):

1. Configure local DNS on the two existing DCs and put them behind the firewall
2. We have 950 mailboxes; configure one of the servers in the Blade as a backend Exchange Server and the existing Exchange as a Front End and put it in the DMZ.
3. Configure one of the servers in the Blade or a DC as DHCP and remove all the over 1K assigned static IPs in this DHCP.
4. Keep the existing webserver in the DMZ
5. All file servers and SQL and workstations must be behind the firewall.

What do you think?

0
 
LVL 104

Expert Comment

by:Sembee
ID: 16573171
You were doing well until you said about putting an Exchange server in the DMZ. One of my pet hates; no one has ever given me a good reason why it is a good idea. See my blog here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

For DNS, just use forwarders on the domain controllers and point them to the Unix boxes. That should keep the WAN administrators happy.

Except that it isn't their machines doing the DNS.

mickinoz2005 - this is an educational network, which means that different rules apply. Plus up until the dotcom boom of the late nineties, it was very easy to get an entire class C subnet allocated to you. You didn't have to jump through the hoops that you do now to get them. If you have the subnet then most organisations will hang on to them.

Simon.
0
 

Author Comment

by:jethro2731
ID: 16573302
Simon, the Exchange 2003 is already in the DMZ now. I don't know why they designed it like this. I just want to protect it, so I am planning to propose a backend Exchange Server.

Again the two DCs are also in the DMZ and so with the webserver.

To summarize this:

Current setup and servers in the DMZ:

1. Exchange 2003
2. Two DCs
3. Webserver
4. All workstations

I wish it were going to be that easy convincing those WAN Admins about my plan for the local DNS.
0
 

Author Comment

by:jethro2731
ID: 16573648
Hi Simon,

Any clue about this new issue:

I just completed migrating the SQL 2000 Server installed on Windows 2000 to the Blade Server. The Blade Server and the SQL 2000 are both behind the firewall. Now that SQL is migrated to the Blade (Windows 2003), it is not accessible by our users. Now, here is the skinny of the matter: if I make the SQL server a DC, it is accessible, but if it is a member server it is NOT!

Remember our environment: the two DCs are outside the firewall.

I have been working for 16 hours straight now doing the migration of over 120 databases, about 18GB of DBs. The DB migration was successful, but it is not accessible.

Is this a DNS or a Blade issue?

I tried making the SQL server inside the blade a DC and it worked, but we don't like it as a DC; we want it just like the old box, as a member server.

Thanks a lot,


0
 
LVL 104

Expert Comment

by:Sembee
ID: 16577185
Oh dear.

This network looks like it is in an awful mess.
Someone has been taken in by the FUD that the DMZ is the best place for everything that faces the internet (it is not), but has discovered that Exchange doesn't work when there is a firewall between the servers and the domain controllers.

With the brick wall of the Unix administrators, I think you are just going to spend all your time banging your head against a brick wall.

If it was me, I would be brushing up my CV and talking to recruiters.

Considering what you have outlined as the network topology in the previous posting, I wouldn't even begin to try and diagnose where the problem is. The list is just too long.
Network development in that environment is going to be close to impossible unless you continue with the flawed strategy that has already been started, with all servers in the DMZ.

Do you know any network penetration consultants? Perhaps get them in to write a report stating that the network is wide open to attacks. Considering that you are an educational establishment, that would be unacceptable.

Simon.
0
 

Author Comment

by:jethro2731
ID: 16578495
Simon,

Exchange Server 2003, the Webserver and the two Windows 2003 DCs are all outside the firewall. The file servers and SQL Servers are behind the firewall.

My problem right now is accessing the SQL.

The school is very slow making decisions about any consultant. Our firewall is two years behind in terms of updates, firmware, etc.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16580132
They need to learn that being two years behind in IT is like being 10 years behind in everything else.
While you have the servers separated by the firewall you will have any number of problems. All the time the firewalls are in the way diagnosing any problems will be next to impossible.

Simon.
0
 

Author Comment

by:jethro2731
ID: 16581345
Simon,

Thanks for all your input. I just completed a meeting with our local IT staff and the IT Director. For now, the IT Director's suggestion is to put the Blade Server outside the firewall as well, to get rid of the AD replication problems between those two DCs I mentioned that are outside the firewall. Instead of updating the existing firewall or replacing it, the decision is to put those servers all outside the firewall!!! I was asked to meet with those Unix Admin guys and support my claims as to why we need a local DNS instead of theirs!

BTW,

The link between us and these Unix guys is OC3.  What a waste of money isn't it?

Another thing that does not make perfect sense to me is that if I put the Blade server outside the firewall, all replication and file sharing issues are gone! If I put the Blade behind the firewall, file shares are not available to our users UNLESS I manually put a hosts file on the workstations and Blade server. Remember, one of the servers inside the Blade is also a DC (Windows 2003).

The Windows 2000 file servers, which are also behind the firewall, don't have file sharing problems. Users can access resources on these Windows 2000 servers. These servers are old, so we're migrating them to the Blade.

Inside the Blade Server are 6 Windows 2003 servers. If you make one of these a DC and share the files, users will be able to access them. File shares on a Windows 2003 member server inside the Blade are not accessible. So by process of elimination, you will start thinking it's a firewall problem. I called Nokia and Checkpoint, but they won't talk to me until I renew my subscription and update the firmware.

Here's the main skinny then: if I migrate all our SQL and file servers to this Blade, to make the file shares accessible I have to make them all domain controllers (I experimented with one of them this weekend), but if users change their password, file shares are not available and users who changed their password keep getting locked out of their account. We have to reset their password back to the old password to access their share.

So, the bottom line: 2000 servers are accessible behind the firewall but not 2003! This is where I thought I needed a local DNS installed on the 2003 servers.

The Blade Servers have two fiber links with MAC addresses and therefore two static IPs. Inside them are six Windows 2003 servers, each with its own NIC. They're all accessible to our users as long as they're all DCs; if you make them member servers, no access to their shares!

As of this hour, all are happy; they can access their shares because the Blade Server is outside the firewall. So, is it the Blade? Or is it the firewall?

Obviously, the firewall's last update was 2001. Then, is one of the differences between 2000 server and 2003 their security? DNS? Again, 2000 servers behind this firewall are accessible. 2003 Servers are accessible as long as they are DCs.

Thanks for joining me on this experience.  Lots of things to learn.  
0