Solved

How to configure win 2k3 DNS so it won't try to register it to internet dns roots?

Posted on 2007-03-22
8
250 Views
Last Modified: 2010-04-18
Hi

I have a win2k3 r2 server and it has dns and ad configured to it. I'm also going to configure exchange on it later. Now I need to know how I can stop the server from trying to register itself to Internet dns root servers? I'm using .fi instead of .local because I want the users to use the same login for email and domain. This is the only server in the domain. Only the mydomain.fi MX records should point to this server.

Servers DNS configuration:
The servers dns configuration points to itself as the primary dns server. Secondary dns is a public one. The has one forward lookup zone that is mydomain.fi. I don't use forwarders. Should I use them and remove all the root servers from the config?


This is what the server tries to do:

The dynamic registration of the DNS record '_ldap._tcp.1e0caf58-17a3-4a92-8e63-6e5648b23c41.domains._msdcs.mydomain.fi. 600 IN SRV 0 100 389 CTSRV.mydomain.fi.' failed on the following DNS server:

DNS server IP address: 212.86.0.9
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Comment
Question by:juzamx3
8 Comments
 
LVL 21

Expert Comment

by:dan_blagut
ID: 18772988
Hi
Better leave the server to regester in its own DNS. You need this because of AD. Then you need to host the yourdomain.fi record at the ISP. And there you will add also the MX reccord. In that scenario form internet they see what your ISP show... meaning 3 or 4 reccord, and your client in the network will see full DNS reccord including the AD reccord. Be carefoull because if you lost the DNS you lost AD also.

Dan
0
 

Author Comment

by:juzamx3
ID: 18773229
But I don't wan't to register mydomain.fi to any ISP because www.mydomain.fi website is on a different server and I'm not hosting that server. All I need is the MX records to point to this server is this possible?

Doesn't Exchange need that I have forwarding zone mydomain.fi and that my AD domain is mydomain.fi? Or could I just rename my domain to mydomain.local and still point the MX of mydomain.fi to this server? This way the server wouldn't try to register it to ISP. I'm just learning Exchange :(
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 250 total points
ID: 18773362
OK then
On the IP config for the server put for DNS address local IP (meaning the server it self). With that your AD domain will be OK.
Configure the DNS server to use Forwarders and there put the DNS address from your ISP. That will allow to browse Internet. Add manually on the DNS zone a reccord for www with the IP from your hosted server.
When you will install Exchange send a request to append a MX record to your domain with your external IP and allow trafic to port 25.
The better option is to use yourdomain.local for intern and yourdomain.fi for extern, but can be done with only one domain. The ideea is to keep your DNS invisible from internet.
How is configurated your network now (routers, servers)?

Dan
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:juzamx3
ID: 18774195
The situation is that this server is on a server hotell and the clients are on the customer site. Clients will use the server as mail server and they will also use erp on the server where they need windows authentication from the domain. Clients connect via VPN. The cu doesn't have any other server so can't use internal and external dns .

The server is behind firewall.

"Add manually on the DNS zone a reccord for www with the IP from your hosted server." hmm... why should I do this? Should I point every DNS record of mydomain.fi to this server on the serverhotel and then it would be responsible for the whole zone? This zone is now hosted by ISP and the cu would like to keep it this way. So is it possible to use the server mydomain.fi just as a mail server?
0
 
LVL 21

Expert Comment

by:dan_blagut
ID: 18774621
ok
you need a dns for your domain that must be on that server or other windows 2k server and must be keept private. you also need a dns zone with a www record and a mx record visible from internet. that allow users and servers to see your internet site and send you e-mails. in a standard network the internal zone is internal.local and the external is external.com. this two zones can be hosted on same server or on a diferent server, but the internal.local must remain private only for your clients computers. the external.com can be hosted anywhere.
in your case you have 2 zone (which have same name, but this is not a problem) one for local use that is hosted on  your server and a zone on ISP server. that is your external zone.
your clients computer will  use your server as dns server (that is a must for loging on the domain) so they don't have any ideea that you have 2 zones with same name, for that you need www record.
also your server must point to him self for dns. the name resolution for internet will be provided by your server by forwarder so your clients and the server will be able to browse the internet.
A last question: your clients computers made a vpn connection to server; do you use dns name or IP address for vpn server?

Dan
0
 
LVL 12

Assisted Solution

by:Donnie4572
Donnie4572 earned 250 total points
ID: 18775477
For the TCP/IP properties add only the inside active directory dns server. If you have two of them then you may add a second one.

It is bad idea for clients inside to go outside to resolve dns request.

Understand the difference between dns client and dns server. A dns client that is a member of active directory should never go outside for dns. A dns server can go outside but only in the way of forwarder.

On the dns server you may add a forwarder or you may allow the dns server to resolve the request directly from the root servers. It is better to add the inside ip address of your firewall as a forwarder and let the firewall proxy the the dns request it depends if your firewall supports dns proxy.

Also, you may add the ISP dns server as a forwarder but I don't like this one as your internet connection has additional point of failure because if your ISP dns is down your internet goes down.
0
 
LVL 1

Expert Comment

by:Computer101
ID: 20324338
Forced accept.

Computer101
EE Admin
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question