Solved

How to configure win 2k3 DNS so it won't try to register it to internet dns roots?

Posted on 2007-03-22
8
246 Views
Last Modified: 2010-04-18
Hi

I have a win2k3 r2 server and it has dns and ad configured to it. I'm also going to configure exchange on it later. Now I need to know how I can stop the server from trying to register itself to Internet dns root servers? I'm using .fi instead of .local because I want the users to use the same login for email and domain. This is the only server in the domain. Only the mydomain.fi MX records should point to this server.

Servers DNS configuration:
The servers dns configuration points to itself as the primary dns server. Secondary dns is a public one. The has one forward lookup zone that is mydomain.fi. I don't use forwarders. Should I use them and remove all the root servers from the config?


This is what the server tries to do:

The dynamic registration of the DNS record '_ldap._tcp.1e0caf58-17a3-4a92-8e63-6e5648b23c41.domains._msdcs.mydomain.fi. 600 IN SRV 0 100 389 CTSRV.mydomain.fi.' failed on the following DNS server:

DNS server IP address: 212.86.0.9
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Comment
Question by:juzamx3
8 Comments
 
LVL 21

Expert Comment

by:dan_blagut
Comment Utility
Hi
Better leave the server to regester in its own DNS. You need this because of AD. Then you need to host the yourdomain.fi record at the ISP. And there you will add also the MX reccord. In that scenario form internet they see what your ISP show... meaning 3 or 4 reccord, and your client in the network will see full DNS reccord including the AD reccord. Be carefoull because if you lost the DNS you lost AD also.

Dan
0
 

Author Comment

by:juzamx3
Comment Utility
But I don't wan't to register mydomain.fi to any ISP because www.mydomain.fi website is on a different server and I'm not hosting that server. All I need is the MX records to point to this server is this possible?

Doesn't Exchange need that I have forwarding zone mydomain.fi and that my AD domain is mydomain.fi? Or could I just rename my domain to mydomain.local and still point the MX of mydomain.fi to this server? This way the server wouldn't try to register it to ISP. I'm just learning Exchange :(
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 250 total points
Comment Utility
OK then
On the IP config for the server put for DNS address local IP (meaning the server it self). With that your AD domain will be OK.
Configure the DNS server to use Forwarders and there put the DNS address from your ISP. That will allow to browse Internet. Add manually on the DNS zone a reccord for www with the IP from your hosted server.
When you will install Exchange send a request to append a MX record to your domain with your external IP and allow trafic to port 25.
The better option is to use yourdomain.local for intern and yourdomain.fi for extern, but can be done with only one domain. The ideea is to keep your DNS invisible from internet.
How is configurated your network now (routers, servers)?

Dan
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:juzamx3
Comment Utility
The situation is that this server is on a server hotell and the clients are on the customer site. Clients will use the server as mail server and they will also use erp on the server where they need windows authentication from the domain. Clients connect via VPN. The cu doesn't have any other server so can't use internal and external dns .

The server is behind firewall.

"Add manually on the DNS zone a reccord for www with the IP from your hosted server." hmm... why should I do this? Should I point every DNS record of mydomain.fi to this server on the serverhotel and then it would be responsible for the whole zone? This zone is now hosted by ISP and the cu would like to keep it this way. So is it possible to use the server mydomain.fi just as a mail server?
0
 
LVL 21

Expert Comment

by:dan_blagut
Comment Utility
ok
you need a dns for your domain that must be on that server or other windows 2k server and must be keept private. you also need a dns zone with a www record and a mx record visible from internet. that allow users and servers to see your internet site and send you e-mails. in a standard network the internal zone is internal.local and the external is external.com. this two zones can be hosted on same server or on a diferent server, but the internal.local must remain private only for your clients computers. the external.com can be hosted anywhere.
in your case you have 2 zone (which have same name, but this is not a problem) one for local use that is hosted on  your server and a zone on ISP server. that is your external zone.
your clients computer will  use your server as dns server (that is a must for loging on the domain) so they don't have any ideea that you have 2 zones with same name, for that you need www record.
also your server must point to him self for dns. the name resolution for internet will be provided by your server by forwarder so your clients and the server will be able to browse the internet.
A last question: your clients computers made a vpn connection to server; do you use dns name or IP address for vpn server?

Dan
0
 
LVL 12

Assisted Solution

by:Donnie4572
Donnie4572 earned 250 total points
Comment Utility
For the TCP/IP properties add only the inside active directory dns server. If you have two of them then you may add a second one.

It is bad idea for clients inside to go outside to resolve dns request.

Understand the difference between dns client and dns server. A dns client that is a member of active directory should never go outside for dns. A dns server can go outside but only in the way of forwarder.

On the dns server you may add a forwarder or you may allow the dns server to resolve the request directly from the root servers. It is better to add the inside ip address of your firewall as a forwarder and let the firewall proxy the the dns request it depends if your firewall supports dns proxy.

Also, you may add the ISP dns server as a forwarder but I don't like this one as your internet connection has additional point of failure because if your ISP dns is down your internet goes down.
0
 
LVL 1

Expert Comment

by:Computer101
Comment Utility
Forced accept.

Computer101
EE Admin
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Learn about cloud computing and its benefits for small business owners.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now