Solved

DNS & DHCP Questions

Posted on 2009-04-01
16
622 Views
Last Modified: 2012-06-27
I will start out by saying that my knowledge of DNS is pretty limited but I understand the basics. Looking at our Windows Small Business Server 2003 system I see quite a few directories in our DNS and I was wondering if someone would take a look at the screenshot of our current DNS structure and see if it appears normal to them. See the attached screenshot. This is a small network of about 20 PCs and this is the only server which runs Active Directory, DNS and is mostly used for file & printer sharing. Since this is Small Business Server I have realized that everything with the setup is heavily based on wizards so maybe some of these things are just normal to SBS but I have been working with a Server 2008 Standard server and notice quite a few differences in the DNS structures for environments that are pretty similar. Maybe it is just the newer server OS though.

1.
Our domain is NEA.local and I am not sure what the "standard" directories are in DNS but I thought it was kind of strange that we had two Forward Lookup Zones; one for our actual domain "NEA.local" and then another named "_msdcs.NEA.local". What is this Forward Lookup Zone used for?

2.
Another thing I notice is all the entries for "Default-First-Site-Name"? Where did this name come from or what is it referring to and why is it such a generic name?

3.
Finally, the server is not running DHCP at this time; our RV042 router is handling that. About 6 months ago we changed all of our IP addressing on the network from 192.168.1.X to 192.168.5.x but looking around in the DNS I see that there is a Reverse Lookup Zone still in there for the 192.168.1.X subnet and not the 192.168.5.X subnet. What is the best way to correct this? Is it safe to just delete the 192.168.1.X subnet and run through the "New Zone" wizard to set up a new one for the 192.168.5.X subnet? We aren't really experiencing any issues traversing the network, but I do notice as an admin that I can hardly ping any of the workstations except 3 of them, and I can only connect to the admin shares (\\SYSTEM\C$) on those 3 as well. The rest, as far as pings go, don't exist on the network. Whether this has anything to do with DNS or DHCP I don't know, but I would tend to think so. Would it be more beneficial to configure the server to manage DHCP as well?

I apologize for the rather vague questions on the DNS directories, but I just haven't been able to find too much information through searching for what the purposes of all these directories are. They all seem to contain for the most part the same records. If anyone has any links they could share that explain the directories within DNS it would be greatly appreciated. Thanks in advance for any help.
neadns.png
Question by:J-Reese
16 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24040035
A forward lookup zone is used to find a machine's IP address from the name - it's done automatically, so when you want to contact SERVER1, a DNS lookup is used to find the IP address of SERVER1 so that you can communicate with it.

The _msdcs zone and everything under it is used by Active Directory - it mainly contains SRV records so that machines can find domain controllers and other such stuff.

It makes a lot of sense to use Windows DHCP - it integrates fully with DNS and provides all of the options, some of which are generally missing from router based DNS.


BTW - all clients (and servers - including your DC) should point at the Windows DNS server ONLY as their preferred DNS server.

0
 
LVL 8

Expert Comment

by:halejr1
ID: 24040170
KCTS --

another note about forward lookup zones -- think of it as "WHERE TO LOOK WHEN YOU DON'T KNOW"
if the system cannot resolve an address request, it will go to the forward lookup zone.

As for DHCP -- many admins today still feel the need to maintain granular management of everything. Some (not many) still resist DHCP and they statically control everything. DHCP is the most efficient way to manage your environment. With the exception of routers, servers and printers, and a few other enterprise hosts, DHCP simplifies the entire address management process by providing a centralized management console for all DHCP activities.
 
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 450 total points
ID: 24040252

1. It's a common way of setting up the zones. It must have been automatically configured which is fine. As KCTS says, the _msdcs zone contains the service records. They allow your network clients to find things, where AD is, where to change passwords, where to log on, etc, etc.

2. If you open up AD Sites and Services you'll see Default-First-Site-Name. Feel free to change it if you wish (right click, Rename).  But don't delete it, it only really comes into play when you have more than one site.

3. Yes, it's safe to delete the old zone for the old subnet.

The name resolution problems you're having suggest that you don't have many entries in your Forward Lookup Zone. If you select the zone and browse the Host (A) records, do you see any of your PCs?

Chris
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24046215
@ KCTS & halejr
Thanks for the info. And after some more reading I think I will probably be moving DHCP over to the server. As far as the DHCP configuration for network printers & scanners, what is the proper way to set them up? Should I set up reservations for them, or do I just leave them at the static addresses that they are at now, outside of the pool?

@ Chris-Dent
In regards to the Host (A) records; each client has a record in the NEA.local FLZ and all of the IP addresses match what is in the current DHCP table in the router. This is why I thought it was a little strange.
0
 
LVL 8

Assisted Solution

by:halejr1
halejr1 earned 50 total points
ID: 24046430
I recommend that you put a strategy in place, i.e. on paper say something like this:

Routers and switches: .1 through .10 and .254
Servers: .20 through .39
Printers: .40 through .69
Workstations: .100 through .250
Open for future:
.11 through .19
.70 through .99
.251 through .253

This example is for smaller networks with class C subnets and fewer servers. In a large enterprise you would likely have a subnet or multiple subnets dedicated to servers and resource hosts. So in this example, all I need to do is set my DHCP scope for .100 through .250, giving me 150 hosts, and I've isolated a segment for printers, etc. Why this strategy and not just open it up for random chaos? Well, from a management perspective, I have a good handle on what my space allocation is, and if I am growing beyond that allocation, it's time for me to open up additional subnets, etc. with the same standard address allocation. Therefore when I see a host that is x.y.z.107 I know it's a workstation, and x.y.z.44 I know it's a printer -- you get the idea. I call this managing with a PLAN.

Good Luck and feedback or criticism is always welcome and most times appreciated.

Thanks.
0
 
LVL 8

Expert Comment

by:halejr1
ID: 24046447
One last thing, the open blocks for future -- there is not a logical reason, other than space for those things not accounted for -- or technology that has evolved and maybe needs special attention. You never know... the minute you make a plan that seems bulletproof, something changes.... but this does not mean that planning is a waste of time. Manage for progress, manage for success, manage for simplicity as best you can. OK, so I am long winded, but you get the picture.
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24048870
@halejr1
I do already have a plan in place that I am using with our current setup on the router. Granted, this is only a network of 20 clients, 1 server, 6 printers and 1 copier/scanner, but I figured this out rather quickly after I came on board here and made up a plan when I changed our whole IP addressing scheme over, because when I walked into the network there were printers all over the network mixed in with the DHCP pool and plenty of other issues.

Right now I use the following:
5.1 - Router
5.2 - WAP
5.3 - WAP
5.5 - Server
5.10 - 5.19 - Network Printers & Scanners
5.50 - 5.99 - DHCP

I just wasn't sure if the proper method was to assign static IP addresses to the printers or leave them on DHCP but set up reservations for them.
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24048895
Also, I forgot to add that I am planning to set up DHCP and make some DNS changes over this coming weekend, so I am going to leave the thread open just in case I have some other questions with the DHCP configuration or still need some help figuring out why I can't access the clients or ping them over the network.
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24087412
Well I installed DHCP this weekend and made a few configuration changes to DNS to work with DHCP and it appears that everything is functioning normally and I haven't had any new issues resulting from the changes.

However, I still have the issue of only being able to ping and connect to admin shares on 4 of the workstations on the network out of 18 workstations that are currently up and running. I can't ping by host name or IP address and everything seems to match from DHCP to DNS to looking at the actual workstation's IP address so I don't know what is causing this. Every system in the office is on the domain and by looking at the Event Viewer logs on many of the systems I can't contact over the weekend everything appears to be fine with no errors of any type reported.

What could be the problem that I am unable to ping or connect to the admin shares of these workstations?
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 450 total points
ID: 24087485

Windows Firewall?

I take it the name resolves to the correct IP if you run "nslookup <pcname>"?

Chris
0
 
LVL 8

Expert Comment

by:halejr1
ID: 24087603
J -- Chris is probably right... it may be a local client Windows Firewall issue. Best way to troubleshoot is to disable WFW for one of the problem clients, wait a few seconds, then test. If it works, then you need to look at improvising the policy to include NetBIOS traffic and Windows stuff.
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24088796
Yep, the workstations were resolving okay using NSLOOKUP and it sure was Windows Firewall being the culprit. Strange though how a few obviously have the exceptions enabled yet I didn't do it. I will have to look into what all they have opened up to compare to the majority of others that are not accessible.

As far as accessing the admin shares I noticed on one system I am looking at (over Remote Desktop) that in Windows Firewall | Exceptions tab that File and Printer Sharing was not allowed in the firewall so I allowed that exception and now I have access to admin shares. Which makes total sense since it is a share but I would think that setting would somehow get enabled by default when joining a system to the domain.

It turns out that enabling File and Printer Sharing also opens up TCP port 445, which will then allow ping acknowledgments; but just for reference it can also be enabled individually within Windows Firewall | Advanced tab and then Settings under the ICMP section. Check the box next to "Allow incoming echo request".

Are there any other benefits to enabling the other ICMP options in there? I notice there are quite a few other options that sound like they could be beneficial to network communication, but I don't know if they are needed or not. I guess it is my choice, but I just wonder if not having these as an allowed exception would ever come up as an issue like the ping acknowledgement being disabled.


0
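The symptom worked through above (names resolve, but no ping and no \\PC\C$ on most workstations) can be separated into its three causes per host from the server. This is an added example, not code from the thread; it assumes a Windows 8/2012 or later machine with the DnsClient and NetTCPIP modules, the zone name NEA.local and the server address from the author's plan, and constructed host names.

```powershell
# Added example: classify each workstation as "DNS problem", "ICMP exception
# missing", "File and Printer Sharing exception missing" or reachable.
# Assumptions: Resolve-DnsName / Test-NetConnection available (Win8/2012+),
# zone NEA.local and DNS server 192.168.5.5 from the thread, hosts constructed.
param(
    [string]$Zone      = 'NEA.local',
    [string]$DnsServer = '192.168.5.5'
)

$workstations = 'PC01', 'PC02', 'PC03'      # constructed sample names

foreach ($name in $workstations) {
    $fqdn = "$name.$Zone"

    # Step 1: does the SBS DNS server hold an A record for this host?
    $rec = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction SilentlyContinue
    $a   = $rec | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $a) {
        "{0,-22} DNS: no A record (name resolution problem, not the firewall)" -f $fqdn
        continue
    }
    $ip = $a.IPAddress

    # Step 2: ICMP echo (the "ping" exception) and TCP 445 (File and Printer
    # Sharing, which the admin shares need) are tested independently.
    $icmp = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    $smb  = Test-NetConnection -ComputerName $ip -Port 445 -InformationLevel Quiet `
                               -WarningAction SilentlyContinue

    $verdict = if ($icmp -and $smb) {
        'reachable: ping and admin shares should work'
    } elseif ($smb) {
        'TCP 445 open but no echo reply: ICMP echo-request exception missing'
    } elseif ($icmp) {
        'ping ok but TCP 445 closed: File and Printer Sharing exception missing'
    } else {
        'no echo, no TCP 445: host firewall blocking everything (or host off)'
    }
    "{0,-22} {1,-15} {2}" -f $fqdn, $ip, $verdict
}
```

Run it from the server as a domain admin; a host that shows up as "DNS: no A record" needs the DHCP/DNS registration looked at, while the other two verdicts point at the Windows Firewall exceptions the author found.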
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24088897

> Are there any other benefits to enabling the other ICMP options in there?

Not for simple networking, no.

You might consider setting up a few Group Policies to manage the firewall settings for you, saves messing around with it in future :)

Chris
0
 
LVL 2

Author Comment

by:J-Reese
ID: 24088928
I actually just did that, thinking that I don't want to go around to all these systems, and it worked on the workstation I was connected to using Remote Desktop by me physically running gpupdate, but is there a way I can force a gpupdate from the server to all the workstations?

It's not a necessity but I would like to see if my results work sooner than tomorrow morning :)
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24088976

Only if you were to use something like PSExec wrapped up in a bit of scripting. Of course, to do that you'd need to be able to get onto the machines in the first place which might not be easy if the Firewall is still preventing access.

Might be worth a shot though, PSExec is here:

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Chris
0
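The remote refresh asked about above can be scripted from the server. This is an added example, not the thread's code, and it swaps Chris's PSExec suggestion for the Invoke-GPUpdate cmdlet (GroupPolicy module, Windows Server 2012 or later), which schedules gpupdate on the remote host over RPC; the computer names are constructed, and the TCP 445 probe is used as a cheap proxy for "the firewall still blocks us", the case the answer warns about.

```powershell
# Added example: push a Group Policy refresh to every workstation from the
# server and report which ones could not be reached.
# Assumptions: GroupPolicy module present (Invoke-GPUpdate), caller is a domain
# admin, names constructed (in practice feed it Get-ADComputer output).
Import-Module GroupPolicy

$computers = 'PC01', 'PC02', 'PC03'        # constructed sample names

$results = foreach ($c in $computers) {
    # Hosts whose firewall still blocks inbound file sharing will also block
    # the remote scheduled-task call Invoke-GPUpdate relies on, so skip them
    # and flag them for a local gpupdate (or a console visit) instead.
    $open = Test-NetConnection -ComputerName $c -Port 445 -InformationLevel Quiet `
                               -WarningAction SilentlyContinue
    if (-not $open) {
        [pscustomobject]@{ Computer = $c; Status = 'skipped: TCP 445 blocked, refresh policy locally' }
        continue
    }
    try {
        # -Force reapplies all settings, -RandomDelayInMinutes 0 runs it now.
        Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $c; Status = 'gpupdate scheduled' }
    } catch {
        [pscustomobject]@{ Computer = $c; Status = "failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```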
 
LVL 8

Expert Comment

by:halejr1
ID: 24089195
J - thanks for the recognition... I always appreciate points!
0
