Solved

DNS doubts

Posted on 2009-04-21
Last Modified: 2013-11-25
Hi friends !

I am working as system and network administrator in an educational institute. Currently we are facing a problem of slow internet connectivity, and one expert from outside analyzed our network and told us that there are too many NETBIOS broadcasts in your network.

Just 2 hours before, we had following servers:

1. Routing and Remote Access Server (For Routing and NATTING and Caching)
2. Domain Controller + DNS + DHCP Server on the same machine. Our internal domain name is something like xxx.local

Now, I feel that our users are not interested in Domain Environment and even the IT staff are not taking care of domain rules and policies. For example, if a PC named pc1.xxx.local is replaced or repaired, then the IT staff person doesn't give the same name to the replaced PC and that PC remains in workgroup. The same way, end users have been given their domain user accounts but they are not using them.

In this situation, I decided and removed DC and DNS as well (Though I have backup). Now, the only servers remaining are:

1. Routing and Remote Access Server
2. DHCP Server that distributes IPs in range (172.20.0.101 - 172.20.255.254) and Router address as 172.20.0.1 and DNS Server addresses of ISP DNS Server.

I am also planning to stop using this Microsoft based RRAS Server and replace it with OpenSUSE 11 Proxy and Firewall.

My doubts are... because I don't have any DNS Server internally,

1. All internet browsers' requests for resolving website IP addresses are going directly to ISP DNS Servers. WILL THERE BE ANY NEGATIVE IMPACT ON NETWORK?
2. And local resources cannot be resolved by their names. Though I don't have any file server or any server that needs name resolution, I don't know whether DNS is required here or not.

Please tell me if you can foresee some problems that may come in future due to NO DNS SERVER in my environment. Also tell me how to stop the NETBIOS broadcasts ?

Regards,

Hemant
0
Question by:JatinHemant
LVL 27

Accepted Solution

by:
bluntTony earned 2000 total points
ID: 24196762
If you just have a simple workgroup setup (and you're happy with this), unless users start complaining of slow internet access, then using an external DNS I can't see a problem with. Anyway, a typical setup for an internal DNS server is to forward all external queries to the ISP DNS server anyway, so you're just removing a 'go-between'.
For resolving internal host names, you might be able to get away with NetBIOS resolution. If you have one single subnet, you could get away with using just broadcast based resolution and no WINS server (although this does mean an increase in broadcast traffic - you would have to decide for yourself by monitoring the network if this was becoming unacceptably high).
If you have multiple subnets, in order to use NetBIOS name resolution you would have to install the WINS service on your Windows server, and configure your DHCP scope option to make the clients 'h' or 'p' nodes. H uses WINS, then broadcast if that fails. P uses just WINS. The default node for non WINS clients is 'B' - broadcast only.
So in answer to your last question, in order to keep name resolution in a non DNS environment and also eliminate broadcasts, install WINS, then configure DHCP to give the client the WINS server address, and make them P nodes.
0
 

Author Comment

by:JatinHemant
ID: 24201598
Thanks for your detailed explanation.

I have installed DHCP, DNS, ADS, Exchange, ISA etc. But sincerely speaking, I have never installed WINS. Well, I am installing and configuring it. I will soon let you know about my experience.

But tell me, to handle / reduce the broadcasts, does WINS work better than DNS Server ?

Regards,

Hemant

0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24202379
To eliminate NetBIOS broadcasts, you would either have to disable NetBIOS, in which case you would need DNS, or you could run WINS and configure the clients as P nodes, in which case you could run it alongside DNS or by itself.
Can I ask why you want to remove DNS from your network?
0
 

Author Comment

by:JatinHemant
ID: 24202893
Thanks for your support.

Well...as you said, I feel that disabling NetBIOS broadcasts and using DNS will be a better solution than using WINS Server (as DNS is more advanced than WINS). This way I can use DNS (in Workgroup Environment) to keep all the entries for internal resources and will forward queries for internet websites and resources.

But I don't know how to disable NetBIOS broadcasts ? Is it possible through DHCP ? I mean...

Do I need to disable NetBIOS broadcasts in each PC or I can make some settings in DHCP so that this setting (to disable NetBIOS) can be distributed to all clients automatically.


As you had asked....
*****Can I ask why you want to remove DNS from your network?*****

Ok...I removed DNS because I suspected many NETBIOS broadcasts in my network making big network congestion and thus resulting in poor (TOO SLOW) internet connectivity.

See...The very first time when I installed DNS in our network, I had installed it in the same installation of Active Directory (dcpromo). Before that there was no DNS. Means I installed DNS at the same time of Domain Controller Installation. While installing, it asked me the name for the domain and I gave: xxx.local, thus netbios name xxx was automatically taken from the installation.

Later on, I realized that our users only need internet and file and printer sharing. No security is needed. So I removed AD.

Now, I don't know how to configure DNS in workgroup environment, means:

1. How clients will make entry in DNS ? (Will I have to check Non-secure and Secure Updates)
2. Do I need to give the same xxx.local in Domain Name while installing DNS. But I DON'T want Active Directory.

Please help me sort out this serious issue.

Regards,

Hemant



0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24203909
OK, it is possible to disable NetBIOS using a Windows 2003 DHCP server (see here : http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm - look for the section describing the DHCP option to do this). Other than that, there's group policy but that's not an option for you.
In reference to: "...I removed DNS because I suspected many NETBIOS broadcasts in my network making big network congestion..." - this logic I'm afraid is flawed. By removing DNS, the only thing you would achieve would be to increase NetBIOS broadcasts. A client will most of the time try to resolve names via DNS first, then NetBIOS if this fails. If your clients are B node types (which by default they would be), then they would resort to broadcasts. So by removing DNS you've increased NetBIOS broadcasts.
You can install DNS in a workgroup OK, although you've hit on one major security flaw with this - for clients to dynamically update DNS, you would have to allow secure and non-secure updates. This does leave your DNS server open to updates from untrusted machines.
As far as your DNS namespace goes, you can use whatever you want, although it would make good sense to use the same as your workgroup name. E.g. if your workgroup is called NETWORK, make your internal DNS namespace network.local. Then have your DNS server forward queries for external namespaces to your ISP's DNS server. Using forwarding instead of getting your DNS server to do the work saves loading your server with queries.
0
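The exposure described in the comment above (a workgroup zone that accepts non-secure dynamic updates will take registrations from any machine) can be watched for by cross-checking the zone against the DHCP lease table. This is an added example, not part of the original thread; the record, lease and static-host structures and all sample values are assumptions constructed for illustration, with only the DHCP range taken from the question.

```python
import ipaddress

def audit_zone(records, leases, static_hosts, scope):
    """Flag A records in a dynamically updated zone that nothing vouches for.

    records:      [(fqdn, ip)] as listed in the zone
    leases:       {ip: short hostname} for active DHCP leases
    static_hosts: {fqdn: ip} for records the administrator created by hand
    scope:        (first_ip, last_ip) of the DHCP range
    """
    lo, hi = (ipaddress.IPv4Address(a) for a in scope)
    findings = []
    for name, ip in records:
        host = name.lower().rstrip(".")
        addr = ipaddress.IPv4Address(ip)
        if host in static_hosts:
            # A hand-made record should never change through a dynamic update.
            if static_hosts[host] != ip:
                findings.append((host, ip, "static name repointed"))
            continue
        if not lo <= addr <= hi:
            findings.append((host, ip, "dynamic record outside DHCP scope"))
        elif ip not in leases:
            findings.append((host, ip, "no active lease for address"))
        elif leases[ip].lower() != host.split(".")[0]:
            findings.append((host, ip, "lease belongs to " + leases[ip]))
    return findings

# Constructed sample data (assumption): zone xxx.local, DHCP range from the question.
SCOPE = ("172.20.0.101", "172.20.255.254")
STATIC = {"proxy.xxx.local": "172.20.0.5"}
LEASES = {"172.20.0.110": "pc1", "172.20.0.120": "pc9"}
RECORDS = [
    ("pc1.xxx.local", "172.20.0.110"),    # matches its lease
    ("proxy.xxx.local", "172.20.0.150"),  # static name now points elsewhere
    ("pc7.xxx.local", "172.20.3.20"),     # in scope, but nobody holds the lease
    ("pc2.xxx.local", "172.20.0.120"),    # address is leased to a different host
    ("old.xxx.local", "10.0.0.9"),        # not an address this DHCP server hands out
]

if __name__ == "__main__":
    for finding in audit_zone(RECORDS, LEASES, STATIC, SCOPE):
        print(finding)
```
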
 
LVL 27

Expert Comment

by:bluntTony
ID: 24203973
One thing I forgot to mention - with DNS in a workgroup environment, you would need to configure each machine's primary DNS suffix to match your DNS namespace. That's in System Properties | Computer Name | Click 'Change' | Click 'More' | 'Primary DNS suffix for this computer'.
Making changes like this globally becomes tricky in a workgroup environment, which is where you'll notice the advantages of the centralised management a domain offers.
0
 

Author Comment

by:JatinHemant
ID: 24204174
Thanks for your replies.

I have also disabled NetBIOS over TCP/IP in all client PCs by making this entry in DHCP Scope option:
*************************************************************
Option Name: 001 Microsoft Disable Netbios Option
Vendor: Microsoft Windows 2000 Options
Value: 0x2
Class: None
*************************************************************
Now, NetBIOS is disabled and I HAVE TO use DNS for internal hostname resolutions.

I understood everything from your comment. (ID: 24203909). BUT...I could not get much from your last comment. (Comment ID: 24203973).

You mean to say that if I use xxx.local as my domain name then I will need to go to every PC to change Primary DNS Suffix to xxx.local ?

If yes, is there no way to distribute this DNS Suffix through DHCP ? (Will 0015 DNS Domain Name not work !!! )

Or, Can Host not make entry in DNS via DHCP ? I mean can DHCP not provide the list of hostnames (i.e. PCs) to DNS ?

Regards,

Hemant
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24204742
Sorry, yes, you can set this via DHCP. This sets the connection-specific suffix rather than the primary suffix which I described earlier, but the end result is basically the same.
You'll see the DNS suffix added to the properties of the clients' NIC rather than in system properties.
With regards to DHCP performing DNS updates - you can configure the DHCP server to do this for the client if you prefer, or providing your clients are 2000 and later, they can do it themselves. Have a look at this article : http://support.microsoft.com/kb/816592.
 
0
 

Author Comment

by:JatinHemant
ID: 24205104
Thanks for the reply.

I am reading the link you provided. But I am not getting how to set DHCP for "Distributing connection-specific suffix" to clients.

Regards,

Hemant
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24205671
The link I provided was referring to how dynamic updates can be handled by DHCP.
To set the clients' DNS suffix, you do use the option you mentioned earlier - 00015 DNS Domain Name. Once a client has renewed its lease (ipconfig -renew), check its suffix using ipconfig -all.
 
0
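The DHCP options discussed across this thread (015 DNS Domain Name, the WINS server and node type options, and the Microsoft "Disable NetBIOS" vendor option set to 0x2) all travel in the options field of the DHCP reply, so their combined effect can be checked from a captured lease. The following is an added example, not code from the thread: it parses the standard option encoding (15 = domain name, 44 = WINS servers, 46 = node type, 43 = vendor-specific with Microsoft sub-option 1) and reports whether a client will still broadcast; the sample byte strings and the 172.20.0.3 WINS address are constructed assumptions.

```python
import ipaddress

NODE_TYPES = {1: "B", 2: "P", 4: "M", 8: "H"}   # option 46 values (RFC 2132)

def parse_tlv(raw: bytes) -> dict:
    """Split a DHCP options field (code, length, value triples) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def resolution_profile(raw: bytes) -> dict:
    """Summarise how a Windows client holding this lease will resolve names."""
    opts = parse_tlv(raw)
    vendor = parse_tlv(opts.get(43, b""))    # option 43 carries nested vendor TLVs
    # Microsoft vendor sub-option 1 with value 0x2 disables NetBIOS over TCP/IP.
    netbt_off = int.from_bytes(vendor.get(1, b""), "big") == 2
    w = opts.get(44, b"")
    wins = [str(ipaddress.IPv4Address(w[j:j + 4])) for j in range(0, len(w) - 3, 4)]
    # Without option 46, a client with no WINS server is a B node (as stated in
    # the thread); Windows treats a WINS-configured client as H by default.
    node = NODE_TYPES.get(opts[46][0], "?") if opts.get(46) else ("H" if wins else "B")
    return {
        "domain": opts.get(15, b"").decode("ascii", "replace") or None,
        "wins": wins,
        "node": None if netbt_off else node,
        "netbt_disabled": netbt_off,
        # P nodes query WINS only; every other node type can fall back to broadcast.
        "broadcasts": not netbt_off and node != "P",
        "warning": "P node without a WINS server"
                   if node == "P" and not wins and not netbt_off else None,
    }

# Constructed option fields (assumptions), each ending with the End option (255).
SAMPLE_P_NODE = (bytes([3, 4, 172, 20, 0, 1, 15, 9]) + b"xxx.local"
                 + bytes([44, 4, 172, 20, 0, 3, 46, 1, 2, 255]))
SAMPLE_NETBT_OFF = bytes([3, 4, 172, 20, 0, 1, 43, 6, 1, 4, 0, 0, 0, 2, 255])
SAMPLE_DEFAULT = bytes([3, 4, 172, 20, 0, 1, 6, 4, 192, 0, 2, 53, 255])
```
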
 

Author Comment

by:JatinHemant
ID: 24205943
Thanks...

I used this option and then I went to client machine and released and renewed IP address. I could see xxx.local in DNS Suffix Search List and Connection-specific DNS Suffix. But it is still not appearing in DNS.

What is that in the link you provided:
*******************************************************
How DHCP/DNS update interaction works
You can use the DHCP server to register and update the PTR and A resource records on behalf of the server's DHCP-enabled clients. When you do this, you must use an additional DHCP option, the Client FQDN option (option 81). This option lets the client send its FQDN to the DHCP server in the DHCPREQUEST packet. This enables the client to notify the DHCP server as to the service level it requires.
*******************************************************

Is there no need to include this option 81 ? But I didn't see it in DHCP ?

Regards,

Hemant



0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24207112
Hi there,
Option 81 I think is actually the DNS tab on the server properties menu in DHCP (confusing, I know!). It's a while since I've configured a workgroup, but check the following:
1. You have set the primary DNS suffix of the DHCP and DNS server to be that of your DNS zone.
2. You have configured the DNS tab in DHCP to enable dynamic updates (set it to 'always'). Do this on both the DHCP server properties, and the properties of the DHCP scope itself.
3. You also need to make sure that 'Use this connection's DNS suffix in DNS registration' is ticked in the TCP/IP properties of the client's NIC (Advanced | DNS)
Then renew the client lease. You should be getting Host records drop into DNS. I'm not going to ask you about whether you've configured the correct DNS server address for the clients etc, as I think you'll have covered that.
How many machines do you have? If you have to manually perform step 3 on each machine, how possible is this? Bear in mind that workgroups become a nightmare to manage for more than a handful of machines. I'm not sure if there is any way to centrally set this on each client, barring a script of some sort. I'll let you know if I find something...
0
 

Author Comment

by:JatinHemant
ID: 24212111
Thanks for your comment.

Let me again go through the steps you suggested.

We have around 350 PCs connected to network (wired) and for wireless (it is changing always).

Well as you told to ensure client settings (step 3), I checked in some PCs and it seems it is by default just like default NetBIOS settings in WINS tab to take the settings first from DHCP and then enable NetBIOS otherwise.

Am I right ? If yes, then is there any need to verify it in all the PCs.

Regards
0
 

Author Comment

by:JatinHemant
ID: 24212255
Sorry...

No... "Use this connection's suffix in DNS registration" is not enabled by default. I was wrong.

So what to do then, because:

1. It is definite that we have a large number of PCs, and they can only increase, NOT decrease.

2. I don't want to use domain as here nobody is interested in it. And even our IT staff don't comply with the policies. Also we want to switch over to Linux step by step. (Means first I will replace RRAS with OpenSUSE and install Squid as proxy and caching.)

3. And somebody told me that if I install domain controller and PCs are just members of the domain but users don't use domain user accounts and they continue to use local administrator account, then also domain services are used by the client PCs every minute, thus busying the network always.

Should I go back to WINS as we are not running servers inside! I will configure WINS for P-node.

Give me suggestion.

Regards,

Hemant
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24213068
Wow, with 350 PCs in a workgroup, are you sure this is a good idea? How are you going to manage 350 computers/users with no centralised management?
You say nobody is interested in it, but I would say it's up to you as the network admin, and educate your IT staff. Bear in mind that workgroups are only really beneficial for about 20 PCs - above that management becomes a living nightmare (my opinion at least). 350 and rising is MASSIVE for a workgroup.
What's your physical set up like? How many subnets do you have? Switches or hubs? You might be able to do things here to reduce traffic.
Anyhow, using a domain aside, your two options are:
1. Use WINS, configure clients as P nodes. This can all be done via DHCP.
2. Use DNS, set the primary DNS suffix of each client to your DNS name. This would require you to remotely execute a script which edits the registry of every machine. The script itself is quite simple and you can use a tool, psexec to remotely execute it.
Also bear in mind that you've got a load of machines that still think they're joined to a domain.
0
 

Author Comment

by:JatinHemant
ID: 24213403
Thanks for your reply.

First, well...for domain issue, I will again explain to my IT staff the strong features and centralized mechanism provided by domain. Only after getting approval will I wish to go for domain, because if I do it without the agreement of our IT staff, they may not co-operate with me in domain implementation and complying with the domain policies. (Also, we have to buy additional CALs for the PCs we purchase in future. Here people are interested in OPEN SOURCE.)

Second, I think installing WINS Server and making all clients P-node will be the suitable solution. (As you had already given the same solution right in your first reply. But I was not able to get it that time as I was not able to think of so many factors.)

Well...Let me close the discussion and award you the points. You have been very supportive in this long discussion.

If you want to give some technical comment, you are most welcome.

Regards,

Hemant
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24214184
I think this may be the simpler option for you.
Maybe once WINS is setup and settled down, you can then look at introducing DNS gradually. I would really urge you to use a directory service though, whether it be AD or the linux directory service. Unfortunately I can't comment on much about Linux as I don't know too much about it...
Good luck with the project and I hope it all goes well for you....
0


Question has a verified solution.
