Some Basic, but real quick questions...

TechJunkyTechJunky Member Posts: 881
I go to work tomorrow... They want me to setup a 2003 server tomorrow, but the company doesnt really know much about computers. They have a website and email hosted by someone else. I was planning on setting up AD, but I know it requires a DNS server that allows Dynamic updates. They are using for their dns servers... I was curious if there was a way of finding out if the dns servers that are hosting their site allow dynamic updates, other than going into work tomorrow and just trying their domain name and see if it works. From the sounds of it, they only have one 2003 server that I can setup and I dont want to bog it down with multiple services if I dont have to. I plan on partitioning it into 2 partitions and installing, DCHP, RIS, AD, and maybe an Exchange server down the road. I really dont want to install a DNS server on this box as well.



  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    Follow the wizards dude - follow the wizards icon_wink.gif
    FIM website of the year 2007
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I can almost guarantee you that you will need to install DNS on it if you want AD to work. You also don't want all their hosts private DNS exposed on a public Internet DNS server even if it would work, which it almost certainly won't. Their public DNS won't necessarily match their AD naming convention. It's standard procedure to use split-DNS, public and private. DNS won't bog down your server anyway, it's not very resourse intensive, especially with the small number of hosts you'll likely be dealing with. Just do like the man says - follow the wizards. I recommend looking up AD DNS best practices on technet before you go in.
    All things are possible, only believe.
  • Danman32Danman32 Member Posts: 1,243
    It isn't absolutely required to have dynamic DNS for AD, but it does help tremendously when the DNS isn't set up right. Without dynamic DNS, you have to configure the SRV records yourself, which IS required for AD.
    With dynamic DNS updates, the Netlogon and NetDiag /fix can update and correct any missing or incorrect records to resolve for DCs and the services they provide. Dynamic updates of client machines is usually not critical unless the clients have resources others need, IE file/print sharing and their IPs are not static.

    I too would say though, use at least one local DNS server hosting records for your AD domain.

    But you do have a few choices on how you will define your AD domain namespace.

    1. Share the Domain namespace with your public one. In other words, your AD domain name would be the same as your registered domain name. In this case, the AD and the public domains are really two separate ones that happen to share the same name. The difficulty you may come across here is if your users on your LAN need to access resources hosted outside of your network. The reason this is a problem is because your machines on your lan need to exclusively look to your local DNS server so they can find the domain controllers. The solution is to add records to your local DNS that matches the ones on the public DNS. For example, your domain is You have a web server with the URL hosted on internet with the IP You would add WWW to your local DNS mapping it to the proper IP. Accessing internet resources located on the internet from within your lan only by the domain name would not be possible however. In other words, you could not get to your public web site using the URL

    2. Your AD domain is a child domain of the public domain and you would host that zone locally only. Your local machines will still exclusively look to your local servers exclusively for name resolution, though if the public DNS hierarchy refers back to your child domain, using a public DNS server would work. The problem with this though is your local lan probably has a private address scheme that is not compatable with the internet, so issuing correct addresses from various sources would be a problem.

    3. Have totally separate domain names. Microsoft recommends using .local as the first label in your domain name, but any domain name with at least 2 labels would work. Using .local as the first label would guarantee though that it would not conflict with a name on the internet as .local is not a valid registerable domain.

    I usually recommend option 3, as it keeps what is local remaining local, and what is public remaining public without conflicts of name or IP address resolution. Your local machines would use the local DNS servers hosting your local DNS exclusively, and your DNS servers would forward requests out to the internet that it can't resolve on its own. You can use forwarders to send external queries directly to your ISP which would take advantage of any cached queries they may have. The down side of direct forwarding I have come across with clients though is when the ISP decommissions a DNS server you were forwarding to without telling you.
  • TechJunkyTechJunky Member Posts: 881
    Danman32: Thanks for the reply. That information is what I was wanting to know. I have setup AD before without a server that supports Dynamic DNS and from an administration point it was a hassle. I have had good luck in the past setting up the internal DNS server using method one. I made sure I set my forwarders to the correct DNS servers and never had any DNS issues. Since everything is local, and I am using NAT addresses I never came into a problem. I of course just made sure I never added the same records... IE: if the external dns already had this record.

    I plan on adding an internal website as well...

    Here are my plans...

    Internal IIS Server for company use only, Intranet site.

    DNS Server for AD local only to resolve internal address resolution within the domain.

    And of course make sure all of it is setup with AD.

    The only problems I have came into in the past is lets say I purchased and have records pointed to an external ip address... Lets say =

    I then want to setup my internal DNS server as =

    The forward lookup zones do not create correctly. They will only create the SOA, NS, and A records. The following is not created...

    Domain DNS Zones
    Forest DNS Zones

    I have tried in the past to use net stop netlogon, then net start netlogon. If that doesnt work I try netdiag /fix, if that doesnt work I try ipconfig /flushdns, then ipconfig /registerdns. If that doesnt work I check the Windows\Sysvol\sysvol\ and make sure it's not there. If thats not there I then check for the C:\Windows\NTDS\ntds.dit file and make sure its there. Depending on what files are there or arent there I will try the first above steps and see if that fixes the problem.

    However, the only real way I was able to fix the problem seemed as though if I didnt add a subdomain address to the domain name. If I setup my forwarding zone to use instead of and everything would work fine.

    Any ideas?

    As you can tell I have dealt with DNS a time or two. :D
  • Danman32Danman32 Member Posts: 1,243
    First off, you wouldn't be purchasing but rather and adding a A record WWW to the zone.

    You could make a child domain for your local network, the internet wouldn't care, and since you own the parent domain, there's no chance of conflict unless you create the conflict.

    When the _ subdomains don't get created, there's usually one of two reasons: there's no DNS server hosting a zone for your active directory domain that the DC has access to, or you have dynamic DNS updates turned off in your zone. Since 2003 tends to side on security now, I suspect that may be your problem. Try setting DNS to allow unsecure updates util you get the records and AD replication straightened out. Then you can set it to secure again. After setting the zone to allow unsecure updates, run netdiag /fix again. If that doesn't work, note the error given in the DNS test. It should clue you into why it could not fixt the records. That and check event logs on the DNS server and DC.
  • TechJunkyTechJunky Member Posts: 881
    I have updates allowed for both the forward zones and reverse zones. Sorry about the domain thing. Yes I am aware that you purchase and not It has an A record pointing for so their site resolves via web.

    I guess the best explanation would be to let ya know the company name so you can do a dig or nslookup or whatever you prefer.

    I show these records when I do a nslookup.

    Non-authoritative answer: nameserver = nameserver = internet address = MX preference = 0, mail exchanger nameserver = nameserver = internet address = internet address = internet address =

    So I was wanting to setup for internal use only.. .IE:

    I am using 2003 server. I get three options for how to create the zone... setup in forest, setup in domain, setup throughout domain controllers for this domain. I went with domain controllers for this domain.

    Here is the netdiag /fix print out.

    C:\Program Files\Support Tools>netdiag /fix


    Computer Name: SERVER
    DNS Host Name:
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
    List of installed hotfixes :

    Netcard queries test . . . . . . . : Passed

    Per interface results:

    Adapter : Local Area Connection 4

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : Server
    IP Address . . . . . . . . :
    Subnet Mask. . . . . . . . :
    Default Gateway. . . . . . :
    Dns Servers. . . . . . . . :

    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
    r Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Global results:

    Domain membership test . . . . . . : Passed

    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    1 NetBt transport currently configured.

    Autonet address test . . . . . . . : Passed

    IP loopback ping test. . . . . . . : Passed

    Default gateway test . . . . . . . : Passed

    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
    ce', <03> 'Messenger Service', <20> 'WINS' names defined.

    Winsock test . . . . . . . . . . . : Passed

    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '

    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    The browser is bound to 1 NetBt transport.

    DC discovery test. . . . . . . . . : Passed

    DC list test . . . . . . . . . . . : Passed

    Trust relationship test. . . . . . : Skipped

    Kerberos test. . . . . . . . . . . : Passed

    LDAP test. . . . . . . . . . . . . : Passed

    Bindings test. . . . . . . . . . . : Passed

    WAN configuration test . . . . . . : Skipped
    No active remote access connections.

    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

    The command completed successfully

    C:\Program Files\Support Tools>
    Thanks again for the help.
  • TechJunkyTechJunky Member Posts: 881
    I dont know. I have never had any luck setting up a forward zone for anything other then the parent domain. IE: for forward domain. Then you can just create A records within that forward lookup zone of for local, www, mail, ad, or whatever you want. I always thought setting up a sub domain name as the forward lookup zone was incorrect. It has always worked the way I have been doing it and I have never had any bad side effects. The way I think you are describing I have heard from a few other people but in a BIG domain environment I have never seen it setup this way. It has always been setup the way I put my DNS servers together. So I will just stick with what works.
  • Danman32Danman32 Member Posts: 1,243
    Your DNS test passed as did the rest of the netdiag tests so you should have all your records needed on server for the zone, and that's the only server that matters for your AD.
    If you are at 2003 native function level, you probably also have a zone for on that server.

    What's out on the internet is irrelevant to your AD.

    As for your AD integrated replication choices, you can leave it at the defaults but here's what it means.

    To all DNS servers in the forest: all domain controllers in the forest, not just this domain, that also have DNS servers installed will get this data.

    To all DNS servers in the domain: All DCs in this domain that have DNS installed will get the data.

    To all DCs in the domain: All DCs in this domain will get the zone data, regardless if they have DNS installed or not. Only replicates within the domain, not the forest. This is how W2K operates, which was a problem for the _MSDCS records that needed to be forest-wide so that forest-wide FSMO role holders could be found across domains.

    It seems you already created your AD, but if you have your domain/forest at 2003 native function level, you can change the domain name if you wish to

    If you want to leave things as they are, add an A record for WWW on the zone for on the server resolving to the public IP address of your hosted website so that your users can get to it since your local server is authoritive for as far as they are concerned.

    For forwarding, in the DNS manager go to the properties of the server object, select the forwarders tab, and add the ISP's DNS addresses (or any other valid DNS server on the internet that allows unrestricted public queries) for All Other DNS Domains. This tab may be disabled if you have a dot zone '.' in your forward lookup zones. If so, remove the dot zone, restart the manager and try adding the forwarder again.

    Once your network is set up properly, your machines on your lan would query your server for DNS lookups. If your server can't resolve it, it will query one of your forwarders. If you don't have forwarders configured, it can do the internet lookups on its own using the root hints, but I often find that problematic.
  • TechJunkyTechJunky Member Posts: 881
    Thanks for the clarification. I already knew that information, but I defiantly bet it is helpful to someone else on this site. And yes, I am already using forwarders etc. It is working real smooth.

    Thanks again, and I hope other people on this site find this information useful.
Sign In or Register to comment.