Monday, October 10, 2005

Configure a Win2K DNS server to forward external requests

Jun 13, 2002
This was my first real encounter with a Windows 2000 network, and the experience was interesting enough that I want to share it with all of you. First I introduce the concept, then I describe how to do this. You know how DNS is supposed to work. You type a Web address into your browser, your DNS server resolves the name into an IP address, and then your browser connects to the Web page at that address and displays it. However, after you set up Windows 2000 domain controllers, Active Directory, and a Windows 2000 DNS server, you may find that your systems are unable to resolve any Web addresses for resources outside your local network.

This problem occurs because Windows 2000 can sometimes configure its DNS server to act as a root server. As a root server, the DNS server will resolve only addresses that it has DNS records for (usually only local resources). I’m going to show you why this happens and how to fix it.

What's the problem?

In a Windows 2000 environment, DNS fills two roles. First, Windows 2000’s DNS can provide traditional Internet name resolution for clients on your network that need to access Internet resources. Second, Windows 2000’s DNS can provide access to Active Directory and local network resources.

When you first install DNS and Active Directory on your network, Windows 2000’s Setup program can cause these two roles to come into conflict with each other. Setup can accidentally configure DNS to resolve Active Directory resources but not allow clients to access Internet-based DNS servers.

When Setup runs, it checks your network for other DNS servers. If it doesn't find any, Setup assumes that it's the only DNS server on the planet and sets itself up as a root server. By definition, root servers are authoritative. Basically, they are DNS know-it-alls that don't require help from other DNS servers.

In a network that’s not connected to the Internet, having your main DNS server configured as a root server isn’t a problem. Because there aren’t any external addresses to worry about, the root server indeed knows all there is to know about addresses on your network. However, things become complicated when you connect your network to the Internet. At that point, your internal DNS server can’t know the address for every Internet resource, so it requires help from external DNS servers.

If Setup has configured your DNS server as a root server, the DNS server won’t look for help from external DNS servers. As a matter of fact, if you try to configure forwarders or root hints on a Windows 2000 DNS root server, it will refuse to accept the information.

Tearing it out by the root
So what do you do to allow your internal Windows 2000 DNS server to forward queries to external DNS servers for addresses it doesn’t know? You manually administer an attitude adjustment to your DNS server to make it realize that there are other DNS servers it should refer to, essentially removing the DNS server’s root server configuration.

To do so, click Start | Programs | Administrative Tools | DNS. This will start the DNS Management Console. Expand the DNS Server object in the left pane. Expand the Forward Lookup Zones folder. Select the zone folder that is marked with a period, right-click on it, and select Delete. Deleting the root "." forward zone convinces your DNS server that there are at least 13 name servers more knowledgeable than itself. In addition, you will need to provide your machine with a list of those wise root name servers. This can be accomplished in two ways (or both):
· By adding forwarders (usually your ISP's name servers);
· By adding root hints. You do this in the mmc (Right-click your machine name>Properties>Forwarders: Check "Enable forwarders" & enter their IP addresses. You can usually get a list of your ISP's name servers by using whois).

If you’re using Active Directory Integrated Zones, the DNS MMC will display a dialog box informing you that when you delete the zone, the MMC will also delete the zone from Active Directory and any DNS server that references Active Directory. Click Yes to remove the zone from both Active Directory and the DNS server.

Setting up forwarders
After you restart your Windows server, you can configure DNS to forward to other DNS servers. Start the DNS MMC again, right-click on your DNS server, and select Properties. When the Properties window for the server appears, click the Forwarders tab. Select the Enable Forwarders check box.

If this check box is grayed out, your DNS server is still configured as a root server. Check to make sure that you’ve selected the right DNS server and properly removed the root zone folder as mentioned above.

In the IP address field, enter the DNS servers you want to forward to. You’ll need to enter the IP address of each server one at a time, clicking Add after each one. When you have finished, click OK.

Going forward
Once you remove the DNS server’s root capability and configure forwarders on your DNS server, your workstations will be able to access both internal and external network resources. By doing this, you can save yourself the headache of entering multiple DNS addresses on client workstations (or setting them up in DHCP). Simply direct client requests to your Windows 2000 DNS server, and it will handle the requests that it can and forward all other requests to the external DNS servers.
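To make the behaviour described in this post concrete, here is a small Python model of the decision a DNS server makes for each query: answer from a zone it is authoritative for, or hand the name to a forwarder. This is an added illustration, not Microsoft's code or anything from the original post; the zone names, host records and forwarder addresses are constructed, and the longest-suffix zone match generalises the single case in the text (a root "." zone matches every name, which is exactly why the Setup-created root server answers NXDOMAIN for the whole Internet and refuses forwarders until that zone is deleted).

```python
"""Toy model of root-server vs. forwarding behaviour on a Windows 2000 DNS server.
Added example with constructed data; not the product's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A forwarder is modelled as a callable: name -> IPv4 string, or None if unknown.
Forwarder = Callable[[str], Optional[str]]


def _labels(name: str) -> List[str]:
    """Split 'www.example.com.' into labels, ignoring case and the trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


@dataclass
class DnsServer:
    # zone name ("." is the root zone) -> {fully qualified host name: IPv4}
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)
    forwarders: List[Forwarder] = field(default_factory=list)

    def is_root_server(self) -> bool:
        return "." in self.zones

    def set_forwarders(self, forwarders: List[Forwarder]) -> None:
        # Mirrors the greyed-out Forwarders tab: a root server refuses forwarders.
        if self.is_root_server():
            raise RuntimeError('root zone "." present; delete it before adding forwarders')
        self.forwarders = list(forwarders)

    def delete_root_zone(self) -> None:
        self.zones.pop(".", None)

    def _authoritative_zone(self, name: str) -> Optional[str]:
        """Longest zone suffix covering the name; the root zone covers everything."""
        labels = _labels(name)
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return "." if self.is_root_server() else None

    def resolve(self, name: str) -> str:
        key = name.lower().rstrip(".")
        zone = self._authoritative_zone(name)
        if zone is not None:
            # Authoritative for this part of the namespace: answer from our own
            # records or say NXDOMAIN. An authoritative server never asks anyone else.
            return self.zones[zone].get(key, "NXDOMAIN")
        # Not ours: hand the query to the forwarders in order.
        for forward in self.forwarders:
            answer = forward(name)
            if answer is not None:
                return answer
        return "SERVFAIL"


def isp_forwarder(name: str) -> Optional[str]:
    """Stand-in for the ISP's recursive resolver (constructed data)."""
    external = {"www.example.com": "192.0.2.10"}
    return external.get(name.lower().rstrip("."))


def demo() -> Dict[str, Dict[str, str]]:
    """Walk through the post: broken root-server state, then the fix."""
    internal = {"corp.local": {"dc1.corp.local": "10.0.0.5"}}  # constructed AD zone
    server = DnsServer(zones={".": {}, **internal})

    before = {
        "internal": server.resolve("dc1.corp.local"),    # answered locally
        "external": server.resolve("www.example.com"),   # NXDOMAIN: root zone claims it
    }
    try:
        server.set_forwarders([isp_forwarder])
        before["forwarders"] = "accepted"
    except RuntimeError:
        before["forwarders"] = "refused"                 # the greyed-out check box

    # The fix from the post: delete the "." zone, then add forwarders.
    server.delete_root_zone()
    server.set_forwarders([isp_forwarder])
    after = {
        "internal": server.resolve("dc1.corp.local"),    # still answered locally
        "external": server.resolve("www.example.com"),   # now forwarded to the ISP
        "missing_internal": server.resolve("nope.corp.local"),  # authoritative NXDOMAIN
        "unknown_external": server.resolve("nowhere.invalid"),  # forwarder has no answer
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, results in demo().items():
        print(stage, results)
```

The useful check in this model is the last two entries of `after`: a name inside a zone the server still owns gets an authoritative NXDOMAIN without being forwarded, while a name outside every local zone is forwarded and only fails if the forwarder cannot answer. That is the split the post describes once the root zone is gone.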

1 comment:

Anonymous said...

Good source of information. Really, it's purely an experience. I hadn't heard or learned about it.