Moondoggy wrote:
> We just took over responsibility for our external dns here at my
> company. Previously we were only responsible for the internal DNS.
>
> To make a long story short, we migrated external DNS zones from one
> server running Incognito DNS to two special Windows 2003 domain
> controllers sitting on the corporate LAN that are providing Active
> Directory authentication for a special in-house domain. We then
> created two member servers in the DMZ that hold secondary copies of
> the zones that are the actual DNS's that the rest of the world sees.
> Our internal DNS servers are protected by the firewall and cannot be
> reached from the outside world.
>
> When we migrated the zones off of the Incognito DNS server we first
> set the zones up on the DC's as secondaries and then changed them
> from Secondary to Active Directory Integrated zones. When we did
> this Active Directory immediately created an NS record in the zone
> for each of the DC's. I went into properties and deleted the NS
> records for the two DC's leaving the two original public NS records
> "as is" but later on when we refreshed the zones we noted that the NS
> records for the 2 DC's were automatically re-created.
>
> Bottom line is that we do not want to advertise the existence of our
> Internal Name Servers to the public through sites like
> WWW.DNSREPORTS.COM despite the fact that these two DC's cannot be
> reached. Short of converting the zones from AD Integrated to Primary
> (file) on one DC and creating them as secondaries on the second DC is
> there any way that we can leave them AD integrated and not publicly
> advertise their existence to the world?
This KB article tells you two ways to stop the NS record autocreation. You
should carefully read the entire section to understand the effects of doing
this.

267855 - Problems with Many Domain Controllers with Active Directory
Integrated DNS Zones
http://support.microsoft.com/kb/267855
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
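As an added example (not part of the original posts and not Microsoft tooling): a standard-library Python check that asks an externally visible secondary for a zone's NS records and reports any name that is not on the intended public list, which is how the re-created DC records described above would show up. The zone example.com, the host names ns1, ns2 and dc01, and all function names are constructed for illustration.

```python
import socket, struct

def build_query(zone):                            # non-recursive NS query
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in zone.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", 0x1234, 0, 1, 0, 0, 0) + qname + struct.pack(">HH", 2, 1)

def read_name(msg, off):                          # -> (name, offset after it)
    labels, end = [], None
    for _ in range(256):                          # bound pointer chasing
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def ns_names(msg):                                # NS targets in the answer section
    qd, an = struct.unpack(">HH", msg[4:8])
    off, found = 12, set()
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QTYPE/QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 2:                            # NS record
            found.add(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def unexpected_ns(msg, allowed):                  # names not on the public list
    return sorted(ns_names(msg) - {a.lower().rstrip(".") for a in allowed})

def query(server, zone, timeout=3.0):             # ask one server over UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return s.recv(4096)

def sample_response():                            # constructed reply with a leaked DC name
    msg = bytearray(build_query("example.com"))
    msg[2:4], msg[6:8] = b"\x84\x00", b"\x00\x03"  # QR+AA set, ANCOUNT=3
    for host in ("ns1", "ns2", "dc01"):
        rdata = bytes([len(host)]) + host.encode() + b"\xc0\x0c"
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, len(rdata)) + rdata
    return bytes(msg)
```

Against a live server, pass `query(<address of a DMZ secondary>, <zone>)` to `unexpected_ns` together with the list of intended public name servers, and repeat the check after each zone refresh, since that is when the poster saw the records return.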