#1

Hi, currently I have 13 DCs using integrated AD. I just set up an ISA2004 on a 2k member server.
The ISA2004 server has an internet connection.

Could I install DNS on the ISA2004 member server, and have its DNS point to itself, and have forwarder entries that would be the ISP DNS?

thx jason

#2

jason sigurdur wrote:
> Hi, currently I have 13 DCs using integrated AD. I just set up an
> ISA2004 on a 2k member server.
> The ISA2004 server has an internet connection.
>
> Could I install DNS on the ISA2004 member server, and have its DNS
> point to itself, and have forwarder entries that would be the ISP DNS?

If it is on a member server, the member server must use the internal DNS in TCP/IP properties of the internal interface.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

#3

"jason sigurdur" <jason.sigurdur@aspenview.org> wrote in message
news:ODHcxKS0GHA.2636@TK2MSFTNGP06.phx.gbl...
> Hi, currently I have 13 DCs using integrated AD. I just set up an ISA2004
> on a 2k member server.
> The ISA2004 server has an internet connection.
>
> Could I install DNS on the ISA2004 member server,

Yes.

> and have its DNS point to itself,

Not unless it can resolve "internal resource records" which
is a bad idea for such machines.

As a MEMBER machine it must be able to find the DCs to
authenticate itself -- so that all of the features of ISA will
work, such as access security control using groups.

> and have forwarder entries that would be the ISP DNS?

Yes.

I have systems set up this way in fact (with my one correction):

    DNS on the Gateway/Firewall/Proxy/ISA for resolving the Internet
    CLIENT DNS settings for that "server" set to an INTERNAL DNS
        server though (and if you are forced to use a DHCP address on
        the external NIC you must override the DNS setting to avoid
        multiple incompatible settings.)
    Internal DNS servers forward to the "firewall DNS" server.
    Firewall DNS service either recurses physically OR forwards to
        the ISP

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> thx jason

#4

Hi, thx for the reply.

If I understand correctly, I can install DNS on my ISA server.
1. The DNS settings on the ISA server will point to my DC with integrated DNS on the local subnet.
2. The DNS settings on the DC will have forwarding entries that point to the ISA server.

If the above is a correct assumption, the DNS on the ISA server will be no more than a cache DNS server for external resolution.

Would it be possible to install DNS on the ISA server and do zone transfers from a DC and use it for internal DNS and use its forwarding entries for external resolution?

thx jason

#5

"jason sigurdur" <jason.sigurdur@aspenview.org> wrote in message
news:uz8kWgc0GHA.4920@TK2MSFTNGP06.phx.gbl...
> Hi, thx for the reply.
>
> If I understand correctly, I can install DNS on my ISA server.
> 1. The DNS settings on the ISA server will point to my DC with integrated
> DNS on the local subnet.

Yes (technically to the "internal DNS server set" which
happens to be the DC-DNS in your case.)

The reason that it must do this as a "DNS client" is that this
machine is a MEMBER of the domain.

That is the only thing that really makes sense with ISA usually
because it needs to be able to take advantage of user
authentication in order to control access to the Internet.

(You could forego such features and remove the ISA from the
domain and it would work more like 'ordinary' firewalls.)

> 2. The DNS settings on the DC will have forwarding entries that point to the
> ISA server.

Yes, but let's clarify: The FORWARDING settings on the
DNS service will do this.

Note the distinction between "client DNS settings" for
the ISA server, and the FORWARDING settings for the
internal DNS servers.

The "client DNS" settings on the DC, and all internal or
domain machines will be similar to the ISA member server.

> If the above is a correct assumption, the DNS on the ISA server will be no
> more than a cache DNS server for external resolution.

Correct. What else did you wish it to be?

> Would it be possible to install DNS on the ISA server and do zone
> transfers from a DC and use it for internal DNS and use its forwarding
> entries for external resolution?

Yes, but now you have to deal with the issue of possibly
exposing that sensitive information to the Internet (hackers
and crackers.)

Why would you wish to do this?

The KEY to the above recommendations is that you are
treating the "ISA Server" as an INTERNAL CLIENT, but
using it for EXTERNAL DNS Resolution and Gateway/Firewall
access as a Server.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
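
The layout agreed on in the replies above, written out as the commands that set and then verify it. This is an added example and not part of any post in the thread; the server names (DC1, ISA1), connection names ("Internal", "External") and every IP address are placeholder assumptions, and `dnscmd` is assumed to be installed from the Windows Support Tools.

```bat
@echo off
rem Added example. Placeholder values (assumptions, not from the thread):
rem   DC1   10.0.0.10   internal AD-integrated DNS server (one of the DCs)
rem   ISA1  10.0.0.1    ISA member server, internal interface address
rem   "Internal" / "External"   connection names on ISA1
rem   192.0.2.53, 198.51.100.53 ISP resolvers (documentation addresses)

rem --- Run on ISA1 -----------------------------------------------------
rem 1. ISA1 as a DNS *client*: the internal NIC uses the internal DNS
rem    server, not ISA1 itself and not the ISP, so the member server can
rem    still locate the DCs and authenticate.
netsh interface ip set dns name="Internal" source=static addr=10.0.0.10

rem    External NIC: override whatever DHCP hands out and leave the DNS
rem    list empty, so the client resolver never mixes internal and ISP
rem    servers.
netsh interface ip set dns name="External" source=static addr=none

rem 2. ISA1 as a DNS *server*: caching only, forwarding to the ISP.
rem    Running /ResetForwarders with no addresses clears the list, and the
rem    service then recurses from the root hints instead.
dnscmd ISA1 /ResetForwarders 192.0.2.53 198.51.100.53

rem --- Run against each internal DNS server ----------------------------
rem 3. Internal DNS servers forward unresolved names to the DNS service
rem    on ISA1 (its internal address). Repeat for every internal DNS server.
dnscmd DC1 /ResetForwarders 10.0.0.1

rem --- Verify ----------------------------------------------------------
rem Client side on ISA1: "Internal" lists 10.0.0.10, "External" lists none.
netsh interface ip show dns

rem Server side: forwarder lists as set above.
dnscmd ISA1 /Info
dnscmd DC1 /Info

rem ISA1 should hold no copy of the internal AD zones (no secondary zone
rem transferred from a DC), so nothing internal is served from the firewall.
dnscmd ISA1 /EnumZones
```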