Router/Gateway setup with a Windows 2000 Server network

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Hi,

I have the following config:

Server:
Windows 2000 Server
Static IP: 192.168.0.1
Domain Name: myofficedomain.com
AD, DNS and DHCP installed.
DHCP settings:
Leases from 192.168.0.100 up to 192.168.0.200
Options:
003 Router -> 192.168.0.5
006 DNS -> 192.168.0.5, 192.168.0.1 (in this order)

Workstations: (4 machines with identical setup, this is an example of one of them)
Dynamic IP, Dynamic DNS.
ipconfig /all returns:
IP: 192.168.0.100
Gateway: 192.168.0.5
DHCP Server: 192.168.0.1
DNS Server: 192.168.0.5, 192.168.0.1 (in this order)

Router/Gateway:
It's a Linksys AG041. It's connected 24/7 to the internet, and it's working (ADSL integrated modem works, ISP settings are ok).
Static IP: 192.168.0.5
DHCP on router: Disabled.

All subnet masks are configured to 255.255.255.0 (in all machines and router).


This way, I have internet working across the network. It seems to be ok. But the way it's configured right now, the machines take a lot of time logging on to the domain ... maybe it's looking for a DNS server on the web, I don't know ... but it takes a good 5 minutes on a 100Mbps network ... and before changing the settings on the DHCP to include the IP of the router/gateway, it was a lot faster ...

My questions are:

1) If I ping "google.com", it will first check the first DNS on list, that is the router's address. It will then point to my ISP's dns server (router will do this automatically I believe). But what if I ping a machine on "myofficedomain.com"? It would first try to find it using my ISP's dns server ... then it would try on 192.168.0.1 (local domain server). What about security on this? My ISP shouldn't know the existence of my private domain name ... but if I query it, they can see it on the logs ... even if they don't retrieve it.

2) With this config, I lost the ability to ping a machine on "myofficedomain.com". Example: "station01.myofficedomain.com" no longer returns an IP and response time, it just fails to reach the destination. But "station.myoffice.com" seems to work ... is this the domain name I gave when setting up the domain controller, for access by older operating systems? But if I can't ping "station.myofficedomain.com" then my local DNS should be unreachable, right?

3) If I just put the router's IP on my DHCP option "006 DNS", will it work with local DNS on 192.168.0.1? If so, how come the router knows to check on that local IP?

4) Should it be a better option to set "006 DNS" on DHCP only to local DNS 192.168.0.1, and on the DNS config say something like "if the domain name isn't here (example: google.com), then make a search on 192.168.0.5 (which will make the router find on the web)"? How do I do that?


Thanks a lot ... I really need to make this work
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Get rid of the 192.168.0.5 DNS entry on all machines and that will correct your slow login times. AD relies on DNS, because of this you should only point the server and workstations to the DNS that is set up for your AD domain. Your DNS server will know automatically when to look to the root servers on the internet for addresses when it cannot find them locally.


John
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Originally posted by: netsysadmin
Get rid of the 192.168.0.5 DNS entry on all machines and that will correct your slow login times. AD relies on DNS, because of this you should only point the server and workstations to the DNS that is set up for your AD domain. Your DNS server will know automatically when to look to the root servers on the internet for addresses when it cannot find them locally.


John


What method does my local DNS server use to know that it has to contact 192.168.0.5 to resolve a name when it's not found locally?

I mean, I'm not sure without testing again, but I have the idea that when I had DNS on local computers only to 192.168.0.1 DNS (local server DNS), I could ping outside IPs, like the IP from google, but I couldn't ping the "google.com" directly ... so for IP it would directly use the gateway (since it wasn't a local IP), but for "google.com" it tried to use the server DNS (on 192.168.0.1) and didn't search outside the network.

Don't I need to config my DNS server to try a second DNS server if domain name is not found? I'm sorry to ask this again, but I'm not 100% sure that I'm not missing any slight config on my DNS server.

Thank you for your info and patience ;)
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
the ideal solution is to either put the router as secondary DNS, or to add a DNS forwarder to your DNS server. I wouldn't put it as the router, I would find what the router uses (ISP's DNS) and put that in directly.
 

OmegaXero

Senior member
Apr 11, 2001
248
0
0
Go to your DNS management console and right click on your DNS server, select properties. Click on the Forwarders tab and make sure that you specify the IP of your Linksys router there. This will tell your server to hand off any DNS requests that it cannot resolve locally to your router. Since the router is already plugged into your WAN connection it knows your ISP's primary and secondary DNS servers, it can resolve anything that your server cannot.

Make sure that you configure the DHCP scope on your server to point all your clients in the network to the server, NOT THE ROUTER. This will make all the clients in the network push their DNS requests to the server. However, since we configured a forwarder on your server, any requests that the server cannot grant will be forwarded to your router. This should resolve your issue.
 
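The DHCP layout this answer describes (gateway = router, DNS = the DC only), plus the check that shows why a router in option 006 hurts domain logon, as an added example that is not part of the thread. Windows 2000 had only the MMC consoles; the DhcpServer and DnsClient cmdlets below are the modern Windows Server equivalents of those console steps. The scope ID 192.168.0.0 is assumed from the thread's /24, and the SRV record name is the standard DC locator record that AD registers.

```powershell
# Added example, not the thread's own configuration. Requires the DhcpServer
# module on the DHCP server and the DnsClient module (Windows 8/2012+) on a client.
$ScopeId = '192.168.0.0'      # assumption: the 192.168.0.0/24 scope from the thread
$DcDns   = '192.168.0.1'      # the DC running AD-integrated DNS
$Router  = '192.168.0.5'      # Linksys gateway; NOT a DNS server for clients
$Domain  = 'myofficedomain.com'

# Option 003 = gateway, 006 = DNS servers, 015 = DNS suffix. Only the DC goes in 006.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $DcDns -DnsDomain $Domain

# Show what the scope now hands out (3 = router, 6 = DNS, 15 = suffix)
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object OptionId -in 3, 6, 15

# Client-side check (on a workstation after `ipconfig /renew`): the DC must be
# the only DNS server; a router listed first is what produced the 5-minute logons.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

# Why: the logon process locates a domain controller through SRV records that
# exist only in the AD zone. Ask the DC and the router the same question.
foreach ($srv in @($DcDns, $Router)) {
    try {
        $r = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                             -Server $srv -DnsOnly -ErrorAction Stop
        $targets = ($r | Where-Object Type -eq 'SRV').NameTarget -join ','
        '{0}: DC SRV record -> {1}' -f $srv, $targets
    } catch {
        # Expected for the router: its upstream (the ISP) has never heard of the
        # private zone, so the client waits for a timeout before trying the DC.
        '{0}: no SRV answer ({1})' -f $srv, $_.Exception.Message
    }
}
```

The SRV query against the router is the whole story of question 1 in the first post: the private zone name does leave the network, and every logon stalls on that failed lookup until the client falls through to the second server.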

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
You the man Omega....been so long since I setup my DNS servers. I would still say don't use the router as the forwarder, but get the IP addresses of the ISP's DNS servers....
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Thank you all for your answers ... I'll give them a try ...

Also another point:

When I ping the google IP, I got a response ... but when ping on the DNS server described on the router (that should be my ISP's main DNS server) I got no response ... maybe this is because that DNS server only answers to a specific port of DNS (53 isn't it?). So if I could ping the ip with the port number correctly I would successfully get a hit, right?

As an example, an SMTP address ...

D:\>ping smtp.netcabo.pt

Pinging smtp.netcabo.pt [212.113.174.9] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 212.113.174.9:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

D:\>

Now I know that the smtp is working ... but on port 25 ... but how can I ping successfully?

I mean using: "ping smtp.netcabo.pt:25" doesn't work ...
 
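The question just above (why a host that serves SMTP or DNS can show "Request timed out" to ping, and how to test the service instead) answered with an added PowerShell example that is not part of the thread. ICMP echo and a TCP port are independent: a host can drop pings and still answer on 25 or 53, and there is no "host:port" syntax for ping. The hostname and port come from the thread; the 3-second timeout is an assumption, and `$IspDns` is a placeholder for the address shown on the router's status page.

```powershell
# Added example, not the thread's own commands. Works on Windows PowerShell 2+.
function Test-TcpBanner {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)   # timeout is an assumption
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $HostName; Port = $Port; Open = $false; Banner = $null }
        }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $null
        try { $banner = $reader.ReadLine() } catch { }   # not every service speaks first
        [pscustomobject]@{ Host = $HostName; Port = $Port; Open = $true; Banner = $banner }
    } catch {
        [pscustomobject]@{ Host = $HostName; Port = $Port; Open = $false; Banner = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# ICMP may be filtered (all four "Request timed out.") while port 25 still
# greets with an SMTP "220 ..." line. Compare the two results side by side.
Test-Connection -ComputerName smtp.netcabo.pt -Count 2 -Quiet
Test-TcpBanner -HostName smtp.netcabo.pt -Port 25

# Same idea for the ISP's DNS server: DNS is UDP/TCP 53, so ask it a question
# rather than pinging it. Replace $IspDns with the address the router reports.
$IspDns = '0.0.0.0'   # placeholder
Resolve-DnsName -Name google.com -Server $IspDns -DnsOnly -ErrorAction SilentlyContinue

# On Windows 8/2012+ the built-in equivalent of Test-TcpBanner is:
# Test-NetConnection -ComputerName smtp.netcabo.pt -Port 25
```

A DNS server that answers `Resolve-DnsName` but not ping is behaving normally; many ISPs filter ICMP to their resolvers. The reverse (pings answered, no DNS reply) is the case that actually indicates a problem with the server or the path.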

b4u

Golden Member
Nov 8, 2002
1,380
2
81
I'm not currently at the network, but I have a network test environment near me ... not the same, and it's an isolated network (no router/gateway available).

I was checking for those DNS forward settings, but when accessing the tab, I could not enter any option ... it displays the message:

"Forwarders are not available because this is a root server"

And everything in the tab is disabled ...

What should I configure to be able to set up a forwarder?


Thank you again ... :)
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
I wouldn't worry about setting up forwarders with your DNS through your router/ISP. Your DNS server will know if the needed lookup is not on its own network and automatically forward the request to the root servers on the internet. There is no need to put a middle man such as the ISP's DNS in the mix. If the ISP changes the DNS server IP or their server goes down then you have no DNS. If you leave the DNS on your DCs to automatically forward to the root servers you will never fail to get an answer, unless your server goes down, and if that happens nothing will be functioning anyway.

John
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
To add to that, I prefer not to add a secondary DNS such as my ISP's because it's good to know when your DNS on your DC goes down. If you were to put in a secondary DNS such as your ISP's it will mostly take you longer to discover that there is something wrong with the DNS on your DC since your clients will mask the issues by using the secondary DNS.

John
 

OmegaXero

Senior member
Apr 11, 2001
248
0
0
John, I see your point, but the whole reason for having a secondary DNS at the ISP in the first place is so that it can mask a primary DNS failure. They're supposed to be redundant so that if the primary does go down you have a mostly intact working copy on the secondary DNS server that continues to do lookups while the ISP fixes the primary server. Chances are b4u doesn't want these guys yelling at him when the ISP goofs up and kills their primary server. That's why I suggested using the router as the forwarder: the router will automatically try the primary server at the ISP first, and if that doesn't work it will try the secondary server.

Most Linksys routers also dynamically update their DNS entries, so if the ISP suddenly goes and changes their DNS server the router will know this. Since the local server inside the network points straight to the router it will always be able to find an outside DNS. That's just my $.02.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
OmegaXero... Keep in mind he is hosting the primary DNS on his DC in his domain. I am ok with the secondary DNS, but his primary needs to be pointed to his DC's running DNS, otherwise AD will have serious issues. That is why he has the slow logon times.

Oh, and why would you set up a forwarder in your DC's DNS to an ISP DNS server? Your DNS server will forward to the root servers, which is fewer hops than going through the ISP's busy DNS server.

John
 

OmegaXero

Senior member
Apr 11, 2001
248
0
0
Originally posted by: OmegaXero
Make sure that you configure the DHCP scope on your server to point all your clients in the network to the server, NOT THE ROUTER. This will make all the clients in the network push their DNS requests to the server.

I think we all agree on him using his internal Windows server as his primary DNS server. We just seem to be at odds on how he goes about making sure that the windows server can forward requests to the internet.
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Thank you for all the answers so far.

So let me just try to recap ...

I'll setup my DHCP option 006 DNS to 192.168.0.1 (local win DNS server). I also have 003 Router on 192.168.0.5 so it points the clients to the --- erm ... router :)

The question then resides on how to forward missing lookups to the internet ... so I will try to setup my DNS forward to point to the router's IP (192.168.0.5). But trying to do that on a test environment I couldn't set it up ... the forward tab of the DNS server properties is all disabled, with the message "Forwarders are not available because this is a root server".

Any missing point on my side? (most likely so ... :()


Thank you.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
You do not need to do anything to your DNS server on your domain controller; it will forward requests properly to the root servers on the internet as is.

John
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Originally posted by: netsysadmin
You do not need to do anything to your DNS server on your domain controller; it will forward requests properly to the root servers on the internet as is.

John


Well, I believe I must have done something wrong ... because before I added the router IP to the DHCP 006 DNS option list, I was unable to ping "google.com", only its IP address of 216.239.57.99. And I had the router IP added to the 003 Router option on the DHCP.

My oh my ...
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
If you are having issues with your DNS on your DC forwarding to the root servers, just go to the DNS server and look for a zone that is just a period. That is the root zone that was created when you DCPromoed your server. Just delete that zone and that will allow your DNS to forward requests to the root servers on the internet. I included some extra instructions below to add forwarders. Though you don't need to configure forwarders, I figured I would include the instructions in case you still wanted to.

John

-----------
To Remove the Root DNS Zone
1. In DNS Manager, expand the DNS Server object. Expand the Forward Lookup Zones folder.
2. Right-click the "." zone, and then click Delete.

------------------
To Configure Forwarders
1. In DNS Manager, right-click the DNS Server object, and then click Properties.
2. Click the Forwarders tab.
3. Click to select the Enable Forwarders check box.
4. In the IP address box, type the first DNS server to which you want to forward, and then click Add.
5. Repeat step 4 until you have added all the DNS servers to which you want to forward.

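The two console procedures above (remove the "." zone, then optionally add forwarders), together with the checks that show the effect, as an added PowerShell example that is not from the thread. Windows 2000 offered only the MMC and dnscmd; the DnsServer module cmdlets below are the current equivalents and run on the DC itself. The forwarder list is an assumption (the router, as OmegaXero suggested; the ISP's resolvers would go in the same place), and the 3-second timeout is likewise assumed.

```powershell
# Added example, not the thread's own configuration. Requires the DnsServer
# module (Windows Server 2012+), run on the DNS server / DC.
$Forwarders = @('192.168.0.5')   # assumption: the router; substitute the ISP's resolvers if preferred
$DcDns      = '192.168.0.1'

# 1. A zone literally named "." makes this server believe it IS the root of DNS:
#    anything outside its own zones is answered NXDOMAIN instead of being looked up,
#    which is why "google.com" failed while its raw IP pinged fine. That is also why
#    the Forwarders and Root Hints tabs are greyed out ("this is a root server").
$rootZone = Get-DnsServerZone | Where-Object ZoneName -eq '.'
if ($rootZone) {
    Remove-DnsServerZone -Name '.' -Force   # the console asks to confirm; -Force skips that
    Restart-Service DNS
}

# 2. With "." gone, root hints are usable. These are the addresses recursion
#    starts from when the server resolves on its own (netsysadmin's preference).
Get-DnsServerRootHint | Format-Table -AutoSize

# 3. Optional forwarders (OmegaXero's preference). -UseRootHint $true keeps root-hint
#    recursion as the fallback if every forwarder is down, which covers the
#    "ISP changes its DNS and you have no DNS" objection.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3
Get-DnsServerForwarder

# 4. Verify from the DC: an internal name and an external one, both answered by
#    192.168.0.1. Workstations should never need to ask the router directly.
'station01.myofficedomain.com', 'google.com' | ForEach-Object {
    Resolve-DnsName -Name $_ -Server $DcDns -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, Type, IPAddress
}
```

Whether step 3 is used or not, the security point raised in the first post holds either way: with the DC as the only client-facing resolver, queries for names inside myofficedomain.com are answered locally and never reach the ISP; only lookups the DC cannot answer leave the network.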
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Man, thank you for your precious help here! Really!

Let me recap your steps ... to configure a forwarder, I have to overpass the message that says "Forwarders are not available because this is a root server".

To do that, I have to remove this server from being a root server, and by that you mean removing the period (".") entry from the DNS server config. Right?

So that period says to the server (itself) that "the search stops here". Is that it?

And another question: how does the server know where to forward to, to find root servers on the internet? I mean, it must go through the router, but how does it know about it? Is it because of the 003 Router option set on the DHCP, the gateway I see on ipconfig, or some other way to "find the way out"?

Thank you again!
 

OmegaXero

Senior member
Apr 11, 2001
248
0
0
The server actually doesn't know where to forward to on the internet. It just knows that whatever addresses it can't resolve will be handled by a server that is higher up. So when you type in google.com your local Windows server just forwards the request on to your router, which forwards the request out to your ISP, and so on and so forth. It just keeps going down the line until eventually the request reaches a server that actually has the contents of google.com. And then the answer comes all the way back. Pretty amazing considering this entire process takes maybe 500ms.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
The root servers should already be configured on the DNS server. In the DNS Management console, right-click the server name, and then click Properties. Then just click the Root Hints tab. Your DNS server's root servers are listed on this tab, but the Root Hints tab will only be available after you delete the root zone.

By the way, the DNS server knows to use the default gateway of the router to look for the root servers on the internet. It knows where the root servers are because of the root hints list.


"So that period says to the server (itself) that "the search stops here". Is that it?"
That is exactly what it is doing!!

John
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Man, I've just tested it on my test environment ... works beautifully ... WOW!

Now I must update the production network ...

Just one quick question: when I deleted the "period" zone, it asked for confirmation since it was going to remove it from AD also. Then I closed DNS and opened it again ... as you said, the DNS Root Hints tab was populated ... you say it retrieved the data through the router defined as gateway. That is, the gateway I have defined in "ipconfig", am I correct?

This seems to work :) Now to production ...

I'm learning everyday ... thank you for your help! Much appreciated!
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
I have one more question ... they never end, do they :)

I configured my test environment with a router based on Linux ... IPCop. Internet was shared correctly, but, I don't know why, the DHCP server couldn't be deactivated on the router ... so workstations would lease from the router instead of the server.

So I changed the router software to another Linux-based one ... m0n0wall. This one deactivated DHCP successfully and workstations leased from the server ... perfect.

But I had only one problem ... when I removed the "period" zone from the DNS server, I was connected using IPCop ... the connection was the same. The DNS auto-populated the Root Hints List, and worked fine.

Now that I changed to m0n0wall, the only way I could get it to work was by adding a forwarder to the router's IP address 192.168.0.5 ... shouldn't the root hints work the same way? Are they auto-updated, or not? Is it possible for me to auto-update them?

(As I said, both IPCop and m0n0wall had the same WAN connection ... with different nics and mac addresses, but still the connection was the same ...)

Thank you.
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Well, yesterday evening I went to the office to try and set up the DNS with the knowledge I got here ... and now everything works like a charm!

Thank you very much for all your help and info on the subject! ;)

Nice to find people that help on these forums ... that's why I always return here, sooner or later :D