
DNS on 2K Domain

By jlbpotter
I have a domain with 2 W2K domain controllers and all of my client PCs are XP Pro. My main domain controller has DNS installed on it because that is necessary for AD. (I don't know enough about DNS as you'll see.) My DNS server is also my DHCP server. My DNS server is not a true DNS because it does not resolve internet names, just local names. In my DHCP package I have configured WINS, default gateway, and IP address. I do not send out a DNS server address. This is how we limit internet access. We have a couple of DNS server addresses provided to us by AT&T. For users who are authorized for Internet access, an IT technician will go to the machine and put in the provided DNS server IP addresses, which allows them internet access. For example, my W2K DNS server address is 192.168.0.10 but the ones we use to access the internet are, say, 12.156.25.83 (provided by AT&T). This works fine until the domain password for the user has been changed and he has a static DNS server address that is not the one for his domain controller. It will not let him log on because it can't find the DC. Another example: I tried changing the computer name of a PC on the domain that had a static DNS for internet access and it would not allow me because it could not contact the DC to verify my password. Once I took out the static DNS I had no problem. How can I resolve this, or is there a better way to limit internet access? Thanks in advance.


DNS on 2K Domain

by ewgny In reply to DNS on 2K Domain

You should have your DHCP server give out the IP of your internal DNS server. Then you should set up your DNS server to forward any request that it is not authoritative for (internet queries).
Your clients need to use your internal DNS for your domain to function properly with Active Directory: authenticate, receive group policy etc. Using your ISP's DNS for a client's primary DNS server is a big no-no! You should consider using a proxy or ISA server or firewall rules to restrict Internet access instead. All of the problems that you are currently having are from using your ISP's DNS instead of your internal DNS.


DNS on 2K Domain

by ewgny In reply to DNS on 2K Domain

Since you can't deny a gateway to your clients, here is what you do.
Set everything up properly like I explained above. Then in Active Directory Users and Computers set up an OU called NO Internet. Create a group policy for that OU that will give a bogus IP address for a proxy server. You don't need a proxy server to do this. You are just telling the client that they are to use a proxy that doesn't exist. This is found under User Configuration - Internet Explorer Maintenance - Connection. You must also configure the group policy to prevent the user from changing the proxy settings. Now the user cannot access the internet regardless of the computer they log on to. If you need to restrict access by a particular computer and not user, you can configure a loopback policy. Using group policy you will not have to purchase any additional equipment. If you need more detail please post. - Good Luck
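
The "NO Internet" OU policy described above, as an added example (not from the thread), written with the GroupPolicy PowerShell module (Windows Server 2008 R2 or later; on Windows 2000 the same values were set in the GPO editor under Internet Explorer Maintenance > Connection). The domain name, OU distinguished name and the 192.0.2.1 proxy address are assumptions.

```powershell
# Added example, not from the thread: ewgny's "NO Internet" OU policy via the GroupPolicy
# module. Assumed: domain corp.example, OU "NO Internet" already created in AD.
Import-Module GroupPolicy

$GpoName = 'NO Internet'
$OuDn    = 'OU=NO Internet,DC=corp,DC=example'   # assumed distinguished name

$gpo = New-GPO -Name $GpoName -Comment 'Points IE at a proxy that does not exist'
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# Per-user proxy settings: enabled, pointing at a documentation address (TEST-NET-1)
# where nothing listens. <local> bypasses the proxy for intranet names, so the DC,
# file servers and the NT4 domain over the VPN stay reachable.
$ieKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyEnable' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyServer' `
    -Type String -Value '192.0.2.1:8080' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyOverride' `
    -Type String -Value '<local>' | Out-Null

# Lock the Connections tab ("Prevent changing proxy settings") so the user
# cannot remove the bogus proxy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# Review what the GPO now carries.
Get-GPRegistryValue -Name $GpoName -Key $ieKey
```

This only governs applications that honour the Internet Explorer/WinINET proxy settings; anything that ignores them still reaches the default gateway, which is why the first reply also mentions firewall rules.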


DNS on 2K Domain

by jlbpotter In reply to DNS on 2K Domain

Poster rated this answer


DNS on 2K Domain

by Rabbit_Runner In reply to DNS on 2K Domain

Okay, fixing your main question will cause a different problem for you. Let me try to walk you through a complete answer. The answer in #1 is correct. All workstations on your network MUST use the Domain Controller with DNS as the Primary DNS server. Then on your Win2K server, set your DNS to forward any queries which it does not know to the DNS servers of ATT. These types of queries would be for internet access. Therefore, fixing your first problem will mean opening up internet access to all of your users. From your question, you do not want all users to access the internet.

Soooooo,

In your DHCP, create two SCOPES, one for normal network usage and the other will add internet usage. I will call these scopes NETWORK and INTERNET.

In your NETWORK scope, set it up so that you have adequate IP addresses for the users who are not allowed to access the internet. Then, in the Scope options, DO NOT give a gateway/router address. Without this address, the workstations will not be able to access the internet.

In your INTERNET scope, configure all the options to include your gateway/router, DNS server (the Win2K server), and your other network options. The key is to include the gateway/router IP address. From your question, I am assuming that you only have a handful of users you want to access the internet. So, create a reservation list for ONLY those users. You will get the MAC address of each computer, and set up the IP address for these systems to use. Also, this scope will only have active the number of users you want to have internet access. All other IP addresses (in this scope) will need to be excluded so that no computer can get the IP address and gain access to the internet.

I have been a bit lengthy, but I hope you will understand the process to accomplish what you desire. Best of luck.
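
The design above, as an added example (not from the thread), using the DhcpServer PowerShell module (Windows Server 2012 or later; Windows 2000 offered only the DHCP MMC and netsh). One Windows DHCP server cannot hold two scopes with the same subnet ID, so the NETWORK and INTERNET parts are built in one scope: the scope options carry no router, the upper address block is excluded from normal leasing, and each reservation in that block carries its own router option. The router address, pool boundaries, MACs and host names are constructed; 192.168.0.10 is the DC quoted in the thread.

```powershell
# Added example, not from the thread: Rabbit_Runner's "gateway only for a reservation
# list" design, single-scope variant. Assumed: 192.168.0.0/24, DC/DNS 192.168.0.10,
# router 192.168.0.1; the MACs and names below are constructed sample data.
Import-Module DhcpServer

$ScopeId = '192.168.0.0'
$Dns     = '192.168.0.10'
$Router  = '192.168.0.1'

# NETWORK part: option 6 (DNS) points at the DC so logon and AD lookups work;
# option 3 (router) is deliberately absent, so ordinary clients have no route off
# the subnet and therefore no Internet.
Add-DhcpServerv4Scope -Name 'NETWORK' -StartRange 192.168.0.100 -EndRange 192.168.0.219 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $Dns

# INTERNET part: keep .200-.219 out of the general pool. Reservations override an
# exclusion, so only the listed MACs can ever be handed one of these addresses.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId `
    -StartRange 192.168.0.200 -EndRange 192.168.0.219

$InternetPcs = @(
    @{ Name = 'PC-FINANCE01'; Mac = '00-11-22-33-44-55'; Ip = '192.168.0.200' },
    @{ Name = 'PC-MGMT02';    Mac = '00-11-22-33-44-66'; Ip = '192.168.0.201' }
)
foreach ($pc in $InternetPcs) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $pc.Ip -ClientId $pc.Mac `
        -Name $pc.Name -Description 'Internet-enabled'
    # Reservation-level option 3 overrides the scope: only these hosts get a gateway.
    Set-DhcpServerv4OptionValue -ReservedIP $pc.Ip -Router $Router
}

# Check: no router option at scope level, exactly one per reservation.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object { $_.OptionId -eq 3 }
Get-DhcpServerv4Reservation -ScopeId $ScopeId | ForEach-Object {
    Get-DhcpServerv4OptionValue -ReservedIP $_.IPAddress -OptionId 3
}
```

A client whose gateway is typed in by hand still gets out, and jlbpotter's follow-up (everyone needs the gateway for the VPN) removes this option for that network anyway, which leaves the proxy GPO or firewall rules from the earlier replies as the fitting control.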


DNS on 2K Domain

by jlbpotter In reply to DNS on 2K Domain

Bugs, this sounds very good but I have one other piece of info to add. I have a WAN and the folks on my W2K domain need to access an NT4 domain through a VPN connection, therefore I need the default gateway for all of them to be able to access my other domain. Thanks


DNS on 2K Domain

by Beldin32 In reply to DNS on 2K Domain

Set up all machines to use local DNS from the DHCP Server. In the local DNS, set up any non-local queries to be forwarded on to the Internet. Using Group Policy, limit the access to the Internet to specified users or groups. Thus to allow a user Internet access, it doesn't matter what machine, just add or subtract them to the allowed Internet groups. That way you don't have the DC problems but have complete control over who accesses the web.


DNS on 2K Domain

by jlbpotter In reply to DNS on 2K Domain

Poster rated this answer


DNS on 2K Domain

by shmaltz In reply to DNS on 2K Domain

First take out WINS. Second, configure all computers to use DNS, and your local ones. Next configure your DNS servers to resolve Internet addresses as well as local addresses.
For your problem with blocking Internet access follow this link (remove spaces):
http://www.techrepublic.com/forumqa/thread_detail.jhtml?thread_id=118329
If you need any help email me.


DNS on 2K Domain

by jlbpotter In reply to DNS on 2K Domain

Poster rated this answer


DNS on 2K Domain

by jlbpotter In reply to DNS on 2K Domain

I've been looking at the option of forwarding my DNS queries. My only problem is that when I go into DNS properties and go to the Forwarders tab it states that "Forwarders are not available because this is a root server". Am I doing this wrong? Thanks for all the help. As you can tell I am new to DNS and W2K server.
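
The forwarding setup the earlier replies recommend, together with the cause of the "root server" message just quoted, as an added example (not from the thread) using the DnsServer PowerShell module (Windows Server 2012 or later; on Windows 2000 the equivalent steps were taken with dnscmd or the DNS MMC). The message appears because the server hosts a zone named "." and so believes it is the Internet root: it answers every name itself and never forwards. 192.168.0.10 and 12.156.25.83 are the addresses quoted in the thread; the external check name is an assumption.

```powershell
# Added example, not from the thread: remove the "." zone that blocks the Forwarders
# tab, then forward non-authoritative (Internet) queries to the ISP resolvers.
# Run on the DC that hosts DNS (192.168.0.10 in the thread).
Import-Module DnsServer

$Forwarders = @('12.156.25.83')   # ISP resolver quoted in the thread

# A root zone makes this server authoritative for everything, so forwarding is
# disabled. Remove it and restart the service so root hints are loaded again.
$rootZone = Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue
if ($rootZone) {
    Remove-DnsServerZone -Name '.' -Force
    Restart-Service -Name DNS
}

# Forward what this server is not authoritative for; do not fall back to root
# hints, so every external lookup goes through the ISP resolvers only.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# Verify: the forwarder list is set, an internal name still answers from the local
# zone, and an external name is resolved through the forwarder.
Get-DnsServerForwarder
Resolve-DnsName -Name 'www.microsoft.com' -Server 192.168.0.10 -Type A
```

Once this is in place, DHCP should hand out 192.168.0.10 as the only DNS server, so clients find the DC for logon and password changes while Internet names resolve through the forwarder.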
