Windows

Point value changed by question poster.

Hi I think what you are trying to do is overkill
we setup alot of networks with w2ksbs2000 and just 2000 serveron the sbs network the server is the DC ISA DNS DHCP andExchange servers we set all clients to use the internal dns server with out any problems.If i misunderstood why you are trying to do this please get back

1. Your external DNS server is the Start of Authority (SOA or Root) for the "mydomain.com" zone and would normally have it's forwarders set to the .com server but there are times when you would instead point them to your ISP. Make sure you have the ports open on your external firewall to allow DNS traffic(if you have one). IN SHORT YOU ARE CORRECT

2. Generally no. There should be no reason that an external person needs to access something in your intranet and if they do it should be through a DMZ based resource such as WEB, VPN, MAIL, etc. on the DMZ resources you can specify the exact communication between it and the intranet. You generally block this on both the server and on the firewall by port and IP (socket) restrictions

3. First, why do you have two nics? Your Internal DNS should only be on the internal segment. It will cummunicate with the external DNS through the firewall. Second, your external DNS should have all the DMZ records. Let the Internal forward all requests to the external DMZ. This simplifies administration. Also, make sure you have no internal records on your external DMZ.

4. WOW. You should install the OWA module on your external DNS machine (in your case only) and have it communicate throught the firewall (open the required ports)to the internal exchange server. Never directly expose your mail server to the DMZ. As for ISA, I assume it is your firewall. If so You have really given yourself some heartache here. Two nics, one internal, one external, internall BIND two ips to it, external only one. On the internal NIC IP 1 should be for DNS and Mail. IP 2 should be for the inside port of the ISA. Specify that the second ip is the gateway on all the clients and servers. When you setup ISA you will have to make sure you specify this all correctly.

GOOD LUCK. You should really load ISA on a separate machine

1) Delete the "." entry in your forward lookup DNS zone. It makes the DNS server believe it is a root server itself. After you delete it, wait a little while or restart dns, you'll notice that forwarders are available and you're normal root servers are in effect. Then, you'll be able to use your DNS servers to resolve public domain names.

2) Yes, don't want external clients being able to resolve internal addresses.

3) Create a standard primary zone on the external server and have itperform zone transfers to a standard secondary zone on your internal server. That way, internal clients will be able to resolve external names without having to maintain the external namespace twice.

4) Won't give an answer cause I'm not familiar with ISA.

Hope this helps,

Bus

This question was closed by the author