AD question about "first DNS server on network"

 
 
DWalker

 
      09-13-2005, 08:16 PM
I'm installing Windows 2000 Server on a new box that's going to become
the AD server for a small network.

When you install DNS, you are asked "Is this the first DNS server on
this network?". Well, it's going to be the ONLY DNS server on THIS
network when I swap this one in, in place of the other one that I'm
going to swap out. So I said yes.

Since I answered the question honestly, there's a DNS zone called ".".

I assume now, that answering the question honestly was a mistake. KB
article 229840 says what to do if you can't set up forwarders. "A DNS
server behaves as a root server if there is a zone named "." on the
server. The "." zone indicates that the server is a top-level root
server. Because a root server is at the top of the DNS hierarchy, it
cannot be configured to forward and does not require root hints."

We need forwarding so local users can get to Web sites with this server
set as the DNS server.

I didn't tell DNS setup that this was going to be a TOP-LEVEL ROOT
SERVER, only that it was the *first* (only) DNS server on THIS network.
That's what the question asked, and that's the question I answered.
Apparently I now need to delete the "." zone according to the KB
article.

Is the question wrong? Should I have lied to the DNS setup program?

Thanks for any advice.

David Walker

 
Frankster

 
      09-13-2005, 08:45 PM
IMHO...

> Is the question wrong?


Yes.

> Should I have lied to the DNS setup program?


Yes.

Just delete the root LOL

-Frank
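
A way to confirm the condition the KB quote above describes (a server holding a "." zone answers as a root server), before and after the zone is deleted. This is an added example, not part of the original posts: the function names and the sample replies are constructed here, and it assumes the server sets the AA (authoritative answer) flag for zones it hosts.

```python
import secrets
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400
QUESTION = b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)  # QNAME "." is one zero byte


def build_root_soa_query(txid: int) -> bytes:
    """Non-recursive (RD=0) query for the SOA record of the "." zone."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + QUESTION


def classify_response(txid: int, response: bytes) -> str:
    """Return 'hosts-root-zone', 'no-root-zone' or 'malformed' for a reply to the query."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & FLAG_QR:
        return "malformed"
    rcode = flags & 0x000F
    # AA set on an answer for "." means the server itself holds the root zone.
    if rcode == 0 and flags & FLAG_AA and ancount >= 1:
        return "hosts-root-zone"
    return "no-root-zone"


def probe(server_ip: str, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a server you administer and classify the reply."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_root_soa_query(txid), (server_ip, 53))
        data, _addr = sock.recvfrom(512)
    return classify_response(txid, data)


# Constructed sample replies (not captured traffic), transaction id 0x1234.
_SOA_RDATA = (b"\x02dc\x00" + b"\x05admin\x00"  # mname "dc.", rname "admin."
              + struct.pack("!IIIII", 1, 900, 600, 86400, 3600))
_SOA_RR = b"\x00" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(_SOA_RDATA)) + _SOA_RDATA
SAMPLE_ROOT_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA, 1, 1, 0, 0) + QUESTION + _SOA_RR
SAMPLE_NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(classify_response(0x1234, SAMPLE_ROOT_REPLY))
    print(classify_response(0x1234, SAMPLE_NORMAL_REPLY))
```

A "hosts-root-zone" result from an internal server means it answers for "." itself, which is the state in which the KB quote says forwarders cannot be configured.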


 
DWalker

 
      09-13-2005, 09:59 PM
"Frankster" <(E-Mail Removed)> wrote in
news:67mdnT98t6QVp7reRVn-(E-Mail Removed):

> IMHO...
>
>> Is the question wrong?

>
> Yes.
>
>> Should I have lied to the DNS setup program?

>
> Yes.
>
> Just delete the root LOL
>
> -Frank
>


OK, I'll remember that! Thanks.

David

 
DWalker

 
      09-13-2005, 10:12 PM
"Frankster" <(E-Mail Removed)> wrote in
news:67mdnT98t6QVp7reRVn-(E-Mail Removed):

> From: "Phillip Windell" <@.>
> References: <(E-Mail Removed)>
> Subject: Re: Active Directory for small network?
> Date: Tue, 13 Sep 2005 16:34:07 -0500
>
> Just open a command prompt on the Server and run "DCPromo.exe"
>
> There is no SQL stuff, no DNS stuff, ...the utility does it all for
> you as long as you at least know what you want to call the domain. Use
> a name that won't appear on the internet,...like "mycompany.loc"
> instead of "mycompany.com". DCPromo will even install DNS if it is
> not already on the machine,...and then automatically configure it
> after it is installed. Just go with the Defaults on everything.
>


OK, I'll do that. One page of directions (at
http://www.serverwatch.com/tutorials...le.php/1474461) says:

"The first and most important step in installing Windows 2000 Active
Directory is properly planning your DNS implementation. AD cannot exist
without DNS, so this is well worth paying attention to. Unfortunately,
in their quest for simplicity, Microsoft decided that DNS would be
installed automatically as part of the Active Directory installation
process if you didn't explicitly configure it in advance. As such, my
suggestion is that you always configure DNS manually prior to even
considering Active Directory."

I was following that advice. Maybe it's wrong!

Your advice on picking out the domain name is an important step -- I
have seen MS advice that says something like "if you have a public
domain name, use that" but it doesn't go on to say "otherwise, blah blah
blah". I'm left thinking "and if I don't?".

You have to name both your domain and the forward lookup zone. Is that
an issue if I just use dcpromo?

Also, I think you have to be connected to the internet while running
dcpromo, is that right?

Thanks.

David
 
Phillip Windell

 
      09-14-2005, 02:24 PM
"DWalker" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> process if you didn't explicitly configure it in advance. As such, my
> suggestion is that you always configure DNS manually prior to even
> considering Active Directory."
>
> I was following that advice. Maybe it's wrong!


No. I always install DNS on the machine first,...but you don't *have
to*,...I was trying to keep it simple. I install DNS first but I leave it
*unconfigured* and let DCPromo configure it as it sees fit. Once the Domain
is up and running and everything works, then I might,..maybe,..go into DNS
Admin and do other things if I feel I need to.

> Your advice on picking out the domain name is an important step -- I
> have seen MS advice that says something like "if you have a public
> domain name, use that" but it doesn't go on to say "otherwise, blah blah
> blah". I'm left thinking "and if I don't?".


There are a lot of problems with using your Publicly Registered Domain Name
as also your Internal Active Directory Domain Name. They are Not the same
thing and do Not exist for the same reason. If you are an expert in
configuring special situations with DNS and can do it with your eyes closed
then I'm sure you could avoid the pitfalls of using the same name in both
places. You can also find articles all day long that contradict each other
and have one telling you to use different names and another telling you to use
the same name. But *I'm* telling you to make them different names because I
feel I am at least somewhat responsible to the grief people might have if
they follow my post,...and using different names as I suggested in my last
post is the simplest to deal with for the average Admin.

> You have to name both your domain and the forward lookup zone. Is that
> an issue if I just use dcpromo?


No. You can Promote the machine to a DC, create the Domain, install Active
Directory and never once go into the DNS Administrator and never once touch
a single Zone of any kind. DCPromo will setup what it needs in DNS and it
will run just fine.

> Also, I think you have to be connected to the internet while running
> dcpromo, is that right?


The Internet is irrelevant and has absolutely nothing to do with it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
DWalker

 
      09-18-2005, 03:24 AM
Thanks, please see below.

"Phillip Windell" <@.> wrote in
news:eR2j#(E-Mail Removed):

> "DWalker" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>
>> Your advice on picking out the domain name is an important step -- I
>> have seen MS advice that says something like "if you have a public
>> domain name, use that" but it doesn't go on to say "otherwise, blah
>> blah blah". I'm left thinking "and if I don't?".

>
> There are a lot of problems with using your Publicly Registered Domain
> Name as also your Internal Active Directory Domain Name. They are Not
> the same thing and do Not exist for the same reason. If you are an
> expert in configuring special situations with DNS and can do it with
> your eyes closed then I'm sure you could avoid the pitfalls of using
> the same name in both places. You can also find articles all day long
> that contradict each other and have one telling you to use different
> names and another telling you to use the same name. But *I'm* telling
> you to make them different names because I feel I am at least somewhat
> responsible to the grief people might have if they follow my
> post,...and using different names as I suggested in my last post is
> the simplest to deal with for the average Admin.
>


What I meant was, "and if I don't *have* a public domain name, what
should I do?". The advice says if you have a public name, use it, and
you're saying that if you have a public name, you don't have to use it,
and I'm saying there's a whole 'nother possibility -- there is no advice
for what to put if you don't have a public name, which I'm sure covers a
lot of small businesses. (Actually, we have a Web site, but it's hosted
elsewhere.) I'm thinking that "company.local" should be used here, but
I don't remember where I gleaned that: it certainly wasn't from the
Microsoft KB articles or technet articles that tell you step-by-step how
to set up AD. I can't believe that this common scenario of not *having*
a public name is not even mentioned in the how-tos.

>
>> Also, I think you have to be connected to the internet while running
>> dcpromo, is that right?

>
> The Internet is irrelevant and has absolutely nothing to do with it.
>


But you have to have the LAN connected to a hub or set up a loopback
adapter, or DCPromo won't do anything. That much I figured out.

Thanks for your help.

David


 
Bill Grant

 
      09-19-2005, 12:38 AM

DWalker wrote:
>
> But you have to have the LAN connected to a hub or set up a loopback
> adapter, or DCPromo won't do anything. That much I figured out.
>
> Thanks for your help.
>
> David


You are setting up a domain controller for your network. It is not
unreasonable to require that the machine be connected to a network. Apart
from anything else, it needs to check that a domain with the same name
doesn't already exist on your network.

If it is anything other than the first/only DC, a network connection
will be essential to find the existing forest/domain to join.


 
Phillip Windell

 
      09-19-2005, 07:12 PM

"DWalker" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What I meant was, "and if I don't *have* a public domain name, what
> should I do?".


If you don't have one, then make something up, it doesn't matter. Just don't
come up with something that might possibly be on the Internet,..that's why I
always suggest ".loc" on the end instead of ".com" since ".loc" is not a
valid Top-Level domain on the Internet.

> elsewhere.) I'm thinking that "company.local" should be used here, but
> I don't remember where I gleaned that: it certainly wasn't from the


The SBS Installation tries to "push" you into using "Local",..but the problem
is that non-Windows Operating systems (like Macs) will not accept a
Top-Level Domain of more than three characters. So you should follow the
industry established pattern of 2 or 3 characters.

> But you have to have the LAN connected to a hub or set up a loopback
> adapter, or DCPromo won't do anything. That much I figured out.


That may be true,..I never ran into a situation like that before.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
DWalker

 
      09-20-2005, 03:59 PM
"Phillip Windell" <@.> wrote in
news:e2r#(E-Mail Removed):

>
> The SBS Installation tries to "push" you into using "Local",..but the
> problem is that non-Windows Operating systems (like Macs) will not
> accept a Top-Level Domain of more than three characters. So you should
> follow the industry established pattern of 2 or 3 characters.


I have never seen the SBS installation, although I remember reading about
using ".local" somewhere. I didn't know that about Macs and the TLDs; are
Macs behind the times or is Windows being non-industry-standard, I wonder?
We have never had a Mac plugged in to our network, but we might someday.

Thanks for the info.

David

 
Phillip Windell

 
      09-20-2005, 05:50 PM
"DWalker" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> using ".local" somewhere. I didn't know that about Macs and the TLDs; are
> Macs behind the times or is Windows being non-industry-standard,


Windows Domains are just more "free" to do what they want in a pure Windows
AD environment. Windows is "standard" because it obviously does accept 2 or
3 letter TLDs, but it is more flexible and can accept longer names,...but I
just don't recommend doing it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com