> My main site, and all my remote sites have their own internet
> access. In DHCP for all sites and in the NIC configurations of all
> the servers I have my internal DNS server configured as the primary DNS server

I've never liked the idea of putting a vulnerable internal/intranet
server such as an AD box onto the Internet. People do it, but it has to
be done with extreme attention to firewall rules.

> and then I have the respective ISP's DNS servers as the alternate.

You have that backwards. The ISP DNS should be the primary for the
remote sites, and your AD/DNS as secondary. When the primary DNS
is down, resolvers will usually take many seconds to time out before
trying the secondary DNS, making all DNS work very slow; it can even appear
that DNS is completely down. Having all the sites use their ISP DNS
gives you great redundancy vs. having all the sites come to your single DNS.

> Here are my questions:
> What triggers a machine, either server or workstation, to give up
> trying to use the primary DNS server and hit the alternate? Did this
> behaviour change from win2k to XP?

When a DNS query to the primary times out, the resolver will try the
secondary DNS. But the applications making the queries may time out
quicker than the resolver.
The timing-out primary will be tried for every new DNS query. The
resolver doesn't remember that the primary is down and go to the
secondary first.

> On my win2k server, even though it could contact the primary DNS
> server, it couldn't get an answer so it went to the alternate.

Correct. No answer = timeout, so the resolver tries the secondary.

> My workstations just gave up.

Only apparently. Actually, they were taking a long time to time out
and appeared not to try the secondary. And the applications could
have been giving up before the resolver gave up.

> Is there a way to change this behaviour?
> I understand that I can set up local internal DNS servers at each
> site with a dynamic DNS zone for my internal domain and then forward
> to the ISP's DNS server for external, but I was really trying to avoid that.

The more infrastructure redundancy you have, the better. Setting it up
will be more work, but the maintenance is almost nil, and the
benefit would be that you would have avoided this problem.
Len
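The fallback behaviour Len describes (every query waits out the primary's timeout before the secondary is tried, because the resolver keeps no memory of the failed server) is easy to see in a small simulation. The code below is an added illustration, not part of the thread and not the Windows resolver's actual implementation: it models an ordered server list with per-query fallback, a virtual clock so no real waiting happens, and a hypothetical `remember_failures` option that skips a server which recently timed out, to show how much per-query latency the stateless behaviour costs. The IP addresses and the `FakeClock`/`make_transport` helpers are constructed for the example.

```python
import time
from typing import Callable, Dict, List, Tuple

# Transport signature (constructed for this example): send one query for
# `name` to `server`; return the answer text or raise TimeoutError.
Transport = Callable[[str, str], str]


class FallbackResolver:
    """Model of a stub resolver with an ordered list of DNS servers.

    remember_failures=0 reproduces the behaviour described in the thread:
    every query starts at the primary and waits out its timeout before the
    secondary is consulted. remember_failures>0 is a hypothetical tweak
    (not a real resolver setting) that skips a server which timed out
    within the last N seconds.
    """

    def __init__(self, servers: List[str], transport: Transport,
                 remember_failures: float = 0.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.servers = list(servers)
        self.transport = transport
        self.remember_failures = remember_failures
        self.clock = clock
        self._last_failure: Dict[str, float] = {}

    def _skip(self, server: str) -> bool:
        failed_at = self._last_failure.get(server)
        return (failed_at is not None
                and self.clock() - failed_at < self.remember_failures)

    def resolve(self, name: str) -> Tuple[str, str, List[str], float]:
        """Return (answer, answering_server, servers_tried, seconds_elapsed)."""
        start = self.clock()
        tried: List[str] = []
        for server in self.servers:
            if self._skip(server):
                continue
            tried.append(server)
            try:
                answer = self.transport(server, name)
            except TimeoutError:
                self._last_failure[server] = self.clock()
                continue
            return answer, server, tried, self.clock() - start
        raise TimeoutError(f"no server answered for {name}: tried {tried}")


class FakeClock:
    """Virtual clock so the simulation runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_transport(clock: FakeClock, dead: set, timeout: float) -> Transport:
    """Constructed transport: a 'dead' server burns `timeout` seconds, then times out."""
    def send(server: str, name: str) -> str:
        if server in dead:
            clock.advance(timeout)
            raise TimeoutError(server)
        clock.advance(0.01)  # a live server answers almost at once
        return f"{name} answered by {server}"
    return send


def simulate(remember_failures: float, queries: int = 3) -> List[Tuple[List[str], float]]:
    """Run `queries` lookups against a dead primary and a live secondary.

    Returns, per query, the list of servers tried and the seconds elapsed.
    """
    clock = FakeClock()
    primary, secondary = "10.0.0.1", "203.0.113.53"  # constructed addresses
    transport = make_transport(clock, dead={primary}, timeout=5.0)
    resolver = FallbackResolver([primary, secondary], transport,
                                remember_failures=remember_failures, clock=clock)
    results = []
    for i in range(queries):
        _, _, tried, elapsed = resolver.resolve(f"host{i}.example.com")
        results.append((tried, round(elapsed, 2)))
    return results


if __name__ == "__main__":
    print("no memory of failures:", simulate(0.0))
    print("remember failures 30s:", simulate(30.0))
```

With `remember_failures=0.0` every lookup pays the full 5-second primary timeout before the secondary answers, which is exactly why applications with shorter timeouts appear to see DNS as "down" even though the secondary is fine; with the hypothetical failure memory only the first lookup pays that cost. This is also the reason for Len's ordering advice: whichever server is listed first must be the one least likely to be unreachable from that site.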
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/