Good questions, all. Answers inline.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "TomK" <TKasmir@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, April 20, 2002 4:32 PM
Subject: [isalist] Jim Harrison's DNS FOR ISA SERVER questions

http://www.ISAserver.org

I'm reading Jim Harrison's DNS FOR ISA SERVER piece from the site's Learning Zone and I have two questions.

1. The Separate Internal & External DNS graphic depicts a client with DNS1=192.168.0.3 & DNS2=123.123.123.124. This makes "use of separate internal and external DNS resolvers". My question is - In a W2K environment could this prove troublesome if an internal AD lookup fails and is subsequently attempted on the outside? Not that the outside lookup could ever succeed, but that future queries might rely on the DNS2 address first?

-- That depends on the (non) response from the primary DNS server. If the pri DNS responds with "not found", then the DNS search stops. If the pri DNS completely fails to respond, then the client will go seeking answers elsewhere.
-- If you're truly concerned about AD-DNS lookup failures, you may want to consider a second AD/DNS server.

2. In the next graphic, INDEPENDENT INTERNAL DNS, what mechanism "forces" INT DNS01 to use ISA for external lookups? Is Forwarding at work here or is it the server's Gateway address or is it a Secure Nat Client? And along those lines once the ISA Server tries to resolve an external name is it Forwarding as well (because its Preferred DNS Servers are on the Internal network)?

-- That's an exercise for the student (seriously). The internal DNS can be either a secureNAT client or it can simply use ISA as the forwarder.
If you wish to use forwarding at the internal server, you have two options:
1. make it a secureNAT client and put the IP of an Internet-based DNS server in the "Use Forwarders" dialog
2. install DNS on the ISA and use the ISA internal IP as the DNS forwarder
If you want the internal DNS to make its own DNS lookups (called recursive), then you have to make it a secureNAT client
-- either way, you'll have to allow the proper protocols...

Thank you --
Tom Kasmir
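The resolver behaviour Jim describes in his first answer, as an added example that is not part of the original thread: a small Python simulation of a client walking its DNS1/DNS2 list, where a "not found" reply stops the search but a no-response timeout moves the client on to the next server, plus a check for whether an internal AD name ended up being sent to the external resolver. The two server addresses come from the graphic; the AD domain name, host records and the "server down" cases are constructed assumptions.

```python
# Constructed simulation (added example, not code from the list post) of a
# stub resolver walking its DNS1/DNS2 list: a definite "not found" (NXDOMAIN)
# ends the search, while a timeout makes the client try the next server.
from typing import Dict, FrozenSet, List, Optional, Tuple

INTERNAL_DNS = "192.168.0.3"       # DNS1 from the graphic (internal AD DNS)
EXTERNAL_DNS = "123.123.123.124"   # DNS2 from the graphic (Internet resolver)
INTERNAL_SUFFIX = ".corp.example"  # assumed AD domain name (constructed)

# Constructed zone data: what each server answers for a given name.
# Names a server does not know get "NXDOMAIN".
ZONES: Dict[str, Dict[str, str]] = {
    INTERNAL_DNS: {"dc01.corp.example": "192.168.0.10"},
    EXTERNAL_DNS: {},  # the Internet resolver knows nothing about corp.example
}


def query(server: str, name: str, server_up: bool) -> Optional[str]:
    """Ask one server; return an address, 'NXDOMAIN', or None on timeout."""
    if not server_up:
        return None  # no response at all
    return ZONES[server].get(name, "NXDOMAIN")


def resolve(name: str, servers: List[str],
            down: FrozenSet[str] = frozenset()) -> Tuple[Optional[str], List[str]]:
    """Walk the client's server list the way the post describes.

    Returns (answer or None, list of servers actually contacted)."""
    contacted: List[str] = []
    for srv in servers:
        contacted.append(srv)
        reply = query(srv, name, srv not in down)
        if reply is None:
            continue  # no response: the client goes seeking answers elsewhere
        if reply == "NXDOMAIN":
            return None, contacted  # definite "not found": the search stops here
        return reply, contacted
    return None, contacted


def leaked_internal_name(name: str, contacted: List[str]) -> bool:
    """True if an internal AD name was sent to the external resolver."""
    return name.endswith(INTERNAL_SUFFIX) and EXTERNAL_DNS in contacted
```

With the internal server answering, an unknown AD name stops at DNS1; only when DNS1 fails to respond does the same query reach DNS2, which is the case a second AD/DNS server is meant to cover.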