I believe that you are correct... the second DNS server will only be used if the first one does not respond. If the first one responds at all (even "No such domain...") then the stack takes that response as authoritative.

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

-----Original Message-----
From: Robert Coffman - Info From Data Corporation [mailto:bcoffman@xxxxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 1:11 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

I think two DNS servers is your best bet, although it is a case of security through obscurity.

I don't believe the suggestion to use a secondary DNS server will work. Correct me if I'm wrong, but if a lookup fails on the primary server, it won't then go to the secondary server to see if it works there. It only uses the secondary in the event that the primary server is unresponsive.

Re-reading this, I'm not certain that this is what was being suggested, so ignore this if I'm mistaken!

- Bob Coffman

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 12:51 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

The suggestion about two DNS servers is a good one - I think that might work.

The suggestion about setting the primary DNS to internal and the secondary to external is not recommended by Microsoft. I don't have the documentation to prove it handy, but I have seen it and have been told the same thing by their support services. Microsoft wants all machines to look at an internal DNS server which forwards out (or uses root hints).

Thanks for all the suggestions.

-----Original Message-----
From: SEspeseth@xxxxxxxx [mailto:SEspeseth@xxxxxxxx]
Sent: Thursday, August 21, 2003 1:25 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

The other possibility, as someone already said, was to add the ISP/external DNS as a secondary DNS only to people that need internet access. Set your other users to the internal DNS, and turn off forwarding for the internal DNS server.

Or put the users on different subnets. Get creative with the subnet masking. Example:

inet router ip=10.0.0.1/25
users with inet access have ip 10.0.0.1-127/24
users without inet access have ip 10.0.0.129-254/24

The users' computers all will talk because they are on the same subnet, but the router will not respond nicely to the users in the 10.0.0.128+ group because it thinks they are not local.

********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you know, in most cases, CPU Utilization IS NOT the single biggest constraint to scaling up?! Get this free white paper to understand the real constraints & how to overcome them. SAVE MONEY by scaling-up rather than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=148
**********************************************************
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
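
The subnet-mask arrangement described in the last message of the thread, worked through with Python's `ipaddress` module to show which addresses the router's /25 treats as on-link. This is an added example, not part of the original thread; the addresses and masks come from the message, while the function names and status labels are assumptions of the example.

```python
import ipaddress

# Addresses and masks are the ones given in the message;
# function names and status labels are this example's own.
ROUTER_IF = ipaddress.ip_interface("10.0.0.1/25")  # router interface, narrower mask
CLIENT_PREFIX = 24                                  # mask configured on every workstation


def classify(client_ip: str) -> dict:
    """Report how a client and the router see each other at layer 3."""
    client = ipaddress.ip_interface(f"{client_ip}/{CLIENT_PREFIX}")
    router_net = ROUTER_IF.network
    if client.ip == ROUTER_IF.ip:
        status = "unusable: duplicates the router address"
    elif client.ip == router_net.broadcast_address:
        # An ordinary host under the client's /24, but the broadcast
        # address of 10.0.0.0/25 from the router's point of view.
        status = "unusable: broadcast address of the router's /25"
    elif client.ip in router_net:
        status = "on-link for router"
    else:
        status = "off-link for router"
    return {
        "ip": client_ip,
        "client_sees_router_local": ROUTER_IF.ip in client.network,
        "router_sees_client_local": client.ip in router_net,
        "status": status,
    }


def audit(first: int, last: int) -> dict:
    """Group the addresses 10.0.0.first..10.0.0.last by classify() status."""
    groups: dict = {}
    for host in range(first, last + 1):
        info = classify(f"10.0.0.{host}")
        groups.setdefault(info["status"], []).append(info["ip"])
    return groups


if __name__ == "__main__":
    ranges = {"with inet access": (1, 127), "without inet access": (129, 254)}
    for label, (lo, hi) in ranges.items():
        print(label)
        for status, ips in audit(lo, hi).items():
            print(f"  {status}: {len(ips)} addresses ({ips[0]} .. {ips[-1]})")
```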