Configuring DNS Servers for ISA Server 2004


7/29/2019 Configuring DNS Servers for ISA Server 2004


Configuring DNS Servers for ISA Server 2004

Published: January 3, 2005


    ISA Server and DNS

One of the most common issues facing administrators who deploy ISA Server is how to configure the ISA Server computer to resolve Domain Name System (DNS) requests. If DNS is configured incorrectly, the ISA Server computer fails to resolve either internal names or external names. Name resolution problems can be intermittent and difficult to track down, and they range from email not being transmitted to users being unable to access the Internet through the Web proxy.

Note: The DNS setting referred to in this document is under the advanced properties for TCP/IP for each individual network interface on the ISA Server computer.

This document describes various ISA Server scenarios, details how to set up ISA Server for DNS for each scenario, and explains why each configuration is needed. It covers the simplest configuration, a single-homed ISA Server computer in a non-domain scenario, and also describes a complex scenario, that of a multi-homed ISA Server computer that is a domain member.

There are two rules to remember when setting up DNS on ISA Server. These rules apply to any Windows-based DNS configuration:

No matter how many network adapters you have, only assign DNS servers to a single adapter (it doesn't matter which one). There is no need to set up DNS on all network adapters.

Always point DNS to either internal servers or external servers, never to both.
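As an added example (not part of the TechNet article), the following Python script checks a host's per-adapter DNS client settings against these two rules. It parses constructed `ipconfig /all`-style output; the sample text and the INTERNAL_NETS ranges are assumptions standing in for a real site's addressing.

```python
import ipaddress
import re

# Constructed sample (not from the article): a multi-homed ISA Server with DNS
# set on both adapters, the external one mixing an internal and an ISP server.
SAMPLE_IPCONFIG = """
Ethernet adapter Internal:
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
Ethernet adapter External:
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       198.51.100.53
"""
# Assumed internal addressing (RFC 1918); replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dns_servers(text):
    """Map adapter name -> list of DNS servers from ipconfig /all style text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        head = re.match(r"^\S.*adapter (.+):\s*$", line)
        if head:
            current, in_dns = head.group(1), False
            adapters[current] = []
        elif current is not None:
            field = re.match(r"^\s+(\S.*?)[\s.]*:\s*(\S*)\s*$", line)
            if field:  # "Key . . : value" line; note whether it is the DNS list
                in_dns = field.group(1) == "DNS Servers"
                if in_dns and field.group(2):
                    adapters[current].append(field.group(2))
            elif in_dns and line.strip():  # indented continuation of the list
                adapters[current].append(line.strip())
    return adapters

def classify(server):
    ip = ipaddress.ip_address(server)
    return "internal" if any(ip in n for n in INTERNAL_NETS) else "external"

def audit(adapters):
    """Return rule violations; an empty list means the configuration is clean."""
    findings = []
    with_dns = {n: s for n, s in adapters.items() if s}
    if len(with_dns) > 1:  # rule 1: DNS servers on exactly one adapter
        findings.append("rule 1: DNS set on adapters " + ", ".join(sorted(with_dns)))
    for name, servers in with_dns.items():  # rule 2: never internal and external together
        if len({classify(s) for s in servers}) > 1:
            findings.append("rule 2: %s mixes internal/external: %s" % (name, ", ".join(servers)))
    return findings
```

Run `audit(parse_dns_servers(SAMPLE_IPCONFIG))` to see both rules flagged for the sample; feed it the saved output of `ipconfig /all` from the ISA Server computer to check a real host.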


    Multi-homed ISA Server computers

Multi-homed ISA Server computers have DNS settings for both external and internal network adapters. Depending on the situation, ISA Server will fail if these are not configured correctly.

    There are several ways to correctly configure DNS depending on the requirement of the internal network.

    Non-Domain ISA Server computers

ISA Server computers that are not domain members should be set up just like a single-homed computer. If you have an internal DNS zone that you need to resolve, point DNS to the internal DNS server. The internal DNS server then forwards name resolution requests to your ISP's DNS servers or uses root hints to resolve external names.

    Domain Member ISA Server computer with full internal resolution

This is the most common setup. Multi-homed ISA Server computers that are members of the domain must point a single network adapter only to internal DNS servers, because the computer has to participate in the domain. The internal DNS servers need to forward to an ISP or use the root servers. This allows internal clients to resolve both internal names and Internet names.


Page 1 of 4 Configuring DNS Servers for ISA Server 2004

22. 1. 2007 http://www.microsoft.com/technet/isa/2004/plan/configuring_dns.mspx?pf=true


    Isolating Internal DNS Servers

Another common scenario is where the internal DNS servers do not forward to the Internet at all. This prevents both the internal DNS servers and the clients that use them from resolving names on the Internet. The ISA Server computer should not point to the internal DNS servers for name resolution, but it still has to resolve both internal and external DNS names. Set up another DNS server on the ISA Server computer itself, or designate a DNS server internally that is dedicated to resolving both internal and external DNS names. On this new DNS server, host a secondary zone for your internal DNS namespace and then configure the DNS server to forward to the root servers or the ISP's DNS servers for name resolution.

This solution effectively isolates the intranet namespace and eliminates cache pollution / poisoning issues on the internal DNS servers.

    Figure 1 : Full DNS resolution configuration



    Single network adapter scenarios

In this section, ISA Server is set up with one network adapter and can function only as a proxy server (the firewall service cannot run with only one network adapter).

    Non-domain member / No internal DNS exists

A stand-alone ISA Server computer that is not a member of a domain, where no internal DNS server exists, should point to the ISP for DNS.

    Non-domain member / internal DNS exists

A stand-alone ISA Server computer that is not a member of a domain, where an internal DNS server exists, should point to the internal DNS server to resolve internal names, and should NOT point to the external ISP as a secondary server. The internal DNS server should use forwarders to point to the external ISP's DNS servers or should use the root servers (employing root hints) so that the ISA Server computer can resolve external names. If the ISA Server computer does not need to resolve internal DNS names at all, it can safely point to the ISP's DNS servers.

Figure 2: Multi-homed ISA with Internal DNS server Isolation

Domain member / NT 4.0


An ISA Server computer that is a member of a Windows NT 4.0 domain can safely point to an ISP for DNS, because NT 4.0 does not use DNS for name resolution (it uses WINS). If you have an internal DNS server and you need to resolve internal names as well as external names, the ISA Server computer should point to the internal DNS server, as long as the internal DNS server forwards to an external ISP or the root servers.


Common Questions

Q: Why can't I point to the Windows 2000 DNS first, and then to the ISP DNS?

A: A common misconception is that you achieve fault tolerance by pointing to the Windows 2000 domain DNS server first, and then to the ISP's DNS server. The problem is that if the first DNS server fails, ISA Server switches to the second DNS server and never goes back to the original DNS server unless the second DNS server fails. DNS will work until you bring down the internal DNS server for maintenance; then, a few hours later, no one can access the Internet because you can't validate users against the domain. Restarting the ISA Server computer will solve this problem.

Q: Why not point the external ISA NIC to the ISP for DNS?

A: The problem here is that ISA Server doesn't know what is internal or external when trying to resolve names. This means ISA Server can end up trying to resolve internal names through the external ISP. Once it receives a "name not found" response, the ISA Server computer won't look for the internal name again and you will fail to participate in the domain.
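As an added example (not from the article), this Python model reproduces the server-list behaviour the two answers above describe: a sticky failover that never returns to the preferred server, and a negative answer that is accepted as final. The server names, zones and addresses are constructed, and the model is a simplification, not the Windows resolver's actual code.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnsServer:
    name: str
    records: dict                            # names this server answers itself
    forwarder: Optional["DnsServer"] = None  # ISP/root path for all other names
    up: bool = True

    def query(self, fqdn):
        """None = timed out, 'NXDOMAIN' = definitive negative, else the address."""
        if not self.up:
            return None
        if fqdn in self.records:
            return self.records[fqdn]
        return self.forwarder.query(fqdn) if self.forwarder else "NXDOMAIN"

class StickyResolver:
    """Client that uses its preferred server until it times out, then moves to
    the next server and stays there, as the first answer above describes."""
    def __init__(self, servers):
        self.servers, self.current = servers, 0

    def resolve(self, fqdn):
        for _ in self.servers:
            answer = self.servers[self.current].query(fqdn)
            if answer is not None:  # a negative answer is final; no other server is asked
                return answer
            self.current = (self.current + 1) % len(self.servers)
        return None

def run_scenario():
    # Constructed environment: an internal DNS server (authoritative for the
    # domain, forwarding to the ISP) and an ISA Server listing internal then ISP.
    isp = DnsServer("isp", {"www.example.net": "203.0.113.80"})
    internal = DnsServer("internal", {"dc1.corp.example": "10.0.0.10"}, forwarder=isp)
    isa = StickyResolver([internal, isp])
    result = {"before outage": isa.resolve("dc1.corp.example")}
    internal.up = False                       # internal DNS down for maintenance
    result["during outage"] = isa.resolve("www.example.net")
    internal.up = True                        # back up, but ISA is still pinned to the ISP
    result["after recovery"] = isa.resolve("dc1.corp.example")
    result["after restart"] = StickyResolver([internal, isp]).resolve("dc1.corp.example")
    # Second answer: an adapter pointed only at the ISP never finds internal names.
    result["isp only"] = StickyResolver([isp]).resolve("dc1.corp.example")
    return result
```

`run_scenario()` shows the domain controller name resolving before the outage, failing with NXDOMAIN after the internal server is back, and resolving again only with a fresh resolver, which is the restart the first answer prescribes.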

© 2007 Microsoft Corporation. All rights reserved.