Public DNS and Private DNS

    Question

  • All,

    I have two DCs,

    DC1: IP: 192.168.1.10, subnet mask: 255.255.255.0, GW: 192.168.1.2, Pref DNS: 127.0.0.1, Alternate DNS: 192.168.1.20

    DC2: IP: 192.168.1.20, subnet mask: 255.255.255.0, GW: 192.168.1.2, Pref DNS: 192.168.1.10, Alternate DNS: 192.168.1.20

    I use a Mikrotik Router with 8 Eth ports.

    I configured one of the ports as follows: IP: 192.168.1.2, DNS1: 192.168.1.10, DNS2: 192.168.1.20. Then I configured the router as a DHCP server to lease 192.168.1.0/255, reserving 0-50 for my static IPs. I connected a cable to the port and linked it to my Cisco switch, where all my servers and PCs are connected.

    Now I want to be able to distribute Internet service to my private IPs. I was given a modem with IP: 10.217.49.98, GW: 255.255.255.0, DNS1: 8.8.8.8, DNS2: 8.8.8.4, which I am to plug into one of the Eth ports.

    How do I ensure that my servers and PCs get Internet service? I am having trouble integrating the ISP into my already configured network.


    o.k

    Sunday, January 20, 2013 7:55 AM

Answers

  • I agree with Bill. And I must stress that you should disable DHCP on the Mikrotik and use Windows DHCP, because Windows DHCP works hand in hand with Microsoft DNS and supports secure Dynamic Updates using Kerberos, which the firewall doesn't support, as well as other options Windows DHCP supports that it doesn't.

    And depending on the ISP's modem, you can configure it to arp traffic from the modem to your Mikrotik so the Mikrotik controls all access. For example, to do that on a Comcast modem, if you are in the US (I don't know how other countries' ISPs work), you simply disable DHCP on it, configure the Mikrotik with the static WAN IP Comcast gave you, and you're done. For a Verizon modem, you have to change it to Bridged mode (I forget the exact setting). Contact your ISP for specifics.

    I also suggest changing the internal IP range from the default retail-box router range, 192.168.1.0/4, to something else such as 192.168.55.0/24. The reason is that if you ever offer VPN access and someone connects from home with the same IP range, they won't be able to access resources due to the duplicate range.

    Here's a good diagram you can use as a guideline of what you want to achieve.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, January 21, 2013 4:31 AM
  • Hi olawale,


    Besides the above excellent suggestions, I would like to mention that, as a best practice, it is recommended to point to another DNS server as primary and include the loopback address.


    Related reference:

    DNS client and server best practices for AD

    DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Wednesday, January 23, 2013 7:01 AM
  • Forget about trying to modify the router. Do it in the DNS server(s) on your DC(s).

    Your clients need to use the local DNS servers ONLY so that AD works properly. Do not add any other DNS addresses to the clients.

    In the local DNS, set it to forward to a public DNS service (like 4.4.4.2 or 8.8.8.8). The local DNS will then be able to resolve foreign URLs for itself and for its clients.

    If you want to use the router for DHCP, you will need to modify it to hand out its own IP for the gateway address but the DC(s) address(es) for DNS. If you cannot get this to work, turn off the DHCP function of the router and run DHCP on one of your servers.


    Bill

    Monday, January 21, 2013 1:26 AM
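    One way to apply Bill's recommendations (forwarders on the DC's DNS server, Windows DHCP handing out the router as gateway and only the DCs as DNS) together with Jeremy's loopback-not-first rule, and to audit the result. This is an added PowerShell example, not from any poster in the thread; it assumes Windows Server 2012 or later on the DCs (DnsClient, DnsServer and DhcpServer modules), the addresses given in the question, a hypothetical AD domain `corp.example.com` and an adapter named `Ethernet`.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 or later on
# the DCs (DnsClient, DnsServer and DhcpServer modules), the addresses from the
# question, a hypothetical AD domain 'corp.example.com' and an adapter named
# 'Ethernet' (check Get-NetAdapter). Run on each DC as an administrator.
$Domain     = 'corp.example.com'             # hypothetical AD DNS domain
$DcDns      = '192.168.1.10', '192.168.1.20' # the only resolvers clients may use
$Gateway    = '192.168.1.2'                  # the Mikrotik LAN port
$Forwarders = '8.8.8.8', '8.8.4.4'           # public resolvers, used by the DCs only
$Nic        = 'Ethernet'                     # assumption

# Audit a DC's own DNS client list against the thread's advice:
# partner DC first, loopback present but not first, nothing else.
function Test-DcDnsClient {
    param([string[]]$Servers, [string[]]$DcList)
    $issues = @()
    if ($Servers.Count -eq 0)              { return ,'no DNS servers configured' }
    if ($Servers[0] -eq '127.0.0.1')       { $issues += 'loopback is the first entry' }
    if ($Servers -notcontains '127.0.0.1') { $issues += 'loopback address missing' }
    $foreign = $Servers | Where-Object { $_ -ne '127.0.0.1' -and $DcList -notcontains $_ }
    if ($foreign) { $issues += "non-DC resolver(s) configured: $($foreign -join ', ')" }
    return $issues
}

# 1) DC DNS client: the other DC first, then loopback (never loopback first).
$me    = @((Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4).IPAddress)
$peers = @($DcDns | Where-Object { $me -notcontains $_ })
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses ($peers + '127.0.0.1')

# 2) DC DNS server: resolve Internet names through forwarders, so clients
#    never need a public resolver in their own settings.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# 3) Windows DHCP (router DHCP disabled): gateway is the Mikrotik, DNS is the
#    DCs only. Run on the DC that holds the DHCP role; 192.168.1.0 is the scope
#    from the question.
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -Router $Gateway `
    -DnsServer $DcDns -DnsDomain $Domain

# 4) Report what the DC now resolves with.
$current = (Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4).ServerAddresses
$found   = Test-DcDnsClient -Servers $current -DcList $DcDns
if ($found) { $found | ForEach-Object { Write-Warning $_ } } else { 'DNS client settings OK' }
```

    Step 3 will fail unless the DHCP role is installed on the DC where it runs; run steps 1, 2 and 4 on every DC and step 3 only on the DHCP server.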
  • I'm not sure what you mean by "... distribute Internet Service."

    DHCP just gives out IP addresses and other settings, whether using a router's DHCP or Windows, but Windows DHCP has more options and works with Secured DNS updates, whether computers are joined to a domain or not.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, January 27, 2013 4:14 PM
  • Hi olawale,


    As Ace mentioned, we can use Microsoft DHCP options to distribute settings such as the default gateway, DNS servers, DNS domain name, and WINS servers.


    More information:

    DHCP Tools and Options


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Monday, January 28, 2013 2:41 AM

All replies

  • Hi Ace,

    I could have turned off the Mikrotik router's DHCP but my challenge is that not all my client PCs will be joined to the domain. So I need to distribute Internet Service to them while using just one Router.


    o.k

    Sunday, January 27, 2013 1:31 PM