Windows Server 2008 Thread: DNS (Technical forum)
23rd February 2010, 02:59 PM #1
Hi everyone. Just want to check something which is on our server, but to be honest I am not fully sure if it should even be there. On my DNS server under Forward Lookup Zones I have two zones: one is my domain and the other is _msdcs.domain.com. I am not even sure where the _msdcs one came from. Can anyone tell me whether it should even be there, or whether it should just be my domain under the forward lookup zone?
I have attached a print screen of what I have; hopefully someone can tell me if I even need this.
Last edited by Aaron; 23rd February 2010 at 06:54 PM.
23rd February 2010, 03:18 PM #2
It's put there by Active Directory and it's needed for machines to log on, find domain controllers, global catalogs etc.
It's also why you must never, ever give out your external (ISP) DNS to a workstation: if the workstation uses that rather than the internal DNS it won't be able to find the servers and all sorts of things go wrong :-)
Thanks to srochford from:
Aaron (23rd February 2010)
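As an added example (not code from the thread), here is a quick PowerShell check of what the reply above describes: the DC locator SRV records that Active Directory registers under _msdcs.<domain>, queried against the internal DNS server, followed by the same lookup the logon process performs, and a report of which DNS servers each workstation adapter is actually using. The domain name school.com and the server address 10.0.0.1 are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Assumptions: the AD domain is
# school.com and the internal DNS server is 10.0.0.1; change both to suit.
$domain      = 'school.com'
$internalDns = '10.0.0.1'

# The locator records domain members use to find DCs, KDCs, GCs and the PDC.
# These live in the _msdcs zone the original poster asked about.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # any domain controller
    "_kerberos._tcp.dc._msdcs.$domain",  # Kerberos KDCs
    "_ldap._tcp.gc._msdcs.$domain",      # global catalog servers
    "_ldap._tcp.pdc._msdcs.$domain"      # PDC emulator
)

foreach ($name in $srvNames) {
    # Ask the internal server directly so a bad client resolver setting cannot mask a missing record.
    $answer = nslookup -type=SRV $name $internalDns 2>&1
    if ($answer -match 'svr hostname') {
        Write-Host "OK   $name"
        $answer | Where-Object { $_ -match 'svr hostname' } | ForEach-Object { Write-Host "     $_" }
    } else {
        Write-Host "FAIL $name (no SRV answer from $internalDns)"
    }
}

# End-to-end: nltest locates a DC the same way logon does, using the records above.
nltest /dsgetdc:$domain

# Which DNS servers this workstation really uses (what ipconfig /all shows, but filterable).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $servers  = @($_.DNSServerSearchOrder)
    $external = $servers | Where-Object { $_ -ne $internalDns }
    $note = if ($external) { "  <-- non-internal DNS present: $($external -join ', ')" } else { '' }
    "{0}: DNS = {1}{2}" -f $_.Description, ($servers -join ', '), $note
}
```

Run it on a domain member; a FAIL on the dc or kerberos names, or a line flagged with a non-internal DNS server, is the condition the reply warns about (clients that cannot find the domain controllers). The script only reads; it changes nothing.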
23rd February 2010, 03:20 PM #3
Do you realise how wrong it is to use a valid second-level domain that you don't own as an internal name?
23rd February 2010, 03:25 PM #4
Just what I was thinking!
(Replying to powdarrmonkey's post #3.)
Quite surprised it hasn't caused any issues, even massive logon times, as everything will surely be trying to qualify over the net?
23rd February 2010, 03:29 PM #5
No, you're thinking of the problem backwards. Any resolution of school.com inside will only ever return local records, not the ones published by the legitimate registrant of the domain.
(Replying to SC-UK's post #4.)
It reminds me of the problem faced by an organisation I shall not name, who just picked a range of public IPs for their internal scope instead of requesting a proper range from IANA or using a private range. Then they leased a handful of dedicated servers in a datacentre, and by complete chance they were allocated the same range as they had picked for internal machines. Result: they had to totally redesign their internal range because they couldn't route to their shiny new (and very expensive) dedicated rack.
Last edited by powdarrmonkey; 23rd February 2010 at 03:40 PM.
23rd February 2010, 05:19 PM #6
I don't understand, guys. Explain it to me again: have I got this all wrong? Our logon times are very quick, down to around less than 10 seconds with local profiles, and the only issue would be startup times.
But have I done something wrong in setting the DNS up the way I have it?
23rd February 2010, 05:20 PM #7
All the workstations at the moment, from what I can see, are getting their DNS settings from the main DNS server, which is fine. I logged onto a group of workstations and ran ipconfig /all to make sure they were getting DNS off the main server and also DHCP off the server, and everything has come back correct.
23rd February 2010, 05:25 PM #8
I didn't think there was an issue with the domain name, as this was the name originally set up with the old servers years ago. I have just taken the settings from them (these go back YEARS) and added them to our settings, like the domain name and DNS server addresses. I didn't think there was an issue using this, as this is how it was set up for us originally.
23rd February 2010, 07:39 PM #9
Forget the slow logon times; it was a red herring. The problem is that your DNS domain is school.com which, unless your name is "Office Depot, Inc.", is not registered to you on the global Internet, nor do you control it. Within your network, that's only really a problem if you want to visit School Supplies: Teachers & Classroom Supplies at Office Depot (or any other related address), since it'll resolve (or not) to an internal address, which will probably tell you to go away.
However, it's a significant vulnerability because according to the rest of the world, you don't control it. One example: imagine a laptop taken outside and connected to the internet at home:
1. Internet Exploder tries to do automatic proxy detection and requests wpad.school.com (WPAD)
2. a rogue administrator at Office Depot, Inc notices your DNS requests and decides to make it resolve to a server, so your browser requests /wpad.dat from it
3. rogue configures the browser with /wpad.dat to use his proxy server, and IE happily fetches it and acts on the contents
4. now all your traffic belongs to him, including passwords, credit card details, etc. The user doesn't notice because, let's face it, they don't
Seems innocuous enough until you look at it like that.
Thanks to powdarrmonkey from:
Aaron (24th February 2010)
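As an added example (my code, not part of the post above), here is a PowerShell check that makes the WPAD scenario concrete on a laptop taken off the LAN: it lists the DNS suffixes the machine will append to the bare name "wpad", resolves each wpad.<suffix> candidate, flags any answer that is not an RFC 1918 address (i.e. someone on the public Internet is answering for your internal name), and reports whether automatic proxy detection is switched on for the current user. It assumes the adapters' DNS suffix settings are the ones a domain member gets from DHCP/AD, and uses only the registry value AutoDetect under the Internet Settings key; nothing is changed unless you uncomment the last line.

```powershell
# Added example, not from the original post. Run on the laptop while it is
# connected to a home/public network, i.e. without the internal DNS server.

function Test-PrivateIPv4 {
    # Simple RFC 1918 prefix check; anything else is treated as public.
    param([string]$Ip)
    return ($Ip -match '^10\.') -or
           ($Ip -match '^192\.168\.') -or
           ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

# Every DNS suffix this machine will try when qualifying the name "wpad".
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$suffixes = @($cfg | ForEach-Object { $_.DNSDomain; $_.DNSDomainSuffixSearchOrder }) |
            Where-Object { $_ } | Select-Object -Unique

foreach ($suffix in $suffixes) {
    $name = "wpad.$suffix"
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Host "$name : no answer (what you want to see off the LAN)"
        continue
    }
    foreach ($a in $addrs) {
        if (Test-PrivateIPv4 $a) {
            Write-Host "$name -> $a (private address)"
        } else {
            Write-Host "$name -> $a  <-- PUBLIC address: someone else answers for your internal name"
        }
    }
}

# Is 'Automatically detect settings' on for this user? 1 = on.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$auto = (Get-ItemProperty -Path $key -Name AutoDetect -ErrorAction SilentlyContinue).AutoDetect
Write-Host "AutoDetect = $auto"

# To turn it off for this user (do it by Group Policy for the whole estate instead):
# Set-ItemProperty -Path $key -Name AutoDetect -Value 0 -Type DWord
```

A public address coming back for wpad.school.com is exactly step 2 of the chain in the post: the browser will fetch /wpad.dat from it and follow whatever proxy it names. The real fix is the one the thread arrives at, a domain name you actually own, but turning AutoDetect off and pushing proxy settings explicitly closes this particular door in the meantime. Inside the network, a Windows Server 2008 DNS server ships with wpad and isatap on its global query block list (dnscmd /info /globalqueryblocklist shows it), which is why the post's scenario is about the laptop off the LAN, where the public DNS for the domain answers instead.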
4th March 2010, 08:11 PM #10
I am going to take your advice and change the domain over the summer. Thank you for getting back to me about this.