Managing DNS Service in Windows 2000 Server
As discussed, the DNS service in Microsoft Windows 2000 Server is poorly implemented: out of the box it does not resolve external (Internet) names properly, and it does not correct itself.
This note is intended to help the IT department address the issue in a structured way. In short, end users' inability to reach certain web sites comes down to two causes: missing or incorrect proxy settings in their web browser, and the limitations of the Windows 2000 DNS service described below.
First, why do you only have one domain controller? There is no reason not to have a second DC. Server hardware is cheap these days, and being able to authenticate users while the first DC reboots during scheduled patch maintenance is a valuable benefit. Having two DCs also removes the need for the fixes below, provided both DCs are configured correctly.
The biggest issue for Active Directory with a lone DC is that dynamic registration of the DC's DNS records fails at every boot. DCs rely on the Netlogon service to register their locator (SRV) and host records in DNS: when Netlogon starts, the DC attempts a dynamic DNS update against the DNS server it is configured to use. Unfortunately, Netlogon starts before the DNS Server service does, so on a lone DC that points at itself for DNS the update has no server to talk to. Trying to fix this by editing service dependencies in the Services applet will only cause more problems.
Work around this limitation by configuring Group Policy to run a startup script on the domain controller. The script waits a minute after boot and then restarts the Netlogon service so that the DC registers itself properly in DNS; adjust the delay by editing the script. The script only helps if the domain controller's NIC properties list the DC itself as its only DNS server. Resolution of outside hosts is handled by the forwarders configured in the DNS Server service properties, not by listing an outside DNS server on the NIC.
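The startup script described above, written out as an added example (this is not the page's original script): a plain cmd batch file, because Windows 2000 ships neither PowerShell nor a sleep command, so the delay is produced with ping probes to loopback. The log file name, the 60-second delay and the check that the DNS Server service is running before Netlogon is restarted are this example's assumptions; it also assumes the DC's NIC points only at itself for DNS and that the Active Directory zone permits dynamic updates, since Netlogon cannot register records into a zone that refuses them.

```batch
@echo off
rem netlogon-reregister.cmd -- added example, not the page's original script.
rem Deploy as a computer startup script via Group Policy on the lone
rem Windows 2000 domain controller. Assumes the DC's NIC lists only itself
rem as DNS server and the AD zone allows dynamic updates (assumption).

set LOGFILE=%SystemRoot%\netlogon-reregister.log

rem Windows 2000 has no sleep command. ping sends one probe per second, so
rem N+1 probes to loopback delay roughly N seconds. Edit DELAY to tune it.
set DELAY=60
set /a PROBES=%DELAY%+1
ping -n %PROBES% 127.0.0.1 >nul

rem Re-registering is pointless if the DNS Server service is still down, so
rem check the running-service list and start it if needed.
net start | find /i "DNS Server" >nul
if errorlevel 1 (
    echo %date% %time% DNS Server service not running, starting it >> %LOGFILE%
    net start dns
)

rem Restart Netlogon so the DC re-registers its SRV and host records in DNS.
net stop netlogon
net start netlogon
echo %date% %time% Netlogon restarted for DNS re-registration >> %LOGFILE%
```

To confirm the registration took, run `nslookup -type=SRV _ldap._tcp.dc._msdcs.<your AD domain>` against the DC after it has been up for a couple of minutes: it should return the DC's own name. If it does not, look in the System event log for Netlogon event 5774, which is logged when dynamic registration of a DNS record fails, and check that the zone's dynamic-update setting allows updates. Note that stopping Netlogon briefly interrupts authentication through this DC, which is acceptable at boot on a lone DC but is one more reason to run a second one.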
All clients that join the domain must likewise use the domain controller as their only DNS server, so that dynamic name registration and Active Directory lookups work properly. Never assign a domain client outside DNS servers: if the domain controller becomes unavailable, the client falls back to a server that knows nothing about the domain, and that only causes further problems.
Updated by Lawrence