CTS123 asked:
Network DNS Recommendations...?

I've done research on this topic and have come across 2 different ways of doing it.  Has anyone here had an experience they can share with me?


Company is going towards Windows 2003 AD Setup (Previously Novell).  They have 300+ users in the building.

Who will handle DNS? Now here are the scenarios...

The old machine handling DNS was a Unix Machine.  They would like to get rid of this.

After some research, I initially thought that the AD Server having DNS installed with external lookups (Through ISP) would be sufficient.  But I also have read that this may not be a good idea if there are that many users.

I have read to have a separate server with its only purpose being DNS.

Has anyone been in this situation before?  If the AD is handling all the DNS will it cause problems or slow down?
Is it wiser to have a dedicated machine for DNS that is registered to retrieve public DNS tables, or is the AD server with external lookups good enough for this environment?

Thanks for your time.
ASKER CERTIFIED SOLUTION
Chris Dent
CTS123 (ASKER):
Disregard that comment about the tables. It doesn't make sense to do that. It's basically to register the server with InterNIC as a public DNS server.


Thank you for your response.
I agree with Chris about the AD server being able to handle DNS as well... the DNS load with 300 computers will not be that much at all.  I would also highly recommend setting up an Active Directory integrated DNS zone rather than a standard zone.  This will make AD much happier since, as the name suggests, it is integrated, and then your DNS tables and AD will "talk" to each other and both will be on the same page.   What you are asking about the DNS server that is registered with the public is NOT what you want at all... this is the difference between public and private DNS servers... what you want is a PRIVATE DNS server to host your PRIVATE network... a public DNS server is something different altogether. You don't want outside users to be able to get to your clients, do you? If you install a public DNS server that is exactly what will happen... all of your client machines' addresses will be public (not good).
Also, you have to decide if you want DNS to be integrated into AD or not.  If you are still using WINS, this is a good choice because you can have a WINS lookup zone in DNS with AD.  It's also more secure.  For 300 users, you should not have a problem.

I assume that you plan to have more than one DC (strongly recommended).  In that case, your DNS records are replicated to the other DCs.  Additionally, in 2003, you can create an application partition for DNS to control which DCs have a copy of DNS.

I am also unsure about public dns tables, unless you are referring to records for public resources.

Ahh I'm with you CTS123, you're right, you wouldn't need to do that unless your server was answering public queries about a domain it owned. Glad that helped anyway :)
CTS123 (ASKER):
I was thinking that ONE DC is enough for all 300 users.  I do believe it is a QUAD processor with like 4-6 gigs of RAM, RAID controller, etc.... The main DC will not be holding any data or contain anything related to the company. Another server will be handling that.  This company has a large budget.....
I would still strongly recommend a second DC, even if it's a PC with the server software installed on it.  Even though you will not have data on the DC, if you lose the DC, the authentication needed to get to the data will not be there.
300 users isn't that many at all... you'll be fine. Remember that AD is nothing more than a database... a database that stores info for 300 users is nothing.
CTS123 (ASKER):
Oh, I got that covered. They will have a backup AD server that basically is constantly in sync with the primary one.
Keep in mind that there is no such thing as a BDC in 2000/2003 domains... your users/computers will still be hitting your "backup AD server" for requests unless you have something in place to stop this (such as it being in a different site as far as AD is concerned).
CTS123 (ASKER):
I'm sorry this is getting a bit off topic, but I really appreciate the help.


So, I can't run a backup AD server that syncs.  I should just set up a secondary DC and, if the primary goes down, just have the users log into the secondary?   This would be easier to do BUT now this is going to sway way off topic... lol

Exchange Server is also set up talking to the primary DC... won't this affect Exchange if the primary goes down?

(Sorry this is really getting off topic)
Both DCs will handle authentication and logon requests, and it will have no negative effects on Exchange.  If you lose a DC, the surviving DC will handle authentication and logons.  Of course, there is more to it than that depending on how long the other DC is down.
As I said initially... in 2000/2003 there is no such thing as a PDC or BDC; these are NT4 terms.  In 2000/2003 all DCs are equal, so if you have 2 DCs and both DCs are in the same site they will both handle requests.   When you ask "So, I can't run a backup AD server that syncs", the answer is yes and no, as there is no such thing as a backup AD server.  You SHOULD set up another AD server somewhere for redundancy and fault tolerance... make sure they both have a copy of the Global Catalog (the actual AD database).
CTS123 (ASKER):
This makes things difficult... the client does NOT want the user changing any information as far as what DC to connect to... it's their wishes. Maybe we will go with a Legato Server replication setup.
I never said that the client had to change any information... you need to set up 2 different "sites" as far as AD is concerned and place your "backup DC" in a different site over a slow link so AD will not let your users authenticate to the "backup DC".  This is done in Active Directory Sites and Services... keep in mind this is just the logical setup; it has nothing to do with the physical setup.
I left off the part about replication... the 2 DCs will still replicate at whichever times you specify (the default is 15 min), but this setup will stop clients from authenticating to the "backup DC" since they will "think" it is in a remote location over a slow link.
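The sites-and-subnets arrangement described in the two posts above, as an added example that is not from this thread: it assumes a Windows Server 2012 or later DC with the ActiveDirectory RSAT module (not the 2003 servers discussed), and the site, subnet and DC names are placeholders. Clients are steered by the DC locator to a DC in their own site first; they still fall back to the remote-site DC if no local DC answers, so this is preference, not a hard block.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ and the
# ActiveDirectory module; all names below are constructed placeholders.
Import-Module ActiveDirectory

$mainSite   = 'Default-First-Site-Name'   # site holding the main DC and the clients
$backupSite = 'Backup-Site'               # constructed name for the standby DC's site
$backupDC   = 'BACKUPDC'                  # placeholder hostname of the second DC
$clientNet  = '10.0.0.0/16'               # constructed client subnet, mapped to the main site

# 1. Create the second site and a site link with a high cost and a long
#    replication interval. Both DCs still replicate, just on this schedule.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$backupSite'")) {
    New-ADReplicationSite -Name $backupSite
}
New-ADReplicationSiteLink -Name "$mainSite-$backupSite" `
    -SitesIncluded $mainSite, $backupSite `
    -Cost 500 -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# 2. Map the client subnet to the main site so the DC locator hands clients
#    the DC in their own site before any other.
New-ADReplicationSubnet -Name $clientNet -Site $mainSite

# 3. Move the standby DC into the remote site.
Move-ADDirectoryServer -Identity $backupDC -Site $backupSite

# 4. Verify: which site each DC sits in, and which DC this client was given.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Run the last two lines from a client in the mapped subnet; the `nltest` output should name the main-site DC.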
You may need to read up more on 2003 domain controllers.  The users do not decide what DC to connect to.  AD handles all that for you.  If you are going to be managing Microsoft clients (2000, XP), it's better to stick to Active Directory.  Adding another DC should not complicate things much at all.  

If you don't make the second DC a Global Catalog then it won't perform client authentication. That's all the GC does.

It will however keep a nice handy backup of your domain data like User Accounts, Computer Accounts, Exchange Information (not databases), Group Policies, Logon Scripts, DNS Settings, etc etc etc. Then in the event of the main domain controller failing all you have to do is perform a few steps on the backup and everything is running again.

Even a generally inactive domain controller stores all of that.
CTS123 (ASKER):
Ok, one more issue, I promise, and then we'll end this topic because it's WAY OFF COURSE.

The main DC is my DNS server. The "backup" will have the DNS info, that is granted, but now the IP address is different and the clients have that IP as their primary DNS entry and the secondary is the ISP's.

DNS ENTRIES ON CLIENT
1. Main DC
2. ISP#1 DNS
3. ISP#2 DNS

Should it really be
1. Main DC
2. "Backup" DC
3. ISP#1
4. ISP#2

Last one guys..

ISP DNS Addresses shouldn't really be included on the clients.

Your own internal DNS Servers will (by default) perform Root Lookups for Public Domain Names, or you can add the ISPs DNS Servers are forwarders there.

Chances are that's what's happening anyway since the first server it asks can provide an answer to the questions.

But you are correct that it would be more sensible to include a Secondary DNS.
Chris... I believe you are incorrect in your statement about what the GC does... a DC doesn't have to be a GC to handle authentication.  The GC is a COMPLETE copy of the AD database for the entire domain/forest; other DCs hold portions of the GC but not the whole thing.  Either one can authenticate for the local domain.

oops.. typo... " ... ISPs DNS Servers as forwarders there."

That's better ;)

Ahh fair enough Mike, I'll have to read up some more on that one :)
CTS123 (ASKER):
Thank you everyone for your help. You've been great.
HOLD ON... on the clients the list of DNS servers should only be your LOCAL DNS servers, i.e.

MAIN DC
BACKUP DC

Take the public DNS servers out of there as it will cause you nothing but problems..

Think about it... if they request maindc.domain.com it will NOT be able to answer since a public DNS server knows nothing about your private DNS setup.
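An audit of the client DNS list and the server-side forwarder setting that Chris and Mike describe above, as an added example that is not from this thread: it assumes a Windows 8 / Server 2012 or later host with the DnsClient and DnsServer modules (not the 2003 machines discussed), and every address and the `maindc` name are constructed. The last loop shows the failure Mike points out, with the internal name answered only by the internal servers.

```powershell
# Added example, not from the thread. Assumes the DnsClient/DnsServer modules;
# all addresses are constructed (ISP resolvers use documentation ranges).
$internalDns = @('10.0.0.10', '10.0.0.11')       # main DC, backup DC (constructed)
$ispDns      = @('198.51.100.1', '203.0.113.1')  # ISP resolvers (constructed)

# --- Client side: each active adapter should list only the internal servers,
#     main DC first and backup DC second, with no ISP addresses at all. --------
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $adapters) {
    $foreign = $nic.ServerAddresses | Where-Object { $_ -notin $internalDns }
    if ($foreign) {
        Write-Warning "$($nic.InterfaceAlias): non-internal DNS servers $($foreign -join ', ')"
        # Remediate: replace the list with the internal servers in preferred order.
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $internalDns
    }
}

# --- Server side (run on a DC that runs DNS): public names are resolved by the
#     DNS server itself, via root hints or explicit forwarders, never by clients.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    $fwd = Get-DnsServerForwarder
    if ($fwd.IPAddress.Count -eq 0) {
        Write-Output 'No forwarders set: the server walks the root hints (the default).'
    } else {
        Write-Output "Forwarders: $($fwd.IPAddress.IPAddressToString -join ', ')"
    }
    # To forward to the ISP and keep root hints as a fallback, uncomment:
    # Set-DnsServerForwarder -IPAddress $ispDns -UseRootHint $true
}

# --- Demonstrate Mike's point: only the internal servers know the internal name.
$internalName = "maindc.$env:USERDNSDOMAIN"
foreach ($server in $internalDns + $ispDns) {
    $r = Resolve-DnsName -Name $internalName -Server $server -DnsOnly -ErrorAction SilentlyContinue
    '{0,-16} {1}' -f $server, $(if ($r) { $r.IPAddress -join ',' } else { 'no answer' })
}
```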
hehe your statement is a little out as well Mike ;)

Every DC contains three full writable directory partitions:

Domain Directory - Basically what's visible in AD Users and Computers
Schema Directory - Class and Attribute definitions for all existing and possible AD objects
Configuration Directory - The configuration of the directory, including things like what's visible in AD Sites and Services.

In effect, an entire copy of the Local domain.

In addition to those, the GC also stores partial records (read only) of all other domain directories in the forest - mainly because it's much much faster than searching the database as a whole.

You were right about the logon part though, the GC hands out group membership, which is why it's essential to the logon process (and why I was thinking of it as a logon server ;))

Ho hum, largely unrelated, but I thought quite interesting :)
A little additional comment.  If you only have two DCs and one domain, both do not have to be GCs for users to log on to both.  The DC that is not a GC will contact the DC that is a GC mainly to get universal group information, so it is essential as Chris said.  If you only have one domain, universal groups are useless, but Microsoft still makes you query a GC.  If the GC goes down, there is not a big problem because both basically have all the information.  A GC contains information for other domains as well, as Chris also said.  Also, you can restore a DC if it is not a GC.