DNS Questions

I have some general DNS questions for windows 2000

I have two DCs running Windows 2000 (AD & DNS).  For DNS settings, each server just points to itself.  I have heard conflicting reasons for doing this; is this correct?  

Also, in order to resolve queries to the internet, do I have to configure forwarders on both DNS servers or just one?  Is there a preferred way to forward out to the Internet for security, such as a single forwarding server placed elsewhere on the network? If so could you recommend a placement.  

Should both DCs/DNS servers be configured to hold the GC?

Thanks.  Just asking general questions for clarity.
vivo123 asked:

Chris Dent (PowerShell Developer) commented:

> I have two DCs running Windows 2000 (AD & DNS).  For DNS settings, each
> server just points to itself.  I have heard conflicting
> reasons for doing this; is this correct?  

As long as AD Replication is working they can use an AD DNS Server. It just needs to have an up-to-date copy of the Forward Lookup Zone for your Domain.

> Also, in order to resolve queries to the internet, do I have to configure forwarders
> on both DNS servers or just one?

You don't *have* to configure Forwarders at all. If you prefer to configure Forwarders then it should be on both machines. If you don't want to then resolution will work using the Root Hints file (which is the default behaviour for DNS - that is, when Forwarders aren't configured).

I wouldn't recommend having a single Server to handle DNS Forwarding, it unnecessarily introduces a single point of failure into the network.

HTH

Chris

Chris Dent (PowerShell Developer) commented:
> an AD DNS Server

Sorry.. typos...

any AD Server

Which makes a lot more sense...

Chris
vivo123 (Author) commented:
Thanks Chris... Is there any benefit by not creating forwarders and just using the root hints?


Chris Dent (PowerShell Developer) commented:

Pros for Forwarders:

- Bigger Cache to work from (that is, resolution can be faster if the server you forward to is used enough)
- Requires less bandwidth, although unless you're dealing with a Modem connection you're unlikely to notice DNS overhead
- Allows you to set it so your DNS Server can only ever talk to one or two other servers (Network security - as far as I'm concerned that's no real risk anyway)

Pros for Root Hints:

- No reliance on anyone else's Server - except the servers for the domain you want to know about. Simplifies the configuration as you don't have to care if their servers are up or not.
- Full Control of the cache if you ever need to get rid of an entry that's out of date. (Entries are stored in memory on your DNS Server until the Time to Live (TTL) expires, default TTL is 2 days)

Personally I always favour Root Hints, adding Forwarders is generally unnecessary and I like being in control.

Chris
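The two configurations from the answer above, as an added example that is not part of the original thread. The script applies the same outbound resolution policy to every listed DNS server (a forwarder set on only one of the two DCs leaves them resolving differently), and uses dnscmd.exe from the Windows 2000 Support Tools. The server names and forwarder addresses are assumptions; the `/Slave` switch is the Windows 2000 name for "forward only, never fall back to root hints", which is what makes the "only ever talks to one or two other servers" point above enforceable at the firewall.

```powershell
# Added example, not code from the original thread. Sets the same outbound
# resolution policy on every listed DNS server. dnscmd.exe ships in the
# Windows 2000 Support Tools; server names and forwarder addresses are assumed.
param(
    # Assumed: the two DC/DNS servers from the question.
    [string[]]$DnsServers = @('dc1.mycompany.local', 'dc2.mycompany.local'),
    [ValidateSet('RootHints', 'Forwarders')]
    [string]$Mode = 'RootHints',
    # Assumed upstream resolvers (documentation address range; use the ISP's).
    [string[]]$Forwarders = @('192.0.2.53', '192.0.2.54'),
    # /Slave: do not fall back to root hints when the forwarders fail, so the
    # server only ever talks to the forwarders and outbound port 53 from the DCs
    # can be restricted to those two addresses at the firewall.
    [switch]$ForwardOnly,
    # Drop cached records that went stale before their TTL ran out.
    [switch]$ClearCache
)

foreach ($server in $DnsServers) {
    Write-Host "== $server ($Mode) =="
    switch ($Mode) {
        'RootHints' {
            # An empty forwarder list puts the server back on iterative
            # resolution from the root hints file (cache.dns), the default.
            & dnscmd.exe $server /ResetForwarders
        }
        'Forwarders' {
            $cmdArgs = @('/ResetForwarders') + $Forwarders
            if ($ForwardOnly) { $cmdArgs += '/Slave' }
            & dnscmd.exe $server @cmdArgs
        }
    }
    if ($ClearCache) { & dnscmd.exe $server /ClearCache }

    # Show what actually took effect: /Info dumps the server configuration,
    # including the forwarder list and the slave / recurse-after-forwarding flag.
    & dnscmd.exe $server /Info | Select-String -Pattern 'Forward|Slave|Recurs'
}
```

Run it once per change, for example `.\Set-DnsResolution.ps1 -Mode Forwarders -ForwardOnly` or `.\Set-DnsResolution.ps1 -Mode RootHints -ClearCache`, and read the `/Info` lines at the end for each server to confirm both DCs now agree. Note the trade-off the answer describes: with root hints the firewall must allow the DCs to reach any DNS server on the Internet, whereas forward-only mode lets you pin that rule to the two forwarders at the cost of depending on them being up.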
vivo123 (Author) commented:
Thanks again Chris.  What about GC placement?  
Chris Dent (PowerShell Developer) commented:

That depends how many domain controllers you have really. You might find it easier to just make them all Global Catalogs. We have 7 DCs and because of how they're distributed around the country each is a Global Catalog.

The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs.

Chris
vivo123 (Author) commented:
Can you explain more on "The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs"
vivo123 (Author) commented:
Thanks for your assistance.  I will increase the points for the added questions
Chris Dent (PowerShell Developer) commented:

The FSMO Roles are documented in this MS Article:

http://support.microsoft.com/kb/197132

There's a little section at the bottom about the Infrastructure Master, basically the Infrastructure Master is responsible for updating Security Identifiers (among other things). If it's a Global Catalog it stops doing this for Objects (such as Users, Computers, Groups, etc) it doesn't know about because of the data contained in the Global Catalog. It doesn't come in as a problem if everything else is a Global Catalog as well.

Chris
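A check for the placement rule discussed above, as an added example that is not part of the original thread. It lists every DC of the domain, whether it is a Global Catalog and whether it holds the Infrastructure Master role, then warns about the combination the answer warns about: the role on a GC while some DCs are not GCs. It reads the directory through plain LDAP (ADSI), so it can be run as an ordinary domain user from any Windows machine with PowerShell against a Windows 2000 domain; the domain is taken from RootDSE rather than assumed.

```powershell
# Added example, not code from the original thread. Finds the Infrastructure
# Master and GC status of every DC in the current domain through ADSI/LDAP.
function Get-InfrastructureMasterPlacement {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext

    # The Infrastructure Master is recorded in fSMORoleOwner on the domain's
    # CN=Infrastructure container, as the DN of the holder's NTDS Settings object.
    $infra  = [ADSI]"LDAP://CN=Infrastructure,$domainNc"
    $imNtds = [string]$infra.fSMORoleOwner

    # Each DC has an nTDSDSA (NTDS Settings) object under CN=Sites; hasMasterNCs
    # lists the partitions it holds writable, and bit 0 of 'options' marks a GC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = "(&(objectClass=nTDSDSA)(hasMasterNCs=$domainNc))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'options'))

    $dcs = foreach ($result in $searcher.FindAll()) {
        $dn      = [string]$result.Properties['distinguishedname'][0]
        $options = 0
        if ($result.Properties['options'].Count -gt 0) { $options = [int]$result.Properties['options'][0] }
        New-Object PSObject -Property @{
            # DN is "CN=NTDS Settings,CN=<server>,CN=Servers,...": the second RDN is the DC name.
            Server                 = (($dn -split ',')[1] -replace '^CN=', '')
            IsGlobalCatalog        = [bool]($options -band 1)
            IsInfrastructureMaster = ($dn -eq $imNtds)
        }
    }

    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im    = $dcs | Where-Object { $_.IsInfrastructureMaster }
    if ($im -and $im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        $names = ($nonGc | ForEach-Object { $_.Server }) -join ', '
        $msg   = "Infrastructure Master {0} is a Global Catalog while {1} are not. " +
                 "Either move the role to one of those DCs or make them all Global Catalogs."
        Write-Warning ($msg -f $im.Server, $names)
    }
    $dcs | Sort-Object Server | Format-Table Server, IsGlobalCatalog, IsInfrastructureMaster -AutoSize
}

Get-InfrastructureMasterPlacement
```

In a two-DC domain where both are GCs, or where the Infrastructure Master sits on the non-GC DC, the script prints the table with no warning; the warning only appears for the mixed case the answer describes.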
vivo123 (Author) commented:
OK, final question.  Does running AD integrated zones with the use of either root hints or ISP forwarders cause any security issues or concerns for the local network? Does it expose anything when requests are made to the Internet?
Note: Client computers will not be using a proxy server, but the local AD DNS servers for their requests.

thanks
Chris Dent (PowerShell Developer) commented:

> Does running AD integrated zones with the use of either root hints or ISP forwarders
> cause any security issues or concerns for the local network? does it expose
> anything when requests are made to the Internet?

Not really, it gives you greater control of naming services operating on your network and since DNS at the very least is required for AD to function you don't get all that much choice.

The only thing the internet sees are requests to DNS servers for names and the usual web-based traffic. Even without the proxy server you'll all still be pretending to be on whatever IP address your router has (whether for a DNS request or a webpage request). Little information can be gained about your internal network from the outside without you either letting something in or your network getting infected by a virus or trojan.

Chris
vivo123 (Author) commented:
Thanks for the responses.  I have some further DNS questions, can I ask here or would you like me to open another question?
Chris Dent (PowerShell Developer) commented:

Here is fine if you like.

Chris
vivo123 (Author) commented:
I have not worked within a network with more than 2 DC/DNS servers before, all within the same location. In an effort to get a better understanding of how one would implement multiple DC/DNS servers in other remote offices, could you provide me a brief example of a multi DC/DNS design based on your experience?  You mentioned that you currently have 7 DCs in different locations.  Items such as: Do you use AD integrated if they are all within the domain, or do you set up different zones for the multiple locations and utilize zone transfers?
Chris Dent (PowerShell Developer) commented:


We have:

Root Domain - e.g. mycompany.local
There are 3 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all three of the boxes. Each DC is a Global Catalog.

First Child Domain - e.g. uk.mycompany.local
There are 7 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all 7 machines. Only 2 of the machines are used by clients and servers for DNS queries (the rest are all there just in case we need them). All DCs are Global Catalogs

Second Child Domain - e.g. us.mycompany.local
There are 12 DCs in that domain, DNS is also AD Integrated and all 12 are Global Catalogs.

There are a few more child domains, but the same applies to each.

Zone Transfers aren't all that reliable and get in the way of Dynamic Updates so we don't use them for the AD Domains - besides, AD is replicating and the zone files are small so why not leave them in with that.

Furthermore for Dynamic Updates to work it needs to be able to contact a Writable version of the Zone (Domain). That means either an AD Integrated Zone or the Primary Zone. With the Primary / Secondary system you can only have one Writable zone - the primary, that means all the Secondary Zones (via Zone Transfers) are Read Only. With AD Integrated they're all effectively Primary as you're accessing one version within AD, so they're all Writable.

Hope that all makes sense.

Chris
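A way to verify the AD-integrated versus primary/secondary point made above across several DCs, as an added example that is not part of the original thread. For each DC it reads the domain zone's settings with dnscmd /ZoneInfo and warns when the zone is a standard (file-based) zone, which is read-only on secondaries and cannot use secure dynamic updates, or when it is AD integrated but still accepts unauthenticated dynamic updates. The zone and server names are assumptions, and so are the setting labels: dnscmd prints them differently between versions, so both spellings I know of are matched.

```powershell
# Added example, not code from the original thread. Compares zone storage and
# dynamic-update settings for one zone across several DNS servers via dnscmd.
param(
    [string]$Zone = 'uk.mycompany.local',                                        # assumed
    [string[]]$DnsServers = @('dc1.uk.mycompany.local', 'dc2.uk.mycompany.local')  # assumed
)

function Get-ZoneSetting {
    param([string[]]$InfoLines, [string[]]$Labels)
    # Each /ZoneInfo line is "label = value"; return the first value found for any label.
    foreach ($label in $Labels) {
        $m = $InfoLines | Select-String -Pattern "^\s*$label\s*=\s*(\S+)" | Select-Object -First 1
        if ($m) { return $m.Matches[0].Groups[1].Value }
    }
    return $null
}

foreach ($server in $DnsServers) {
    $lines   = & dnscmd.exe $server /ZoneInfo $Zone 2>&1 | ForEach-Object { "$_" }
    $type    = Get-ZoneSetting $lines @('zone type', 'dwZoneType')         # 1 = primary, 2 = secondary
    $dsInteg = Get-ZoneSetting $lines @('DS integrated', 'fDsIntegrated')  # 1 = stored in Active Directory
    $update  = Get-ZoneSetting $lines @('update', 'fAllowUpdate')          # 0 = none, 1 = any, 2 = secure only

    New-Object PSObject -Property @{
        Server = $server; ZoneType = $type; DsIntegrated = $dsInteg; AllowUpdate = $update
    } | Format-List Server, ZoneType, DsIntegrated, AllowUpdate

    if ($dsInteg -ne '1') {
        # A standard zone is writable only on the primary; secondaries (zone
        # transfers) are read-only and neither can use secure dynamic updates.
        Write-Warning ("$server holds $Zone as a standard zone (type $type). " +
            "Convert it with: dnscmd $server /ZoneResetType $Zone /DsPrimary")
    }
    elseif ($update -eq '1') {
        # AD integrated, but any client can overwrite records; 2 = secure only.
        Write-Warning ("$server accepts unauthenticated dynamic updates for $Zone. " +
            "Restrict with: dnscmd $server /Config $Zone /AllowUpdate 2")
    }
}
```

Once every DC reports DsIntegrated = 1 and AllowUpdate = 2, all of them hold a writable copy through AD replication, which is the reason given above for not using zone transfers between DCs, and only authenticated domain members can register or change records.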