DNS Questions

I have some general DNS questions for Windows 2000.

I have two DCs running Windows 2000 (AD & DNS). For DNS settings on each server, the DNS settings just point to themselves. I have heard conflicting reasons for doing this; is this correct?

Also, in order to resolve queries to the Internet, do I have to configure forwarders on both DNS servers or just one? Is there a preferred way to forward out to the Internet for security, such as a single forwarding server placed elsewhere on the network? If so, could you recommend a placement?

Should both DCs/DNS servers be configured to hold the GC?

Thanks.  Just asking general questions for clarity.
vivo123 asked:
Chris Dent (PowerShell Developer) commented:

> I have two DCs running Windows 2000 (AD & DNS).  For DNS settings on each
> server the DNS settings just points to themselves.  I have heard conflicting
> reasons for doing this, is this correct?  

As long as AD Replication is working they can use an AD DNS Server. It just needs to have an up to date copy of the Forward Lookup Zone for your Domain.

> Also, in order to resolve queries to the internet, do I have to configure forwarders
> on both DNS servers or just one?

You don't *have* to configure Forwarders at all. If you prefer to configure Forwarders then it should be on both machines. If you don't want to then resolution will work using the Root Hints file (which is the default behaviour for DNS - that is, when Forwarders aren't configured).

I wouldn't recommend having a single Server to handle DNS Forwarding, it unnecessarily introduces a single point of failure into the network.

HTH

Chris
Chris Dent (PowerShell Developer) commented:
> an AD DNS Server

Sorry, typos...

any AD Server

Which makes a lot more sense...

Chris
vivo123 (Author) commented:
Thanks Chris... Is there any benefit by not creating forwarders and just using the root hints?

Chris Dent (PowerShell Developer) commented:

Pros for Forwarders:

- Bigger Cache to work from (that is, resolution can be faster if the server you forward to is used enough)
- Requires less bandwidth, although unless you're dealing with a Modem connection you're unlikely to notice DNS overhead
- Allows you to set it so your DNS Server can only ever talk to one or two other servers (Network security - as far as I'm concerned that's no real risk anyway)

Pros for Root Hints:

- No reliance on anyone else's Server - except the servers for the domain you want to know about. Simplifies the configuration as you don't have to care if their servers are up or not.
- Full Control of the cache if you ever need to get rid of an entry that's out of date. (Entries are stored in memory on your DNS Server until the Time to Live (TTL) expires, default TTL is 2 days)

Personally I always favour Root Hints, adding Forwarders is generally unnecessary and I like being in control.

Chris
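Whichever option you pick, the point above is that it should be the same on both DCs (forwarders on both, or root hints on both), not a lone forwarding box. The script below is an added example, not something from this thread, that pulls the forwarder and root-hint configuration from every DC in the domain and warns when they differ. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later / RSAT) and rights to query each DC remotely; the Windows 2000 servers in the question would need `dnscmd` instead.

```powershell
# Added example (not from the thread): compare forwarder / root-hint configuration
# across every DC that hosts DNS. Assumes the ActiveDirectory and DnsServer modules
# are available and that the caller can query each DC remotely.
Import-Module ActiveDirectory
Import-Module DnsServer

$dnsServers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($server in $dnsServers) {
    try {
        $fwd   = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
        $hints = Get-DnsServerRootHint  -ComputerName $server -ErrorAction Stop
        [pscustomobject]@{
            Server      = $server
            # Empty string means "no forwarders": this DC resolves via root hints only.
            Forwarders  = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
            # UseRootHint = $true means the server falls back to root hints if every forwarder fails.
            UseRootHint = $fwd.UseRootHint
            RootHints   = @($hints).Count
        }
    } catch {
        [pscustomobject]@{
            Server = $server; Forwarders = "ERROR: $($_.Exception.Message)"
            UseRootHint = $null; RootHints = $null
        }
    }
}

$report | Format-Table -AutoSize

# Flag mixed configurations: some DCs forwarding, others relying on root hints only,
# or DCs pointed at different forwarders. Either way one DC behaves differently from
# the other when the forwarder is unreachable.
$distinct = @($report | Where-Object { $null -ne $_.RootHints } |
              Select-Object -ExpandProperty Forwarders -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Forwarder configuration differs between DCs: $($distinct -join ' | ')"
}

# A DC with no forwarders and no root hints loaded cannot resolve external names at all.
$report | Where-Object { $_.Forwarders -eq '' -and $_.RootHints -eq 0 } |
    ForEach-Object { Write-Warning "$($_.Server) has neither forwarders nor root hints" }
```

Run it from any domain-joined admin workstation; the warnings are the part worth acting on, the table is just for reading.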
vivo123 (Author) commented:
Thanks again Chris.  What about GC placement?  
Chris Dent (PowerShell Developer) commented:

That depends how many domain controllers you have really. You might find it easier to just make them all Global Catalogs. We have 7 DCs and because of how they're distributed around the country each is a Global Catalog.

The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs.

Chris
vivo123 (Author) commented:
Can you explain more on "The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs"
vivo123 (Author) commented:
Thanks for your assistance.  I will increase the points for the added questions
Chris Dent (PowerShell Developer) commented:

The FSMO Roles are documented in this MS Article:

http://support.microsoft.com/kb/197132

There's a little section at the bottom about the Infrastructure Master. Basically the Infrastructure Master is responsible for updating Security Identifiers (among other things). If it's a Global Catalog it stops doing this for Objects (such as Users, Computers, Groups, etc.) it doesn't know about because of the data contained in the Global Catalog. It doesn't come in as a problem if everything else is a Global Catalog as well.

Chris
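The rule above ("Infrastructure Master not on a GC, unless every DC is a GC") is easy to check rather than remember. This is an added example, not from the thread or the KB article, and it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later / RSAT); on Windows 2000 the same information comes from `ntdsutil` and the Sites and Services snap-in.

```powershell
# Added example (not from the thread): verify that the Infrastructure Master role holder
# is not a Global Catalog, or that, if it is, every DC in the domain is also a GC.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$imHost = $domain.InfrastructureMaster                  # FQDN of the DC holding the FSMO role
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
$imIsGc = @($gcs | Where-Object { $_.HostName -eq $imHost }).Count -gt 0

# Show each DC with its GC state and whether it holds the Infrastructure Master role.
$dcs | Select-Object HostName, Site, IsGlobalCatalog,
        @{ Name = 'InfrastructureMaster'; Expression = { $_.HostName -eq $imHost } } |
    Format-Table -AutoSize

if (-not $imIsGc) {
    Write-Output "OK: Infrastructure Master $imHost is not a Global Catalog."
} elseif ($gcs.Count -eq $dcs.Count) {
    Write-Output "OK: Infrastructure Master $imHost is a GC, but all $($dcs.Count) DCs in $($domain.DNSRoot) are GCs."
} else {
    $nonGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).HostName -join ', '
    Write-Warning ("Infrastructure Master $imHost is a Global Catalog while these DCs are not: $nonGc. " +
                   "Move the role to a non-GC DC or make every DC a GC.")
}
```

The warning branch is the one that matters: it is the exact configuration the comment above says to avoid.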
vivo123 (Author) commented:
Ok, final question: does running AD integrated zones with the use of either root hints or ISP forwarders cause any security issues or concerns for the local network? Does it expose anything when requests are made to the Internet?
Note: Client computers will not be using a proxy server, but the local AD DNS servers for their requests.

thanks
Chris Dent (PowerShell Developer) commented:

> Does running AD integrated zones with the use of either root hints or ISP forwarders
> cause any security issues or concerns for the local network? does it expose
> anything when requests are made to the Internet?

Not really, it gives you greater control of naming services operating on your network and since DNS at the very least is required for AD to function you don't get all that much choice.

The only thing the internet sees are requests to DNS servers for names and the usual web-based traffic. Even without the proxy server you'll all still be pretending to be on whatever IP address your router has (whether for a DNS request or a webpage request). Little information can be gained about your internal network from the outside without you either letting something in or your network getting infected by a virus or trojan.

Chris
vivo123 (Author) commented:
Thanks for the responses.  I have some further DNS questions, can I ask here or would you like me to open another question?
Chris Dent (PowerShell Developer) commented:

Here is fine if you like.

Chris
vivo123 (Author) commented:
I have not worked within a network with more than 2 DC/DNS servers before, all within the same location. In an effort to get a better understanding of how one would implement multiple DC/DNS servers in other remote offices, could you provide me a brief example of a multi DC/DNS design based on your experience? You mentioned that you currently have 7 DCs in different locations. Items such as: Do you use AD integrated if they are all within the domain, or do you set up different zones for the multiple locations and utilize zone transfers?
Chris Dent (PowerShell Developer) commented:

We have:

Root Domain - e.g. mycompany.local
There are 3 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all three of the boxes. Each DC is a Global Catalog.

First Child Domain - e.g. uk.mycompany.local
There are 7 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all 7 machines. Only 2 of the machines are used by clients and servers for DNS queries (the rest are all there just in case we need them). All DCs are Global Catalogs

Second Child Domain - e.g. us.mycompany.local
There are 12 DCs in that domain, DNS is also AD Integrated and all 12 are Global Catalogs.

There are a few more child domains, but the same applies to each.

Zone Transfers aren't all that reliable and get in the way of Dynamic Updates, so we don't use them for the AD Domains - besides, AD is replicating and the zone files are small, so why not leave them in with that.

Furthermore for Dynamic Updates to work it needs to be able to contact a Writable version of the Zone (Domain). That means either an AD Integrated Zone or the Primary Zone. With the Primary / Secondary system you can only have one Writable zone - the primary, that means all the Secondary Zones (via Zone Transfers) are Read Only. With AD Integrated they're all effectively Primary as you're accessing one version within AD, so they're all Writable.

Hope that all makes sense.

Chris
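The writable-zone point above (a Secondary zone fed by zone transfers is read-only, an AD Integrated zone is writable on every DC) is something you can audit per DC. The script below is an added example, not from the thread, that lists every forward zone on every DC and flags the cases that break dynamic registration or weaken it. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later / RSAT) and remote query rights; `Secure` means AD-authenticated dynamic updates only, which is the setting to expect on an AD Integrated zone.

```powershell
# Added example (not from the thread): audit zone type, AD integration and dynamic
# update mode on every DC. Assumes the ActiveDirectory and DnsServer modules and
# permission to query each DC's DNS service remotely.
Import-Module ActiveDirectory
Import-Module DnsServer

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$audit = foreach ($dc in $dcs) {
    # Skip the auto-created zones (e.g. localhost) and reverse zones; forward zones are the
    # ones clients and DCs register into.
    $zones = Get-DnsServerZone -ComputerName $dc -ErrorAction SilentlyContinue |
             Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

    foreach ($z in $zones) {
        $status =
            if ($z.ZoneType -eq 'Secondary') {
                'READ-ONLY copy via zone transfer: cannot accept dynamic updates'
            } elseif ($z.ZoneType -ne 'Primary') {
                "not a primary zone ($($z.ZoneType))"
            } elseif ($z.IsDsIntegrated -and $z.DynamicUpdate -eq 'Secure') {
                'OK: AD integrated, secure dynamic updates'
            } elseif ($z.IsDsIntegrated) {
                "AD integrated but DynamicUpdate=$($z.DynamicUpdate); expected Secure"
            } else {
                'file-backed primary: the only writable copy of this zone'
            }

        [pscustomobject]@{
            DC            = $dc
            Zone          = $z.ZoneName
            Type          = $z.ZoneType
            ADIntegrated  = $z.IsDsIntegrated
            Replication   = $z.ReplicationScope      # Domain / Forest / Legacy, blank for file zones
            DynamicUpdate = $z.DynamicUpdate
            Status        = $status
        }
    }
}

$audit | Sort-Object Zone, DC | Format-Table -AutoSize
$audit | Where-Object { $_.Status -notlike 'OK*' } |
    ForEach-Object { Write-Warning "$($_.DC) / $($_.Zone): $($_.Status)" }
```

In the layout described above every domain zone should come back as Primary, AD integrated, with `Secure` dynamic updates on each DC; anything else in the warnings is a copy that either cannot be written to or accepts unauthenticated registrations.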
Question has a verified solution.