Solved

DNS Questions

Posted on 2006-04-10
Last Modified: 2010-04-13
I have some general DNS questions for windows 2000

I have two DCs running Windows 2000 (AD & DNS). For DNS settings on each server, the DNS settings just point to themselves. I have heard conflicting reasons for doing this; is this correct?

Also, in order to resolve queries to the internet, do I have to configure forwarders on both DNS servers or just one? Is there a preferred way to forward out to the Internet for security, such as a single forwarding server placed elsewhere on the network? If so, could you recommend a placement?

Should both DCs/DNS servers be configured to hold the GC?

Thanks.  Just asking general questions for clarity.
Question by:vivo123

Accepted Solution

by: Chris Dent (earned 1000 total points)
ID: 16417663

> I have two DCs running Windows 2000 (AD & DNS).  For DNS settings on each
> server the DNS settings just points to themselves.  I have heard conflicting
> reasons for doing this, is this correct?  

As long as AD Replication is working they can use an AD DNS Server. It just needs to have an up to date copy of the Forward Lookup Zone for your Domain.

> Also, in order to resolve queries to the internet, do I have to configure forwarders
> on both DNS servers or just one?

You don't *have* to configure Forwarders at all. If you prefer to configure Forwarders then it should be on both machines. If you don't want to then resolution will work using the Root Hints file (which is the default behaviour for DNS - that is, when Forwarders aren't configured).

I wouldn't recommend having a single Server to handle DNS Forwarding, it unnecessarily introduces a single point of failure into the network.

HTH

Chris

Expert Comment

by:Chris Dent
ID: 16417705
> an AD DNS Server

Sorry.. typos...

any AD Server

Which makes a lot more sense...

Chris

Author Comment

by:vivo123
ID: 16417787
Thanks Chris... Is there any benefit by not creating forwarders and just using the root hints?


Expert Comment

by:Chris Dent
ID: 16417872

Pros for Forwarders:

- Bigger Cache to work from (that is, resolution can be faster if the server you forward to is used enough)
- Requires less bandwidth, although unless you're dealing with a Modem connection you're unlikely to notice DNS overhead
- Allows you to set it so your DNS Server can only ever talk to one or two other servers (Network security - as far as I'm concerned that's no real risk anyway)

Pros for Root Hints:

- No reliance on anyone else's Server - except the servers for the domain you want to know about. Simplifies the configuration as you don't have to care if their servers are up or not.
- Full Control of the cache if you ever need to get rid of an entry that's out of date. (Entries are stored in memory on your DNS Server until the Time to Live (TTL) expires, default TTL is 2 days)

Personally I always favour Root Hints, adding Forwarders is generally unnecessary and I like being in control.

Chris

Author Comment

by:vivo123
ID: 16418484
Thanks again Chris.  What about GC placement?  

Expert Comment

by:Chris Dent
ID: 16418555

That depends how many domain controllers you have really. You might find it easier to just make them all Global Catalogs. We have 7 DCs and because of how they're distributed around the country each is a Global Catalog.

The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs.

Chris

Author Comment

by:vivo123
ID: 16418650
Can you explain more on "The Infrastructure Master Role should not be run on a Global Catalog, and if it is then all DCs should be Global Catalogs"

Author Comment

by:vivo123
ID: 16418662
Thanks for your assistance.  I will increase the points for the added questions

Expert Comment

by:Chris Dent
ID: 16418712

The FSMO Roles are documented in this MS Article:

http://support.microsoft.com/kb/197132

There's a little section at the bottom about the Infrastructure Master. Basically the Infrastructure Master is responsible for updating Security Identifiers (among other things). If it's a Global Catalog it stops doing this for Objects (such as Users, Computers, Groups, etc) it doesn't know about because of the data contained in the Global Catalog. It doesn't come in as a problem if everything else is a Global Catalog as well.

Chris
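An added audit script (not from the thread or from Chris) that checks the three points made above: each DC's DNS client pointing at DCs, forwarders configured on every DC or on none, and the Infrastructure Master not sitting on a Global Catalog unless every DC is one. It assumes the ActiveDirectory and DnsServer PowerShell modules of a current Windows Server; these cmdlets did not exist on Windows 2000, where dnscmd.exe and ntdsutil were the tools.

```powershell
# Added example: audits DNS client settings, forwarder consistency and the
# Infrastructure Master / Global Catalog placement discussed in the thread.
# Assumes ActiveDirectory + DnsServer modules (Windows Server 2012 or later RSAT).
Import-Module ActiveDirectory, DnsServer

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$dcIps  = $dcs | ForEach-Object { $_.IPv4Address }

# 1. Each DC's DNS client should point only at DCs that host the AD-integrated zone.
foreach ($dc in $dcs) {
    $clientDns = (Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    $foreign = $clientDns | Where-Object { $_ -notin $dcIps }
    if ($foreign) {
        Write-Warning "$($dc.HostName): DNS client points at non-DC server(s): $($foreign -join ', ')"
    }
}

# 2. Forwarders: identical on every DC, or absent everywhere (root hints only).
$fwdSets = foreach ($dc in $dcs) {
    $fw = (Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress |
          ForEach-Object { $_.IPAddressToString } | Sort-Object
    [pscustomobject]@{ DC = $dc.HostName; Forwarders = ($fw -join ',') }
}
if (($fwdSets.Forwarders | Select-Object -Unique).Count -gt 1) {
    Write-Warning "Forwarder configuration differs between DCs:"
    $fwdSets | Format-Table -AutoSize
}

# 3. Infrastructure Master on a GC is only acceptable when every DC is a GC.
$imHolder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc    = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imHolder.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure Master $($imHolder.HostName) is a GC but not all DCs are GCs."
}
```

Run it from a domain-joined admin workstation; a clean run produces no warnings.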

Author Comment

by:vivo123
ID: 16418925
Ok. Final question.. Does running AD integrated zones with the use of either root hints or ISP forwarders cause any security issues or concerns for the local network? Does it expose anything when requests are made to the Internet?
Note: Client computers will not be using a proxy server, but the local AD DNS servers for their requests.

thanks

Expert Comment

by:Chris Dent
ID: 16419306

> Does running AD integrated zones with the use of either root hints or ISP forwarders
> cause any security issues or concerns for the local network? does it expose
> anything when requests are made to the Internet?

Not really, it gives you greater control of naming services operating on your network and since DNS at the very least is required for AD to function you don't get all that much choice.

The only thing the internet sees are requests to DNS servers for names and the usual web-based traffic. Even without the proxy server you'll all still be pretending to be on whatever IP address your router has (whether for a DNS request or a webpage request). Little information can be gained about your internal network from the outside without you either letting something in or your network getting infected by a virus or trojan.

Chris
Author Comment

by:vivo123
ID: 16420082
Thanks for the responses.  I have some further DNS questions, can I ask here or would you like me to open another question?

Expert Comment

by:Chris Dent
ID: 16421657

Here is fine if you like.

Chris
Author Comment

by:vivo123
ID: 16428297
I have not worked within a network with more than 2 DC/DNS servers before, all within the same location. In an effort to get a better understanding of how one would implement multiple DC/DNS servers in other remote offices, could you provide me a brief example of a multi DC/DNS design based on your experience? You mentioned that you currently have 7 DCs in different locations. Items such as: Do you use AD integrated if they are all within the domain, or do you set up different zones for the multiple locations and utilize zone transfers?

Expert Comment

by:Chris Dent
ID: 16428461

We have:

Root Domain - e.g. mycompany.local
There are 3 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all three of the boxes. Each DC is a Global Catalog.

First Child Domain - e.g. uk.mycompany.local
There are 7 DCs in that Domain, DNS for the Domain is AD Integrated and runs on all 7 machines. Only 2 of the machines are used by clients and servers for DNS queries (the rest are all there just in case we need them). All DCs are Global Catalogs.

Second Child Domain - e.g. us.mycompany.local
There are 12 DCs in that domain, DNS is also AD Integrated and all 12 are Global Catalogs.

There are a few more child domains, but the same applies to each.

Zone Transfers aren't all that reliable and get in the way of Dynamic Updates, so we don't use them for the AD Domains - besides, AD is replicating and the zone files are small, so why not leave them in with that.

Furthermore for Dynamic Updates to work it needs to be able to contact a Writable version of the Zone (Domain). That means either an AD Integrated Zone or the Primary Zone. With the Primary / Secondary system you can only have one Writable zone - the primary, that means all the Secondary Zones (via Zone Transfers) are Read Only. With AD Integrated they're all effectively Primary as you're accessing one version within AD, so they're all Writable.

Hope that all makes sense.

Chris
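An added check (not from the thread or from Chris) for the zone design described above: it confirms on every DC that the domain zone is AD-integrated rather than a file-backed Primary/Secondary copy, and reports the dynamic-update mode, since only an AD-integrated zone can restrict dynamic updates to authenticated clients. It assumes the ActiveDirectory and DnsServer modules of a current Windows Server; on Windows 2000 the equivalent information came from dnscmd /zoneinfo.

```powershell
# Added example: verifies that the AD domain zone is AD-integrated (writable on
# every DC, as described in the thread) and reports its dynamic-update setting.
# Assumes ActiveDirectory + DnsServer modules (Windows Server 2012 or later RSAT).
Import-Module ActiveDirectory, DnsServer

$zoneName = (Get-ADDomain).DNSRoot
$servers  = (Get-ADDomainController -Filter *).HostName

foreach ($srv in $servers) {
    $zone = Get-DnsServerZone -ComputerName $srv -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Warning "$srv does not host $zoneName at all"
        continue
    }
    # A Secondary zone is a read-only copy fed by zone transfer: it cannot accept
    # dynamic updates and depends on the single Primary being reachable.
    if (-not $zone.IsDsIntegrated) {
        Write-Warning "$srv holds $zoneName as a file-backed $($zone.ZoneType) zone, not AD-integrated"
    }
    # 'Secure' (authenticated updates only) is available solely on AD-integrated zones.
    if ($zone.DynamicUpdate -ne 'Secure') {
        Write-Warning "$srv: $zoneName dynamic update mode is '$($zone.DynamicUpdate)'"
    }
    [pscustomobject]@{
        Server        = $srv
        ZoneType      = $zone.ZoneType
        DsIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
    }
}
```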