Solved

External DNS  - Integration with AD DNS!

Posted on 2007-04-05
8
375 Views
Last Modified: 2010-04-20
I have two domain controller (fault tolerance), both running DNS services, and the clients use these two dns addresses. I read in MS articles that I cannot add External ISP DNS to the Domain controller dns (fwd. servers) since it will make the AD services v. slow and not reliable. Is this true? If yes, where should I point to the external ISP DNS address? I have to define the External DNS so the clients can obtain the IP address for external websites.


0
Comment
Question by:nammari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 13

Expert Comment

by:strongline
ID: 18859441
what can't be used is external DNS in your dns client, aka your TCp/IP settings on all member workstation/member server/DC. All boxes should point to your internal DNS, and you either add forwarder on your DNS server or just let default root hints take over when your dns clients need to resolve an external address.
0
 
LVL 13

Expert Comment

by:strongline
ID: 18859461
detailed actions need to be taken:

- on client, taking off all external DNS in TCP/IP properties
- on DNS server, make sure you don't have a top domain zone (.)
- (optional) right click on your DNS server name, properties, forwarders. If you don't define forwarders, root hints work as well.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18859510
Not sure which docs you're reading, but the configuration that strongline recommends is extremely common, works in production all the time.  Point your internal clients to your internal DNS, and configure your internal DNS servers to forward to ISP's DNS to resolve Internet and other non-internal queries.  If you configure root hints instead of forwarders, all DNS queries (both internal and external) will be resolved by your DNS servers, rather than simply "handing them off" to external DNS for Internet queries.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 

Author Comment

by:nammari
ID: 18860112
That means I have to add to my two DNS server the external DNS server as Forwarders! right?
In the root hint I have stange entries:
a.root-server.net
b.root-server.net
..
..
m.root-server.net

What are these? shoud I take them out?

Please advice
Rami
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18860125
They are the classic "7 sisters", so named because there used to be 7 of them.  They are the root authoritative domains for the entire Internet.  You should reference them, as you are, for resources external to your DNS.  You may want to feed them data from your DNS if you want to expose internal resources to the Internet.  Take care doing so.
0
 

Author Comment

by:nammari
ID: 18860144
Thanks RGRodgers.
Please let me know how I can do that. my other question is:
Do I need to add to my two DNS server the external DNS server as Forwarders?
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 250 total points
ID: 18860577
>>Do I need to add to my two DNS server the external DNS server as Forwarders?
no you don't NEED TO, but it will actually speed external DNS lookups up since the 'root hints' servers are often busy.  But yes you CAN add your ISPs DNS servers to your DC/DNS servers as forwarders (done in the DNS console, NOT on the properties of the NIC)

I would read the whole article listed, but the section below is relevant to your situation.
http://support.microsoft.com/kb/291382

Question: If I remove the ISP's DNS server settings from the domain controller, how does it resolve names such as Microsoft.com on the Internet?

Answer: As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.


0
 

Author Comment

by:nammari
ID: 18862593
Thank you...
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question