partnershipdev
asked on
DNS Delegation
Hello,
Can anyone tell me if it is possible to delegate a primary domain name on windows dns. I know it is possible to delegate a sub-domain, however this still means I have to make sure all the internal and external dns records match.
If this is not possible, can anyone tell me whether it is possible to add SOME of the subdomains to our internal dns, and if someone requests a sub-domain that is not in the list "go and look for it elsewhere". I thought this would be possible somehow by adding the external nameservers but this doesnt seem to work either.
My end goal is to use Windows Integrated Authentication on certain subdomains but not others. The problem with Integrated is that it doesn't work across a proxy server, which is why we added our primary domain name to our internal DNS servers in the first place; however, the more subdomains we have, the more hassle it is to maintain the internal and external DNS lists.
Any ideas anyone?
Thanks in advance
partnershipdev
partnershipdev
Sure it's possible. You can master your own info and have an ISP act as your secondary. Just make sure whoever you purchased your domain name from points your domain to your servers.
ASKER
Hi,
Thanks for the quick response, however it is the opposite to what I want to do, i.e. the opposite way round. If our DNS internally fails it means our staff can't get access to a few websites, which is not the end of the world; however it also means the rest of the world can't get to our websites, which is not so great. We use NO-IP to host our external DNS, which has redundant name servers all over the world, again something we don't.
Any ideas on the opposite solution?
Cheers
partnershipdev
partnershipdev
You can still use NO-IP as I suggested. Your internal DNS would be primary, NO-IP would be secondary... If your internal DNS crashes, the rest of the world would still be able to get to your websites. As far as the world is concerned, all they care about is the listing of a few DNS servers to find you. They don't care which is primary or secondary. You hold the primary locally, so updates are fed to the ISP, and list two of the ISP servers as your DNS from your domain records.
Unless I am incorrect (hey, it happens, lol) you are trying to centralize your administrative efforts with DNS. Split level DNS is the way to go.
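A way to set up the split DNS the answer above describes on a Windows DNS server, added here as an example and not part of the original thread. It hosts internal zones only for the subdomains that need Integrated Authentication, leaves the parent domain unhosted so every other name under it is forwarded out, and verifies the result. All zone names, addresses and resolver IPs are hypothetical; the forwarders must be recursive resolvers (for example your ISP's), not NO-IP's authoritative servers.

```powershell
# Added example (not from the original thread). Run on a Windows Server DNS
# server with the DnsServer module. Every name and address below is hypothetical.
#Requires -Modules DnsServer

# Subdomains that must resolve to internal addresses (Integrated Auth sites).
$internalOnly = @{
    'intranet.example.com' = '10.0.1.20'
    'hr.example.com'       = '10.0.1.21'
}
# Recursive resolvers that answer for everything else (hypothetical addresses).
$publicResolvers = '203.0.113.53', '203.0.113.54'
# This DNS server's own address, used for the verification queries.
$dnsServer = '10.0.0.10'

# 1. Host ONLY the subdomains that need internal answers. No zone is created for
#    example.com itself, so the server is not authoritative for the parent and
#    www.example.com, mail.example.com etc. are resolved via the forwarders.
foreach ($zone in $internalOnly.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain'
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' `
        -IPv4Address $internalOnly[$zone] -TimeToLive 00:05:00
}

# 2. Send all other queries out through the forwarders (outbound port 53 only;
#    nothing inbound to the domain controllers needs to be opened).
Set-DnsServerForwarder -IPAddress $publicResolvers -UseRootHint $false

# 3. Guard: a local zone for the parent domain would shadow the public records
#    of every subdomain not copied into it, which is the maintenance problem
#    described in the question.
if (Get-DnsServerZone -Name 'example.com' -ErrorAction SilentlyContinue) {
    Write-Warning 'A local example.com zone exists; names missing from it will return NXDOMAIN instead of being forwarded.'
}

# 4. Verify: the internal name returns the internal IP, any other subdomain
#    returns the public answer from the forwarders.
Resolve-DnsName -Name 'intranet.example.com' -Server $dnsServer | Select-Object Name, IPAddress
Resolve-DnsName -Name 'www.example.com'      -Server $dnsServer | Select-Object Name, IPAddress
```

Because only the chosen subdomains are authoritative internally, the external NO-IP records remain the single source of truth for everything else, and the domain controllers hosting DNS never have to accept queries or zone transfers from the Internet.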
ASKER
Ok - see your point, and in which case I presume I would need to add our own nameserver at the beginning of the list? Therefore the nameservers for our domain would be something like:
ns1.ournameserver.com
ns1.no-ip.com
..
..
..
ns5.no-ip.com
Again, I hate to put a spanner in the works, but I don't think our network administrators would be happy at all about opening up a route through our firewalls to our DNS servers, which are also our domain controllers. I don't know enough about the subject to list any potential risks, but I'm sure there are plenty. If it's possible to split the DNS so that the primary list is our internal and then the ISP is the secondary, is it not possible to do the reverse?
Thanks again
partnershipdev
partnershipdev
>> i presume i would need to add our own nameserver at the beginning of the list?
From the domains perspective you wouldn't even list your DNS server. Just the ISP's DNS servers.
From your perspective you only need to send DNS outbound to the ISP for updates, so the network admins shouldn't have too much of a problem with the request. The ISP knows that they receive updates from your server only.
ASKER
Ok. No-IP also provide us with monitoring for our domains - I'd have to look into how this would work. Come to think of it, I'm not actually sure No-IP supports what you are talking about: I can point the nameservers of a domain name to their nameservers, I can dynamically/manually update hosts, but I don't think they will accept what is effectively a complete copy of our DNS records for any domain name.
ASKER CERTIFIED SOLUTION