Solved

Windows Server 2003 DNS configuration over multiple sites

Posted on 2013-05-27
337 Views
Last Modified: 2013-05-30
Hi Experts!

I have a windows server 2003 DNS configuration question:

I have two servers (both Server 2003, both DCs, both running DNS); each server is located in a separate office, on separate IP networks.  Each office/server has about 30 clients connected.  Both DCs are in the same domain.  The two offices/networks are connected via VPN.

I've been starting to notice that we have a very high volume of traffic going over the VPN, and am trying to lock that down, since very few users ever need to go through the VPN, and not too often.  The first thing that I started to look at is the DNS configuration at each office, and I am not sure that it is correct.

Here is the current config:
Office A
-Forward lookup zone: entire domain (Office A network, Office B network)
-Forwarders: office A ISP DNS
-Reverse lookup zones: office A ip network, office B ip network

Office B
-Forward lookup zone: entire domain (Office A network, Office B network)
-Forwarders: office B ISP DNS
-Reverse lookup zones: office A ip network, office B ip network

Basically identical, with the exception of the Forwarders.

So I am wondering, is this correct?  Or should each DNS server be authoritative for the network that it is directly connected to, and have the other office's DNS server as a secondary or stub? (for both forward and reverse lookup zones)

Thanks for the help Experts!
Question by: renfrey

Accepted Solution

by: KCTS
ID: 39199830
How many domains do you have?
If it's a single domain then stubs and secondaries are not appropriate, as any AD-integrated server is authoritative for the domain regardless of the IP settings, and the only forwarders needed should be to external DNS servers.

Clients need to be configured with the IP of a DNS server in their own site as the preferred DNS server.
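The layout KCTS describes (one AD-integrated primary zone held by every DC, forwarders only to external resolvers, clients preferring a DC in their own site) can be checked from a script rather than by clicking through the DNS console. The script below is an added example, not code from the thread or from the poster's environment. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 R2 or later, or RSAT); the Server 2003 DCs in the question do not have these cmdlets, so there the equivalents are `dnscmd /EnumZones` and `dnscmd /ZoneInfo <zone>` on each DC. The address in `$expectedFirst` is a placeholder for the site-local DC.

```powershell
# Added example (not from the original thread): audit the single-domain DNS layout.
# Assumes the ActiveDirectory and DnsServer modules (2012 R2+ / RSAT).
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *      # every DC in the single domain
$dcIPs  = @($dcs.IPv4Address)

foreach ($dc in $dcs) {
    Write-Host "== $($dc.HostName) (site: $($dc.Site))"

    # 1. The domain zone must be an AD-integrated primary on every DC, which makes
    #    each DC authoritative for the whole zone. Secondary or stub copies of the
    #    same domain between DCs of one domain are a misconfiguration.
    $zone = Get-DnsServerZone -ComputerName $dc.HostName -Name $domain
    if (-not $zone.IsDsIntegrated -or $zone.ZoneType -ne 'Primary') {
        Write-Warning "  $domain on $($dc.HostName) is ZoneType=$($zone.ZoneType), DsIntegrated=$($zone.IsDsIntegrated)"
    }
    Get-DnsServerZone -ComputerName $dc.HostName |
        Where-Object { $_.ZoneType -in @('Secondary', 'Stub') -and -not $_.IsAutoCreated } |
        ForEach-Object { Write-Warning "  unexpected $($_.ZoneType) zone $($_.ZoneName)" }

    # 2. Forwarders should point only at external resolvers. A forwarder aimed at
    #    the other office's DC sends queries across the VPN for names this DC
    #    already answers authoritatively.
    $fwd = @((Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress | ForEach-Object { $_.IPAddressToString })
    foreach ($f in $fwd) {
        if ($f -in $dcIPs) { Write-Warning "  forwarder $f is a domain controller, not an external resolver" }
    }
    if ($fwd.Count -gt 0) { Write-Host "  forwarders: $($fwd -join ', ')" }
}

# 3. Clients (and each DC itself) should list a DC in their own site as the
#    preferred DNS server. Checked here on the machine running the script.
#    $expectedFirst is an assumption: the address of the site-local DC.
$expectedFirst = '192.0.2.10'
$clientDns = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -First 1).ServerAddresses)
if ($clientDns.Count -eq 0) {
    Write-Warning "no IPv4 DNS servers configured on this host"
} elseif ($clientDns[0] -ne $expectedFirst) {
    Write-Warning "preferred DNS server is $($clientDns[0]); expected site-local DC $expectedFirst"
}
```

Run it from a management host with RSAT, in each office in turn, so step 3 is evaluated against a client in that site. If step 2 reports a forwarder that is the other DC, remove it; with AD-integrated zones there is nothing the remote DC can answer that the local one cannot.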
Author Comment

by: renfrey
ID: 39202544
The two offices & DC's are part of the same domain.

Expert Comment

by: d_nedelchev
ID: 39205010
In addition to KCTS' advice to set the DNS server in each site as the preferred DNS server for clients in that location you can also check if your global catalog configuration is adequate for your organization’s needs.

If you have an Exchange server or other AD integrated application, that makes heavy use of the global catalog, and you don’t have the proper GC placement, the excess of GC queries over a WAN link can cause network congestion between sites. That is to say, that you should place a GC in any site that has such application in order to keep the queries from going cross-sites.

Typically in a single domain environment it is a common practice to set all domain controllers as GCs, because there are no network traffic penalties due to global catalog replication.

On the other hand, if you have more than one domain in your forest, you should consider the GC placement more carefully.

Another thing that might be causing the problem is improperly set or missing subnet objects. Make sure that you have properly set subnet objects for each site. If they are misconfigured or incorrectly associated with your sites, some clients may refer for services to DCs that are not in their site, and if the subnet objects are missing altogether, then any client will refer to any DC for services and you would have no means of localizing the traffic, hence - your sites will be of no use.
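d_nedelchev's two points, a GC in every site that needs one and a subnet object for every client network, are both visible in the configuration partition and can be audited together. The script below is an added example, not code from the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 R2 or later, or RSAT); on the Server 2003 DCs in the question the same data is in Active Directory Sites and Services. The `Get-ClientSite` function reproduces the locator's rule that the most specific subnet object containing a client address decides its site, so you can see for a given address whether it would be localized at all; `$clientIP` is a placeholder. The authoritative answer for a live client is still `nltest /dsgetsite` run on that client.

```powershell
# Added example (not from the original thread): audit sites, subnets and GC placement.
# Assumes the ActiveDirectory module (2012 R2+ / RSAT).
Import-Module ActiveDirectory

$sites   = @(Get-ADReplicationSite -Filter *)
$subnets = @(Get-ADReplicationSubnet -Filter *)   # Name is CIDR, Site is the site's DN
$dcs     = @(Get-ADDomainController -Filter *)

# IPv4 address as a 32-character bit string, so prefix matching is a string compare.
function ConvertTo-BitString([string]$IPv4) {
    ([System.Net.IPAddress]::Parse($IPv4).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
}

# Mimics the DC locator's subnet-to-site mapping: the longest matching subnet
# object wins; no matching subnet object means the client belongs to no site.
function Get-ClientSite([string]$ClientIP, $Subnets) {
    $clientBits = ConvertTo-BitString $ClientIP
    $best = $null
    foreach ($s in $Subnets) {
        if (-not $s.Site) { continue }                                   # orphan subnet
        if ($s.Name -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {             # IPv4 only
            $prefixLen = [int]$Matches[2]
            $netBits   = (ConvertTo-BitString $Matches[1]).Substring(0, $prefixLen)
            if ($clientBits.StartsWith($netBits) -and ($null -eq $best -or $prefixLen -gt $best.Len)) {
                $best = @{ Len = $prefixLen; Site = (($s.Site -split ',')[0] -replace '^CN=', '') }
            }
        }
    }
    if ($best) { $best.Site } else { $null }
}

# 1. Every site should own at least one subnet, and every site with DCs that
#    hosts a GC-hungry application (Exchange, for example) should have a GC.
#    In a single domain, making every DC a GC costs no extra replication.
foreach ($site in $sites) {
    $siteDcs  = @($dcs     | Where-Object { $_.Site -eq $site.Name })
    $siteNets = @($subnets | Where-Object { $_.Site -like "CN=$($site.Name),*" })
    Write-Host "== site $($site.Name): $($siteDcs.Count) DC(s), $($siteNets.Count) subnet(s)"
    foreach ($n in $siteNets) { Write-Host "   subnet $($n.Name)" }
    if ($siteNets.Count -eq 0) {
        Write-Warning "  no subnet objects: no client will ever be mapped to this site"
    }
    if ($siteDcs.Count -gt 0 -and @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count -eq 0) {
        Write-Warning "  no global catalog in this site: GC queries will cross the WAN link"
    }
}

# 2. A subnet object with no site association is as useless as a missing one.
$subnets | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "subnet $($_.Name) is not associated with any site" }

# 3. Where would a given client land? $clientIP is an assumption (an Office A workstation).
$clientIP = '192.0.2.25'
$mapped = Get-ClientSite -ClientIP $clientIP -Subnets $subnets
if ($mapped) {
    Write-Host "$clientIP maps to site $mapped"
} else {
    Write-Warning "$clientIP matches no subnet object: the locator can hand it a DC from any site"
}
```

Two subnet objects, one per office network, each linked to the office's site, is the minimum this should report; a warning at step 3 for an address that is really in use means the traffic the question describes is not being localized, whatever the DNS settings say.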