Solved

DNS Best Practice for two domains

Posted on 2015-02-17
Last Modified: 2015-02-25
I have two active directory domains, DMZ.com and Domain.com. There is an outgoing trust from dmz.com to domain.com.

Both domains originally had two domain controllers (2003). I'm migrating to 2008 and have added two domain controllers (2008) to both domains. My question is on the configuration of Zone Transfers.

Each of the Domain Controllers in Domain.com is configured as a Name Server for all Forward Lookup Zones in Domain.com. Zone Transfers are allowed to each of the domain controllers in DMZ.com for the zones in Domain.com.

And vice versa: Each of the DCs in DMZ.com is configured as an NS for all zones in DMZ.com. Zone Transfers are allowed to each DC in Domain.com for the Forward Lookup zones in DMZ.com.

Questions:
1 - Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02 (and for the other DCs too, let's keep it simple)
2 - Vice versa: Should Zone Transfers be allowed for DMZ.com zones on DC01 to DC02
3 - Reverse Lookup Zones - How should this be configured between the two domains?

Discuss!
Question by:KThrace
LVL 37

Expert Comment

by:Neil Russell
ID: 40614749
My simple answer would be that I would never consider having a domain in my DMZ. What purpose does it serve? Can you give a very good reason to have a domain in the DMZ?

Author Comment

by:KThrace
ID: 40614761
Yeah, I'm an IT Consultant and this was inherited - to remove it now would be an insane undertaking. :D

Although, to be honest, I'm not sure why it's a bad idea...
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1000 total points
ID: 40614780
I would also agree with Neilsr regarding the Domain in the DMZ (there is a security risk having this setup). However based on your question...
Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02
You can setup Conditional Forwarders or Secondary Zones for this. This would be required if you require name resolution for your internal domain.

Will.
LVL 37

Expert Comment

by:Neil Russell
ID: 40614784
If you need name resolution for your internal domain then you are now going to need to punch holes FROM the DMZ into your internal networks. The assumption is that if you're resolving from internal servers then traffic is going to go into those addresses. Your DMZ is getting weaker and weaker with every step.
Author Comment

by:KThrace
ID: 40614828
Ok, security risk, got it. Best practice would be no domain in the DMZ. But if services in the DMZ require AD, then an RODC with conditional forwarding to the internal domain would be better than DCs with Zone Transfers.

I should say that these are separate forests with a one way trust. Regardless, let's be hypothetical for a moment and say that security is not a concern, it isn't a DMZ just two separate forests with Zone Transfers from DC01 to DCDMZ01 and DCDMZ02 for a zone in the internal domain. Is it necessary to configure a zone transfer of this zone from DCDMZ01 to DCDMZ02 and vice versa?
LVL 37

Expert Comment

by:Neil Russell
ID: 40614833
No, you don't need any zone transfers, just the ability to forward requests, so a conditional forwarder is all you need.
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 1000 total points
ID: 40614851
Far better would be to have NO Lookups between the two domains and just add static records into a zone on each domain for the other. You should not expose more than you need to, and if the DMZ just needs to know about a few machines then add a zone and add statics into it for those few machines and addresses.

At all times MINIMIZE your exposure.
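The thread ends up with three configurations on the table: a small zone of static records for the few hosts the other domain must reach (the accepted answer), a conditional forwarder when full resolution really is needed (Will's and Neil's earlier replies), and, for any zone that must still be transferred, transfers restricted to explicitly listed servers instead of "any server" (the original question). The script below is an added example, not code from the thread or from any of its participants; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), which the 2003/2008 DCs described in the question predate. The function names, host names and IP addresses are constructed placeholders.

```powershell
# Added example (not from the original thread). Shows the three options the
# answers describe, from a minimize-exposure stance.
# Assumes: DnsServer module (Windows Server 2012+ / RSAT), run on the DMZ DC.
# All zone, host and IP values below are constructed placeholders.

$InternalZone   = 'domain.com'
$InternalDnsIPs = @('10.0.1.10', '10.0.1.11')   # placeholders for DC01 / DC02
$DmzDnsIPs      = @('10.0.9.10', '10.0.9.11')   # placeholders for DMZDC01 / DMZDC02

# Placeholder list of the only internal hosts the DMZ must be able to resolve.
$NeededHosts = @{
    'app01' = '10.0.1.50'
    'sql01' = '10.0.1.60'
}

# Option A (accepted answer): a local zone holding only static records.
# No lookups cross the boundary; the DMZ learns nothing beyond this list.
function New-MinimalExposureZone {
    param([string]$ZoneName, [hashtable]$Records)

    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        # AD-integrated: every DMZ DC receives the zone through AD replication,
        # so no DMZDC01 -> DMZDC02 zone transfer is needed (question 1 on the page).
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
    }
    foreach ($hostName in $Records.Keys) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $hostName -IPv4Address $Records[$hostName]
    }
    # A zone that exists only to hold a few statics never needs to be transferred.
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries 'NoTransfer'
}

# Option B (conditional forwarder): no zone data is copied at all; queries for
# the internal zone are forwarded to the listed internal DNS servers. Note the
# firewall consequence Neil raises: DNS from the DMZ to those addresses must be open.
function New-ConditionalForwarderToInternal {
    param([string]$ZoneName, [string[]]$MasterServers)
    # Fails if the zone is already hosted locally, so Options A and B are
    # mutually exclusive for a given zone name.
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -ReplicationScope 'Domain'
}

# For any zone that must remain transferable: only the listed secondaries,
# never "any server".
function Set-ZoneTransferAllowList {
    param([string]$ZoneName, [string[]]$AllowedSecondaries)
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $AllowedSecondaries
}

# Audit helper: primary zones whose transfer setting is wide open.
function Get-OpenTransferZones {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, SecureSecondaries
}

# --- Usage on DMZDC01 ---
New-MinimalExposureZone -ZoneName $InternalZone -Records $NeededHosts
# Or, only if the DMZ genuinely needs full resolution of the internal zone:
# New-ConditionalForwarderToInternal -ZoneName $InternalZone -MasterServers $InternalDnsIPs

# dmz.com is still transferred to the internal DCs in the original setup; pin it to them.
Set-ZoneTransferAllowList -ZoneName 'dmz.com' -AllowedSecondaries $InternalDnsIPs

# Anything still listed here is a transfer policy worth revisiting.
Get-OpenTransferZones
```

On the 2003/2008 DCs in the question the same settings are reachable through `dnscmd` (for example `dnscmd /ZoneResetSecondaries <zone> /SecureList <ip...>` for the transfer allow-list and `dnscmd /ZoneAdd <zone> /Forwarder <ip...>` for a conditional forwarder). The audit function is the part worth running first: it answers, for each existing zone, whether the "allow to each DC" transfers described in the question are actually scoped to named hosts or left open.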