Solved

DNS Best Practice for two domains

Posted on 2015-02-17
231 Views
Last Modified: 2015-02-25
I have two active directory domains, DMZ.com and Domain.com. There is an outgoing trust from dmz.com to domain.com.

Both domains originally had two domain controllers (2003). I'm migrating to 2008 and have added two domain controllers (2008) to both domains. My question is on the configuration of Zone Transfers.

Each of the Domain Controllers in Domain.com is configured as a Name Server for all Forward Lookup Zones in Domain.com. Zone Transfers are allowed to each of the domain controllers in DMZ.com for the zones in Domain.com.

And vice versa: each of the DCs in DMZ.com is configured as an NS for all zones in DMZ.com. Zone Transfers are allowed to each DC in Domain.com for the Forward Lookup Zones in DMZ.com.

Questions:
1 - Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02 (and for the other DCs too, let's keep it simple)?
2 - Vice versa: should Zone Transfers be allowed for DMZ.com zones on DC01 to DC02?
3 - Reverse Lookup Zones - how should these be configured between the two domains?

Discuss!
Question by:KThrace
8 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40614749
My simple answer would be that I would never consider having a domain in my DMZ. What purpose does it serve? Can you give a very good reason to have a domain in the DMZ?

Author Comment

by:KThrace
ID: 40614761
Yeah, I'm an IT Consultant and this was inherited - to remove it now would be an insane undertaking. :D

Although, to be honest, I'm not sure why it's a bad idea...
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40614780
I would also agree with Neilsr regarding the Domain in the DMZ (there is a security risk having this setup). However based on your question...
Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02
You can set up Conditional Forwarders or Secondary Zones for this. This would be required if you require name resolution for your internal domain.

Will.
LVL 37

Expert Comment

by:Neil Russell
ID: 40614784
If you need name resolution for your internal domain then you are now going to need to punch holes FROM the DMZ into your internal networks. The assumption is that if you're resolving from internal servers then traffic is going to go into those addresses. Your DMZ is getting weaker and weaker with every step.

Author Comment

by:KThrace
ID: 40614828
Ok, security risk, got it. Best practice would be no domain in the DMZ. But if services in the DMZ require AD then a RODC with conditional forwarding to the internal domain would be better than DCs with Zone Transfers.

I should say that these are separate forests with a one way trust. Regardless, let's be hypothetical for a moment and say that security is not a concern, it isn't a DMZ just two separate forests with Zone Transfers from DC01 to DCDMZ01 and DCDMZ02 for a zone in the internal domain. Is it necessary to configure a zone transfer of this zone from DCDMZ01 to DCDMZ02 and vice versa?
LVL 37

Expert Comment

by:Neil Russell
ID: 40614833
No, you don't need any zone transfers, just the ability to forward requests, so a conditional forwarder is all you need.
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 250 total points
ID: 40614851
Far better would be to have NO lookups between the two domains and just add static records into a zone on each domain for the other. You should not expose more than you need to, and if the DMZ just needs to know about a few machines then add a zone and add statics into it for those few machines and addresses.

At all times MINIMIZE your exposure.
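
The three designs discussed in this thread (the asker's restricted zone transfers, the conditional forwarder Will and Neil suggest, and the accepted answer's static-records zone), written out as an added PowerShell example. This is not code from the thread or from any of its participants; it assumes the DnsServer module that ships with Windows Server 2012 and later (the 2008 DCs in the question would need dnscmd.exe or a newer RSAT host instead), and every IP address, host name and record below is a constructed placeholder. The three functions are alternatives for the same zone name, so only one of them should be applied on a given DMZ DC; the check at the end is what a reviewer would run afterwards to find any zone still set to transfer to any server.

```powershell
# Added example, not from the thread. Requires the DnsServer module (Windows Server 2012+).
# Constructed placeholders: zone names follow the question, addresses are invented.
$InternalZone  = 'domain.com'
$InternalDcIPs = @('10.1.0.10', '10.1.0.11')   # DC01, DC02     (placeholders)
$DmzDcIPs      = @('10.2.0.10', '10.2.0.11')   # DMZDC01, DMZDC02 (placeholders)

# Option 1 (the asker's current design): each DMZ DC holds a secondary copy of
# domain.com pulled from the internal masters. Because both DMZ DCs pull from the
# masters, no DMZDC01 -> DMZDC02 transfer is needed (question 1); transfers on the
# masters are locked to an explicit IP list instead of "any server".
function Set-ZoneTransferDesign {
    # Run on the internal DC that holds the primary copy of domain.com.
    Set-DnsServerPrimaryZone -Name $InternalZone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzDcIPs `
        -Notify NotifyServers -NotifyServers $DmzDcIPs
    # Run on each DMZ DC (the cmdlet is shown here against the local server).
    Add-DnsServerSecondaryZone -Name $InternalZone -ZoneFile "$InternalZone.dns" `
        -MasterServers $InternalDcIPs
}

# Option 2 (Will / Neil): no copy of the zone at all, just forward queries for the
# other namespace to its DCs. Nothing about domain.com is stored in the DMZ, but the
# DMZ DCs still need UDP/TCP 53 to the internal DCs, which is the hole Neil objects to.
function Set-ConditionalForwarderDesign {
    Add-DnsServerConditionalForwarderZone -Name $InternalZone -MasterServers $InternalDcIPs
}

# Option 3 (accepted answer): no resolution path between the forests. The DMZ DC
# hosts its own primary zone named domain.com containing only the few records the
# DMZ actually needs, and that zone is never transferred anywhere.
function Set-StaticRecordsDesign {
    Add-DnsServerPrimaryZone -Name $InternalZone -ZoneFile "$InternalZone.dns"
    # Constructed sample records: only the internal hosts the DMZ must reach.
    Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name 'app01' -IPv4Address '10.1.5.20'
    Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name 'sql01' -IPv4Address '10.1.5.21'
    Set-DnsServerPrimaryZone -Name $InternalZone -SecureSecondaries NoTransfer
}

# Check: list every non-automatic primary zone on a server that is still configured
# to transfer to any host. An empty result is the state the accepted answer asks for.
function Get-OpenTransferZone {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = Get-DnsServerPrimaryZone -Name $_.ZoneName -ComputerName $ComputerName
            if ($zone.SecureSecondaries -eq 'TransferAnyServer') { $zone.ZoneName }
        }
}

# Usage (pick one design per DMZ DC, then audit):
#   Set-StaticRecordsDesign
#   Get-OpenTransferZone -ComputerName 'DMZDC01'
```

The same pattern applies in the other direction for the dmz.com zones on DC01 and DC02 (question 2): swap the zone name and the two address lists. Running `Get-OpenTransferZone` against each DC in both forests is a quick way to confirm that none of the zones are left at the `TransferAnyServer` setting after the migration to the 2008 DCs.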