Solved

DNS Best Practice for two domains

Posted on 2015-02-17
242 Views
Last Modified: 2015-02-25
I have two active directory domains, DMZ.com and Domain.com. There is an outgoing trust from dmz.com to domain.com.

Both domains originally had two domain controllers (2003). I'm migrating to 2008 and have added two domain controllers (2008) to both domains. My question is on the configuration of Zone Transfers.

Each of the Domain Controllers in Domain.com is configured as a Name Server for all Forward Lookup Zones in Domain.com. Zone Transfers are allowed to each of the domain controllers in DMZ.com for the zones in Domain.com.

And vice versa: Each of the DCs in DMZ.com is configured as an NS for all zones in DMZ.com. Zone Transfers are allowed to each DC in Domain.com for the Forward Lookup zones in DMZ.com.

Questions:
1 - Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02 (and for the other DCs too, let's keep it simple)?
2 - Vice versa: Should Zone Transfers be allowed for DMZ.com zones on DC01 to DC02?
3 - Reverse Lookup Zones - How should this be configured between the two domains?

Discuss!
Question by:KThrace
8 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40614749
My simple answer would be that I would never consider having a domain in my DMZ. What purpose does it serve? Can you give a very good reason to have a domain in the DMZ?
 

Author Comment

by:KThrace
ID: 40614761
Yeah, I'm an IT Consultant and this was inherited - to remove it now would be an insane undertaking. :D

Although, to be honest, I'm not sure why it's a bad idea...
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1000 total points
ID: 40614780
I would also agree with Neilsr regarding the Domain in the DMZ (there is a security risk having this setup). However, based on your question...
Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02
You can set up Conditional Forwarders or Secondary Zones for this. This would be required if you require name resolution for your internal domain.

Will.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40614784
If you need name resolution for your internal domain then you are now going to need to punch holes FROM the DMZ into your internal networks. The assumption is that if you're resolving from internal servers then traffic is going to go into those addresses. Your DMZ is getting weaker and weaker with every step.
 

Author Comment

by:KThrace
ID: 40614828
Ok, security risk, got it. Best practice would be no domain in the DMZ. But if services in the DMZ require AD then a RODC with conditional forwarding to the internal domain would be better than DCs with Zone Transfers.

I should say that these are separate forests with a one way trust. Regardless, let's be hypothetical for a moment and say that security is not a concern, it isn't a DMZ just two separate forests with Zone Transfers from DC01 to DCDMZ01 and DCDMZ02 for a zone in the internal domain. Is it necessary to configure a zone transfer of this zone from DCDMZ01 to DCDMZ02 and vice versa?
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40614833
No, you don't need any zone transfers, just the ability to forward requests, so a conditional forwarder is all you need.
 
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 1000 total points
ID: 40614851
Far better would be to have NO Lookups between the two domains and just add static records into a zone on each domain for the other. You should not expose more than you need to, and if the DMZ just needs to know about a few machines then add a zone and add statics into it for those few machines and addresses.

At all times MINIMIZE your exposure.
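The three configurations discussed in this thread (conditional forwarder instead of zone transfers, disabling transfers on AD-integrated zones, and the accepted answer's small static zone) as an added PowerShell example; this is not code from the thread. It assumes the DnsServer module (Windows Server 2012 or later, so not the 2008 DCs in the question, where dnscmd would be used instead), execution on a DNS-hosting DC in each forest, and placeholder IP addresses and host names.

```powershell
# Added example, not from the thread. Assumes the DnsServer module (Server 2012+)
# and that it runs on a DC that hosts DNS. IPs and host names below are placeholders.
Import-Module DnsServer

function Disable-ZoneTransfers {
    # AD-integrated zones replicate through AD, so DCs in the same forest never need
    # AXFR/IXFR between them (question 1 and 2). NoTransfer turns transfers off.
    param([Parameter(Mandatory)][string]$ZoneName)
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries 'NoTransfer'
}

function Enable-InternalForwarding {
    # Option A (Will / Neil): on a DMZ.com DC, answer domain.com queries by forwarding
    # only those queries to the internal DCs. Stored in AD with forest scope, so every
    # DMZ DC gets it without any DMZDC01 -> DMZDC02 transfer.
    param(
        [Parameter(Mandatory)][string]$ForwardedZone,   # e.g. 'domain.com'
        [Parameter(Mandatory)][ipaddress[]]$InternalDns # e.g. 10.10.0.10, 10.10.0.11
    )
    Add-DnsServerConditionalForwarderZone -Name $ForwardedZone `
        -MasterServers $InternalDns -ReplicationScope 'Forest'
}

function Publish-StaticInternalHosts {
    # Option B (accepted answer): no lookups into the other forest at all. Host a small
    # AD-integrated zone in the DMZ forest containing only the internal hosts the DMZ
    # services must reach, and keep it non-transferable.
    param(
        [Parameter(Mandatory)][string]$ZoneName,                 # e.g. 'domain.com'
        [Parameter(Mandatory)][hashtable]$Hosts                  # name -> IPv4
    )
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Forest'
    foreach ($h in $Hosts.GetEnumerator()) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $h.Key -IPv4Address $h.Value
    }
    Disable-ZoneTransfers -ZoneName $ZoneName
}

function Test-ZoneTransferLockdown {
    # Check: list every primary zone on this server that still permits transfers.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Where-Object { $_.SecureSecondaries -ne 'NoTransfer' } |
        Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers
}

# Pick ONE of the two options on the DMZ DC; both cannot hold the same zone name.
# Enable-InternalForwarding -ForwardedZone 'domain.com' -InternalDns 10.10.0.10, 10.10.0.11
# Publish-StaticInternalHosts -ZoneName 'domain.com' -Hosts @{ ldap = '10.10.0.10'; sql01 = '10.10.0.20' }
Test-ZoneTransferLockdown
```

Run `Test-ZoneTransferLockdown` on each DC after the change; an empty result means no primary zone on that server can be pulled by AXFR from either forest.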
