DNS Best Practice for two domains

I have two active directory domains, DMZ.com and Domain.com. There is an outgoing trust from dmz.com to domain.com.

Both domains originally had two domain controllers (2003). I'm migrating to 2008 and have added two domain controllers (2008) to both domains. My question is on the configuration of Zone Transfers.

Each of the Domain Controllers in Domain.com is configured as a Name Server for all Forward Lookup Zones in Domain.com. Zone Transfers are allowed to each of the domain controllers in DMZ.com for the zones in Domain.com.

And vice versa: each of the DCs in DMZ.com is configured as an NS for all zones in DMZ.com. Zone Transfers are allowed to each DC in Domain.com for the Forward Lookup Zones in DMZ.com.

Questions:
1 - Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02 (and for the other DCs too, but let's keep it simple)?
2 - Vice versa: should Zone Transfers be allowed for the DMZ.com zones on DC01 to DC02?
3 - Reverse Lookup Zones: how should these be configured between the two domains?

Discuss!
Asked by KThrace

Neil Russell (Technical Development Lead) commented:
Far better would be to have NO lookups between the two domains and just add static records into a zone on each domain for the other. You should not expose more than you need to, and if the DMZ just needs to know about a few machines then add a zone and add statics into it for those few machines and addresses.

At all times MINIMIZE your exposure.

Neil Russell (Technical Development Lead) commented:
My simple answer would be that I would never consider having a domain in my DMZ.  What purpose does it serve? Can you give a very good reason to have a domain the DMZ?

KThrace (Author) commented:
Yeah, I'm an IT Consultant and this was inherited - to remove it now would be an insane undertaking. :D

Although, to be honest, I'm not sure why it's a bad idea...
Will Szymkowski (Senior Solution Architect) commented:
I would also agree with Neilsr regarding the Domain in the DMZ (there is a security risk having this setup). However based on your question...
Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02
You can setup Conditional Forwarders or Secondary Zones for this. This would be required if you require name resolution for your internal domain.

Will.

Neil Russell (Technical Development Lead) commented:
If you need name resolution for your internal domain then you are now going to need to punch holes FROM the DMZ into your internal networks. The assumption is that if you're resolving from internal servers then traffic is going to go into those addresses. Your DMZ is getting weaker and weaker with every step.

KThrace (Author) commented:
Ok, security risk, got it. Best practice would be no domain in the DMZ. But if services in the DMZ require AD then a RODC with conditional forwarding to the internal domain would be better than DCs with Zone Transfers.

I should say that these are separate forests with a one way trust. Regardless, let's be hypothetical for a moment and say that security is not a concern, it isn't a DMZ just two separate forests with Zone Transfers from DC01 to DCDMZ01 and DCDMZ02 for a zone in the internal domain. Is it necessary to configure a zone transfer of this zone from DCDMZ01 to DCDMZ02 and vice versa?

Neil Russell (Technical Development Lead) commented:
No, you don't need any zone transfers, just the ability to forward requests, so a conditional forwarder is all you need.
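A worked configuration for the approach the thread lands on (a conditional forwarder instead of zone transfers), with Neil's earlier static-records zone as the alternative, as an added example that is not code from this thread. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT; the 2008 servers in the thread would need dnscmd instead), that it runs on a DMZ DNS server such as DMZDC01, and the IP addresses and host name are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsServer module and that this
# runs on a DMZ DNS server (DMZDC01). Addresses and host names are placeholders.

$InternalZone = 'domain.com'
$DmzZone      = 'dmz.com'
$InternalDcs  = @('10.0.1.10', '10.0.1.11')   # DC01 / DC02 (placeholder IPs)

# 1. Stop handing out copies of the DMZ zone: no zone transfers at all.
#    AD-integrated zones replicate between DMZDC01 and DMZDC02 through AD,
#    so they do not need transfers to stay in sync.
Set-DnsServerPrimaryZone -Name $DmzZone -SecureSecondaries NoTransfer

# 2. Drop any secondary copy of the internal zone that zone transfers pulled in,
#    so the DMZ server no longer holds the whole internal namespace.
$existing = Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -eq 'Secondary') {
    Remove-DnsServerZone -Name $InternalZone -Force
}

# 3a. Option A (the thread's final answer): a conditional forwarder. Queries for
#     domain.com are forwarded to the internal DCs; nothing is stored locally,
#     and only DNS (53/tcp,udp) to those two addresses must be allowed out.
Add-DnsServerConditionalForwarderZone -Name $InternalZone `
    -MasterServers $InternalDcs -ReplicationScope Forest

# 3b. Option B (Neil's first suggestion): no lookups into the internal domain at
#     all; a local zone holding static records for just the hosts the DMZ needs.
#     Use instead of 3a: a primary zone and a conditional forwarder for the same
#     name cannot coexist on one server.
# Add-DnsServerPrimaryZone -Name $InternalZone -ZoneFile "$InternalZone.dns"
# Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name 'sql01' -IPv4Address '10.0.1.50'

# 4. Verify: transfers are off on the DMZ zone and the forwarder (or zone) exists.
Get-DnsServerZone |
    Where-Object { $_.ZoneName -in @($DmzZone, $InternalZone) } |
    Select-Object ZoneName, ZoneType, SecureSecondaries, MasterServers
Resolve-DnsName -Name "sql01.$InternalZone" -Server localhost -Type A
```

Run the same steps on the internal DCs with the zone names swapped if the DMZ.com zone was also being transferred inward; the reverse lookup zones from question 3 get the same treatment (no transfers, forward or static entries only for the subnets each side actually needs).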