Advice for configuring External DNS servers used for internal Active Directory single Domain Forest

I am rebuilding an internal Active Directory network that I originally set up about 20 years ago, upgrading over time from NT servers to Windows 2000 servers to 2003 servers and finally to 2012 R2 servers a few years ago.  Virtual Machine technology has helped make it possible to create individual servers for things like Domain Controllers, Web Servers and SQL Servers, and at times I have run things like Exchange Servers, TFS and SharePoint Servers.

My original design made the mistake of using an externally registered domain as the internal Active Directory Forest and Domain name.

In particular, my old internal network setup is still running while I am in the process of migrating to my new internal network setup. My old setup has Split-Brain DNS servers that are Domain Controllers for OLDDOMAIN.COM (the name was changed to protect the innocent), a Domain that I own and registered many years ago and use as a single Domain Forest where the internal domain name matches the public Internet Domain Name.  The Domain Controllers/DNS Servers are OLDNS1.olddomain.com and OLDNS2.olddomain.com.  These DNS servers are Authoritative for several Internet Domain names that I own, which resolve to one of the static IP addresses on my Internet Gateway router that is running an IIS web server.  So, pages are served to Internet users for things like SOME-DOMAIN-I-OWN.COM or OTHER-DOMAIN-I-OWN.NET using OLDIIS2.olddomain.com (with a NIC set up for this static Internet IP and another NIC which communicates on the internal network with OLDSQL2.olddomain.com and the DCs OLDNS1 and OLDNS2).

I figured this would be an opportunity to do it better this time around.

So, the internal Active Directory Domain will be a sub-domain of another external domain name I have registered.

I have made some progress on my new internal network, so I am looking more specifically for answers on the configuration details for External DNS servers.

I have successfully setup a single Domain Forest using the approach of CORP.MYDOMAIN.COM where MYDOMAIN.COM is registered to me.  My internal DCs have a single NIC connected to my internal network (named MYDNS3.corp.mydomain.com and MYDNS4.corp.mydomain.com).  

I have also setup single servers MYIIS3.corp.mydomain.com and MYSQL3.corp.mydomain.com (once all the pieces are finally working, I will add redundancy for these servers).  MYIIS3 communicates with the DCs and SQL servers using appropriate Domain based Service Accounts.  MYIIS3 also has a second NIC that I have tested using one of my static IP connections to my Internet Gateway and is able to serve pages over the Internet.

The address MYIIS3 was able to serve over the Internet used a Domain name managed by my OLDNS1 and OLDNS2 DNS/DCs.

Going forward, I want to make OLDNS1 and OLDNS2 my External DNS servers and although they are able to get the job done the way they are currently setup and configured, I want to Demote them as DCs and stop using OLDDOMAIN.COM as an internal single Domain Forest.

Therefore, here are questions I am hoping someone can offer Best Practice advice about:

Before Demoting these DCs, I know that by going into the DNS GUI and, in the Change Zone Type dialog, changing the checkbox for Store the zone in Active Directory from Checked to Unchecked, .DNS files will be created saving my current DNS configuration so that it can be used once each DC is Demoted and is only an External DNS server.
  • Once I demote OLDNS1 and OLDNS2, can they be joined to CORP.MYDOMAIN.COM or would it be better to leave them in a WorkGroup?
  • Should my external DNS servers (OLDNS1 and OLDNS2) be configured with just a single NIC each that is only connected to the Internet?
    • These 2 servers would each use one of my 5 static Internet IP addresses leaving 3 more IPs for other servers I could publish, one of which would be a web server
    • For example, all of the Internet Registered Domain Names these External DNS servers would be Authoritative to manage, they would resolve to the above mentioned 3 static IP addresses
    • Are there any special considerations for how these External DNS servers should configure the parent Domain of my internal single Domain Forest (MYDOMAIN.COM in the details above)?
    • Do I need to setup DNS Delegation for the parent Domain and my single Domain Forest?
  • Should my internal DCs (MYDNS3 and MYDNS4) use any particular type of Forwarding?
    • For example, names that my internal DCs/DNS servers cannot resolve could forward to the DNS servers my Internet Gateway Router configures during DHCP assignments
    • For devices on my internal single Domain Forest, should they only be setup for DNS to point to my internal DCs and continue to allow their Default Gateway setting that points to my Internet Gateway Router and enables internal connectivity out to the Internet?

If this structure/approach is way off track, now would be the time for me to get it right, so I am open to alternate ideas on how I can set things up and if pointed in the right direction for details that I can research, I am good with that.

Thanks for any details to help answer these questions and offer best practice advice.

Regards, Dean
Dean Henderson (Software Developer / Tech Lead) asked:

Mahesh (Architect) commented:
Why do you want to uncheck AD integration? It will remove the zone from all DCs which are also domain controllers.
Just export the current zone with dnscmd, which can later be imported on the new DNS servers.
After the export you may demote the DCs.

As Microsoft states, you are hence breaking the split-brain model.
But in reality I don't see many issues with that apart from domain.com resolving to domain controllers internally.
There are clients of mine who are using split-brain scenarios..... OK, that's not the topic here.

As far as I can suggest, keep the public DNS servers in a workgroup with a single network card, and they should be reachable internally from the AD servers as a conditional forwarder.
I really don't see any need for setting up DNS delegation on these public DNS servers pointing to the internal AD DNS servers, as it won't be published on the Internet.
Now coming to the point of Internet name resolution for internal clients: this should be taken care of by your internal DCs, and the DCs should have forwarders set pointing to Internet DNS servers (not your public DNS servers).
Your public DNS should be there for the external world to resolve your domains.
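
An added example, not part of Mahesh's comment or the original post, showing what the internal DC/DNS configuration he describes looks like in PowerShell: generic forwarders to public resolvers with root hints as the fallback, a check that no root zone is blocking root hints, and conditional forwarders for the public zones hosted on the workgroup servers. The public resolver addresses, the internal addresses assumed for OLDNS1/OLDNS2 and the list of public zones are assumptions; the cmdlets are the standard DnsServer module cmdlets shipped with Windows Server 2012 and later.

```powershell
# Added example, not code from the thread. Configures the internal DC/DNS
# servers (MYDNS3, MYDNS4) along the lines Mahesh describes. Assumptions:
# public resolvers 8.8.8.8/8.8.4.4, internal addresses 192.0.2.10/11 for the
# workgroup DNS servers OLDNS1/OLDNS2, and the list of public zones below.
# Run in an elevated PowerShell on each internal DC.

$publicResolvers = '8.8.8.8', '8.8.4.4'          # assumed
$workgroupDns    = '192.0.2.10', '192.0.2.11'    # assumed internal IPs of OLDNS1/OLDNS2
$publicZones     = 'mydomain.com', 'some-domain-i-own.com', 'other-domain-i-own.net'

# 1. Names the DC cannot answer itself go to the public resolvers, not to the
#    ISP addresses the gateway hands out by DHCP and not to OLDNS1/OLDNS2.
#    -UseRootHint keeps root hints as the fallback if the forwarders time out.
Set-DnsServerForwarder -IPAddress $publicResolvers -UseRootHint $true -Timeout 3

# 2. Root hints only work if no root ('.') zone exists locally; a leftover root
#    zone makes the server believe it is the top of the namespace and it will
#    neither forward nor recurse.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
}

# 3. Conditional forwarders: queries for the zones hosted on the workgroup
#    servers go to them directly over the internal path. The AD zone
#    corp.mydomain.com is more specific than mydomain.com, so it is still
#    answered locally from the AD-integrated copy.
foreach ($zone in $publicZones) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone `
            -MasterServers $workgroupDns -ReplicationScope Forest
    }
}

# 4. Verify from the DC itself: forwarder list, conditional forwarder zones,
#    then one query answered locally, one via the conditional forwarder and
#    one via the public resolvers.
Get-DnsServerForwarder
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Format-Table ZoneName, MasterServers -AutoSize
Resolve-DnsName -Name 'corp.mydomain.com' -Type SOA -Server localhost   # local AD zone
Resolve-DnsName -Name 'www.mydomain.com'  -Type A   -Server localhost   # conditional forwarder
Resolve-DnsName -Name 'www.microsoft.com' -Type A   -Server localhost   # public resolvers
```

With this in place the internal clients need only MYDNS3 and MYDNS4 as DNS servers; their default gateway setting is unaffected, because name resolution and IP routing are separate paths. The conditional forwarders are replicated forest-wide (-ReplicationScope Forest), so they need to be created once, not on every DC.
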
Dean Henderson (Author) commented:
Thanks Mahesh,

"Why do you want to uncheck AD integration?"

My existing DNS Servers on which I would uncheck AD integration are going to be demoted, and the single Domain Forest will be retired as well as the corresponding private Active Directory decommissioned.  So, unchecking AD integration would allow me to use these demoted DNS servers as the External DNS, and they would be pretty much ready to go once demoted.

Thanks for the advice to use a single NIC in the External DNS servers and keep them in a Workgroup separate from my AD Domain, as well as the DCs having forwarders point to the External DNS servers (and not the ISP DNS servers).

Best regards, Dean
Mahesh (Architect) commented:
When you decommission a DC, it will delete the zone as well; you simply need to export the DNS zone before you demote the DC and later on import it on the new DCs.
Nobody unchecks the DNS AD-integration check mark while keeping the DC role; as soon as you do that, your name resolution will collapse and further DC demotion is not graceful.
Go with the standard way.

Your internal DC/DNS should point to a public DNS such as Google DNS as a DNS forwarder.
The purpose is to use your external DNS servers exclusively to host your public domains only.

Jeff Glover (Sr. Systems Administrator) commented:
I'll throw my two cents in here since I inherited a setup with issues and have been coping ever since. First, your current DNS servers. If I understand right, they are DCs also? Not good to have DCs exposed, but you are correcting that. If you change your old DNS/DC servers from AD-integrated zones to a Standard Secondary (if you still have one set to AD-integrated, it will be the primary), then you could simply copy the zone file. However, you can export a copy of an AD-integrated zone file using dnscmd:  dnscmd <server> /zoneexport <zone name> <filename>

You can import the zone file using a similar command:  dnscmd <server> /zoneadd <zonename> /primary /file <filename> /load  (without /load, dnscmd creates a new empty zone file instead of reading the copied one). The file should be in the windows\system32\dns folder.

For the rest, I don't like "empty" root domains where your domain is a child. It complicates things later. I recommend using your external DNS servers locked down, not as members of any domain, serving your public sites and domain. Make your internal domain DCs AD-integrated DNS servers and use Split-Brain DNS. In my experience, forwarders are a pain and, if you are set up right, not needed. Root hints will work as long as you do not have a root (.) zone in your internal DNS. You do not have to do any fancy delegations or anything else. Just make sure you set up Split-Brain DNS correctly.

As far as your original design being a mistake, not really. I think having your external DNS servers as DCs was, but the old logic of having internal domains with DNS suffixes of .local or .private has proven to be a mistake since they changed the rules with Certificates.
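
An added example, not code from Jeff's or Mahesh's comments, that carries their export-then-import advice through end to end and adds the lock-down Jeff asks for on the public servers: export the public zones from the still-AD-integrated DNS on OLDNS1, load them as file-backed primaries on a stand-alone workgroup server, then disable recursion and dynamic updates and restrict zone transfers. The new server name PUBDNS1, its address 203.0.113.10, the secondary at 203.0.113.11 and the zone list are assumptions; the export uses dnscmd as Jeff shows, the import uses the equivalent DnsServer cmdlet.

```powershell
# Added example, not code from the thread. Moves the public zones off the
# AD-integrated DNS on OLDNS1 onto a stand-alone, workgroup DNS server, and
# locks that server down. Assumptions: new server name PUBDNS1 with public
# address 203.0.113.10, a secondary PUBDNS2 at 203.0.113.11, and the zone
# list below (olddomain.com itself is being retired and is not exported).

$publicZones = 'mydomain.com', 'some-domain-i-own.com', 'other-domain-i-own.net'

# --- Part 1: on OLDNS1 while it is still a DC, before demotion --------------
# /ZoneExport reads the AD-integrated zone and writes a text zone file into
# %SystemRoot%\System32\dns without changing the zone itself.
foreach ($zone in $publicZones) {
    dnscmd localhost /ZoneExport $zone "$zone.dns"
}

# Copy the exported files to the new server. PUBDNS1 is a workgroup member,
# so map its admin share with a local administrator credential first.
New-PSDrive -Name P -PSProvider FileSystem -Root '\\PUBDNS1\c$' `
    -Credential (Get-Credential 'PUBDNS1\Administrator') | Out-Null
foreach ($zone in $publicZones) {
    Copy-Item "$env:SystemRoot\System32\dns\$zone.dns" 'P:\Windows\System32\dns\'
}
Remove-PSDrive -Name P

# --- Part 2: on PUBDNS1 (workgroup, one NIC on the public static IP) --------
# Load each zone as a file-backed primary. -LoadExisting is what makes the
# server read the copied file instead of creating an empty zone (the same
# role /load plays for dnscmd /zoneadd).
foreach ($zone in $publicZones) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -LoadExisting
}

# Hardening for an Internet-facing authoritative server:
#  - no recursion: it answers only for its own zones and is not an open
#    resolver that anyone on the Internet can use or abuse for amplification;
#  - no dynamic updates on the public zones (nothing on the Internet may
#    register records into them);
#  - zone transfers and NOTIFY only to the named secondary.
Set-DnsServerRecursion -Enable $false
foreach ($zone in $publicZones) {
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate None `
        -SecureSecondaries TransferToSecureServers -SecondaryServers '203.0.113.11' `
        -Notify NotifyServers -NotifyServers '203.0.113.11'
}

# --- Part 3: checks ---------------------------------------------------------
# On PUBDNS1: every zone is a file-backed primary, not AD-integrated, and
# recursion is off.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate -AutoSize
Get-DnsServerRecursion

# From a host outside the network: the server must answer for its own zones
# but refuse to resolve names it is not authoritative for.
Resolve-DnsName -Name 'www.some-domain-i-own.com' -Type A -Server 203.0.113.10
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server 203.0.113.10
```

The second Resolve-DnsName in Part 3 is the open-resolver check: if it returns an answer, recursion is still on and the server will resolve anything for anyone on the Internet. The exported zone files also carry whatever records the old split-brain setup had for internal hosts; review them before loading, since everything in a public zone on PUBDNS1 becomes visible to the Internet.
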

Dean Henderson (Author) commented:
The comments by Mahesh and Jeff have been very helpful, in combination with some lab work I have been doing in the meantime.

As a result, I will be updating/adjusting my original setup using a single Domain Forest. The main change will involve creating separate DNS servers for the external, Internet-facing DNS servers versus the internal AD DC/DNS servers.

That looks like the best path forward for me at this time.

Down the road, I will be looking at the DNS Policies added to Windows Server 2016, but my configuration doesn't rely much on the new Split-Brain features. For example, my internal clients use internal DC/DNS-based resolution for server-to-server communication, and my internal clients are able to use the External DNS addresses to view web sites I have published on the Internet and don't need to access 'special' versions of these web sites (like the Microsoft documentation on the www.career.contoso.com setup when they describe a Split-Brain scenario).

It looks like the new Windows Server 2016 DNS policies would let me consolidate the External DNS servers into my internal DC/DNS servers, but since the current support is entirely based on setting everything up via PowerShell commands, I am hoping that improved support is eventually put into the DNS GUI.
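
An added example, not from Dean's comment or anyone else in the thread, of the Windows Server 2016 DNS policy split-brain configuration he refers to, laid out the way Microsoft's documentation does it: a client subnet, a zone scope, per-scope records for the same name, and a query resolution policy that selects the scope by source subnet. The zone, subnet and addresses are assumptions. The caveat follows from the rest of the thread: consolidating the public zones onto the DCs this way means the DCs themselves answer Internet queries, which is exactly the exposure Jeff advised against, so the separate-server design Dean settled on remains the safer one.

```powershell
# Added example, not code from the thread. Windows Server 2016+ DNS policy
# split-brain for a single zone. Assumptions: zone mydomain.com hosted on the
# DC, internal clients in 10.10.0.0/16, public web address 203.0.113.20,
# internal web address 10.10.0.20.

$zone = 'mydomain.com'

# 1. Identify internal clients by source subnet.
Add-DnsServerClientSubnet -Name 'CorpSubnet' -IPv4Subnet '10.10.0.0/16'

# 2. A zone scope holds the records only internal clients should receive.
#    The default scope (records added without -ZoneScope) is what the
#    Internet sees.
Add-DnsServerZoneScope -ZoneName $zone -Name 'internal'

# 3. Same name, two answers: one in the default scope, one in the internal scope.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '203.0.113.20'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '10.10.0.20' `
    -ZoneScope 'internal'

# 4. Policy: queries whose source address is in CorpSubnet are answered from
#    the internal scope (weight 1). Anything else falls through to the default
#    scope, so an Internet client never sees the 10.x address.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainInternal' -Action ALLOW `
    -ClientSubnet 'eq,CorpSubnet' -ZoneScope 'internal,1' -ZoneName $zone

# 5. Verify the policy and the scoped record, then query from the DC itself
#    (its own address decides which scope answers).
Get-DnsServerQueryResolutionPolicy -ZoneName $zone
Get-DnsServerResourceRecord -ZoneName $zone -Name 'www' -ZoneScope 'internal'
Resolve-DnsName -Name "www.$zone" -Type A -Server localhost
```

The selection is by source IP, so it is only as trustworthy as the network boundary: an internal address that is spoofable from outside, or a proxy that forwards Internet queries with an internal source, would leak the internal scope. That, plus the fact that the DC has to be reachable on UDP/TCP 53 from the Internet for the public scope to be of any use, is why the thread's recommendation of separate workgroup servers holds even with DNS policies available.
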
Dean Henderson (Author) commented:
Both Mahesh and Jeff made good arguments on exporting from my old DCs and, once demoted, using import when they are set up as non-domain-based External DNS servers (although it was very helpful to have the examples provided by Jeff).

My lab work where I tested CORP.MYDOMAIN.COM versus MYDOMAIN.COM did not seem to offer much value for my simple circumstances, and the domain I am using for my single Domain Forest does not offer any important web content (which is why my configuration does not have any complex Split-Brain requirements).