Question asked by Dean Henderson:
Advice for configuring External DNS servers used for an internal Active Directory single Domain Forest

I am rebuilding an internal Active Directory network that I originally set up about 20 years ago, upgrading over time from NT servers to Windows 2000 servers to 2003 servers and finally to 2012 R2 servers a few years ago. Virtual Machine technology has helped make it possible to create individual servers for things like Domain Controllers, Web Servers and SQL Servers, and at times I have run things like Exchange Servers, TFS and SharePoint Servers.

My original design made the mistake of using an externally registered domain as the internal Active Directory Forest and Domain name.

In particular, my old internal network setup is still running while I am in the process of migrating to my new internal network setup, so my old setup has Split-Brain DNS servers that are Domain Controllers for OLDDOMAIN.COM (the name was changed to protect the innocent), a Domain that I own and registered many years ago and use as a single Domain Forest where the internal domain name matches the public Internet Domain Name. The Domain Controllers/DNS Servers are OLDNS1.olddomain.com and OLDNS2.olddomain.com. These DNS servers are Authoritative for several Internet Domain names that I own and resolve to one of the static IP addresses on my Internet Gateway router that is running an IIS web server. So, pages are served to Internet users for things like SOME-DOMAIN-I-OWN.COM or OTHER-DOMAIN-I-OWN.NET using OLDIIS2.olddomain.com (with a NIC set up for this static Internet IP and another NIC which communicates on the internal network with OLDSQL2.olddomain.com and the DCs OLDNS1 and OLDNS2).

I figured this would be an opportunity to do it better this time around.

So, the internal Active Directory Domain will be a sub-domain of another external domain name I have registered.

I have made some progress on my new internal network, so I am looking more specifically for answers on the configuration details for External DNS servers.

I have successfully set up a single Domain Forest using the approach of CORP.MYDOMAIN.COM, where MYDOMAIN.COM is registered to me. My internal DCs have a single NIC connected to my internal network (named MYDNS3.corp.mydomain.com and MYDNS4.corp.mydomain.com).

I have also set up single servers MYIIS3.corp.mydomain.com and MYSQL3.corp.mydomain.com (once all the pieces are finally working, I will add redundancy for these servers). MYIIS3 communicates with the DCs and SQL servers using appropriate Domain-based Service Accounts. MYIIS3 also has a second NIC that I have tested using one of my static IP connections to my Internet Gateway, and it is able to serve pages over the Internet.

The address MYIIS3 was able to serve over the Internet used a Domain name managed by my OLDNS1 and OLDNS2 DNS/DCs.

Going forward, I want to make OLDNS1 and OLDNS2 my External DNS servers, and although they are able to get the job done the way they are currently set up and configured, I want to Demote them as DCs and stop using OLDDOMAIN.COM as an internal single Domain Forest.

Therefore, here are the questions I am hoping someone can offer Best Practice advice about:

Before Demoting these DCs, I know that by going into the DNS GUI and, in the Change Zone Type dialog, changing the checkbox for "Store the zone in Active Directory" from Checked to Unchecked, .DNS files will be created saving my current DNS configuration so that it can be used once each DC is Demoted and is only an External DNS server.
  • Once I demote OLDNS1 and OLDNS2, can they be joined to CORP.MYDOMAIN.COM, or would it be better to leave them in a Workgroup?
  • Should my external DNS servers (OLDNS1 and OLDNS2) be configured with just a single NIC each that is only connected to the Internet?
    • These 2 servers would each use one of my 5 static Internet IP addresses, leaving 3 more IPs for other servers I could publish, one of which would be a web server.
    • For example, all of the Internet-registered Domain Names these External DNS servers would be Authoritative for would resolve to the 3 static IP addresses mentioned above.
    • Are there any special considerations for how these External DNS servers should configure the parent Domain of my internal single Domain Forest (MYDOMAIN.COM in the details above)?
    • Do I need to set up DNS Delegation for the parent Domain and my single Domain Forest?
  • Should my internal DCs (MYDNS3 and MYDNS4) use any particular type of Forwarding?
    • For example, names that my internal DCs/DNS servers cannot resolve could be forwarded to the DNS servers my Internet Gateway Router configures during DHCP assignments.
    • For devices on my internal single Domain Forest, should they only be set up for DNS to point to my internal DCs, and continue to use their Default Gateway setting that points to my Internet Gateway Router and enables internal connectivity out to the Internet?

If this structure/approach is way off track, now would be the time for me to get it right, so I am open to alternate ideas on how I can set things up, and if I am pointed in the right direction for details that I can research, I am good with that.

Thanks for any details to help answer these questions and offer best practice advice.

Regards, Dean
SOLUTION (Mahesh): answer text not available on this page (members only).
ASKER (Dean Henderson):
Thanks Mahesh,

Mahesh asked: "Why do you want to uncheck AD integration?"

My existing DNS Servers on which I would uncheck AD integration are going to be demoted, and the single Domain Forest will be retired as well as the corresponding private Active Directory decommissioned. So, unchecking AD integration would allow me to use these demoted DNS servers as the External DNS, and they would be pretty much ready to go once demoted.

Thanks for the advice to use a single NIC in the External DNS servers and keeping them in a Workgroup separate from my AD Domain, as well as the DCs having forwarders point to the External DNS servers (and not the ISP DNS servers).

Best regards, Dean
SOLUTION: answer text not available on this page (members only).
ASKER CERTIFIED SOLUTION: answer text not available on this page (members only).

ASKER (Dean Henderson):
The comments by Mahesh and Jeff have been very helpful, in combination with some lab work I have been doing in the meantime.

As a result, I will be updating/adjusting my original setup using a single Domain Forest. The main change will involve creating separate DNS servers for external Internet facing DNS servers versus the internal AD DC/DNS servers.

That looks like the best path forward for me at this time.

Down the road, I will be looking at the DNS Policies added to Windows Server 2016, but my configuration doesn't rely much on the new Split-Brain features. For example, my internal clients use internal DC/DNS-based resolution for server-to-server communication, and my internal clients are able to use the External DNS addresses to view web sites I have published on the Internet and don't need to access 'special' versions of these web sites (like the Microsoft documentation on the www.career.contoso.com setup when they describe a Split-Brain scenario).

It looks like the new Windows Server 2016 DNS policies would let me consolidate the External DNS servers into my internal DC/DNS servers, but since the current support is entirely based on setting everything up via PowerShell commands, I am hoping that improved support is eventually put into the DNS GUI.

Both Mahesh and Jeff made good arguments on exporting from my old DCs and, once demoted, using import when set up as non-domain-based External DNS servers (although it was very helpful to have the examples provided by Jeff).

My lab work where I tested CORP.MYDOMAIN.COM versus MYDOMAIN.COM did not seem to offer much value for my simple circumstances and the domain I am using for my single Domain Forest does not offer any important web content (which is why my configuration does not have any complex Split-Brain requirements).
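The DNS steps the thread walks through (converting the AD-integrated zones to file-backed zones before demotion, loading them on the workgroup external servers, and pointing the internal DCs' forwarders at those servers instead of the ISP resolvers), as an added PowerShell example that is not part of the original thread or its answers. The zone list and the 203.0.113.x addresses are constructed, and the recursion-scoping part assumes the Windows Server 2016 DNS policy cmdlets Dean mentions wanting to look at.

```powershell
# Added example, not part of the original thread: the DnsServer-module
# PowerShell form of the DNS steps discussed above (Server 2012 R2/2016).
# Constructed values: the zone list, 203.0.113.10/.11 as the external
# servers' static IPs and 203.0.113.1 as the Internet gateway's address.
# Each part runs on the host named in its comment.

# -- 1. On OLDNS1 and OLDNS2 BEFORE demotion ----------------------------------
# AD-integrated zones live in the directory partition and are gone once the DC
# is demoted. Run the Export line on both servers; run the conversion on one
# server only (it removes the zone from AD) and copy its .dns files to the
# other. ConvertTo-DnsServerPrimaryZone is the cmdlet equivalent of unchecking
# "Store the zone in Active Directory"; files land in %windir%\System32\dns.
$adZones = Get-DnsServerZone |
  Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
foreach ($z in $adZones) {
  Export-DnsServerZone -Name $z.ZoneName -FileName "$($z.ZoneName).dns.bak"
  ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ZoneFile "$($z.ZoneName).dns" -Force
}
# Expect IsDsIntegrated = False. olddomain.com still holds the retired forest's
# _msdcs/_sites/_tcp SRV records; prune them before it is served externally.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
  Format-Table ZoneName, ZoneType, IsDsIntegrated

# -- 2. On the demoted, workgroup, single-NIC external servers ----------------
$publicZones = 'some-domain-i-own.com', 'other-domain-i-own.net', 'mydomain.com'
foreach ($zone in $publicZones) {   # -LoadExisting reads the restored .dns file
  Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -LoadExisting
}
# The internal DCs forward to these servers, so recursion cannot be disabled
# outright. On Server 2016+ a recursion policy allows it only for queries that
# arrive from the gateway's address, so the servers are not open resolvers.
Add-DnsServerClientSubnet -Name 'HomeGateway' -IPv4Subnet '203.0.113.1/32'
Add-DnsServerRecursionScope -Name 'InternalOnly' -EnableRecursion $true
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -Name 'RecurseForGateway' -Action ALLOW `
  -ApplyOnRecursion -RecursionScope 'InternalOnly' -ClientSubnet 'EQ,HomeGateway'

# -- 3. On MYDNS3 and MYDNS4 (internal DC/DNS) --------------------------------
# Forward what the DCs cannot answer to the external servers instead of the ISP
# resolvers the gateway hands out via DHCP. corp.mydomain.com never leaves the
# network: the DCs are authoritative for it and answer locally.
Set-DnsServerForwarder -IPAddress 203.0.113.10, 203.0.113.11 -UseRootHint $false
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress

# Checks: a public name resolves through the external servers, and the internal
# AD name is not answered by them (an error/NXDOMAIN is the expected result).
Resolve-DnsName -Name 'www.some-domain-i-own.com' -Server 203.0.113.10 -Type A
Resolve-DnsName -Name 'mydns3.corp.mydomain.com' -Server 203.0.113.10 -Type A `
  -ErrorAction SilentlyContinue
```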