I am rebuilding an internal Active Directory network that I originally set up about 20 years ago, upgrading over time from NT servers to Windows 2000 servers to 2003 servers and finally to 2012 R2 servers a few years ago. Virtual Machine technology has helped make it possible to create individual servers for things like Domain Controllers, Web Servers and SQL Servers, and at times I have run things like Exchange Servers, TFS and SharePoint Servers.
My original design made the mistake of using an externally registered domain as the internal Active Directory Forest and Domain name.
In particular, my old internal network setup is still running while I am in the process of migrating to my new internal network setup, so my old setup has Split-Brain DNS servers that are Domain Controllers for OLDDOMAIN.COM (the name was changed to protect the innocent), a Domain that I own and registered many years ago and use as a single Domain Forest where the internal domain name matches the public Internet Domain Name. The Domain Controllers/DNS Servers are OLDNS1.olddomain.com and OLDNS2.olddomain.com. These DNS servers are Authoritative for several Internet Domain names that I own, and those names resolve to one of the static IP addresses on my Internet Gateway router, which is running an IIS web server. So, pages are served to Internet users for things like SOME-DOMAIN-I-OWN.COM or OTHER-DOMAIN-I-OWN.NET using OLDIIS2.olddomain.com (with one NIC set up for this static Internet IP and another NIC which communicates on the internal network with OLDSQL2.olddomain.com and the DCs OLDNS1 and OLDNS2).
I figured this would be an opportunity to do it better this time around.
So, the internal Active Directory Domain will be a sub-domain of another external domain name I have registered.
I have made some progress on my new internal network, so I am looking more specifically for answers on the configuration details for External DNS servers.
I have successfully set up a single Domain Forest using the approach of CORP.MYDOMAIN.COM, where MYDOMAIN.COM is registered to me. My internal DCs have a single NIC connected to my internal network (named MYDNS3.corp.mydomain.com and MYDNS4.corp.mydomain.com).
I have also set up single servers MYIIS3.corp.mydomain.com and MYSQL3.corp.mydomain.com (once all the pieces are finally working, I will add redundancy for these servers). MYIIS3 communicates with the DCs and SQL servers using appropriate Domain-based Service Accounts. MYIIS3 also has a second NIC that I have tested using one of my static IP connections to my Internet Gateway, and it is able to serve pages over the Internet.
The address MYIIS3 was able to serve over the Internet used a Domain name managed by my OLDNS1 and OLDNS2 DNS/DCs.
Going forward, I want to make OLDNS1 and OLDNS2 my External DNS servers, and although they are able to get the job done the way they are currently set up and configured, I want to Demote them as DCs and stop using OLDDOMAIN.COM as an internal single Domain Forest.
Therefore, here are the questions I am hoping someone can offer Best Practice advice on:
Before Demoting these DCs, I know that by going into the DNS GUI and, in the Change Zone Type dialog, changing the checkbox for "Store the zone in Active Directory" from Checked to Unchecked, .DNS files will be created saving my current DNS configuration so that it can be used once each DC is Demoted and is only an External DNS server.
- Once I demote OLDNS1 and OLDNS2, can they be joined to CORP.MYDOMAIN.COM or would it be better to leave them in a WorkGroup?
- Should my external DNS servers (OLDNS1 and OLDNS2) be configured with just a single NIC each that is only connected to the Internet?
- These 2 servers would each use one of my 5 static Internet IP addresses, leaving 3 more IPs for other servers I could publish, one of which would be a web server.
- For example, all of the Internet Registered Domain Names these External DNS servers would be Authoritative for would resolve to the above-mentioned 3 static IP addresses.
- Are there any special considerations for how these External DNS servers should configure the parent Domain of my internal single Domain Forest (MYDOMAIN.COM in the details above)?
- Do I need to set up DNS Delegation for the parent Domain and my single Domain Forest?
- Should my internal DCs (MYDNS3 and MYDNS4) use any particular type of Forwarding?
- For example, names that my internal DCs/DNS servers cannot resolve could be forwarded to the DNS servers my Internet Gateway Router configures during DHCP assignments.
- For devices on my internal single Domain Forest, should they only be set up for DNS to point to my internal DCs, and continue to allow their Default Gateway setting that points to my Internet Gateway Router and enables internal connectivity out to the Internet?
If this structure/approach is way off track, now would be the time for me to get it right, so I am open to alternate ideas on how I can set things up and if pointed in the right direction for details that I can research, I am good with that.
Thanks for any details to help answer these questions and offer best practice advice.
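Added example, not part of the question above and not from any answer to it: the PowerShell (DnsServer and DhcpServer module cmdlets) that carries out the steps the question asks about, in the order they would be done. Every IP address, scope and role assignment below is an assumption chosen for illustration (RFC 1918 space for the internal network, 203.0.113.0/24 for the public side); substitute your own. Two points the question does not spell out: once OLDNS1 and OLDNS2 are demoted, AD replication no longer keeps their zones in sync, so one must become the primary and the other a secondary fed by zone transfers; and an authoritative-only external server should have recursion disabled so it is not an open resolver. A public delegation of corp.mydomain.com is only needed if hosts on the Internet must resolve names inside it; without one, the external servers simply answer NXDOMAIN for corp.* and the internal DCs remain the only authority for that zone.

```powershell
#Requires -Modules DnsServer
# Assumed addresses (constructed for this example):
#   Internal DCs/DNS : MYDNS3 10.10.0.3, MYDNS4 10.10.0.4  (authoritative for corp.mydomain.com)
#   Old DCs, LAN NIC : OLDNS1 10.10.0.1... kept only until migration finishes
#   External DNS     : OLDNS1 203.0.113.11 (primary), OLDNS2 203.0.113.12 (secondary)
#   Public web server: 203.0.113.20
#   Upstream resolver: 203.0.113.53 (what the gateway hands out via DHCP)
#   Internal gateway : 10.10.0.254, DHCP scope 10.10.0.0/24 on a Windows DHCP server

# ---- 1. On OLDNS1 and OLDNS2, BEFORE demoting them (question on .DNS files) ----
# Same effect as unchecking "Store the zone in Active Directory": each
# AD-integrated zone becomes a file-backed primary under %SystemRoot%\System32\dns.
$externalZones = 'mydomain.com', 'some-domain-i-own.com', 'other-domain-i-own.net'
foreach ($zone in $externalZones) {
    Export-DnsServerZone -Name $zone -FileName "$zone.backup.dns"      # safety copy first
    $z = Get-DnsServerZone -Name $zone
    if ($z.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -Force
    }
}
# The AD zone (olddomain.com with its _msdcs/_sites/_tcp records) is what demotion
# cleans up; only convert it too if you still want to serve olddomain.com publicly.

# ---- 2. On OLDNS1 after demotion (workgroup, single Internet-facing NIC) ----
Set-DnsServerRecursion -Enable $false                     # authoritative only, not an open resolver
foreach ($zone in $externalZones) {
    # Without AD there is no replication: allow zone transfers only to the secondary.
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers 203.0.113.12 `
        -Notify NotifyServers -NotifyServers 203.0.113.12
    # Public names resolve to a public address, never to 10.x.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address 203.0.113.20
}
# Optional, and only if Internet hosts must resolve corp.mydomain.com (question on delegation).
# Leaving it out is the usual choice: it would publish the internal DCs' names and addresses.
# Add-DnsServerZoneDelegation -Name 'mydomain.com' -ChildZoneName 'corp' `
#     -NameServer 'mydns3.corp.mydomain.com' -IPAddress 10.10.0.3

# ---- 3. On OLDNS2 after demotion: pull the same zones as a secondary ----
Set-DnsServerRecursion -Enable $false
foreach ($zone in $externalZones) {
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers 203.0.113.11
}

# ---- 4. On MYDNS3 and MYDNS4 (question on forwarding) ----
# They answer corp.mydomain.com themselves; everything else goes to the upstream resolver.
Set-DnsServerForwarder -IPAddress 203.0.113.53 -UseRootHint $false
# During the migration, send olddomain.com lookups to the old DCs' LAN addresses
# instead of out to the Internet (remove once the old forest is gone).
Add-DnsServerConditionalForwarderZone -Name 'olddomain.com' -MasterServers 10.10.0.1, 10.10.0.2

# ---- 5. On the DHCP server (question on client DNS and default gateway) ----
# Clients use only the internal DCs for DNS and keep the gateway as their router.
Set-DhcpServerv4OptionValue -ScopeId 10.10.0.0 -DnsServer 10.10.0.3, 10.10.0.4 `
    -DnsDomain 'corp.mydomain.com' -Router 10.10.0.254

# ---- 6. Checks from a domain-joined client and from an outside host ----
Resolve-DnsName -Name 'mydns3.corp.mydomain.com' -Server 10.10.0.3 -Type A        # local authority
Resolve-DnsName -Name 'www.some-domain-i-own.com'  -Server 10.10.0.3 -Type A        # via forwarder
Resolve-DnsName -Name 'mydomain.com' -Server 203.0.113.11 -Type NS                  # authoritative answer
Resolve-DnsName -Name 'www.example.org' -Server 203.0.113.11 -DnsOnly               # must fail: recursion off
```

If the gateway router, rather than a Windows server, hands out DHCP, set the same two values there: DNS servers = the internal DCs only, router = the gateway. Giving clients the router's or ISP's resolver as a second DNS entry is the classic cause of intermittent domain logon and GPO failures, because the client will sometimes ask a server that knows nothing about corp.mydomain.com.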