
DNS Recommendations w/ Active Directory & (2) DNS Servers


gmarquez
Apr 4, 2007, 7:29:05 PM
*Note: This is re-post, I also posted to "Active Directory 2003"
group. Hope this one gives better response.
================================================================================
Currently I've been seeing issues with our 2 domain controllers
running Win2K3 Active Directory. We're not a big enterprise but run
many services for both internal and external employees/customers.
After looking at all of the DNS servers/settings I've discovered many
things set up incorrectly and I'd like to correct them or set them up
again correctly.

I also found many posts online suggesting Active-Directory Integrated
DNS, and others stating better to use Second Server with Secondary
(read-only) DNS settings, while another post specifies that Stub Zones
are actually a better preferred way of doing this w/ less network
traffic, etc. Well which one is better for my environment?

We have about 100 employees but host many websites to our external
customers. I also maintain 2 VPN solutions to our customers and for
remote employees. I've set up connections to our customer's WANs and
for connecting to these remote devices we rely heavily on DNS for
connecting daily even after hours.

My question is for the DNS so actively relied upon in my environment
and the need for a backup 2nd DNS server in the event our Primary Domain
Controller (DNS1) were to go down; which is the best method to set
this all up?

DC1 - DNS1 as:
Primary w/ Active-Directory Integrated?

Replication, to all DNS servers in the AD domain?
Only Secure dynamic Updates?

Name Servers to include both Domain Controllers/DNS servers?
- DC1/DNS1's FQDN and IP
- DC2/DNS2's FQDN and IP

With Zone Transfers to Allow Zone Transfers to:
- To any Server
- Only to servers listed on the Name Servers Tab? <-- this one I'd
think.
- Only to the following Servers.

DC2 - DNS2 as:
Secondary? (then Active-Directory Integrated no longer) Stub Zone w/
Active-Directory?

Replication, to all DNS servers in the AD domain?
Only Secure dynamic Updates?

Name Servers to include both Domain Controllers/DNS servers?
- DC1/DNS1's FQDN and IP
- DC2/DNS2's FQDN and IP

With Zone Transfers to Allow Zone Transfers to:
- To any Server
- Only to servers listed on the Name Servers Tab? <-- this one I'd
think.
- Only to the following Servers.

---------------------------------------------------------------------------

I just tried going through this example and when I went to add the
Second DNS zone on DNS2 it said it already existed. Okay I realize
that when I set up the Zone in DC/DNS1 and applied to transfer securely
to the Name Server (DC2/DNS2) it was created. Although when I view
Properties on DNS2 it reads as Primary AD-Integrated. Is this what I
want? I also tried to look for Best-Practices or Recommendation for
accomplishing this with 2 DC/DNS servers but didn't find anything or
just didn't look right.

Please Advise, if possible.

-Regards.
Gmarquez

Herb Martin
Apr 4, 2007, 8:53:00 PM

"gmarquez" <gmar...@indyme.com> wrote in message
news:1175729344.9...@e65g2000hsc.googlegroups.com...

> *Note: This is re-post, I also posted to "Active Directory 2003"
> group. Hope this one gives better response.

(Next time) Reasonable Cross-posting of a single message is actually
encouraged -- you then may get help from people monitoring the thread
in various newsgroups.

> ================================================================================
> Currently I've been seeing issues with our 2 domain controllers
> running Win2K3 Active Directory. We're not a big enterprise but run
> many services for both internal and external employees/customers.
> After looking at all of the DNS servers/settings I've discovered many
> things setup incorrectly and I'd like to correct or re-setup
> correctly.
>
> I also found many posts online suggesting Active-Directory Integrated
> DNS, and others stating better to use Second Server with Secondary
> (read-only) DNS settings, while another post specifies that Stub Zones
> are actually a better preferred way of doing this w/ less network
> traffic, etc. Well which one is better for my environment?

For a single Domain (which you seem to have) the best choice is for
your (few) DCs to all use AD Integrated.

For using Secondaries this recommendation is likely being confused for
MULTIPLE domains and thus multiple DNS zones. Same for Stubs
but they are mostly relevant to HUGE zones/domains where you wish
to avoid most replication.

Make each of your DCs an AD Integrated DNS Server and also they
should all be GCs in a single domain forest.

> We have about 100 employees but host many websites to our external
> customers. I also maintain a 2 VPN solutions to our customers and for
> remote employees. I've setup connections to our customer's WANs and
> for connecting to these remote devices we rely heavily on DNS for
> connecting daily even after hours.

If you are supplying external or public DNS resolution for your zones this
should NOT be done on the same set of DNS servers you use for your
internal AD and internal resource resolution.

This is a big part (along with security) of the reason why your EXTERNAL
PUBLIC DNS should be left at (or returned to) your REGISTRAR in most
cases.

> My question is for the DNS so actively relied upon in my environment
> and the need for a backup 2nd DNS server in the event our Primary Domain
> Controller (DNS1) were to go down; which is the best method to set
> this all up?
>
> DC1 - DNS1 as:
> Primary w/ Active-Directory Integrated?

AD Int.

> Replication, to all DNS servers in the AD domain?

Yes.

> Only Secure dynamic Updates?

Yes.

> Name Servers to include both Domain Controllers/DNS servers?
> - DC1/DNS1's FQDN and IP
> - DC2/DNS2's FQDN and IP

If these represent the NIC->IP properties for DNS Server then the
order above is likely best for DNS-DCs separated by a WAN but
you may prefer "other as Preferred, and self as Alternate" if they are
on the Same LAN.

> With Zone Transfers to Allow Zone Transfers to:

Unnecessary if you have no Secondaries -- these settings only affect
actual Secondaries.

> - To any Server
> - Only to servers listed on the Name Servers Tab? <-- this one I'd
> think.
> - Only to the following Servers.

None at all.

> DC2 - DNS2 as:
> Secondary? (then Active-Directory Integrated no longer) Stub Zone w/
> Active-Directory?

AD Int

> Replication, to all DNS servers in the AD domain?
> Only Secure dynamic Updates?

Yes, this will be the same as the other DC.

> Name Servers to include both Domain Controllers/DNS servers?
> - DC1/DNS1's FQDN and IP
> - DC2/DNS2's FQDN and IP

If these represent the NIC->IP properties for DNS Server then the
order above is likely best for DNS-DCs NOT separated by a WAN but
you may prefer "self as Preferred, and other as Alternate" if they are
on the Same LAN.

These choices are about Performance/Efficiency (self-first) vs. eliminating
a trivial Startup error (Other-first)

> With Zone Transfers to Allow Zone Transfers to:

None, not needed unless you have Secondaries.

> - To any Server
> - Only to servers listed on the Name Servers Tab? <-- this one I'd
> think.
> - Only to the following Servers.
>
> ---------------------------------------------------------------------------
>
> I just tried going through this example and when I went to add the
> Second DNS zone on DNS2 it said it already existed.

AD Integrated does that on the OTHER DCs.
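The settings Herb recommends above (AD-integrated, replicated to all DNS servers in the domain, secure dynamic updates only, no zone transfers because there are no secondaries) can be checked on every DC at once. The script below is an added example, not something from this thread or from Microsoft; it assumes Windows Server 2012 or later with the DnsServer PowerShell module (which the Win2K3 servers in the thread do not have), and the server names and zone name are placeholders for your own environment.

```powershell
# Added example (not from the thread): audit each DC/DNS server's copy of the
# internal AD zone against the recommendations in the reply above.
# Assumes the DnsServer module (Windows Server 2012+); names are placeholders.
$dnsServers = @('DC1', 'DC2')      # assumed hostnames of the two DC/DNS servers
$zoneName   = 'domain.local'       # assumed internal AD zone name

foreach ($server in $dnsServers) {
    $zone = Get-DnsServerZone -ComputerName $server -Name $zoneName -ErrorAction Stop

    # Collect anything that deviates from: AD-integrated, domain/forest replication,
    # secure dynamic updates only, and zone transfers switched off.
    $findings = @()
    if (-not $zone.IsDsIntegrated) {
        $findings += "zone type is '$($zone.ZoneType)' and not AD-integrated"
    }
    if ($zone.ReplicationScope -notin @('Domain', 'Forest')) {
        $findings += "replication scope is '$($zone.ReplicationScope)' (expected Domain or Forest)"
    }
    if ($zone.DynamicUpdate -ne 'Secure') {
        $findings += "dynamic update is '$($zone.DynamicUpdate)' (expected Secure)"
    }
    if ($zone.SecureSecondaries -ne 'NoTransfer') {
        $findings += "zone transfers set to '$($zone.SecureSecondaries)' (expected NoTransfer, no secondaries exist)"
    }

    # One row per server; 'REVIEW' rows list what to change.
    [pscustomobject]@{
        Server   = $server
        Zone     = $zone.ZoneName
        Status   = if ($findings.Count -eq 0) { 'OK' } else { 'REVIEW' }
        Findings = ($findings -join '; ')
    }
}
```

The script only reads; because the zone is multi-mastered, a fix such as `Set-DnsServerPrimaryZone -Name domain.local -DynamicUpdate Secure -SecureSecondaries NoTransfer` run against one DC replicates to the others, which is the point Herb makes about maintaining changes once.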

gmarquez
Apr 5, 2007, 1:16:28 PM
On Apr 4, 5:53 pm, "Herb Martin" <n...@learnquick.com> wrote:
> "gmarquez" <gmarq...@indyme.com> wrote in message

>
> news:1175729344.9...@e65g2000hsc.googlegroups.com...
>
> > *Note: This is re-post, I also posted to "Active Directory 2003"
> > group. Hope this one gives better response.
>
> (Next time) Reasonable Cross-posting of a single message is actually
> encouraged -- you then may get help from people monitoring the thread
> in various newsgroups.
>

First of all thanks for the valuable feedback to my questions!

> If you are supplying external or public DNS resolution for your zones this
> should NOT be done on the same set of DNS servers you use for your
> internal AD and internal resource resolution.
>
> This is a big part (along with security) of the reason why your EXTERNAL
> PUBLIC DNS should be left at (or returned to) your REGISTRAR in most
> cases.

Also for PUBLIC DNS I do use an external ISP to resolve the names for
anything we host internally for Internet access. Then I create a NAT
entry on my router to allow whatever the publicly hosted server is
hosting (HTTP, FTP, etc.). Once public users come in say on port 80
through the router, I had to also enable a Zone for the domain.com
Zone to point to the Internal Host name.

<Public IP (going to: publicWebsite.domain.com)> -----> <ISP DNS> -----> <ROUTER NAT (port 80)> -----> <Internal DNS Resolution (domain.com -> HostNameServer.domain.local)> -----> THEN EVERYTHING BACK IN REVERSE TO THE CLIENT PC (INTERNET)

This was the only way I could get this to work all the way through. I
didn't think I needed to have the Zone for the domain.com since I was
using the ISP DNS and a NAT entry on the router to point directly to
the HostName of the Server hosting the service. Perhaps I do need this
but maybe you're just saying to keep the Zone separate from our
internal domain.local DCs/DNS servers.

> > With Zone Transfers to Allow Zone Transfers to:
>
> Unnecessary if you have no Secondaries -- these settings only affect
> actual Secondaries.
>
> > - To any Server
> > - Only to servers listed on the Name Servers Tab? <-- this one I'd
> > think.
> > - Only to the following Servers.
>
> None at all.

If I understand you correctly it sounds like you're recommending I
setup each DC with AD-Integrated DNS. Does this mean having to have
each one manually configured and modified for any changes?
I can move away from considering the Secondary and Stub Zone for my
2nd (DC2/DNS2) server however with any Zone Transfer, I'd guess each
one would require to be setup individually and also modified for any
changes.

See, another issue that initiated some of this research/resolution is
that certain users and hosts were pointing to DC1/DNS1 while others
pointed to DC2/DNS2, and thought one was the primary DNS server. When we had
issues with the DC2/DNS2 server at one time, people couldn't even connect
to the remote stores without DNS. Thus I realized this wasn't set up
correctly.

Then I began looking into best-practices/recommendation for
accomplishing what I wanted to NOT impact our users or servers when
connecting to anything with DNS resolutions.

Thanks again!

Herb Martin
Apr 5, 2007, 2:31:44 PM

"gmarquez" <gmar...@indyme.com> wrote in message
news:1175793388.2...@p77g2000hsh.googlegroups.com...

> First of all thanks for the valuable feedback to my questions!

No problem.

<<Also for PUBLIC DNS I do use an external ISP to resolve the names for
anything we host internally for Internet access. >>

Good, but using the REGISTRAR is usually even better than the ISP.

<<Then I create a NAT
entry on my router to allow whatever the publicly hosted server is
hosting (HTTP, FTP, etc.). Once public users come in say on port 80
through the router, I had to also enable a Zone for the domain.com
Zone to point to the Internal Host name.

THEN EVERYTHING BACK IN REVERSE TO
THE CLIENT PC (INTERNET) >
>>

If I understand correctly you have two versions of your zone,
e.g., domain.com (it's called "Shadow DNS" by the way):

1) external at the ISP with external address(es) (of the NAT)
2) Internal with internal address(es) of the internal servers

Sure that works. Makes sense if I have understood your complex
paragraph about this.

<<This was the only way I could get this to work all the way through. I
didn't think I needed to have the Zone for the domain.com since I was
using the ISP DNS and a NAT entry on the router to point directly to
the HostName of the Server hosting the service. Perhaps I do need this
but maybe you're just saying to keep the Zone separate from our
internal domain.local DCs/DNS servers.>>

Yes, because you want the internal machine to "go direct" to the
INTERNAL (Private) IP without depending on the NAT -- most
NATs won't even do translation to-from a pair of (both) INTERNAL
machines. The translation only works when one is External and
the Other is INTERNAL (although NATs CAN vary on this.)

> > With Zone Transfers to Allow Zone Transfers to:
>
> Unnecessary if you have no Secondaries -- these settings only affect
> actual Secondaries.
>
> > - To any Server
> > - Only to servers listed on the Name Servers Tab? <-- this one I'd
> > think.
> > - Only to the following Servers.
>
> None at all.

<<If I understand you correctly it sounds like you're recommending I
setup each DC with AD-Integrated DNS. Does this mean having to have
each one manually configured and modified for any changes?>>

No, it means you have to maintain these changes ONCE for ALL of the
INTERNAL AD Integrated set of DCs (and any regular secondaries
attached to them).

AD Integrated is MULTI-MASTERED so changes on one will replicate
to the entire set.

<<I can move away from considering the Secondary and Stub Zone for my
2nd (DC2/DNS2) server however with any Zone Transfer, I'd guess each
one would require to be setup individually and also modified for any
changes.>>

No, just setup initially -- changes from the Primary (Or AD Integrated)
Master will propagate to Secondaries and be available to Stubs of that
zone.

<<See another issue that initiated some of this research/resolution is
certain users and hosts were pointing to either DC1/DNS1 while others
DC2/DNS2 and thought one was the primary DNS server.>>

Not an issue -- clients have NO real concept of Primary/Secondary for
DNS resolution.

Clients use ONE of the DNS servers as PREFERRED and others as
Alternate(s) -- but these ideas are unrelated to Primary/Secondary.

Only thing a client cares about Primary (or really the Master) is when
doing dynamic registrations but any AD Integrated DNS server can
accept those for the zone.

<< When we had
issues with DC2/DNS2 server at one time, people couldn't even connect
to the remote stores without DNS. Thus I realized this wasn't setup
correctly.>>

Both (or more) DNS servers should be configured on every client
so that if one goes down the other will be used. Preferred, Alternate,
etc.

<<Then I began looking into best-practices/recommendation for
accomplishing what I wanted to NOT impact our users or servers when
connecting to anything with DNS resolutions.>>

??? The above doesn't seem to be a question or really have any
specific point that I can answer.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
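Two of the points in the reply above can be verified from a client: that every interface lists both DCs (so a single DC outage does not take resolution down, as happened with DC2/DNS2), and that the "Shadow DNS" name returns the NAT's public address from the outside resolver but the private address from the internal DC. The following is an added example, not code from this thread; it assumes Windows 8 / Server 2012 or later with the DnsClient module, and every address and name in it is a placeholder for your own environment.

```powershell
# Added example (not from the thread): client-side checks for the advice above.
# Assumes the DnsClient module (Windows 8 / Server 2012+); values are placeholders.
$internalDns    = @('10.0.0.10', '10.0.0.11')   # assumed DC1/DNS1 and DC2/DNS2
$publicResolver = '203.0.113.53'                # assumed ISP/registrar resolver (placeholder)
$publicName     = 'publicwebsite.domain.com'    # the shadow-DNS name from the thread

# 1) Each active IPv4 interface should carry both DCs as preferred + alternate.
$clientChecks = foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($nic.ServerAddresses.Count -eq 0) { continue }   # no resolver configured; skip
    $missing = $internalDns | Where-Object { $_ -notin $nic.ServerAddresses }
    [pscustomobject]@{
        Interface = $nic.InterfaceAlias
        Servers   = ($nic.ServerAddresses -join ', ')
        Status    = if ($missing) { "MISSING $($missing -join ', ')" } else { 'OK (preferred + alternate)' }
    }
}
$clientChecks | Format-Table -AutoSize

# 2) Shadow DNS: ask the internal DC and the external resolver for the same name.
#    Internally you expect the server's private IP; externally the NAT's public IP.
$views = foreach ($srv in @($internalDns[0], $publicResolver)) {
    $answer = Resolve-DnsName -Name $publicName -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AskedServer = $srv
        Answer      = if ($answer) {
                          ($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
                      } else { 'no answer' }
    }
}
$views | Format-Table -AutoSize
```

If the first table shows an interface with only one DC, that client is in the state gmarquez described: fine until that DC goes down. If the second table shows the public address from the internal DC, the internal copy of domain.com is missing the record and internal clients are going through the NAT, which Herb notes many NATs will not translate for two internal hosts.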

