Probably but that is optional, and most of the
advantages of Integrated DNS don't matter
until you have more than one DC-DNS server.
(Secure dynamic registrations are the main thing
you are giving up by not using it.)
> I'm setting up DNS on the
> Web server (which is a member server, not attached to the domain). My
> main concern is security, do I set up a split-brain DNS
Not for INTERNAL DNS.
Split or Shadow DNS is for providing ONE set of
DNS Servers for the Internet and ANOTHER set
for the SAME zone NAME that you use internally.
Its purpose is to provide different views of the "same"
zone to external users from that shown to internal
users. [Note that really, shadow DNS is TWO zones
that happen to have the same name.]
For all but those companies with the largest Internet
presence the PUBLIC/external version of the zone
should be left at (or returned to) the REGISTRAR.
Most Registrars provide DNS servers for FREE--
i.e., you already paid for it when you registered.
> and forward my local users
> to the web through the DNS on the Web server?
Forwarding has little or nothing to do with providing
resolution for those visiting your PUBLIC resources
servers. (e.g., Web server on the Internet.)
(General) Forwarding is about your INTERNAL DNS
servers being able to resolve external names (the Internet)
without having to go do that themselves (or by doing
it more efficiently.)
> And setup my web zones on the
> web server for the actual sites. Or do I setup all the zones on both
> servers?
All INTERNAL servers must be able to resolve ALL
internal names -- whether you put all zones on every
server, use delegation (only for child zones), or use
something like conditional forwarding.
It has little or nothing to do with your "external"
resources resolution for VISITORS.
> I want people to be able to view the sites but not be able to
> infiltrate my domain controller. I've been reading Minasi's "Windows
> Server 2003" and I must admit I'm a little confused. Any help is greatly
> appreciated.
Do it this way:
Internal DNS servers will have ONLY internal
zones, and will include (manually) a record for
any of your servers in those zones even if they are
available to others on the Internet.
(Forward to your ISP or to your own firewall/DMZ
DNS server to resolve Internet zone names.)
Put the EXTERNAL version of your zone BACK
at the registrar -- ONLY list the very few machines
that you wish to be publicly accessible.
(Think of this when designing as a separate zone
that just happens to have the same name. It will
NOT include records for private, internal machines.)
General recommendations for internal DNS to support AD:
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
...or maybe:
dcdiag /fix
(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
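One way to sanity-check the two-zone design described above, as an added example that is not part of the original thread: a small Python audit that reads the internal zone and the external (registrar) zone as BIND-style A records and flags two mistakes the reply warns about. The zone contents, names and addresses below are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample zones (not from the original post).
# Format per line: "<owner> <ttl> IN A <address>".
INTERNAL_ZONE = """
dc1.example.com.   3600 IN A 10.1.0.10
dc2.example.com.   3600 IN A 10.1.0.11
www.example.com.   3600 IN A 10.1.0.80
mail.example.com.  3600 IN A 10.1.0.25
"""

# External zone as it sits at the registrar: same NAME, separate zone.
EXTERNAL_ZONE = """
www.example.com.   3600 IN A 203.0.113.80
mail.example.com.  3600 IN A 203.0.113.25
dc1.example.com.   3600 IN A 10.1.0.10
ftp.example.com.   3600 IN A 203.0.113.21
"""

# Ranges that must never appear in the public zone: RFC 1918, loopback,
# link-local. Listed explicitly rather than using is_private(), which would
# also match documentation ranges such as 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_a_records(zone_text: str) -> Dict[str, List[str]]:
    """Collect A records per owner name (lower-cased); other types ignored."""
    records: Dict[str, List[str]] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[-2].upper() != "A":
            continue
        records.setdefault(parts[0].lower(), []).append(parts[-1])
    return records


def audit_split_zones(internal_text: str, external_text: str) -> Dict[str, List[str]]:
    """Return names leaking private addresses externally, and public names
    that internal clients could not resolve because the internal zone
    (which is authoritative and will not forward for its own name) lacks them."""
    internal = parse_a_records(internal_text)
    external = parse_a_records(external_text)
    leaks = sorted(name for name, addrs in external.items()
                   if any(ipaddress.ip_address(a) in net
                          for a in addrs for net in PRIVATE_NETS))
    missing = sorted(name for name in external if name not in internal)
    return {"private_in_external": leaks, "missing_from_internal": missing}
```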