Re: Best Practice - Implementation of 2nd AD-DNS Server

From: Herb Martin (news_at_LearnQuick.com)
Date: 06/14/04 

Date: Mon, 14 Jun 2004 14:34:58 -0500

> External Domain (example): contoso.com
> Internal Domain (example): hq.corp.contoso.com
>
>
> Scenario
> ========
> External Firewall
> SRV3: Stand-alone Win2K3 DNS server (Primary Zone, not AD
> integrated)
>
> Internal Firewall
> SRV1: AD-Enabled Win2K3 DNS server (Primary Zone, AD
> integrated)
> SRV2: AD-Enabled Win2K3 DNS server (Primary Zone, AD
> integrated)
>
>
> Assumptions
> ===========
> Firewalls are properly configured
> Full system lock-down not yet in place
>
>
> Questions
> =========
> 1) Is it good practice to have the Internal Win2K3 DNS
> servers (SRV1 & SRV2) submit queries to SRV3 which in turn
> will submit queries to ISP DNS servers? (ISP DNS IP
> Addresses added to SRV3 forwarders)

I do it that way. (Also note, my firewall as a domain member
machine has ITSELF configured to use INTERNAL DNS only.)

The only negative is if you get "too many forwarding steps", but
the advantages include:

    1) Internal servers, especially DCs, don't visit the WHOLE Internet
    2) Firewalls don't even need to let them "out" at all
    3) It can be more efficient as the forwarder(s) become more likely
        to have addresses for The Internet in cache

> 2) On the Internal Win2K3 DNS servers; is it good practice
> to set the TCP/IP properties as follows:
>
> SRV1 TCP/IP Properties:
> Preferred DNS = SRV1
> Altenate DNS = SRV2
>
> SRV2 TCP/IP Properties:
> Preferred DNS = SRV2
> Altenate DNS = SRV1

Yes. Generally this is correct. If you ever lose "connectivity"
between them you may need to putz around with this until you
get them both to replicate first DNS, and then AD.

> 3) Should the Root Hints be completely removed (CACHE.DNS)
> from the Internal DNS Servers (SRV1 & SRV2)?

It's not that important, if on the "Forwarding" tab you tell it not
to use recursion. Since everything then gets forwarded to the
ISP or Firewall. (Do NOT use the similar sounding setting in
the advanced tab as it turns off BOTH forwarding and actual
recursion.)

> 4) Is it important that the DNS Cache be synchronized
> between DNS servers (if such a method exists)?

No, but I am not even 100% sure what you mean here.
(I can say "no" because there is nothing even remotely similar
soundind that is a requirement.)

> Any insight would be greatly appreciated; I've gone
> through the MCSE docs as well as the Win2K RESKIT looking
> for information/recommendations.

You seem to have it covered.

Ultimately, it is very simple -- internal machines resolve from
internal DNS which forwards to external DNS for Internet resolution.

> I have also tried keywording the MS KB and Google but I
> clearly am not using the correct series of keywords.

Just for fun or future use these are pretty useful at Google:

    [ site:microsoft.com DNS 2003 forwarding | forwarder ]

(Substitute whatever you wish for "Fowarding" etc.)

Or using the "microsoft:" collection:

    [ microsoft: DNS 2003 forwarding | forwarder ]

(That's a colon after microsoft: )

Here's another useful idea:

    [ site:microsoft.com DNS 2003 forwarder filetype:ppt ]

    [ site:microsoft.com DNS 2003 forwarder filetype:doc ]

The book, "Google Hacks" from O'Reilly is definitely worth the price.

Enjoy.

Relevant Pages

  • Re: Setting another machine as a firewall
    ... I don't think a firewall is really the right technology to ... The alternative to implementing a proxy mail server on your firewall ... internet, then that is just a matter of writing filter rules to allow ... As far as DNS goes, combining a NAT'ing firewall with a mailserver on ...
    (freebsd-questions)
  • Re: Using Forwarders
    ... with DNS servers at different levels. ... it doesn't work well to use Forwarding ... >> actual recursion of the Internet namespace from the root down. ...
    (microsoft.public.windows.server.dns)
  • Re: using an internal dns name for which we dont own the external registration
    ... And our network under this zone is all internal. ... forwarding is irrelevant because it is not required to resolve ... DNS can resolve external names without a forwarder. ... I mean if this network was ALL internal and with no internet ...
    (microsoft.public.windows.server.dns)
  • Re: cant access public website from within web server domain, need to force NAT
    ... It is normal behavor tied to how TCP/IP combined with Ethernet (mac ... external NIC of the Firewall at the same time,...therefore the Source MAC ... What you want is the have a record in your own DNS Server for these sites' ... those machine from the Internet. ...
    (microsoft.public.win2000.networking)
  • Firewall2 not forwarding
    ... connect to the internet directly. ... When I hook up the LAN via 4port hub the connection ... Seems IP Forwarding is not ... I've checked my Firewall settings several times but still no ...
    (alt.os.linux.suse)
Quantcast