Re: Flag for public AD integrated zones



"merc" <merc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B42CABBD-9033-4B26-B6AD-3968E741658E@xxxxxxxxxxxxxxxx
> "Herb Martin" wrote:
> > "merc" <merc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:B0755AD2-9719-40C7-B273-501E49B19F7E@xxxxxxxxxxxxxxxx
> >> It would be nice to be able to set a flag on an AD integrated zone that
> >> would prevent ALL automatic additions/changes to the DNS records. This
> >> includes the automatic changes to the "Primary server" field of the SOA record.
> >
> > Why would this be useful?
>
> When hosting DNS records for the Internet you don't want the zones to be
> "Dynamically updated" to reflect your private network. AD integrated zones
> make managing zones so much easier than a primary/secondary setup, and
> replication is handled automatically. With NAT, you just map the port to the
> Internet.

Why would you (i.e., most people) ever want their public DNS to
be dynamic?

Most people have only a few public records and they remain static
for years.

> >> Turning off dynamic updates takes care of some of this, but not all.
> >> Moving zones into AD has made managing zones so much easier, but it seems
> >> that MS didn't really look at using AD integrated zones for public DNS
> >> records, which is a shame.
> >
> > ? AD-DNS isn't really suitable nor intended for public DNS -- although
> > one COULD manage to do it safely if Secure Updates only are used.
>
> The whole point of the post is to turn OFF dynamic updates completely.
> Why would you want any of your DNS zones on the Internet to be updated with
> private network information?


Then just do that. Don't place dynamic zones on the Internet.

Don't place DCs for that matter on the Internet (except for a
few special cases where the "Internet AD Domain" is part of
a major application AND you know precisely what you are
doing).


> I didn't know about these features of AD zones (application partitions)
> until just recently.

I meant that I didn't know about the voting thing.

> It looks like MS designed it to allow different DNS sets for
> each division within a company. If you just consider the Internet another
> division (application partition), then you can do this. AD zones
> automatically replicate, thus you don't have to set up primary/secondary servers.

Of course, and a partition will NOT replicate to a DC that doesn't
"have" that partition defined.

So you really shouldn't be having a problem unless you have
confused the explanation OR there is a bug.
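The thread's practical advice is to turn dynamic updates off entirely on any AD-integrated zone that is published to the Internet and to keep such zones in their own application partition. The script below is an added example, not something posted in this thread by merc or Herb Martin: it audits every AD-integrated primary zone on the local DNS server, flags public zones that still accept dynamic updates (and any zone that accepts unauthenticated updates), and with -Enforce sets those public zones to DynamicUpdate = None. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, so it postdates the thread, which would have used dnscmd for the same settings); the zone names in $PublicZones are constructed sample values.

```powershell
# Added example: audit AD-integrated zones for dynamic updates and pin
# Internet-published zones to DynamicUpdate = None.
# Assumes the DnsServer module (Windows Server 2012+); run on a DNS server / DC.

param(
    # Zones published to the Internet; constructed sample values, replace with your own.
    [string[]]$PublicZones = @('example.com', 'example.net'),
    # Without -Enforce the script only reports.
    [switch]$Enforce
)

Import-Module DnsServer -ErrorAction Stop

# AD-integrated primary zones only; skip the auto-created zones (e.g. 0.in-addr.arpa).
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $isPublic = $PublicZones -contains $z.ZoneName
    $finding  = ''
    if ($isPublic -and $z.DynamicUpdate -ne 'None') {
        $finding = 'public zone still accepts dynamic updates'
    } elseif ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $finding = 'unauthenticated dynamic updates allowed'
    }
    [pscustomobject]@{
        Zone          = $z.ZoneName
        DynamicUpdate = $z.DynamicUpdate          # None | NonsecureAndSecure | Secure
        Scope         = $z.ReplicationScope       # Forest | Domain | Legacy | Custom
        Partition     = $z.DirectoryPartitionName # which application partition holds it
        IsPublic      = $isPublic
        Finding       = $finding
    }
}

$report | Format-Table -AutoSize

# Which application partitions exist on this server, and how many zones each holds;
# a zone in a custom partition only replicates to DCs enlisted in that partition.
Get-DnsServerDirectoryPartition | Select-Object DirectoryPartitionName, ZoneCount | Format-Table -AutoSize

if ($Enforce) {
    foreach ($r in ($report | Where-Object { $_.IsPublic -and $_.DynamicUpdate -ne 'None' })) {
        # Records in this zone now change only through explicit administrative edits.
        Set-DnsServerPrimaryZone -Name $r.Zone -DynamicUpdate None
        Write-Host "Set DynamicUpdate=None on $($r.Zone)"
    }
}

# Verification pass: any public zone not at 'None' is reported as a warning.
$stillDynamic = Get-DnsServerZone |
    Where-Object { ($PublicZones -contains $_.ZoneName) -and $_.DynamicUpdate -ne 'None' }
if ($stillDynamic) {
    Write-Warning ('Public zones still accepting dynamic updates: ' + ($stillDynamic.ZoneName -join ', '))
}
```

Run it first without -Enforce to see the report, then with -Enforce to change the public zones. The replication Scope and Partition columns are what the thread's application-partition discussion is about: a zone with Scope = Custom lives in the named partition and replicates only to DCs enlisted there, which is the expected behaviour rather than a bug.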

