Re: DNS Recommendations w/ Active Directory & (2) DNS Servers
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 4 Apr 2007 19:53:00 -0500
"gmarquez" <gmarquez@xxxxxxxxxx> wrote in message
news:1175729344.910914.306150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
*Note: This is re-post, I also posted to "Active Directory 2003"
group. Hope this one gives better response.
(Next time) Reasonable Cross-posting of a single message is actually
encouraged -- you then may get help from people monitoring the thread
in various newsgroups.
================================================================================
Currently I've been seeing issues with our 2 domain controllers
running Win2K3 Active Directory. We're not a big enterprise but run
many services for both internal and external employees/customers.
After looking at all of the DNS servers/settings I've discovered many
things setup incorrectly and I'd like to correct or re-setup
correctly.
I also found many posts online suggesting Active-Directory Integrated
DNS, and others stating better to use Second Server with Secondary
(read-only) DNS settings, while another post specifies that Stub Zones
are actually a better preferred way of doing this w/ less network
traffic, etc. Well which one is better for my environment?
For a single Domain (which you seem to have) the best choice is for
your (few) DCs to all use AD Integrated.
For using Secondaries this recommendation is likely being confused for
MULTIPLE domains and thus multiple DNS zones. Same for Stubs
but they are mostly relevant to HUGE zones/domains where you wish
to avoid most replication.
Make each of your DCs an AD Integrated DNS Server and also they
should all be GCs in a single domain forest.
We have about 100 employees but host many websites to our external
customers. I also maintain a 2 VPN solutions to our customers and for
remote employees. I've setup connections to our customer's WANs and
for connecting to these remote devices we rely heavily on DNS for
connecting daily even after hours.
If you are supplying external or public DNS resolution for your zones this
should NOT be done on the same set of DNS servers you use for your
internal AD and internal resource resolution.
This is a big part (along with security) of the reason why your EXTERNAL
PUBLIC DNS should be left at (or returned to) your REGISTRAR in most
cases.
My question is for the DNS so actively relied upon in my enviroment
and the need for backup 2nd DNS server in the event our Primary Domain
Controller (DNS1) were to go down, which is the best method to setup
this all up?
DC1 - DNS1 as:
Primary w/ Active-Directory Integrated?
AD Int.
Replication, to all DNS servers in the AD domain?
Yes.
Only Secure dynamic Updates?
Yes.
Name Servers to include both Domain Controllers/DNS servers?
- DC1/DNS1's FQDN and IP
- DC2/DNS2's FQDN and IP
If these represent the NIC->IP properties for DNS Server then the
order above is likely best for DNS-DCs separated by a WAN but
you may prefer "other as Preferred, and self as Alternate" if they are
on the Same LAN.
With Zone Transfers to Allow Zone Transfers to:
Unnecessary if you have no Secondaries -- these settings only affect
actual Secondaries.
- To any Server
- Only to servers listed onthe Name Servers Tab? <-- this one I'd
think.
- Only to the following Servers.
None at all.
DC2 - DNS2 as:
Secondary? (then Active-Directory Integrated no longer) Stub Zone w/
Active-Directory?
AD Int
Replication, to all DNS servers in the AD domain?
Only Secure dynamic Updates?
Yes, this will be the same as the other DC.
Name Servers to include both Domain Controllers/DNS servers?
- DC1/DNS1's FQDN and IP
- DC2/DNS2's FQDN and IP
If these represent the NIC->IP properties for DNS Server then the
order above is likely best for DNS-DCs NOT separated by a WAN but
you may prefer "self as Preferred, and other as Alternate" if they are
on the Same LAN.
These choices are about Performance/Efficiency (self-first) vs. eliminating
a trivial Startup error (Other-first)
With Zone Transfers to Allow Zone Transfers to:
None, not needed unless you have Secondaries.
- To any Server
- Only to servers listed onthe Name Servers Tab? <-- this one I'd
think.
- Only to the following Servers.
---------------------------------------------------------------------------
I just tried going through this example and when I went to add the
Second DNS zone on DNS2 it said it already existed.
AD Integrated does that on the OTHER DCs.
Okay I realize
that when I setup the Zone in DC/DNS1 and applied to transfer securely
to the Name Server (DC2/DNS2) it was created. Although when I view
Properties on DNS2 it reads as Primary AD-Integrated. Is this what I
want? I also tried to look for Best-Practices or Recommendation for
accomplishing this with 2 DC/DNS servers but didn't find anything or
just didn't look right.
Please Advise, if possible.
-Regards.
Gmarquez
.
- Follow-Ups:
- References:
- DNS Recommendations w/ Active Directory & (2) DNS Servers
- From: gmarquez
- DNS Recommendations w/ Active Directory & (2) DNS Servers
- Prev by Date: DNS Recommendations w/ Active Directory & (2) DNS Servers
- Next by Date: Re: google.com get redirected to google.co.uk
- Previous by thread: DNS Recommendations w/ Active Directory & (2) DNS Servers
- Next by thread: Re: DNS Recommendations w/ Active Directory & (2) DNS Servers
- Index(es):
Relevant Pages
|
