another active directory question

This question is for those running a "split brain" dns where you have an isp hosting your domain.
Do you have additional dns servers and forwarders setup, or are you using the windows server by itself as the primary dns server? I know this depends on the size of your network. I'm talking a -100 user network. Seems ridiculous to have to setup 3 or 4 additional boxes to secure this. Of course we are behind a firewall.
 
On the few that I've taken over (because I always do the .local when building servers, but I've "adopted" a few networks where the prior tech did the .com on the fqdn..."oops" :mad: )...I've still gotten away with only using the DC's DNS...because all I've had to separate was the mail and web records.
 
I typically run DNS on my Domain Controllers so I can use AD integrated zones to reduce replication traffic. This really is dependent on the size of the infrastructure. But with a couple hundred nodes, it's probably not a problem.

When setting up forwarding, I configure a couple of systems at the main site to forward to the ISP's DNS. I then configure the remote sites to forward to the main site. This way you can benefit from the main servers caching queries and reduce WAN traffic. But this is typical of a larger deployment than you have mentioned.
 
Mister Natural said:
This question is for those running a "split brain" dns where you have an isp hosting your domain.

The only reason to have a split DNS is if you are hosting your own domain.

Otherwise simply run two internal DNS servers for redundancy with forwarders to the ISP DNS.
 
SJConsultant said:
Otherwise simply run two internal DNS servers for redundancy with forwarders to the ISP DNS.

No need for forwarders on internal DNS servers.
 
shade91 said:
No need for forwarders on internal DNS servers.

Want to elaborate on that one a little? Without forwarders, how will you resolve external IP's?
 
Run DNS on your DCs and have them forward to your ISP as SJConsultant suggests.
 
twwabw said:
Want to elaborate on that one a little? Without forwarders, how will you resolve external IP's?
Windows DNS comes with root hints for root DNS servers on the internet. Forwarders aren't required, but I recommend them.
 
MorfiusX said:
Windows DNS comes with root hints for root DNS servers on the internet. Forwarders aren't required, but I recommend them.

It's all according to how the network, DCs, and DNS are implemented.

From Microsoft's FAQ

Question: If I remove the ISP's DNS server settings from the domain controller, how does it resolve names such as Microsoft.com on the Internet?

Answer: As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

Question: What is the "." zone in my forward lookup zone?

Answer: This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
229840 (http://support.microsoft.com/kb/229840/) DNS server's root hints and forwarder pages are unavailable

Question: Do I need to configure forwarders in DNS?

Answer: No. By default, Windows 2000 and Windows Server 2003 DNS use the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection.

So it really depends on the environment as to whether a business uses root hints or DNS forwarders to resolve internet requests.
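As an added illustration of the settings the quoted FAQ talks about (this is not code from the thread or from Microsoft), the following PowerShell audits a Windows DNS server on a DC for the three things that decide how Internet names get resolved: a stray "." forward lookup zone, the configured forwarders, and the root hints. It assumes the DnsServer module that ships with Windows Server 2012 and later RSAT; the forwarder address 192.0.2.53 is a documentation-range placeholder standing in for your ISP's resolver.

```powershell
# Added example: audit the Internet resolution path of a DC's DNS service.
# Assumes the DnsServer PowerShell module (Windows Server 2012+ / RSAT).
Import-Module DnsServer

$IspForwarder = '192.0.2.53'   # placeholder (RFC 5737 range), substitute the ISP resolver

# 1. A "." forward lookup zone makes this server believe it IS the root, so it
#    never consults root hints and external resolution silently breaks.
$rootZone = Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue
if ($rootZone) {
    Write-Warning 'A "." zone exists: root hints will not be used for external names.'
    # Remove-DnsServerZone -Name '.' -Force   # uncomment once confirmed unintended
} else {
    Write-Output 'No "." zone present: root hints are usable.'
}

# 2. Forwarder configuration. UseRootHint = True means the server falls back
#    to root hints when every forwarder fails, removing the single point of
#    failure the FAQ mentions.
$fwd = Get-DnsServerForwarder
Write-Output ("Forwarders            : {0}" -f ($fwd.IPAddress -join ', '))
Write-Output ("Fallback to root hints: {0}" -f $fwd.UseRootHint)

# 3. Root hints should still be populated (the well-known root server set).
$hintCount = @(Get-DnsServerRootHint).Count
Write-Output ("Root hint entries     : {0}" -f $hintCount)
if ($hintCount -eq 0) { Write-Warning 'Root hints list is empty; no fallback path.' }

# 4. Set the ISP forwarder while keeping root-hint fallback enabled.
Set-DnsServerForwarder -IPAddress $IspForwarder -UseRootHint $true

# 5. End-to-end check: resolve an external name through this server itself.
Resolve-DnsName -Name 'microsoft.com' -Type A -Server 'localhost' |
    Select-Object Name, IPAddress
```

On the Windows 2000/2003 servers the thread is about, the same checks are done with the dnscmd utility (for example dnscmd /ResetForwarders to set forwarders and dnscmd /ZoneDelete to drop the "." zone). Whichever tool you use, the point is the same as the FAQ's: forwarders cut traffic and load but make you dependent on the ISP resolver being up and honest, so keep root-hint fallback on and check it is not defeated by a leftover "." zone.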
 
I recommend using external forwarders for outside queries. It's not necessary, but it spares a small amount of bandwidth and processing load on your own DNS server.
 