Posted By: Cyonix | Apr 28th @ 7:10 AM
Comments: 6 | Views: 463
Cyonix
Hey Guys,

I've been told that standard practice for setting up a Windows Server 2003 domain controller's DNS is to have an external DNS server as a secondary DNS server. I had complained that it should be removed, as the domain controller wouldn't be able to locate the other servers on the network if Windows falls back to this external DNS server.

I would have thought standard practice would be to add this external DNS server as a forwarder in the local DNS server.

Is this standard practice?

How does the DNS client work? Does it always use the primary DNS server, or is it more of a round-robin type system?
staceyw
Before C# there was darkness...
Depends on what you're doing. If you're hosting your own DNS zone, then you should have two DNS servers on site.
You shouldn't point AD clients at an external DNS server, even as a secondary; it can cause problems with internal name resolution. For security reasons it is best to allow only your DNS servers to directly query external DNS, enforced at the firewall layer.
staceyw
Before C# there was darkness...
"It's a small to medium network with about 150 - 250 users. It has 2 domain controllers, both with DNS. One of these domain controllers has an external DNS server added to its NIC's secondary DNS servers, as well as the two internal DNS servers."

In this case you want all clients and servers to have only primary/secondary DNS servers that point to your domain DNS servers. Your DNS servers then have forwarder(s) set up to resolve external zones. I would remove the external DNS server addresses from your server NIC config and from all clients. Your DNS server(s) then resolve all addresses for clients and servers (and external addresses by DNS forwarding and caching).

Clients --- |
            | <----> Internal DNS <----> Forwards unknown <----> ISP DNS
Servers --- |
If the actual domain controller falls back to its secondary DNS, then Active Directory is down (assuming you're using AD-integrated zones, and there is no really good reason not to), so in that case it really isn't an issue (or, rather, you have a more pressing issue to fix!). It's really only on non-DCs that it can be a problem; they shouldn't ever go looking externally.
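The layout described in the thread (NICs point only at the domain DNS servers; the ISP resolver lives only as a forwarder on the DNS server role) as an added, editor-written example; it is not from any of the posters. It targets a modern Windows Server with the DnsClient and DnsServer modules; the internal DNS addresses 10.0.0.10 / 10.0.0.11, the ISP resolver 203.0.113.53 and the adapter alias 'Ethernet' are placeholders.

```powershell
# Added example: audit a host's NIC DNS settings for external resolvers,
# then move the ISP resolver off the NIC and onto the DNS server as a forwarder.
# All addresses and the interface alias below are assumed placeholders.
$InternalDns = @('10.0.0.10', '10.0.0.11')   # the two domain DNS servers
$IspDns      = @('203.0.113.53')             # the ISP resolver (forwarder only)

# 1. Audit: every IPv4 DNS server on every adapter must be one of our own.
#    Anything else is the misconfiguration the thread is about.
$external = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $_.ServerAddresses |
            Where-Object { $_ -notin $InternalDns } |
            ForEach-Object { [pscustomobject]@{ Interface = $alias; ExternalDns = $_ } }
    }

if ($external) {
    'External DNS servers found on NIC configuration:'
    $external | Format-Table -AutoSize
} else {
    'No external DNS servers on any adapter.'
}

# 2. Remediate the NIC: point it only at the domain DNS servers.
#    On a DC, list the partner DC first and its own address second so that
#    a DNS service restart on this box does not stall its own lookups.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $InternalDns

# 3. Put the ISP resolver where it belongs: as a forwarder on the DNS server role.
#    Set-DnsServerForwarder replaces the whole forwarder list; disabling root hints
#    keeps the server from resolving externally by itself if the forwarder fails.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false
Get-DnsServerForwarder
```

On the Windows Server 2003 boxes the original poster is running, the same two changes are made with netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.10 (then netsh interface ip add dns ... index=2 for the second server) and dnscmd /ResetForwarders 203.0.113.53. Pair this with an egress firewall rule that allows UDP/TCP 53 outbound from the DNS servers only, as the second post recommends, so a client that does still carry a stray external entry cannot silently bypass the internal servers.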
Microsoft Communities