Tech Off Thread

7 posts

Windows Server 2003 Dns Standard Practice

  • Cyonix

    Hey Guys,

    I've been told that standard practice for setting up a Windows Server 2003 Domain Controller's DNS is to have an external DNS server as a secondary DNS server. I had complained that it should be removed, as the domain controller wouldn't be able to locate the other servers on the network if Windows falls back to this external DNS server.

    I would have thought standard practice would be to add this external DNS server as a forwarder in the local DNS server.

    Is this standard practice?

    How does the DNS client work? Does it always use the primary DNS server, or is it more of a round-robin type system?

  • staceyw

    Depends on what you're doing.  If you're hosting your own DNS zone, then you should have two DNS servers on site.

  • AndyC

    You shouldn't point AD clients at an external DNS server, even as a secondary; it can cause problems with internal name resolution. For security reasons it is best to only allow your DNS servers to directly query external DNS at the firewall layer.

  • Cyonix

    It's a small to medium network with about 150 - 250 users. It has 2 domain controllers, both with DNS. One of these domain controllers has an external DNS server added to its NIC's secondary DNS servers as well as the two internal DNS servers.

    My complaint to the network manager was that the external DNS server could cause replication issues if the domain controller for some reason falls back to this external DNS server.

    The more senior tech says that this is standard practice. To me this sounds very odd, as Active Directory relies on DNS to know who to talk to, so if the domain controller falls back to this external DNS server the network is going to stop working.

    Note: the external DNS server is the ISP's DNS server.

  • staceyw

    Cyonix said:
    It's a small to medium network with about 150 - 250 users. It has 2 domain controllers, both with dns. One of these domain controllers has an external dns server added to its NIC secondary dns servers as well as the two internal dns servers.

    My complaint to the network manager was that the external dns server could cause replication issues if the domain controller for some reason falls back to this external dns server.

    The more senior tech says that this is standard practice. To me this sounds very odd as Active Directory relies on dns to know who to talk to, so if the domain controller falls back to this external dns server the network is going to stop working.

    note, the external dns server is the ISP's dns server.
    "It's a small to medium network with about 150 - 250 users. It has 2 domain controllers, both with dns. One of these domain controllers has an external dns server added to its NIC secondary dns servers as well as the two internal dns servers."

    In this case you want all clients and servers to only have their primary/secondary DNS servers point to your domain DNS servers.  Your DNS servers then have "Forwarder(s)" set up to resolve external zones.  I would remove the external DNS server addresses from your server NIC config and all clients.  Your DNS server(s) then resolve all addresses for clients and servers (and external addresses by DNS forwarding and caching).

    Clients --- |
                | <----> Internal DNS <----> Forwards unknown <------> ISP DNS
    Servers --- |
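    The configuration staceyw describes, as an added PowerShell audit script that is not from this thread: it reports any NIC DNS entry that is not one of your internal DNS servers, optionally removes it, and moves the ISP resolver into the DNS server's forwarder list instead. The two internal addresses and the ISP address are placeholders; it uses WMI and dnscmd so it also runs on Server 2003 era hosts.

```powershell
# Added example, not code from this thread. Run on each DC / server as admin.
# -Fix actually rewrites the NIC DNS list; without it the script only reports.
param([switch]$Fix)

# Placeholders: replace with your two AD-integrated DNS servers (primary first)
$InternalDns = @('10.0.0.10', '10.0.0.11')
# Placeholder: the ISP resolver that belongs in the forwarder list, not on NICs
$IspDns = '203.0.113.53'

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers.Count -eq 0) { continue }

    # Anything not in our internal list is an external resolver on the NIC
    $external = @($servers | Where-Object { $InternalDns -notcontains $_ })
    if ($external.Count -eq 0) {
        Write-Output ("{0}: OK ({1})" -f $nic.Description, ($servers -join ', '))
        continue
    }

    Write-Warning ("{0}: external DNS on NIC: {1}" -f $nic.Description, ($external -join ', '))
    if ($Fix) {
        # Keep only internal servers, in the original order; if none were present,
        # fall back to the full internal list so the box is never left without DNS.
        $keep = @($servers | Where-Object { $InternalDns -contains $_ })
        if ($keep.Count -eq 0) { $keep = $InternalDns }
        $result = $nic.SetDNSServerSearchOrder([string[]]$keep)
        Write-Output ("{0}: set DNS to {1} (rc={2})" -f $nic.Description, ($keep -join ', '), $result.ReturnValue)
    }
}

# On the DNS servers themselves the ISP resolver goes in the forwarder list.
# dnscmd ships with Windows Server 2003 (and with RSAT/DNS tools later).
if ($Fix -and (Get-Command dnscmd.exe -ErrorAction SilentlyContinue)) {
    & dnscmd.exe /ResetForwarders $IspDns
    & dnscmd.exe /Info Forwarders
}
```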

  • Cyonix

    Great, thanks for the help guys

  • AndyC

    Cyonix said:
    It's a small to medium network with about 150 - 250 users. It has 2 domain controllers, both with dns. One of these domain controllers has an external dns server added to its NIC secondary dns servers as well as the two internal dns servers.

    My complaint to the network manager was that the external dns server could cause replication issues if the domain controller for some reason falls back to this external dns server.

    The more senior tech says that this is standard practice. To me this sounds very odd as Active Directory relies on dns to know who to talk to, so if the domain controller falls back to this external dns server the network is going to stop working.

    note, the external dns server is the ISP's dns server.
    If the actual Domain Controller falls back to its secondary DNS, then Active Directory is down (assuming you're using AD-integrated zones, and there is no really good reason not to), so in that case it really isn't an issue (or, rather, you have a more pressing issue to fix!). It's really only on non-DCs that it can be a problem; they shouldn't ever go looking externally.
