DNS AD design - what is wrong with this please?
Joe Flowers
Guest

Posted: Fri Nov 11, 2005 1:50 am    Post subject: DNS AD design - what is wrong with this please?

I am most concerned with the health of our Active Directory and not
running into any surprises down the road from a weird design.

Please tell me what is wrong with this DNS/Active Directory design please.

The root of our Windows 2003 Active Directory is Base DN:
DC=cam,DC=ncsu,DC=edu.

I would like to run the Windows 2003 DNS service on our Domain
Controllers with these Domain Controller servers' TCP/IP stack DNS
client settings pointing to each other only. I also want the DNS service
on these Domain Controllers set to forward "All other DNS domains"
requests to the University DNS servers ("Forwarders") except for
"ad.cam.ncsu.edu" which is our root DNS forward zone on our Domain
Controllers.

The University DNS servers are "public" DNS servers that hold all of the
"correct" DNS entries.
We are not allowed (arg!) to transfer the cam.ncsu.edu DNS space to our
AD DNS servers.
However, I very much want to run DNS services for our Active Directory
on our Windows 2003 domain controllers with "Register this connection's
addresses in DNS" so that we have all of the correct DNS entries for a
healthy Active Directory network. (The University DNS servers do not
allow dynamic DNS updates and this will not change in the future.)

To get around this problem, we were thinking about doing the
following. Please tell me how/why this is not a good idea or why it will
not work.

In the University DNS system, our AD DC servers are registered as
ad1.cam.ncsu.edu 152.1.254.4
ad2.cam.ncsu.edu 152.1.254.5
ad3.cam.ncsu.edu 152.1.254.6

All other clients and servers on our network have DNS entries in the
University DNS system in the form of X.cam.ncsu.edu.

In our AD DNS system setup, we wanted to register these *same* servers to
ad1.ad.cam.ncsu.edu 152.1.254.4
ad2.ad.cam.ncsu.edu 152.1.254.5
ad3.ad.cam.ncsu.edu 152.1.254.6

The "ad.cam.ncsu.edu" DNS space does NOT exist on the University DNS
system. I guess we could register ad.cam.ncsu.edu as a host
(152.1.254.7) in the University DNS system but not actually use it on
any machine. This would make sure "ad.cam.ncsu.edu" never turns into a
DNS space that we will need to route to.

What is wrong with this setup? Will it work correctly and in the
foreseeable future too?

Should we change and make "ad.cam.ncsu.edu" our Windows 2003 Active
Directory Base DN (DC=ad,DC=cam,DC=ncsu,DC=edu) or is leaving our
Windows 2003 Active Directory Base DN to DC=cam,DC=ncsu,DC=edu good,
keeping in mind that all other clients and servers on our network have
DNS entries in the University DNS system in the form of X.cam.ncsu.edu?

Thank you!

Joe
Mark
Guest

Posted: Fri Nov 11, 2005 1:50 am    Post subject: RE: DNS AD design - what is wrong with this please?

Hi Joe,

Any machines that are members of your AD and\or need to authenticate against
it would need to point to your AD DNS servers (to locate DCs in correct sites
and other services). We have our environment in Split-brain dns with our
internal AD DNS servers forwarding to the public servers. All
servers\Clients\printers can use dynamic dns against the internal servers.
The public servers only contain records that the world needs to see (www, mx,
ns ... etc) and don't need ddns. Our internal then forwards to the external
and the external then point to root for resolution. Would this work for you?
http://searchwinsystems.techtarget.com/tip/1,289483,sid68_gci1035838,00.html

Thanks,
Mark

"Joe Flowers" wrote:

Quote:
I am most concerned with the health of our Active Directory and not
running into any surprises down the road from a weird design.

Please tell me what is wrong with this DNS/Active Directory design please.

The root of our Windows 2003 Active Directory is Base DN:
DC=cam,DC=ncsu,DC=edu.

I would like to run the Windows 2003 DNS service on our Domain
Controllers with these Domain Controller servers' TCP/IP stack DNS
client settings pointing to each other only. I also want the DNS service
on these Domain Controllers set to forward "All other DNS domains"
requests to the University DNS servers ("Forwarders") except for
"ad.cam.ncsu.edu" which is our root DNS forward zone on our Domain
Controllers.

The University DNS servers are "public" DNS servers that hold all of the
"correct" DNS entries.
We are not allowed (arg!) to transfer the cam.ncsu.edu DNS space to our
AD DNS servers.
However, I very much want to run DNS services for our Active Directory
on our Windows 2003 domain controllers with "Register this connection's
addresses in DNS" so that we have all of the correct DNS entries for a
healthy Active Directory network. (The University DNS servers do not
allow dynamic DNS updates and this will not change in the future.)

To get around this problem, we were thinking about doing the
following. Please tell me how/why this is not a good idea or why it will
not work.

In the University DNS system, our AD DC servers are registered as
ad1.cam.ncsu.edu 152.1.254.4
ad2.cam.ncsu.edu 152.1.254.5
ad3.cam.ncsu.edu 152.1.254.6

All other clients and servers on our network have DNS entries in the
University DNS system in the form of X.cam.ncsu.edu.

In our AD DNS system setup, we wanted to register these *same* servers to
ad1.ad.cam.ncsu.edu 152.1.254.4
ad2.ad.cam.ncsu.edu 152.1.254.5
ad3.ad.cam.ncsu.edu 152.1.254.6

The "ad.cam.ncsu.edu" DNS space does NOT exist on the University DNS
system. I guess we could register ad.cam.ncsu.edu as a host
(152.1.254.7) in the University DNS system but not actually use it on
any machine. This would make sure "ad.cam.ncsu.edu" never turns into a
DNS space that we will need to route to.

What is wrong with this setup? Will it work correctly and in the
foreseeable future too?

Should we change and make "ad.cam.ncsu.edu" our Windows 2003 Active
Directory Base DN (DC=ad,DC=cam,DC=ncsu,DC=edu) or is leaving our
Windows 2003 Active Directory Base DN to DC=cam,DC=ncsu,DC=edu good,
keeping in mind that all other clients and servers on our network have
DNS entries in the University DNS system in the form of X.cam.ncsu.edu?

Thank you!

Joe
Mark
Guest

Posted: Fri Nov 11, 2005 5:50 pm    Post subject: Re: DNS AD design - what is wrong with this please?

Hi Joe,

Sorry, maybe I didn't use the best wording to explain myself. Our internal
DNS servers host AD integrated zones that are authoritative for our internal
namespace. All clients\servers point to these internal servers for resolution
and to find DCs\sites etc. Our domain controllers' dns clients point to
themselves for resolution. Then our DCs' dns service forwards any queries it
cannot resolve to our public servers. Our public servers then do the legwork.
So in this config we don't rely on our external servers for a healthy AD
since all internal clients point to and update the internal servers. Make
sense?
Let me know,

Thanks,
Mark
Joe Flowers
Guest

Posted: Fri Nov 11, 2005 5:50 pm    Post subject: Re: DNS AD design - what is wrong with this please?

Mark wrote:
Quote:
Hi Joe,

Any machines that are members of your AD and\or need to authenticate against
it would need to point to your AD DNS servers (to locate DCs in correct sites
and other services). We have our environment in Split-brain dns with our
internal AD DNS servers forwarding to the public servers. All
servers\Clients\printers can use dynamic dns against the internal servers.
The public servers only contain records that the world needs to see (www, mx,
ns ... etc) and don't need ddns. Our internal then forwards to the external
and the external then point to root for resolution. Would this work for you?
http://searchwinsystems.techtarget.com/tip/1,289483,sid68_gci1035838,00.html

Thanks,
Mark


Thanks for the reply Mark!
I'm not clear on your sentence: "Our internal then forwards to the
external and the external then point to root for resolution."

Does this mean that your internal DNS servers forward client DNS service
requests to your public DNS server? No zone transfers, right?
What does "the external then point to root for resolution" mean?

Our problem is that we cannot count on the public DNS servers to
register all of the correct DNS entries for a healthy AD.

Also, aren't there GUIDs specific and unique to each AD Domain Controller
that are required to be in DNS for a healthy AD? And, if we had a
Domain Controller crash, wouldn't we have to have the new GUID of the
replacement DC server registered correctly in DNS BEFORE we can get AD
to work correctly again on that particular DC? If so, then this is
another reason why we need to run our own DNS servers - we cannot get
the public DNS servers changed in any sort of reasonable time frame.

Thanks Mark!

Joe
Mark
Guest

Posted: Fri Nov 11, 2005 9:50 pm    Post subject: Re: DNS AD design - what is wrong with this please?

OK, to simplify use a single domain with a namespace of fakedomain.com and
the dn is dc=fakedomain,dc=com. There is a Forward lookup zone called
fakedomain.com which contains records for that domainname. There is another
forward zone called _msdcs.fakedomain.com that contains srv records for our
DCs.
The fully qualified domain name of an internal server would be
serverA.fakedomain.com and its dns client service would point to one of the
internal DC dns servers. If serverA is trying to find a DC it will query the
internal DNS for SRV and A records and be able to logon.
Now, if you implement dynamic dns, every machine that supports ddns and
obtains an IP from your dhcp will be registered and can be found through your
internal dns. This is why these zones are not transferred to internet facing
nameservers. Because anyone will be able to see every
client\server\mailserver\dc etc that is on our network and where to find
them.
Fakedomain needs people on the internet to find them (for smtp, http, ftp
.... etc) so the internet facing nameservers also host a zone called
fakedomain.com with just these records in them.

No outside clients can login to our AD at all to be honest (well, without a
vpn being configured first). As a company security is quite a big thing,
don't know if you have the same constraints. Do people need to login to your
AD while not in your internal network? Can you send a bit more information
into how your users work in and out of the network ? Might be able to offer
some suggestions.

Thanks,
Mark
Joe Flowers
Guest

Posted: Fri Nov 11, 2005 9:50 pm    Post subject: Re: DNS AD design - what is wrong with this please?

Yes, it makes sense now. Can you please send along more details though,
like your AD Base DN, your internal DNS forward zone(s), are these zones
defined somehow in your public DNS servers, etc.?

Are you saying that outside clients cannot logon to your AD if they do
not explicitly use your internal DNS servers in their TCP/IP client stack?

Thanks Mark!!!

Joe


Mark wrote:
Quote:
Hi Joe,

Sorry, maybe I didn't use the best wording to explain myself. Our internal
DNS servers host AD integrated zones that are authoritative for our internal
namespace. All clients\servers point to these internal servers for resolution
and to find DCs\sites etc. Our domain controllers' dns clients point to
themselves for resolution. Then our DCs' dns service forwards any queries it
cannot resolve to our public servers. Our public servers then do the legwork.
So in this config we don't rely on our external servers for a healthy AD
since all internal clients point to and update the internal servers. Make
sense?
Let me know,

Thanks,
Mark
Ace Fekay [MVP]
Guest

Posted: Sat Nov 12, 2005 1:50 am    Post subject: Re: DNS AD design - what is wrong with this please?

In news:u83r9vu5FHA.2576@TK2MSFTNGP09.phx.gbl,
Joe Flowers <flowers@social.chass.ncsu.edu> made this post, which I then
commented about below:
Quote:
Yes, it makes sense now. Can you please send along more details
though, like your AD Base DN, your internal DNS forward zone(s), are
these zones defined somehow in your public DNS servers, etc.?

Are you saying that outside clients cannot logon to your AD if they do
not explicitly use your internal DNS servers in their TCP/IP client
stack?
Thanks Mark!!!

Joe

Actually Joe, you wouldn't want to host your AD namespace publicly. All zone
data for your AD infrastructure only exist on your internal DNS servers. The
forwarders are configured to resolve names your servers do not host. Albeit,
the root Hints will resolve external names, but a forwarder will relieve your
DNS server of this recursion overhead. A DNS server will only forward
queries for names it does not know about. What Mark has is forwarding to
their own public servers.

If Mark has a split-zone, split-namespace or split-brain scenario (whatever
you want to call it) where his internal AD and external DNS domain names are
the same, and he is hosting the external name on his own public DNS servers
with their external public records (www, mail, ftp, etc), with their
respective public IPs, that wouldn't have anything to do with the internal
network since the outside ones are just for public data, and keep in mind,
if your internal server cannot answer a query for a record under your own
internal AD namespace, it will not forward it. What gets forwarded is names
it's not aware of, as I mentioned.

So there is no need to define them externally, unless you are hosting your
public domain name and the internal name and external are the same. For the
most part, folks just configure forwarding to their ISP's DNS. Many
companies rely on their ISP or the Registrar to host their external names.

But as Mark said, it is very important for all internal machines to ONLY use
the internal DNS servers, since they host the AD namespace.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
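The resolution rule Mark and Ace describe above (a DC's DNS service answers for the zones it hosts, including the _msdcs SRV records clients use to find a DC and the records DDNS registers; it forwards only names outside those zones; the public servers never hold AD data), as an added Python model that is not code from any poster. Zone contents are constructed; the names and addresses (cam.ncsu.edu, ad.cam.ncsu.edu, 152.1.254.4-6, 152.1.254.7) are the ones quoted in the thread. It also applies the rule to Joe's proposal: an AD domain whose DN is DC=cam,DC=ncsu,DC=edu has the DNS name cam.ncsu.edu, so its locator records would be looked up under the University's zone, not under the ad.cam.ncsu.edu zone the DCs host.

```python
"""Model of a DNS server's answer-or-forward decision, applied to the
split-brain AD DNS design discussed in this thread.  Added example, not code
from any poster: zone contents are constructed, while the names and addresses
(cam.ncsu.edu, ad.cam.ncsu.edu, 152.1.254.x) are the ones quoted in the posts."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RRKey = Tuple[str, str]  # (owner name, record type)


@dataclass
class Zone:
    name: str                                   # zone apex, e.g. "ad.cam.ncsu.edu"
    records: Dict[RRKey, List[str]] = field(default_factory=dict)
    dynamic_update: bool = False                # does the zone accept DDNS?

    def contains(self, qname: str) -> bool:
        return qname == self.name or qname.endswith("." + self.name)


class DnsServer:
    def __init__(self, label: str, zones: List[Zone],
                 forwarders: Optional[List["DnsServer"]] = None):
        self.label, self.zones = label, zones
        self.forwarders = forwarders or []

    def authoritative_zone(self, qname: str) -> Optional[Zone]:
        """Longest-suffix match: the most specific hosted zone wins."""
        hits = [z for z in self.zones if z.contains(qname)]
        return max(hits, key=lambda z: len(z.name)) if hits else None

    def resolve(self, qname: str, qtype: str) -> Tuple[str, List[str], str]:
        """Return (status, rdata, label of the answering server).  A server
        answers for every name under a zone it hosts, even with NXDOMAIN;
        only names outside its zones are sent to the forwarders."""
        qname, qtype = qname.lower().rstrip("."), qtype.upper()
        zone = self.authoritative_zone(qname)
        if zone is not None:
            rdata = zone.records.get((qname, qtype), [])
            return ("NOERROR" if rdata else "NXDOMAIN", rdata, self.label)
        for fwd in self.forwarders:
            status, rdata, who = fwd.resolve(qname, qtype)
            if status != "REFUSED":
                return (status, rdata, who)
        return ("REFUSED", [], self.label)

    def dynamic_update(self, owner: str, rtype: str, rdata: str) -> bool:
        """DDNS registration succeeds only into a hosted zone that allows it."""
        zone = self.authoritative_zone(owner.lower())
        if zone is None or not zone.dynamic_update:
            return False
        zone.records.setdefault((owner.lower(), rtype.upper()), []).append(rdata)
        return True


def locate_dc(server: DnsServer, ad_dns_name: str) -> List[str]:
    """The DC locator's first query: SRV for _ldap._tcp.dc._msdcs.<AD DNS name>."""
    status, rdata, _ = server.resolve(f"_ldap._tcp.dc._msdcs.{ad_dns_name}", "SRV")
    return rdata if status == "NOERROR" else []


def build_servers() -> Tuple[DnsServer, DnsServer]:
    # University public zone (constructed): static records, no DDNS, no AD data.
    university = DnsServer("university", [Zone("cam.ncsu.edu", {
        ("ad1.cam.ncsu.edu", "A"): ["152.1.254.4"],
        ("ad2.cam.ncsu.edu", "A"): ["152.1.254.5"],
        ("ad3.cam.ncsu.edu", "A"): ["152.1.254.6"],
        ("www.cam.ncsu.edu", "A"): ["152.1.254.80"],   # constructed address
    })])
    # DCs' own DNS service (constructed): hosts the AD zone with the DCs' A
    # records and the _msdcs SRV records, and forwards everything else.
    ad_zone = Zone("ad.cam.ncsu.edu", dynamic_update=True)
    dcs = [("ad1", "152.1.254.4"), ("ad2", "152.1.254.5"), ("ad3", "152.1.254.6")]
    for host, ip in dcs:
        ad_zone.records[(f"{host}.ad.cam.ncsu.edu", "A")] = [ip]
    ad_zone.records[("_ldap._tcp.dc._msdcs.ad.cam.ncsu.edu", "SRV")] = [
        f"{host}.ad.cam.ncsu.edu" for host, _ in dcs]
    return DnsServer("internal-dc", [ad_zone], forwarders=[university]), university


def checks() -> Dict[str, object]:
    internal, university = build_servers()
    return {
        # Locator succeeds when the AD DNS name is the zone the DCs host.
        "dc_via_internal": locate_dc(internal, "ad.cam.ncsu.edu"),
        # A domain named DC=cam,DC=ncsu,DC=edu looks under cam.ncsu.edu, which
        # this server does not host: the query is forwarded and finds no SRV.
        "dc_cam_ncsu_edu": locate_dc(internal, "cam.ncsu.edu"),
        # Split-brain: the public server never sees the AD records.
        "dc_via_university": locate_dc(university, "ad.cam.ncsu.edu"),
        # Names outside the hosted zone are forwarded and answered upstream.
        "www": internal.resolve("www.cam.ncsu.edu", "A"),
        # Missing name under the hosted zone: NXDOMAIN locally, never forwarded.
        "missing": internal.resolve("nosuch.ad.cam.ncsu.edu", "A"),
        # DDNS works against the internal zone and is refused by the University.
        "ddns_internal": internal.dynamic_update("ad4.ad.cam.ncsu.edu", "A", "152.1.254.7"),
        "ddns_university": university.dynamic_update("ad4.cam.ncsu.edu", "A", "152.1.254.7"),
    }
```

Calling `checks()` returns each case keyed by name. The two locator results are the design point: with the AD zone hosted only on the DCs, a client that points at the internal servers finds a DC, while the same query against the University servers (or for a domain whose DNS name falls under the University's zone) returns nothing, which is why the internal servers must host the namespace the domain is actually named after and why every member machine must use them.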