Where to place Active Directory-integrated DNS servers and what type to use

  • Don

    I am working at two branch offices and have been tasked with deciding where to place Active Directory-integrated DNS servers and what type to use.

    One of the branch offices is very small (5 users) and has very slow network connectivity. Do I need a DNS server there and, if so, what type of zone should it host?

    The second branch office is much larger (about 30 users) and has better network connectivity. Does this office need a DNS server and, if so, what type of zone would you recommend?

  • Answers

    Related Question

    dns - Active Directory design for hosted services provision
  • Dai

    I operate a small-time hosted services[1] company as a means of paying off my student loans. I own a few Windows rackmount servers located in a datacentre. Provisioning is done by some tools I wrote in C# that tie in with WMI and ADSI to configure Active Directory, IIS, and Exchange for my clients.

    [1]I probably should say "web hosting" but I provide more services than that.

    It all works alright so far, but when I started I decided to use the same domain name internally as externally. "Foohost.com" is both my AD directory name, and the domain name of my company's website. The AD DNS servers are exposed.

    When I expanded to two servers and established a private link between them (using the 192.168.x.x band) things started breaking as the DNS servers were returning these private IP addresses when people on the Internet tried to nslookup the addresses of my servers.

    I've now read a few articles on TechNet on Active Directory design, and they recommend using "internal.foohost.com" for the Active Directory domain and "foohost.com" externally. This makes sense to me, but I'm confused when it comes to setting up my DNS servers properly:

    I'm using the Microsoft DNS Server that comes with Server 2008, which doesn't have support for ACLs or tighter control over recursion. The DNS server has a zone file (sometimes AD-integrated, other times using the filesystem) for each website or client's domain name. I don't know if I should use a separate, dedicated DNS server (which I can't really afford) with recursion disabled just for hosting my clients' zone files, and use the AD DNS servers strictly for the AD domain zone files, with recursion enabled (so servers in the domain can resolve Internet DNS entries) but sealed off from the public by a firewall.

    ...which is another thing: I don't have a proper firewall in place. I'm just using Windows Firewall on all of my servers.
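The split described in the post (an AD-integrated zone for internal.foohost.com on a domain controller that is never reachable from the Internet, and a public, authoritative-only server for foohost.com and customer zones) can be expressed with dnscmd.exe, which ships with the DNS Server role on Server 2008. The script below is an added example, not code from the original post or from the asker's provisioning tools. It assumes two servers named DC01 and NS01, a private link in 192.168.10.0/24, public addresses in 203.0.113.0/24 and ISP resolvers in 198.51.100.0/24; all names and addresses are placeholders, and the checks at the end are meant to be run from a host outside the datacentre.

```powershell
# Added example (not from the original post). Assumes Windows Server 2008 with the
# DNS Server role, run from an elevated PowerShell prompt on each server.
# Placeholders: DC01 = domain controller, NS01 = public name server (203.0.113.2),
# DC01 public NIC = 203.0.113.3, ISP resolvers = 198.51.100.53 / 198.51.100.54.

# ---- DC01: internal zone only, recursion on, never answers Internet clients ----
# AD-integrated primary zone for the directory. Host, SRV and private-link
# (192.168.10.x) records belong here and nowhere else.
dnscmd DC01 /ZoneAdd internal.foohost.com /DsPrimary
# Only AD-joined machines may register records (2 = secure dynamic update only).
dnscmd DC01 /Config internal.foohost.com /AllowUpdate 2
# No zone transfers of the internal zone to anyone.
dnscmd DC01 /ZoneResetSecondaries internal.foohost.com /NoXfr
# Domain members still need Internet resolution: forward everything this server
# is not authoritative for to the ISP resolvers (placeholder addresses).
dnscmd DC01 /ResetForwarders 198.51.100.53 198.51.100.54
# UDP/TCP 53 on DC01 must additionally be firewalled so that only the private
# link and the LAN can reach it; the DNS role's default inbound rules allow any source.

# ---- NS01: public zones only, authoritative-only, no recursion ----
# An authoritative server that also recurses for the world is an open resolver
# and will be abused for amplification; switch recursion off first.
dnscmd NS01 /Config /NoRecursion 1
# File-backed primary zone for the company's public name; only public IPs go in.
dnscmd NS01 /ZoneAdd foohost.com /Primary /file foohost.com.dns
dnscmd NS01 /RecordAdd foohost.com www  A  203.0.113.10
dnscmd NS01 /RecordAdd foohost.com mail A  203.0.113.11
dnscmd NS01 /RecordAdd foohost.com @    MX 10 mail.foohost.com.
# Refuse zone transfers so the whole customer list cannot be pulled with AXFR.
dnscmd NS01 /ZoneResetSecondaries foohost.com /NoXfr
# Customer zones are created on NS01 the same way; none of them go on DC01.

# ---- Checks, run from a host outside the datacentre ----
# 1. The public zone must not publish RFC 1918 addresses (the symptom in the post).
$leak = dnscmd NS01 /EnumRecords foohost.com @ /Type A |
    Select-String -Pattern '\b(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)\d'
if ($leak) { Write-Warning "Private address published in foohost.com:`n$leak" }

# 2. NS01 must not resolve names it is not authoritative for. nslookup prints one
#    'Address:' line for the server itself; any further one is a recursive answer.
$answers = nslookup -type=A www.example.org 203.0.113.2 2>&1 | Select-String 'Address:'
if (($answers | Measure-Object).Count -gt 1) { Write-Warning "NS01 is an open resolver" }

# 3. DC01 must not answer from the Internet at all; a query against its public
#    address should time out rather than return anything from internal.foohost.com.
nslookup -timeout=3 dc01.internal.foohost.com 203.0.113.3
```

Clients inside the domain keep pointing at DC01, which answers internal.foohost.com itself and forwards everything else; Internet clients only ever see NS01, which knows nothing about the internal zone or the 192.168.x.x link. If a third box is not affordable, the same split still works with NS01's role placed on the second server, provided that server is not a domain controller and has recursion disabled.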

  • Related Answers