Best Practice DNS Structure

  • Thread starter Thread starter guv
  • Start date Start date
G

guv

I need assistance in best practice to setup our DNS Structure. We have a
only one windows 2000 native domain and have windows 2000 and windows 2003
domain controllers.

We are running one domain but have 4 sites which are UK, Ireland, Belgium
and Czech Rep. Each site has 2 domain controllers. The UK site is where
all internet traffic should go to. Such as all internet access, external
email all comes to the UK. For external name DNS resolution the UK dns
servers have access to the external DNS servers of our ISP.

From this I need to setup our DNS structure such as the how to setup
forwarders and zone transfers.

I have 2 domain controllers in the UK, I have DC1 where I have setup the
forwarders to the external DNS servers. DC2 in the UK, should I set its
forwarders to the external DNS or DC1 ?

Also the 2 domain controllers in the other sites should their DNS forwarders
be the same or should one be set to the a UK DC and the other DC forwarder
set to the other DC in the same site. For example in Belgium, should one of
the DC BEDC1 forwarding setting set to DC1 in UK, and the other BEDC2
fowarder setting set to BEDC1???

Also regarding the zone transfers should all domain controllers in all sites
have all other domain controllers listed under zone transfers ???

Can someone please advise.
 
guv said:
I need assistance in best practice to setup our DNS Structure. We have a
only one windows 2000 native domain and have windows 2000 and windows 2003
domain controllers.
Click to expand...

Then you really won't have a "DNS Structure" but need rather to
create a single ZONE, and supply DNS servers to service it, i.e.,
AD Integrated DNS-DCs or Primary, with Second DNS servers for
that zone.
We are running one domain but have 4 sites which are UK, Ireland, Belgium
and Czech Rep. Each site has 2 domain controllers.
Click to expand...

Then you should (typically, almost always) have DNS Servers for your
zone in each of those locations -- easiest and likely best is to just use
AD Integrated DNS on each of the DCs, or at least one per site.
The UK site is where all internet traffic should go to. Such as all
internet access, external email all comes to the UK. For external name
DNS resolution the UK dns servers have access to the external DNS servers
of our ISP.
Click to expand...

So you mean that all external traffic must go out through router/firewalls
in the UK Site?

Generally that means the local DNS Servers should forward external DNS
queries to a "caching only DNS Server (set)" on the UK firewall/router or
firewall area.

It is also possible with a large number of local DNS servers that these
would
forward to the local firewall/gateway area caching DNS Server which would
then forward to the main one in the UK.
From this I need to setup our DNS structure such as the how to setup
forwarders and zone transfers.
Click to expand...

Zone transfers are from Primary or AD Integrated to Secondary DNS
servers for that zone. You can usually do better by just using AD
Integrated
DNS for all of this (instead of the traditional Primary or Secondaries.)
I have 2 domain controllers in the UK, I have DC1 where I have setup the
forwarders to the external DNS servers. DC2 in the UK, should I set its
forwarders to the external DNS or DC1 ?
Click to expand...

Depends on which works better but my suggestion above for forwarding
(all of them) directly to the firewall/router to the Internet is both safer
and
usually more efficient.

When you forward to the ISP you are subject to the ISP's bad security
practices, and when you do it directly (accepting the slight security risk)
you must allow DNS (frequently DCs) "out onto the Internet" where they
do NOT belong.
Also the 2 domain controllers in the other sites should their DNS
forwarders be the same or should one be set to the a UK DC and the other
DC forwarder set to the other DC in the same site.
Click to expand...

Usually the same. But I recommend a caching only DNS Server (set) for this
purpose. Usually on your gateway/firewall to the Internet.
For example in Belgium, should one of the DC BEDC1 forwarding setting set
to DC1 in UK, and the other BEDC2 fowarder setting set to BEDC1???
Click to expand...

What value is there to forwarding to the UK internal DNS servers?
Also regarding the zone transfers should all domain controllers in all
sites have all other domain controllers listed under zone transfers ???
Click to expand...

Yes, if you use Secondaries. Zone transfers are not done (nor required to
be enabled) for AD Integrated DNS Servers which use AD for their replication
of the zone.
 
Back
Top