DNS settings for Branch Offices


Miranda

I have several small branch offices (5 users each) that
have a permanent connection (site to site VPN) to our head
office. We have a Windows 2000 domain and both Domain
Controllers and both DNS servers at Head Office. Right now
I have my client computers at the branch offices
configured with both internal DNS servers' IP addresses.
My internal DNS servers forward external requests to our
ISP's DNS server.

Q. How should the DNS settings on the branch clients be
configured? Would it be better to have the first DNS
server listed as an external DNS server and the second DNS
server listed as an internal DNS server combined with a
host file on each client pc to reduce bandwidth
consumption and improve web browsing? Regards, Miranda.
 
Miranda said:
I have several small branch offices (5 users each) that
have a permanent connection (site to site VPN) to our head
office. We have a Windows 2000 domain and both Domain
Controllers and both DNS servers at Head Office. Right now
I have my client computers at the branch offices
configured with both internal DNS servers' IP addresses.
My internal DNS servers forward external requests to our
ISP's DNS server.

I take it that by "internal" you mean "local" or "branch" DNS
as opposed to HQ-DNS?
Q. How should the DNS settings on the branch clients be
configured?

You haven't given enough information. What zones do you
hold on each (set of) DNS servers? How many stations
locally? What percentage of traffic is going to access local
DATA after the resolution?
Would it be better to have the first DNS
server listed as an external DNS server and the second DNS
server listed as an internal DNS server combined with a
host file on each client pc to reduce bandwidth
consumption and improve web browsing?

My guesses -- and they are only guesses: Clients should point
to the local DNS server FIRST, and perhaps to the HQ/remote
second. If the local DNS server is also the VPN server consider
that if it is unresponsive then the odds of reaching another DNS
server are very low and there might not even be sufficient reason
to list the remote server -- and take a chance that clients will
"latch onto them" for ordinary resolution.

If there is local data (local DCs, file servers, email servers, peer
to peer workstation servers) then you would expect that much
traffic will stay local and I would want to keep the DNS
resolution local too.

If there were no local resources and only a single segment
(no subnets) locally my evaluation might change - and I might
even dispense with the local DNS or make it caching-only
since many VPN servers can do this without a full DNS server
having to run on them.

As to hosts files, avoid them if possible. They are unworkable
for more than about 100 local destinations and must be
distributed to each and every machine at every update (new
servers, NIC change when one breaks or is upgraded, etc.)

Hosts files should be used for special situations in modern
networks -- they represent a lot of administrative overhead
that can best be consolidated or eliminated by the DNS server.
 
Miranda said:
I have several small branch offices (5 users each) that
have a permanent connection (site to site VPN) to our head
office. We have a Windows 2000 domain and both Domain
Controllers and both DNS servers at Head Office. Right now
I have my client computers at the branch offices
configured with both internal DNS servers' IP addresses.
My internal DNS servers forward external requests to our
ISP's DNS server.

Q. How should the DNS settings on the branch clients be
configured? Would it be better to have the first DNS
server listed as an external DNS server and the second DNS
server listed as an internal DNS server combined with a
host file on each client pc to reduce bandwidth
consumption and improve web browsing? Regards, Miranda.

In addition to Herb's suggestions:

Never ever use an external DNS server in any client or DC in an AD
infrastructure:
http://support.microsoft.com/?id=291382

How to Use a forwarder (Step 3):
http://support.microsoft.com/?id=300202

Each DNS server must have a copy of the AD zone for proper AD functionality.

I would place two DNS servers per branch. If all in one domain, then make
the zone AD Integrated. This way all DNS servers have a copy of the zone. I
would also suggest to use both these DNS servers on the clients in the
respective branch offices. If using one DNS server, you can set the 1st to
the one at the branch and the 2nd to the corp office. Forward individually
to the ISP's in this scenario.

If multiple domains, child domains, delegate the child zone from the parent
DNS servers to the child DNS servers and set a forwarder from the child DNS
servers to the parent DNS server and set a forwarder from the parent DNS
server to the ISP's.
255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain: http://support.microsoft.com/?id=255248


More reading:
Chapter 2 - Structural Planning for Branch Office Environments:
http://www.microsoft.com/technet/tr...windows2000/deploy/adguide/adplan/adpch02.asp

How to Deploy Active Directory [Also Links to the AD Migration Cookbook and
Branch Deployment Guides]:
http://www.microsoft.com/technet/tr...et/prodtechnol/windows2000serv/deploy/ADD.asp

Active Directory Branch Office Guide Series:
http://www.microsoft.com/technet/tr...nol/ad/windows2000/deploy/adguide/DEFAULT.asp

Hope that helps.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
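As an added example that is not part of the thread, the following script does what Ace describes on a branch client: it audits every adapter for DNS servers that are not on the internal list, shows why an external resolver breaks Active Directory (it cannot answer the DC locator SRV query), and re-points the client at internal servers only, with the server-side forwarder to the ISP as the last step. It uses the DnsClient and DnsServer PowerShell modules (Windows 8/Server 2012 and later), which did not exist on Windows 2000, so it is a modern equivalent of the settings discussed rather than Windows 2000 commands. The addresses 10.0.0.10, 10.0.0.11, 8.8.8.8 and 203.0.113.53 are placeholders.

```powershell
# Added example, not from the original thread.
# Assumes Windows 8 / Server 2012 or later (DnsClient module).
# Placeholder addresses: replace with the real head-office DNS servers.
$InternalDns = @('10.0.0.10', '10.0.0.11')
$IspResolver = '8.8.8.8'        # stands in for the ISP's resolver in the SRV test below
$AdDomain    = (Get-CimInstance Win32_ComputerSystem).Domain   # e.g. corp.example.com

# 1. Audit: every IPv4 DNS server on every adapter must be an internal AD DNS server.
$findings = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }
    foreach ($srv in $cfg.ServerAddresses) {
        if ($srv -notin $InternalDns) {
            [pscustomobject]@{
                Interface = $cfg.InterfaceAlias
                Server    = $srv
                Issue     = 'External DNS server configured on a domain member'
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Show the failure mode: only the internal servers hold the AD-integrated zone,
#    so only they can answer the DC locator record a client needs to log on.
foreach ($srv in ($InternalDns + $IspResolver)) {
    try {
        $r = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                             -Server $srv -DnsOnly -ErrorAction Stop
        "$srv : DC locator -> $($r.NameTarget -join ', ')"
    } catch {
        "$srv : no answer for the DC locator record ($($_.Exception.Message))"
    }
}

# 3. Remediate: internal servers only, in the order Ace suggests
#    (a branch-local DNS server first if one exists, head office second).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses | Where-Object { $_ -notin $InternalDns } } |
    ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $InternalDns
    }

# 4. On each internal DNS server (DnsServer module, run on the server itself):
#    forward names the server cannot resolve to the ISP. The ISP address is never
#    placed on clients; it only appears here, as the forwarder.
# Set-DnsServerForwarder -IPAddress 203.0.113.53 -UseRootHint $false
```

Run steps 1 and 2 first; the SRV test against the ISP resolver is the quickest way to show a colleague why "external DNS first" is not a bandwidth optimization but a logon failure waiting for the internal server to time out. Step 4 is commented out because it must be run on the DNS server, not the client.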
 
I have several small branch offices (5 users each) that
I take it that by "internal" you mean "local" or "branch" DNS
as opposed to HQ-DNS? (No. I mean HQ-DNS. There are no
DNS servers at the branches and I don't plan to have any.)
You haven't given enough information. What zones do you
hold on each (set of) DNS servers? (A/D Integrated.) How many stations
locally? (5 client machines per branch.) What percentage
of traffic is going to access local
 