AD DNS Design Problem
Newsgroup: Microsoft Windows 2000 DNS (PC Review archive)

#1 Chris Wagner
BACKGROUND

I have one root domain (local.net) and one child domain (test.local.net). When I promoted the first domain controller in the forest I allowed dcpromo to install DNS on the first DC in the forest. It installed it as a root DNS server (there are no root hints). Next I delegated the test.local.net zone to the first domain controller for the test.local.net domain before I promoted it to a domain controller. Each additional domain controller for the test domain was added to the delegation. The root hints for the test.local.net domain are the two forest root domain controllers.

DESIGN CONCEPT

All domain controllers in both domains are DNS servers
All test domain controllers point to themselves for DNS
All DNS zones are AD integrated
There are four domain controllers for the test domain: DC1, DC2, DC3, DC4
DC2, DC3, and DC4 have recursion enabled and are set to forward to DC1
DC1 (root DNS) is set to forward to an external non-domain DNS server (for internet name resolution)

PROBLEM

When I set DC1 to forward to the external DNS server replication stops working. I receive DNS lookup errors. If I do an nslookup on any of the domain controllers all the names resolve correctly. It's like the DCs don't look to themselves first. Is this a design flaw?

#2 Herb Martin

It may be a design flaw but note that it is pretty unusual to "forward to a DNS server in the same small namespace" -- since everything is reachable through the "root hints" hierarchy anyway.

Certainly in the general case this is done -- where an internal DNS server forwards to the ISP's DNS but also does its OWN recursion as a backup or safety measure.

On first inspection (based on your description) I cannot find an "infinite loop" or anything, unless DC1 is forwarding to DC1 (itself). Don't do that, for sure.

What is the forwarding accomplishing (besides the problems you indicate)?

#3 Chris Wagner

Yes that is correct. Due to a lack of funds for a forward only DNS server (non DC) that talks through the firewall to the external DNS server we made all DC's forward to one DC which is allowed to talk to the external DNS server. We did not want all DC's talking to an external DNS server for security reasons. That is really one of my questions. Does this make sense? Should I just forward all DC's to the external DNS server?

Herb Martin wrote:
> > The forwarding is setup for external name resolution. If I do not enable
> > forwarding then there is no resolution for external addresses.
>
> But are you not forwarding to an INTERNAL ("DC1") server?
>
> Instead forward to a (non-DC) DNS that is on or safe to visit the
> Internet, e.g. your ISP's DNS, or your Proxy/NAT/Firewall with a
> DNS relay.

#4 Herb Martin

> Yes that is correct. Due to a lack of funds for a forward only DNS server (non
> DC) that talks through the firewall to the external DNS server we made all
> DC's forward to one DC which is allowed to talk to the external DNS server. We

You shouldn't let ANY OF THEM recurse on the Internet -- as they might potentially need to visit and talk with EVERY machine on the net, including BadHackers.Iq etc.

> did not want all DC's talking to an external DNS server for security reasons.

If one of them does, then you are already exposed. Put a DNS server or relay on your firewall and point them ALL THERE.

> That is really one of my questions. Does this make sense? Should I just
> forward all DC's to the external DNS server?

Yes, or perhaps better forward them all to the Firewall/NAT server. Most of the cheap firewall/NATs can do this anyway -- Win2000 RRAS NAT server (or even ICS on a Workstation can.)

This is NOT expensive -- you can start from scratch and build a machine for less than $400 (use an old essentially free one even); you either forward to the ISP or get ONE machine that is not your DC/"internal DNS" to do it and forward THOSE to the single machine.

#5 Ace Fekay

In news:OOykfy1PDHA.3768@tk2msftngp13.phx.gbl,
Herb Martin <news@LearnQuick.com> posted his concerns then I replied down below:

>> Yes that is correct. Due to a lack of funds for a forward only DNS
>> server (non DC) that talks through the firewall to the external DNS
>> server we made all DC's forward to one DC which is allowed to talk
>> to the external DNS server. We
>
> You shouldn't let ANY OF THEM recurse on the Internet -- as they might
> potentially need to visit and talk with EVERY machine on the net,
> including BadHackers.Iq etc.
>
>> did not want all DC's talking to an external DNS server for security
>> reasons.
>
> If one of them does, then you are already exposed. Put a DNS server
> or relay on your firewall and point them ALL THERE.
>
>> That is really one of my questions. Does this make sense? Should I
>> just forward all DC's to the external DNS server?
>
> Yes, or perhaps better forward them all to the Firewall/NAT server.
> Most of the cheap firewall/NATs can do this anyway -- Win2000 RRAS
> NAT server (or even ICS on a Workstation can.)
>
> This is NOT expensive -- you can start from scratch and build a machine
> for less than $400 (use an old essentially free one even); you either
> forward to the ISP or get ONE machine that is not your DC/"internal DNS" to
> do it and forward THOSE to the single machine.

Actually, I haven't had any problems forwarding individually to an ISP's DNS server. I haven't seen any security problems as of yet with my 3 DNS servers.

I'm also curious, since they all have forwarders, but the original post said that the original DC1 created was a root server, was the root zone deleted to allow you to create a forwarder?

I've seen issues when forwarding from one server to another within the same domain when all the servers host the same zone name. I can see forwarding from a child to the parent when there is a delegation, but this design is just one domain. In this case, for the most part, we just forward individually out.

Otherwise, as you said Herb, create another inexpensive server to forward to that is forwarding to the ISP's.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

#6 Chris Wagner

The two DNS servers for the parent domain (empty placeholder domain) are root DNS servers. DC1, DC2, DC3, and DC4 are in the child domain and are not root DNS servers. There is no forwarding in the root domain. The basic idea was to allow the child domain DNS servers to resolve all test.local.net requests. Recursion on the child DNS servers is enabled to allow all local.net name resolution and forwarding was set up to accomplish internet name resolution. Sorry for any confusion.

I guess the best thing to do is acquire a forward only server and forward all DC's to this forwarding server which forwards to the external DNS server. Thanks for all the help Ace and Herb. If there is anything more that you want to add I am listening.

#7 Herb Martin

> Actually, I haven't had any problems forwarding individually to an ISP's
> DNS server. I haven't seen any security problems as of yet with my 3 DNS
> servers.

I agree but he embedded this idea as a "security requirement" in one of his previous posts.

Some people can actually benefit more from the "Consolidation" by forwarding to a single point if they have a slow WAN line -- this consolidates the cache of EXTERNAL ENTRIES on one machine.

> I'm also curious, since they all have forwarders, but the original post
> said that the original DC1 created was a root server, was the root zone
> deleted to allow you to create a forwarder?

You know I thought I read that too -- and of course it cannot be a ROOT and FORWARD at the same time because the MS gui disables the forwarding tab in the case of being a Root.
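As an added example (not code from any poster in this thread), the three forwarding rules argued in posts #2 (no self-forwarding or loops), #4 (every DC forwards to one non-DC relay, never straight to the Internet) and #7 (a root server cannot forward) expressed as a small audit over a constructed model of the child-domain layout. DC1 to DC4 come from the thread; `fw-relay` and `isp-dns` are assumed placeholder names, and the model is hand-described rather than read from a Windows DNS server.

```python
"""Audit a DNS forwarding topology for the pitfalls raised in this thread.
Constructed model (hand-described servers), not a Windows API; the checks
encode posts #2 (no self-forwarding/loops), #7 (a root server cannot forward)
and #4 (DCs forward to one non-DC relay, never to a DC or to the Internet).
"""
from dataclasses import dataclass, field
from typing import Dict, List

EXTERNAL = "isp-dns"  # assumed name for the external (Internet) resolver

@dataclass
class DnsServer:
    name: str
    is_dc: bool
    forwarders: List[str] = field(default_factory=list)
    has_root_zone: bool = False

def forwarding_chain(servers: Dict[str, DnsServer], start: str) -> List[str]:
    """Follow each hop's first forwarder until EXTERNAL, a server with no
    forwarders, or a name already visited (left as the last element: a loop)."""
    chain, seen, cur = [start], {start}, start
    while cur in servers and servers[cur].forwarders:
        nxt = servers[cur].forwarders[0]
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
        cur = nxt
    return chain

def audit(servers: Dict[str, DnsServer]) -> List[str]:
    """Return one human-readable finding per violated rule."""
    findings: List[str] = []
    for s in servers.values():
        if s.has_root_zone and s.forwarders:
            findings.append(f"{s.name}: hosts the root zone and also forwards; "
                            "a root server cannot forward (post #7)")
        chain = forwarding_chain(servers, s.name)
        if len(chain) > 1 and chain[-1] in chain[:-1]:
            findings.append(f"{s.name}: forwarding loop {' -> '.join(chain)} (post #2)")
            continue
        if not s.is_dc:
            continue  # a non-DC relay is the one box allowed to talk to the Internet
        for fwd in s.forwarders:
            if fwd == EXTERNAL:
                findings.append(f"{s.name}: domain controller forwards straight "
                                "to the Internet (post #4)")
            elif fwd in servers and servers[fwd].is_dc:
                findings.append(f"{s.name}: forwards to {fwd}, which is itself a DC; "
                                "forward to one non-DC relay instead (post #4)")
    return findings

def thread_design() -> Dict[str, DnsServer]:
    """Child-domain layout from post #1: DC2-DC4 -> DC1 -> external DNS."""
    dcs = [DnsServer("DC1", True, [EXTERNAL])]
    dcs += [DnsServer(n, True, ["DC1"]) for n in ("DC2", "DC3", "DC4")]
    return {d.name: d for d in dcs}

def corrected_design() -> Dict[str, DnsServer]:
    """Post #4's recommendation: every DC forwards to one non-DC relay
    (assumed name 'fw-relay', on the firewall) which alone talks to the ISP."""
    relay = DnsServer("fw-relay", False, [EXTERNAL])
    dcs = [DnsServer(n, True, ["fw-relay"]) for n in ("DC1", "DC2", "DC3", "DC4")]
    return {d.name: d for d in dcs + [relay]}

if __name__ == "__main__":
    for label, design in (("thread design", thread_design()),
                          ("corrected design", corrected_design())):
        print(f"== {label} ==")
        for line in audit(design) or ["no findings"]:
            print("  " + line)
```

Running it reports four findings for the layout in post #1 (DC1 talking to the Internet, DC2 to DC4 forwarding to a DC) and none once every DC points at the single relay.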

#8 Ace Fekay

In news:3F017AEC.1A30473D@dot.state.nc.us,
Chris Wagner <cwagner@dot.state.nc.us> posted his concerns then I replied down below:

> The two DNS servers for the parent domain (empty placeholder domain)
> are root DNS servers. DC1, DC2, DC3, and DC4 are in the child domain
> and are not root DNS servers. There is no forwarding in the root
> domain. The basic idea was to allow the child domain DNS servers to
> resolve all test.local.net requests. Recursion on the child DNS
> servers is enabled to allow all local.net name resolution and
> forwarding was set up to accomplish internet name resolution. Sorry
> for any confusion.
>
> I guess the best thing to do is acquire a forward only server and
> forward all DC's to this forwarding server which forwards to the
> external DNS server. Thanks for all the help Ace and Herb. If there
> is anything more that you want to add I am listening.

That sounds like the best bet if you're concerned with security. My actual AD's DNS server (not accessible from the Internet) is actually forwarding to my public servers, which have access to the Internet and Internet to them thru my firewall.

Good luck!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

#9 Ace Fekay

In news:OLkuIx9PDHA.3664@tk2msftngp13.phx.gbl,
Herb Martin <news@LearnQuick.com> posted his concerns then I replied down below:

>> Actually, I haven't had any problems forwarding individually to an
>> ISP's DNS server. I haven't seen any security problems as of yet
>> with my 3 DNS servers.
>
> I agree but he embedded this idea as a "security requirement" in one
> of his previous posts.
>
> Some people can actually benefit more from the "Consolidation" by
> forwarding to a single point if they have a slow WAN line -- this
> consolidates the cache of EXTERNAL ENTRIES on one machine.

True, I even forward to my own public server, not necessarily for security, but for less hop distance to recurse. But the benefit, of course, is security.

>> I'm also curious, since they all have forwarders, but the original
>> post said that the original DC1 created was a root server, was the
>> root zone deleted to allow you to create a forwarder?
>
> You know I thought I read that too -- and of course it cannot be a
> ROOT and FORWARD at the same time because the MS gui disables the
> forwarding tab in the case of being a Root.

Yeah, wasn't sure about that, but his latest reply straightened that out. :-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory