AD DNS question


Lamar Thomas

We are about to upgrade from NT 4.0 to Win 2003, AD and DNS. Can someone
help me understand how to use this DNS stuff. I mean, I know what DNS is
and how it works. What I don't understand is how my ISP's DNS and my AD DNS
work together on my network.

We have a T1 line at work and our ISP provides public DNS for us. So my
DHCP server (Win NT 4.0) gives out their IP addresses and we get Internet
access via our CISCO PIX box.

Now we throw in (non-public) AD DNS on our internal network. What do we do
next? Do we have to configure each client (i.e. via DHCP) to point to our
internal DNS servers? What about our ISP's DNS servers? How do we talk to
the outside world if we do that.

Or is AD DNS a little different than the ISP DNS? Is AD DNS only for
internal (within Windows itself) communication between AD nodes/objects on
the network?

I'm just not sure if I am supposed to configure all my clients for the AD
DNS. Can anyone shed some light on the subject? Thanks for any and all
help.


Lamar
 

Simon Woolley

Hi Lamar,

Configure all your clients to point to the AD DNS. Your AD DNS also needs to
point to itself for DNS.

In the DNS console, Right click on the Servername > Properties > Forwarders.
Add in your ISP's DNS servers here.
Your clients will query the local DNS server. If the Local DNS server does
not have a valid record for a client request, it will forward the request
onto the ISP's DNS server. The client machines do not need to know about the
ISP DNS at all.

Regards
Simon
 

Brent Westmoreland

> We are about to upgrade from NT 4.0 to Win 2003, AD and DNS. Can someone
> help me understand how to use this DNS stuff. I mean, I know what DNS is
> and how it works. What I don't understand is how my ISP's DNS and my AD DNS
> work together on my network.

Well,

There are many schools of thought on this very subject. Probably the
widest proliferation at this point is to separate your internal and
external DNS namespaces so that they don't clash. This would mean
leaving your external dns namespace listed with your ISP and
maintaining a separate internal dns infrastructure.

> We have a T1 line at work and our ISP provides public DNS for us. So my
> DHCP server (Win NT 4.0) gives out their IP addresses and we get Internet
> access via our CISCO PIX box.

This is slightly out of scope, but consider a proxy server to fill this
role. Your clients don't need to resolve internet dns names when a
proxy can do this for them. It also allows you to do virus scanning on
websites, track site visits, control access by userid, etc, etc.

> Now we throw in (non-public) AD DNS on our internal network. What do we do
> next? Do we have to configure each client (i.e. via DHCP) to point to our
> internal DNS servers? What about our ISP's DNS servers? How do we talk to
> the outside world if we do that.

If you want to continue allowing your clients to access public dns
records this can be accomplished by way of roothints and forward lookup
zones. You could, for example, send all requests that can't be
resolved by your internal dns servers to the ISP DNS servers by way of
a forwarder. To see what I mean:

1. install windows 2000/2k3 on a test box or a virtual machine and install dns.

2. open the dns console, right-click on the server and select properties.

3. click on the forwarders tab, enable forwarders and enter your isp's
ip addresses.

This way allows you to specify your upstream dns servers.

Out of the box win2k dns comes with the standard internet root-hints
already downloaded and configured. Root-Hints are the name servers on
the internet that are authoritative for domains like com., gov.,
edu., etc. By virtue of this, if you install a win2k dns server with
a default gateway that leads to the internet, then you should naturally
be able to resolve internet domain names from your internal dns servers.

(proxy is still a better idea)

> Or is AD DNS a little different than the ISP DNS? Is AD DNS only for
> internal (within Windows itself) communication between AD nodes/objects on
> the network?

Active Directory DNS is a little different than older bind
implementations of dns. The features that really start to show up as
benefits are when you install an AD integrated zone. These zones
actually are stored inside ad and take advantage of your
ActiveDirectory replication environment. This also automatically
enables secure incremental zone transfers and compression ( all good
things). The final major benefit is Dynamic DNS... You need this with
Active Directory, although it is theoretically possible to make all of
your srv records manually, don't. Dynamic DNS will allow Active
Directory to automatically register the necessary records for your
clients to find services.

> I'm just not sure if I am supposed to configure all my clients for the AD
> DNS. Can anyone shed some light on the subject? Thanks for any and all
> help.

Yes, Your clients will need to find ldap, kerberos, and global catalog
servers all based on srv records registered in your ad implementation
of DNS.

Before undertaking AD as a subject, I recommend loading up on o'reilly
books. I have never read a bad one. If you are under crunch time to
get this done, consider bringing in a temporary consultant who has
experience with an organization of your size. It is a large topic, and
not one to be taken lightly.

Good Luck

Brent
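The resolution flow Simon and Brent describe (clients ask only the AD DNS server; it answers from the zones it owns and forwards everything else to the ISP's servers) and the SRV records clients need to find LDAP, Kerberos and global catalog servers, modelled as an added example that is not code from this thread. All names and addresses are constructed; a single-domain forest is assumed, so the `_gc` record lives in the same zone.

```python
"""Model of an AD-integrated DNS server (constructed example): queries in its own
zones are answered locally, everything else goes to the ISP forwarders, and each
domain controller registers the SRV records that let clients locate services."""

# Constructed sample data: hypothetical internal namespace, RFC 5737 / RFC 1918 addresses.
ISP_FORWARDERS = ["203.0.113.53", "203.0.113.54"]   # entered on the Forwarders tab
DOMAIN = "corp.example"                             # hypothetical AD DNS namespace


def expected_srv_names(domain):
    """SRV names Active Directory registers so clients can find LDAP, Kerberos
    and global catalog servers (single-domain forest assumed for _gc)."""
    return [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{domain}",
    ]


def register_dc(zone, domain, dc_host, dc_ip):
    """Simulate the dynamic DNS registration a domain controller performs."""
    fqdn = f"{dc_host}.{domain}"
    zone[fqdn] = {"A": dc_ip}
    for name in expected_srv_names(domain):
        zone.setdefault(name, {}).setdefault("SRV", []).append(fqdn)


def resolve(zone, authoritative_zones, name, rtype="A"):
    """Answer from a zone this server owns; otherwise hand the query to the
    forwarders. Clients never need to know the ISP's servers exist."""
    name = name.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in authoritative_zones):
        rrset = zone.get(name, {}).get(rtype)
        return ("local", rrset) if rrset else ("nxdomain", None)
    return ("forward", ISP_FORWARDERS)


def missing_srv_records(zone, domain):
    """Records clients depend on that no DC has registered yet."""
    return [n for n in expected_srv_names(domain) if "SRV" not in zone.get(n, {})]


if __name__ == "__main__":
    zone = {}
    register_dc(zone, DOMAIN, "dc1", "10.0.0.10")
    print(resolve(zone, [DOMAIN], "dc1.corp.example"))        # answered locally
    print(resolve(zone, [DOMAIN], "www.example.net"))          # sent to ISP forwarders
    print("missing SRV records:", missing_srv_records(zone, DOMAIN))
```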
 

Lamar Thomas

Thanks guys,

That is just the info I needed. After reading your posts I looked up the
subjects in some of the books that I have and you are right! I now have a
much better understanding of DNS and AD DNS. Thanks for your help.


Lamar
 