Externally Managed DNS namespace and Active Directory

Alex

Hi there,

Wondered if anyone could offer some good advice regarding integrating our
external/internal domain namespace with Active Directory.

Background:

We currently have a managed DNS solution with UltraDNS for our company
domain abc.com

However, we also need to make use of the same domain name abc.com as part of
our Active Directory internal infrastructure; this process enables our users
to have a single User Principal Name that can be used for Windows
authentication and email purposes.

Active Directory requires a DNS server which allows for DDNS updates and
even if UltraDNS could allow our Windows 2003 Servers to contact the UltraDNS
servers to dynamically update our zone file this solution is neither
practical nor secure for our internal client systems to traverse a WAN link
just to request information about local resources.

The Problem:
We currently have two disparate DNS Services running trying to manage the
same namespace!

1. The external DNS service managed by UltraDNS to provide a fault tolerant,
load balanced DNS Service for public web/mail etc
2. An internal DNS service which handles Active Directory resource and
directory searches.

DNS Name Resolution problems start to occur when we need to resolve DNS
records for abc.com domain which are not held locally but are managed by the
UltraDNS Servers.

An example would be our MX resource records. At present our mx0.abc.com
record cannot be resolved internally because our internal Active
Directory/DNS Server has no record of our mail server but is the
authoritative name server internally for the abc.com domain.

Some possible workaround suggestions have been:

1. Promote our internal DNS Server to a Secondary nameserver in conjunction
with the UltraDNS nameservers.

Cons - This would negate the benefits of outsourcing our external DNS, plus
we would need to traverse a WAN link just to request information about local
resources. I'm pretty sure we would also need to untangle the Active
Directory reliance upon our internal DNS Server and re-point to the UltraDNS
primary name server as the new authoritative DNS Server... I think this
could be tricky and again would not really solve our problem.

2. We could pull a zone transfer periodically from our external DNS Servers
to synch up with our external DNS zone file

Cons - I'm pretty sure this would overwrite our internal DNS records which
would mean all the SRV records and other dynamic updates via Active
Directory would be lost - not a smart move

3. Manually add the relevant zone file records from the external DNS zone file
to the internal DNS Server.

Cons - This would require a manual modification to our internal DNS Servers
every time we made any changes to the UltraDNS abc.com zone file.

The last option is the one I have currently implemented but I would love to
hear from anyone who can think of a better alternative.

Q. Can you think of a better workaround solution to this dilemma? For
example, can we periodically pull the latest copy of the external abc.com
zone file down and import this locally into our internal DNS Servers without
overwriting the existing zone file? Or could we allow some form of
incremental zone transfer but still allow only the UltraDNS name servers to
be regarded as the primary/secondary name servers for the abc.com domain?

Many Thanks

Alex
 
Herb Martin

> However, we also need to make use of the same domain name abc.com as part of
> our Active Directory internal infrastructure; this process enables our users
> to have a single User Principal Name that can be used for Windows
> authentication and email purposes.

There are other ways to do THIS, but your choice is still perfectly valid.

> Active Directory requires a DNS server which allows for DDNS updates and
> even if UltraDNS could allow our Windows 2003 Servers to contact the UltraDNS
> servers to dynamically update our zone file this solution is neither
> practical nor secure for our internal client systems to traverse a WAN link
> just to request information about local resources.

Correct -- Dynamic DNS (almost) never belongs on the Internet.

> The Problem:
> We currently have two disparate DNS Services running trying to manage the
> same namespace!

Perfectly normal for the same "dns name" zone being used both externally and
also internally.

> 1. The external DNS service managed by UltraDNS to provide a fault tolerant,
> load balanced DNS Service for public web/mail etc
> 2. An internal DNS service which handles Active Directory resource and
> directory searches.

Use AD Integrated DNS for the latter -- this is almost always the best
solution. Stay with this (basic solution.)

> DNS Name Resolution problems start to occur when we need to resolve DNS
> records for abc.com domain which are not held locally but are managed by the
> UltraDNS Servers.

Manually duplicate all external DNS records to the Internal DNS servers.
If you have a giant Zone externally then you must set up some kind of "change
control" practice, which is likely needed anyway.

Use Shadow DNS (that's the name for the two zones which have the same name,
that you are currently using.)
 
Simon Geary

Your solution is the best available for this split horizon problem. It is a
common setup and I'm not aware of any other workarounds.
 
Alex

Thanks Herb, appreciate your comments

Q. How do you implement Shadow DNS - does anyone know any good articles on
this?
Q. Can we somehow synchronize our External DNS zone file with our Internal DNS
zone file without overwriting the existing Internal zone file?

thanks again
 
Herb Martin

Alex said:
> Thanks Herb, appreciate your comments
>
> Q. How do you implement Shadow DNS - does anyone know any good articles on
> this?

Someone will probably provide you a link but it is almost trivial to
describe (to anyone who understands DNS) and you seem to have implemented it
without knowing the term <grin>

"Shadow DNS" -- Using a single Zone Name configure:
  One DNS server (set) on the outside with ONLY public records
  (i.e., records you wish the public to see)
  Second DNS server (set) on the inside with BOTH public records and private
  records (i.e., those records you wish to keep from public view)

Manually add new external records or changes to BOTH Primary DNS.

Since you have two DNS server sets with two Primaries (or equivalent) you will
never replicate automatically. This is good since it protects the private
records.

> Q. Can we somehow synchronize our External DNS zone file with our Internal DNS
> zone file without overwriting the existing Internal zone file?

Don't try it (unless you just write some scripts to do the equivalent of
manual update.)

This is the (only real) disadvantage of Shadow DNS: Duplication of effort in
adding or changing EXTERNAL records.
 
Enkidu

Inline.

Cheers,

Cliff

> Hi there,
>
> Wondered if anyone could offer some good advice regarding integrating our
> external/internal domain namespace with Active Directory.
>
> Background:
>
> We currently have a managed DNS solution with UltraDNS for our company
> domain abc.com
>
> However, we also need to make use of the same domain name abc.com as part of
> our Active Directory internal infrastructure; this process enables our users
> to have a single User Principal Name that can be used for Windows
> authentication and email purposes.
>
> Active Directory requires a DNS server which allows for DDNS updates and
> even if UltraDNS could allow our Windows 2003 Servers to contact the UltraDNS
> servers to dynamically update our zone file this solution is neither
> practical nor secure for our internal client systems to traverse a WAN link
> just to request information about local resources.
>
> The Problem:
> We currently have two disparate DNS Services running trying to manage the
> same namespace!
>
> 1. The external DNS service managed by UltraDNS to provide a fault tolerant,
> load balanced DNS Service for public web/mail etc
> 2. An internal DNS service which handles Active Directory resource and
> directory searches.
>
> DNS Name Resolution problems start to occur when we need to resolve DNS
> records for abc.com domain which are not held locally but are managed by the
> UltraDNS Servers.
>
> An example would be our MX resource records. At present our mx0.abc.com
> record cannot be resolved internally because our internal Active
> Directory/DNS Server has no record of our mail server but is the
> authoritative name server internally for the abc.com domain.

I guess your internal servers relay mail through the internal mail
server? Otherwise, I can't see the need to access the MX records
internally. I must be missing something obvious.

> Some possible workaround suggestions have been:
>
> 1. Promote our internal DNS Server to a Secondary nameserver in conjunction
> with the UltraDNS nameservers.
>
> Cons - This would negate the benefits of outsourcing our external DNS, plus
> we would need to traverse a WAN link just to request information about local
> resources. I'm pretty sure we would also need to untangle the Active
> Directory reliance upon our internal DNS Server and re-point to the UltraDNS
> primary name server as the new authoritative DNS Server... I think this
> could be tricky and again would not really solve our problem.

In addition the external nameservers will have to support DDNS and SRV
records, AND you will be publishing LAN information on an external
server.

> 2. We could pull a zone transfer periodically from our external DNS Servers
> to synch up with our external DNS zone file
>
> Cons - I'm pretty sure this would overwrite our internal DNS records which
> would mean all the SRV records and other dynamic updates via Active
> Directory would be lost - not a smart move

Shouldn't be too hard to script something though.

> 3. Manually add the relevant zone file records from the external DNS zone file
> to the internal DNS Server.
>
> Cons - This would require a manual modification to our internal DNS Servers
> every time we made any changes to the UltraDNS abc.com zone file.
>
> The last option is the one I have currently implemented but I would love to
> hear from anyone who can think of a better alternative.

It depends on how often things change on the external side. Shouldn't
be too often should it?

You have a good solution here - the external and internal DNS are
separate which is the best way to go. The issues aren't that big, I
feel.

Cheers,

Cliff
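The scripted equivalent of the manual update that Herb mentions ("some scripts to do the equivalent of manual update") and that Cliff says should not be hard to write, as an added example that is not part of the thread: it merges a text export of the public abc.com zone into the internal AD zone, adding only record sets that are absent internally, never touching AD's underscore/SRV records or the provider's SOA/NS, and reporting conflicts (such as the apex A record the DCs register themselves) for a human to decide instead of overwriting. The zone contents, dc1 and pdns1.example.net are constructed sample data.

```python
# Added example (not from the thread): bring the public records of an export of
# the external abc.com zone into the AD-integrated internal zone without ever
# overwriting or deleting what AD registered. Zone text below is constructed.
AD_OWNED_TYPES = {"SOA", "NS", "SRV"}  # never copied in from the public zone

def is_ad_name(name: str) -> bool:
    """Underscore-labelled names (_ldap._tcp, _msdcs, ...) belong to AD."""
    return any(label.startswith("_") for label in name.lower().split("."))

def parse_zone(text: str) -> dict:
    """Minimal 'name [ttl] IN type rdata' parser -> {(name, type): {rdata}}."""
    zone = {}
    for line in text.splitlines():
        parts = line.split(";")[0].split()      # drop comments, tokenize
        if not parts:
            continue
        if parts[1].isdigit():                  # optional TTL field
            del parts[1]
        name, rtype = parts[0].lower().rstrip("."), parts[2].upper()
        zone.setdefault((name, rtype), set()).add(" ".join(parts[3:]))
    return zone

def merge_zones(internal: dict, external: dict) -> tuple:
    """Return (merged, conflicts, skipped). Only record sets absent internally
    are added; existing internal data always wins and is never deleted."""
    merged = {k: set(v) for k, v in internal.items()}
    conflicts, skipped = {}, {}
    for (name, rtype), rdata in external.items():
        if rtype in AD_OWNED_TYPES or is_ad_name(name):
            skipped[(name, rtype)] = rdata           # provider/AD-owned: leave
        elif (name, rtype) not in internal:
            merged[(name, rtype)] = set(rdata)       # public-only: copy it in
        elif internal[(name, rtype)] != rdata:
            conflicts[(name, rtype)] = (internal[(name, rtype)], rdata)
    return merged, conflicts, skipped

INTERNAL_ZONE = """\
abc.com. 3600 IN SOA dc1.abc.com. hostmaster.abc.com. 42 900 600 86400 3600
abc.com. 600 IN A 10.0.0.10          ; apex A the DCs register themselves
_ldap._tcp.abc.com. 600 IN SRV 0 100 389 dc1.abc.com.
"""
EXTERNAL_ZONE = """\
abc.com. 3600 IN SOA pdns1.example.net. hostmaster.abc.com. 7 3600 600 86400 3600
abc.com. 3600 IN NS pdns1.example.net.
abc.com. 3600 IN A 203.0.113.10      ; public web front end
abc.com. 3600 IN MX 10 mx0.abc.com.
mx0.abc.com. 3600 IN A 203.0.113.25
"""
def sync_sample() -> tuple:
    """Run the merge over the constructed zones; conflicts are for a human."""
    return merge_zones(parse_zone(INTERNAL_ZONE), parse_zone(EXTERNAL_ZONE))
```

Run it on a scheduled task after each change to the public zone and feed only the `merged` additions to the internal server; the `conflicts` list is the review queue, not something to apply blindly.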