New office - DNS server set up question

kammy_boy186

Hi

We are going to be building a new branch office, number of users about
100. The office will be running a Windows 2003 Domain Controller,
File/Print Server, DNS server, and DHCP server. Exchange will be
located centrally at HQ. The office will have its own subnet and be
connected to HQ via a PIX-PIX VPN.

As regards building the DNS server, what are the recommendations? We
can use our ISP's DNS servers for public DNS, but obviously need a
local DNS server for internal machines. Is this pretty straightforward?
Or should we use the DNS server for both public and private hosts?

Does anyone have any straightforward links on how to create a DNS
server?

Thanks
 
Kurt

> Hi
>
> We are going to be building a new branch office, number of users about
> 100. The office will be running a Windows 2003 Domain Controller,
> File/Print Server, DNS server, and DHCP server. Exchange will be
> located centrally at HQ. The office will have its own subnet and be
> connected to HQ via a PIX-PIX VPN.
>
> As regards building the DNS server, what are the recommendations? We
> can use our ISP's DNS servers for public DNS, but obviously need a
> local DNS server for internal machines. Is this pretty straightforward?
> Or should we use the DNS server for both public and private hosts?
>
> Does anyone have any straightforward links on how to create a DNS
> server?
>
> Thanks

Since you have an Active Directory, you should use ONLY your AD DNS
server for name resolution. If the branch office DC is a second domain
controller in the same domain as the home office, just let the AD
installation wizard install DNS at the time of promo. Windows sets up
default replication for the AD zone all by itself. If this is a new
domain, pretty much the same thing. In either case, if you don't want
your local DC resolving Internet names, add a forwarder on the DNS
server to your ISP's DNS server.

....kurt
 
kammy_boy186

> server for name resolution. If the branch office DC is a second domain
> controller in the same domain as the home office, just let the AD
> installation wizard install DNS at the time of promo. Windows sets up
> default replication for the AD zone all by itself. If this is a new
> domain, pretty much the same thing. In either case, if you don't want
> your local DC resolving Internet names, add a forwarder on the DNS
> server to your ISP's DNS server.

Thanks Kurt

Yes, the branch office DC is another domain controller in the same
domain as the home office. I've checked on the DNS servers at HQ (also
DCs), and we have a folder called 'cached lookups'; is this a default to
save unnecessary DNS requests?

Also, to add a forwarder to the ISP's DNS server, do I add the ISP's DNS
server's IP address into the 'use the following DNS server addresses'
field in the TCP/IP properties of the LAN connection? Or is there a
different method to add a DNS forwarder?

Many thanks.
 
Kurt

> Thanks Kurt
> Yes, the branch office DC is another domain controller in the same
> domain as the home office. I've checked on the DNS servers at HQ (also
> DCs), and we have a folder called 'cached lookups'; is this a default to
> save unnecessary DNS requests?

Exactly!

> Also, to add a forwarder to the ISP's DNS server, do I add the ISP's DNS
> server's IP address into the 'use the following DNS server addresses'
> field in the TCP/IP properties of the LAN connection? Or is there a
> different method to add a DNS forwarder?

You should only list your own DNS server in the TCP/IP properties of all
workstations and servers. To enable forwarders, on the DNS server,
right-click the server name in the DNS snap-in and specify forwarders
there. That will make sure you can always resolve your own local names
and services, but will off-load recursive lookups for off-site names to
your ISP (after all, you're paying for that service). Note that your own
DNS server is completely capable of looking up Internet names without
your ISP's help. It really is a matter of server load. Many DCs are just
DCs, and have plenty of time to look up a few names.

....kurt
 
kammy_boy186

> workstations and servers. To enable forwarders, on the DNS server,
> right-click the server name in the DNS snap-in and specify forwarders
> there. That will make sure you can always resolve your own local names
> and services, but will off-load recursive lookups for off-site names to
> your ISP (after all, you're paying for that service). Note that your own
> DNS server is completely capable of looking up Internet names without
> your ISP's help. It really is a matter of server load. Many DCs are just
> DCs, and have plenty of time to look up a few names.
>
> ...kurt

Cheers...just one final question to satisfy my own curiosity.... is
this the way DNS is handled in most organisations (i.e. the local DNS
servers handling local lookups only and using a forwarder to their ISP
DNS servers for external lookups)?
If I wanted to build a separate DNS server, independent of the DC, that
would handle both internal and external lookups, what would be the
process and advantages/disadvantages? Am I correct in thinking that
larger organisations use their own DNS servers for web lookups rather
than their ISP's?
 
Kurt

> Cheers...just one final question to satisfy my own curiosity.... is
> this the way DNS is handled in most organisations (i.e. the local DNS
> servers handling local lookups only and using a forwarder to their ISP
> DNS servers for external lookups)?
> If I wanted to build a separate DNS server, independent of the DC, that
> would handle both internal and external lookups, what would be the
> process and advantages/disadvantages? Am I correct in thinking that
> larger organisations use their own DNS servers for web lookups rather
> than their ISP's?

Again, it really depends on the particulars of the site. If a domain
controller is busy handling its basic responsibilities, an organization
might use other servers for DNS. In a large organization where Internet
name lookups are fast and furious, the DNS admins may prefer to have the
ISP's servers doing lookups, and so will configure forwarders. Or, in
some cases (like where I work) we have our own BIND (Linux) caching-only
DNS servers for Internet lookups and our DCs/DNS servers forward to them
for off-site name resolution. DNS lookups are not really a high overhead
process. Other than the local cache, no database is maintained. Take a
look at your server load, then add a forwarder and see if it makes any
significant difference.

....kurt
 
Herb Martin

> Cheers...just one final question to satisfy my own curiosity.... is
> this the way DNS is handled in most organisations (i.e. the local DNS
> servers handling local lookups only and using a forwarder to their ISP
> DNS servers for external lookups)?

Yes (sort of). Most organizations that "do it right"
have the internal DNS servers handling the internal
resolution, and forwarding [SOMEWHERE].

That SOMEWHERE is frequently the ISP DNS server
but better (even than that) is to forward to your own
"caching only" DNS Server at your Firewall/Gateway
(area).

The latter is best because this keeps critical and
sensitive internal servers from having to visit the
Internet at all.

A case can be made that the ISP is less safe than
a DNS server under the control of a smart admin (you.)

> If I wanted to build a separate DNS server, independent of the DC, that
> would handle both internal and external lookups, what would be the
> process and advantages/disadvantages?

It's overcomplicated and not more effective unless you
do it as suggested above:

Internal machines use internal DNS server which forward
to either the ISP or Firewall/Gateway DNS.

> Am I correct in thinking that
> larger organisations use their own DNS servers for web lookups rather
> than their ISP's?

Yes, generally -- as suggested above.

Although a case can be made for preferring "own" over
ISP, a performance case can sometimes be made the
other way around -- and this does depend on the reliability
and (strong) security practices of the ISP (versus how
smart and proactive about security the corp admins are.)
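As an added illustration of the setup Kurt and Herb describe (forwarders on the DC's DNS service, clients pointed only at the internal DNS server, off-site lookups handed to a caching-only resolver at the gateway or, failing that, to the ISP), here is the same configuration done with the Windows Server 2003 dnscmd and netsh tools. This is example code added here, not from the thread; the addresses, DHCP scope, AD domain name and connection name are assumed placeholders.

```batch
@echo off
REM Added example, not from the thread. Run on the branch DC that hosts DNS and DHCP.
REM Assumed placeholders: BRANCH_DNS = this DC, BRANCH_SCOPE = the branch DHCP scope,
REM GATEWAY_DNS = a caching-only resolver at the firewall/gateway (Herb's preferred
REM target) or the ISP's resolver (Kurt's forwarder). corp.example = assumed AD domain.
set BRANCH_DNS=10.20.0.10
set BRANCH_SCOPE=10.20.0.0
set GATEWAY_DNS=192.0.2.53

REM 1. Forward off-site lookups. /Slave makes the server use the forwarder only and
REM    never fall back to iterative queries against the root servers, so the DC itself
REM    never has to visit the Internet for names it is not authoritative for.
dnscmd . /ResetForwarders %GATEWAY_DNS% /Slave

REM 2. Clients get ONLY the internal DNS server (DHCP option 006), never the ISP's.
REM    AD names (the SRV records for LDAP/Kerberos) then always resolve locally.
netsh dhcp server scope %BRANCH_SCOPE% set optionvalue 006 IPADDRESS %BRANCH_DNS%

REM 3. Statically addressed servers list only the internal DNS server as well.
netsh interface ip set dns name="Local Area Connection" source=static addr=%BRANCH_DNS%

REM 4. Verify: forwarder settings, then an internal and an external name, both asked of
REM    the branch DNS server. The SRV record should come back from the AD zone; the
REM    external name should come back non-authoritative, answered via the forwarder.
dnscmd . /Info
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example %BRANCH_DNS%
nslookup www.example.com %BRANCH_DNS%
```

Without /Slave the DC would still do its own root-server lookups whenever the forwarder does not answer, which is the behaviour Kurt and Herb are trying to avoid.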
 
