Windows DC name vs. Public DNS name


Ohaya

Hi,

I hope that this is not a dumb question...

If I have a Windows 2K Server that's configured as a "standalone" root
domain controller for, say domain "foo.com" (i.e., it's not part of
another domain), and this server is only used to host a website (using
IIS), does it matter what name I register with a public registrar and
the registrar's domain name servers?

What I mean is, if I happened to configure the Win2K server/DC with the
name "foo.com", then later, we decide that, from the external world, we
want them to use, say "whatever.com", and I register that name with a
public registry of, say, "whatever.com", and use that name in public
domain name server (from the registrar), will this work all right? Will
people be able to get to this server using http://whatever.com?

Thanks!

Jim
 

Ace Fekay [MVP]

Ohaya said:
> Hi,
>
> I hope that this is not a dumb question...
>
> If I have a Windows 2K Server that's configured as a "standalone" root
> domain controller for, say domain "foo.com" (i.e., it's not part of
> another domain), and this server is only used to host a website (using
> IIS), does it matter what name I register with a public registrar and
> the registrar's domain name servers?
>
> What I mean is, if I happened to configure the Win2K server/DC with
> the name "foo.com", then later, we decide that, from the external
> world, we want them to use, say "whatever.com", and I register that
> name with a public registry of, say, "whatever.com", and use that
> name in public domain name server (from the registrar), will this
> work all right? Will people be able to get to this server using
> http://whatever.com?
>
> Thanks!
>
> Jim

Yes they can. Not a dumb question. This is normal if your server is hosting
multiple domains, as an ISP. I host about 25 names the same exact way. Just
register the name, but they require 2 nameservers to host it. You can fudge
that by giving two IP addresses pointing to the same server (not really
recommended). What is also NOT recommended is using an AD DC to host public
data, since this would be a security concern.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ohaya

Ace Fekay said:
> Yes they can. Not a dumb question. This is normal if your server is hosting
> multiple domains, as an ISP. I host about 25 names the same exact way. Just
> register the name, but they require 2 nameservers to host it. You can fudge
> that by giving two IP addresses pointing to the same server (not really
> recommended). What is also NOT recommended is using an AD DC to host public
> data, since this would be a security concern.


Ace,

Thanks for the really quick response :)!

FYI, we don't want this server to be accessible from the outside world
using AD DC name ("foo.com" in my example).

And, I think the registrar we're using maintains two separate domain
name servers, so I think we're ok, right?

Jim
 

Ace Fekay [MVP]

Ohaya said:
> Ace,
>
> Thanks for the really quick response :)!
>
> FYI, we don't want this server to be accessible from the outside world
> using AD DC name ("foo.com" in my example).
>
> And, I think the registrar we're using maintains two separate domain
> name servers, so I think we're ok, right?
>
> Jim

Then yes, you're safe. No outside access.

If you have any other concerns, please post back.
Happy Holidays!
:)


--
Regards,
Ace

 

Ohaya

Ace Fekay said:
> Then yes, you're safe. No outside access.
>
> If you have any other concerns, please post back.
> Happy Holidays!
> :)


Ace,

Thanks. You've been very helpful, and, same to you and all on this
NG!!!
 

Ace Fekay [MVP]

Ohaya said:
> Ace,
>
> Thanks. You've been very helpful, and, same to you and all on this
> NG!!!

Thanks!
:)

--
Regards,
Ace

 

Ohaya

Ohaya said:
> Ace,
>
> Thanks. You've been very helpful, and, same to you and all on this
> NG!!!


Hi,

I've been re-reading this thread, and a thought occurred to me (happens
once in a while :)!).

In one of your earlier posts, you mentioned that it's not recommended to
"use an AD DC to host public data".

In our case, as I explained, the AD DC machine is the only one connected
to the "external network". There are several other machines connected
to this AD DC machine, via a 2nd NIC, and this NIC is on a separate,
private subnet assigned to it. In other words, it looks something like:

External Network
      |  (Public IP Add.)
      |
  AD/DC machine -- (Private IP Add.) -- SWITCH --+-- Backend Server1
                                                 |
                                                 +-- Backend Server2
                                                     (All Private IP Addresses)


As I explained, we have AD and DNS Servers, as well as IIS, running on
the AD DC machine, but no "data", either public or private, on it
(except for whatever an Active Directory and DNS needs).

Is this "not good"?

Should we instead, maybe, re-arrange things so that one of the backend
servers run AD and DNS server?

This is kind of our "standard" configuration (i.e., I didn't come up
with it, it was kind of given to me to implement), so I don't know if I
could get them to agree to such a change, but if this config is
particularly vulnerable from a security standpoint, I can try to at
least make the point. From what I understand, the main reason we're
running AD on any of these machines is because management-wise, they
like to use AD and GPOs to disseminate settings to the other machines
from one machine (the AD DC).

Jim
 

Ace Fekay [MVP]

Ohaya said:
> Hi,
>
> I've been re-reading this thread, and a thought occurred to me
> (happens once in a while :)!).
>
> In one of your earlier posts, you mentioned that it's not recommended
> to "use an AD DC to host public data".
>
> In our case, as I explained, the AD DC machine is the only one
> connected to the "external network". There are several other machines
> connected to this AD DC machine, via a 2nd NIC, and this NIC is on a
> separate, private subnet assigned to it. In other words, it looks
> something like:
>
> External Network
>       |  (Public IP Add.)
>       |
>   AD/DC machine -- (Private IP Add.) -- SWITCH --+-- Backend Server1
>                                                  |
>                                                  +-- Backend Server2
>                                                      (All Private IP Addresses)
>
> As I explained, we have AD and DNS Servers, as well as IIS, running on
> the AD DC machine, but no "data", either public or private, on it
> (except for whatever an Active Directory and DNS needs).
>
> Is this "not good"?
>
> Should we instead, maybe, re-arrange things so that one of the backend
> servers run AD and DNS server?
>
> This is kind of our "standard" configuration (i.e., I didn't come up
> with it, it was kind of given to me to implement), so I don't know if
> I could get them to agree to such a change, but if this config is
> particularly vulnerable from a security standpoint, I can try to at
> least make the point. From what I understand, the main reason we're
> running AD on any of these machines is because management-wise, they
> like to use AD and GPOs to disseminate settings to the other machines
> from one machine (the AD DC).
>
> Jim

Well, you never want to have mixed internal and external IPs on a DNS. This
is whether you're hosting your external domain or not. It's tricky running a
DC with DNS that's multihomed due to the mixed records, and it can cause issues
with domain communication, logons, etc. I normally recommend not using such a
box for this, but rather a standalone.

Is there any way you can use a Linksys or Netscreen or something like that instead?

--
Regards,
Ace

 

Jonathan de Boyne Pollard

AF> What is also NOT recommended is using an AD DC to host
AF> public data, since this would be a security concern.

O> [...] we have AD and DNS Servers, as well as IIS, running on
O> the AD DC machine, but no "data", either public or private,
O> on it (except for whatever an Active Directory and DNS needs).
O>
O> Is this "not good"?

Ace specifically said that the hosting of actual data was a part of the
security concern. (Actually, the main problem is that when using an Active
Directory integrated DNS server one _cannot hide private data_, which
sometimes can cause severe problems for query resolution; not that there is a
problem with public data /per se/.) There can also be, as he mentioned,
problems with running Microsoft DNS servers on machines with multiple
interfaces.

However, what would _definitely_ be "not good" would be if that machine
provided DNS service to the rest of Internet. Best practice, where (as here)
there is no actual DNS database content at all to be published to the rest of
Internet, is to ensure that one's firewall rules completely prevent query
datagrams from the rest of Internet actually reaching one's DNS server in the
first place.
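Two of the concerns raised in this thread can be checked mechanically: Ace's point about mixed internal and external IPs in one DNS server, and Jonathan's point that the DNS service on a multihomed DC must not be reachable from the Internet. The audit below is an added example, not code from anyone in the thread; the zone fragment, interface addresses and listener list are constructed sample data for the thread's "foo.com" domain.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that must never be handed to Internet clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone for the thread's AD domain (foo.com): the multihomed DC
# has registered both its public and its private NIC address, and a backend server
# on the private subnet is also present. Addresses are documentation/RFC 1918 values.
SAMPLE_ZONE = """\
foo.com.           IN A  203.0.113.10
www.foo.com.       IN A  203.0.113.10
dc1.foo.com.       IN A  203.0.113.10
dc1.foo.com.       IN A  192.168.1.1
backend1.foo.com.  IN A  192.168.1.11
"""

A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$", re.IGNORECASE)

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def parse_a_records(zone_text):
    """Return (name, IPv4Address) pairs for each A record in a BIND-style fragment."""
    records = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1).lower(), ipaddress.ip_address(m.group(2))))
    return records

def mixed_names(records):
    """Names that resolve to both an RFC 1918 and a public address (the 'mixed
    internal and external IPs' case): outside clients that get the private answer
    cannot connect, and inside clients may be sent out via the public side."""
    kinds = {}
    for name, ip in records:
        kinds.setdefault(name, set()).add(is_rfc1918(ip))
    return sorted(n for n, k in kinds.items() if k == {True, False})

def private_leaks(records):
    """Private addresses this zone would disclose if it answered Internet queries."""
    return sorted((n, str(ip)) for n, ip in records if is_rfc1918(ip))

def exposed_listeners(listen_addrs, public_ifaces):
    """DNS listen addresses on an Internet-facing interface (or the wildcard):
    query datagrams from outside reach the server unless the firewall drops them."""
    return sorted(a for a in listen_addrs if a == "0.0.0.0" or a in public_ifaces)
```

Run `mixed_names` and `private_leaks` over the DC's zone export, and `exposed_listeners` over the DNS server's configured listen addresses against the set of public NIC addresses; any non-empty result is a finding to fix in the zone or in the firewall rules.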
 
