Tuesday, July 3, 2007

Do not point your DC/DNS servers to your ISP DNS servers

Do not configure the DNS settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers. Here is the short story behind why you should not point your DC (domain controller)/DNS server at any IP address other than the server's own IP address. When you promote a server to be a domain controller, the Active Directory database (NTDS.DIT) gets installed on the server. After installation, the DNS service on the domain controller needs to be able to provide services and information to the clients (workstations) that your DC serves.

The DC/DNS server, which is also the authentication server, is then ready to service the clients (workstations) when they need these services.

What type of services would a client request in an Active Directory environment? Authentication, for one: when a client enters a user name and password, some entity needs to look into the existing database, compare the information against what is stored there, validate it, and hand a Windows token back to the client so that the client can log into the domain.

Or let's say a client needs file access on the file server, or your workstation needs DHCP service to obtain an IP address. How will your client find these services? The client will use DNS, look at the SRV (service) records, and identify the domain controller, DHCP server, file server and so on.

The one your client asks all these questions is going to be your DC/DNS server, and you want your DC/DNS server to go to the DIT database, get all this good information and return it to the client.

Now think about a scenario where you configure your DC/DNS server's primary DNS address to point to your ISP's DNS servers. In effect you are telling your server: if someone asks you a question, go ask this other server (the ISP DNS server). Let's think about whether this will work. Your client asks your DC/DNS server where to find a printer, and your DC/DNS server has to ask the ISP DNS servers where the closest printer is located. The ISP DNS servers will come back and tell your DC/DNS server: what are you talking about? Who cares about your internal printer? Ask me how to get to such-and-such web site and I will assist you, but please do not ask me personal questions, I don't care. So you got your answer from the ISP DNS servers and now you need to pass it on to your client. Do you think your client will be happy to hear this? The answer is no.

So the short of this story is: when you run DCPROMO and define a DNS name space (yourcompany.com), your server becomes authoritative for that DNS name space. Your server should be able to answer all the questions regarding this DNS name space.
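An added example (my code, not from the original post) that audits exactly this on a domain controller: it lists every DNS server address the DC's own DNS client is configured with, flags any that is not a domain controller (an ISP resolver, for instance), and then checks that the LDAP locator SRV record for the domain actually resolves through this server. It assumes PowerShell 5.1 or later with the ActiveDirectory and DnsClient modules (Windows Server 2012 or later); the function name Test-DcDnsClientConfig and the remediation placeholders are mine.

```powershell
# Added example, not part of the original post. Assumes a Windows Server 2012+ domain
# controller with the ActiveDirectory and DnsClient PowerShell modules available.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DcDnsClientConfig {
    param(
        # Domain whose locator records we expect this DC to answer for.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Any domain controller in the domain is an acceptable DNS server for a DC to point at;
    # the loopback address covers "point the server at itself".
    $dcAddresses = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })
    $findings = @()

    # Inspect the DNS client list of every IPv4 interface on this DC.
    foreach ($iface in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
        foreach ($server in $iface.ServerAddresses) {
            $isDc = ($server -eq '127.0.0.1') -or ($dcAddresses -contains $server)
            if ($isDc) { $status = 'OK: domain controller' }
            else       { $status = 'WRONG: not a DC (ISP or other external resolver?)' }
            $findings += [pscustomobject]@{
                Interface = $iface.InterfaceAlias
                Target    = $server
                Status    = $status
            }
        }
    }

    # The real test of the story above: this DC must be able to hand back the SRV record
    # that clients use to locate domain controllers. If it cannot, logon and service
    # location break no matter what the interface settings look like.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $answer  = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    # Resolve-DnsName also returns the additional A records, so keep only the SRV answers.
    $srv = @($answer | Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -gt 0) { $status = "OK: $($srv.Count) SRV record(s) returned" }
    else                  { $status = 'WRONG: no SRV answer; clients cannot locate a DC through this server' }
    $findings += [pscustomobject]@{
        Interface = '(locator lookup)'
        Target    = $srvName
        Status    = $status
    }
    return $findings
}

Test-DcDnsClientConfig | Format-Table -AutoSize

# Remediation if a WRONG entry appears (placeholders: use your own interface index and
# the address of another DC that runs DNS):
# Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses ('<other-DC-IP>', '127.0.0.1')
```

Run it on each DC. A line whose Target is an address outside the domain controller list is the misconfiguration the post describes, and the locator lookup row shows whether clients using that DC can still find a domain controller at all.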

The story with forwarders: when a client asks a question about another DNS name space, one your server is not authoritative for, you are telling your server, ask this guy (the ISP DNS server). This is called a recursive query: if he does not know, he will ask someone else, get partial answers along the way, and eventually the information the client asked for comes back to the client, so the client can make a direct TCP/IP connection to the requested resource.

By the way, Windows Server 2003 out of the box can resolve Internet names by asking the root servers, using root hints.
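An added example (mine, not from the post) for the forwarder and root-hint side of the story, run on the DNS Server role itself: it reports whether forwarders are set and whether the server falls back to root hints, then queries the local server for one name it is authoritative for (the domain's LDAP SRV record) and one external name, so you can see the two resolution paths side by side. It assumes the DnsServer and DnsClient modules on Windows Server 2012 or later; the 203.0.113.x addresses are documentation placeholders standing in for the ISP's resolvers, www.example.com is the reserved documentation name, and the function names are mine.

```powershell
# Added example, not part of the original post. Assumes the DnsServer and DnsClient
# modules on a Windows Server 2012+ DC that runs the DNS Server role.
Import-Module DnsServer
Import-Module DnsClient

function Get-ExternalResolutionConfig {
    # How this server resolves names outside the zones it is authoritative for:
    # via configured forwarders, via root hints, or both (forwarders first, then root hints).
    $fwd = Get-DnsServerForwarder
    if ($fwd.IPAddress) {
        $list = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
    } else {
        $list = '(none: root hints only)'
    }
    [pscustomobject]@{
        Forwarders          = $list
        FallBackToRootHints = $fwd.UseRootHint
        RootHintServers     = @(Get-DnsServerRootHint).Count
    }
}

function Test-ResolutionPaths {
    param(
        [string]$Domain       = $env:USERDNSDOMAIN,   # name space this server is authoritative for
        [string]$ExternalName = 'www.example.com'     # constructed: reserved documentation name
    )
    $cases = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV'; Path = 'authoritative zone (answered from the DIT)' },
        @{ Name = $ExternalName;                 Type = 'A';   Path = 'forwarder or root hints (recursive query)' }
    )
    foreach ($case in $cases) {
        # Ask the local DNS server directly, skipping hosts file, LLMNR and NetBIOS.
        $answer = Resolve-DnsName -Name $case.Name -Type $case.Type -Server 127.0.0.1 `
                                  -DnsOnly -ErrorAction SilentlyContinue
        if ($answer) { $result = 'resolved' } else { $result = 'NO ANSWER' }
        [pscustomobject]@{
            Query    = $case.Name
            Path     = $case.Path
            Result   = $result
        }
    }
}

Get-ExternalResolutionConfig
Test-ResolutionPaths | Format-Table -AutoSize

# To forward to the ISP for names you are not authoritative for, and still fall back to
# root hints if the forwarders do not answer (placeholder addresses from the
# 203.0.113.0/24 documentation range; substitute the ISP's real resolvers):
# Set-DnsServerForwarder -IPAddress '203.0.113.53', '203.0.113.54' -UseRootHint $true
```

The point of the two-row output is that the internal SRV name must resolve without any forwarder being involved, because the server owns that zone, while the external name is the only one that should ever travel to the ISP or the root servers.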

http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html


Best
