Split DNS Configuration

Bill: Recently we have implemented Windows 2003 Active Directory from NT 4.0 in which my NT DNS servers forwarded to our ISP's DNS servers for external name resolution.  I still do that with our AD DNS servers and am starting to see problems. 

My proposed solution is to implement DNS servers on the DMZ that do the forwarding to the ISP.  However, for internal name resolution, I was going to use a split DNS configuration on the TCP/IP properties of the clients, with the first DNS server as the internal AD server, and the secondary and tertiary DNS as the DNS forwarding servers in the DMZ.  Would this be an optimal configuration or would it pose performance and security problems?

Also, should the DMZ caching servers forward to my ISP's DNS servers, let them cache from the root servers, or both?
—A.J.

A.J.: Here's the problem I see with your proposed configuration. If the clients can't get access to the primary server (which hosts the SRV records for Active Directory), they'll fall back on a public server that doesn't have these records. This can cause authentication and other problems that would be difficult to diagnose.

A better solution would be to maintain two DNS servers in the private network, both of which forward to the caching server in the DMZ. If you use AD-integrated DNS zones, you can use the second domain controller as the second DNS server.

The caching server in the DMZ should only forward to your ISP. It should not have root hints and should not be authoritative for your public DNS domain.

Hope this helps...
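The configuration Bill recommends, together with the check that catches the failure mode he describes (a client failing over to a resolver that has no Active Directory SRV records), as an added PowerShell example that is not part of the original column. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later, or RSAT); the Windows 2003 servers in the question would do the same steps in the DNS console, dnscmd and nslookup. Every name and address below (corp.example, the 10.0.0.x, 192.0.2.53 and 198.51.100.x addresses, the interface alias) is a placeholder.

```powershell
# Added example for this column's recommendation; not Bill Boswell's code.
# Assumes the DnsServer and DnsClient PowerShell modules. All names and
# addresses are placeholders chosen for illustration.

$AdDomain    = 'corp.example'                    # placeholder AD DNS domain
$InternalDns = @('10.0.0.10', '10.0.0.11')       # two AD-integrated DNS servers (the DCs)
$DmzCache    = '192.0.2.53'                      # caching-only forwarder in the DMZ
$IspDns      = @('198.51.100.1', '198.51.100.2') # the ISP's resolvers

# 1. On each internal DNS server: forward everything you are not authoritative
#    for to the DMZ cache only, and never fall back to root hints.
#    (Run on each internal server, or target it with -ComputerName.)
Set-DnsServerForwarder -IPAddress $DmzCache -UseRootHint $false

# 2. On the DMZ caching server: forward only to the ISP, strip the root hints,
#    and confirm it hosts no zones of its own (it must not be authoritative
#    for the public domain). Only auto-created zones should remain.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
$hosted = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
if ($hosted) {
    Write-Warning "DMZ cache is authoritative for: $($hosted.ZoneName -join ', ')"
}

# 3. On clients: list only the internal servers, never the DMZ cache or the
#    ISP, so a failover can never land on a server without the AD SRV records.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $InternalDns

# 4. Verification: every server a client may fail over to must answer the
#    domain-controller locator query. A server that returns no SRV records
#    is exactly the fallback the column warns about.
function Test-AdSrvResolution {
    param([string[]]$Servers, [string]$Domain)
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    foreach ($s in $Servers) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{ Server = $s; SrvRecords = @($srv).Count; Ok = (@($srv).Count -gt 0) }
        } catch {
            # Timeout, REFUSED or NXDOMAIN all mean this server cannot locate a DC.
            [pscustomobject]@{ Server = $s; SrvRecords = 0; Ok = $false }
        }
    }
}

# Check the resolvers the client is actually configured with.
$clientServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses -Unique
Test-AdSrvResolution -Servers $clientServers -Domain $AdDomain | Format-Table -AutoSize
```

Any row with Ok = False is a resolver the client could fail over to without being able to find a domain controller; with the proposed DMZ-as-secondary layout that is what the second and third rows would show. On Windows 2003 the equivalent one-off check is `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example 10.0.0.10`, repeated against each server in the client's list.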

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
