Split DNS Configuration

Bill: Recently we have implemented Windows 2003 Active Directory from NT 4.0 in which my NT DNS servers forwarded to our ISP's DNS servers for external name resolution.  I still do that with our AD DNS servers and am starting to see problems. 

My proposed solution is to implement DNS servers on the DMZ that do the forwarding to the ISP.  However, for internal name resolution, I was going to use a split DNS configuration on the TCP/IP properties of the clients, with the first DNS server as the internal AD server, and the secondary and tertiary DNS as the DNS forwarding servers in the DMZ.  Would this be an optimal configuration or would it pose performance and security problems?

Also, should the DMZ caching servers forward to my ISP's DNS servers, let them cache from the root servers, or both?
—A.J.

A.J.: Here's the problem I see with your proposed configuration. If the clients can't get access to the primary server (which hosts the SRV records for Active Directory), they'll fall back on a public server that doesn't have these records. This can cause authentication and other problems that would be difficult to diagnose.

A better solution would be to maintain two DNS servers in the private network, both of which forward to the caching server in the DMZ. If you use AD-integrated DNS zones, you can use the second domain controller as the second DNS server.

The caching server in the DMZ should only forward to your ISP. It should not have root hints and should not be authoritative for your public DNS domain.

Hope this helps...
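The failure mode in the answer above, as an added example that is not part of the original column: a small Python model of a Windows-style client resolver that tries its DNS servers in order and treats the first reachable server's answer (including a negative one) as final. The internal AD DNS servers hold the `_ldap._tcp.dc._msdcs` SRV records and forward everything else to a DMZ caching server, which in turn forwards only to the ISP. The domain name, host names and addresses are constructed placeholders, and `proposed_design` / `recommended_design` are names chosen here to contrast the reader's plan (DMZ server as secondary) with the column's recommendation (second AD DNS server as secondary).

```python
"""Model of DNS client fallback for Active Directory SRV lookups.

Constructed example: shows why a DMZ/public server listed as the client's
secondary DNS server breaks domain-controller location when the primary is
down, while a second internal AD-integrated server does not.
"""
from dataclasses import dataclass
from typing import Optional

AD_DOMAIN = "corp.example"                      # assumption: placeholder AD domain
DC_SRV = f"_ldap._tcp.dc._msdcs.{AD_DOMAIN}"    # SRV name clients use to find a DC


@dataclass
class DnsServer:
    name: str
    records: dict                               # qname -> answers (constructed data)
    forwarder: Optional["DnsServer"] = None     # where unknown names are forwarded
    up: bool = True

    def query(self, qname):
        """Answer from local data, else via the forwarder; no root hints anywhere."""
        if not self.up:
            return "TIMEOUT", []
        if qname in self.records:
            return "NOERROR", list(self.records[qname])
        if self.forwarder is not None:
            rcode, answers = self.forwarder.query(qname)
            return ("SERVFAIL", []) if rcode == "TIMEOUT" else (rcode, answers)
        return "NXDOMAIN", []


def client_resolve(servers, qname):
    """Client behaviour: move to the next server only when one does not respond.
    A reachable server's NXDOMAIN is accepted as final, which is exactly why a
    public fallback server is harmful for AD-only names."""
    for s in servers:
        rcode, answers = s.query(qname)
        if rcode != "TIMEOUT":
            return s.name, rcode, answers
    return None, "TIMEOUT", []


def build_topology():
    """ISP resolver <- DMZ caching forwarder <- two AD-integrated DNS servers."""
    isp = DnsServer("isp-resolver", {"www.example.net": ["203.0.113.10"]})
    dmz_cache = DnsServer("dmz-cache", {}, forwarder=isp)   # forward-only, no zones
    ad_zone = {
        DC_SRV: ["dc1.corp.example", "dc2.corp.example"],
        "dc1.corp.example": ["10.0.0.1"],
        "dc2.corp.example": ["10.0.0.2"],
    }
    dc1 = DnsServer("dc1", dict(ad_zone), forwarder=dmz_cache)
    dc2 = DnsServer("dc2", dict(ad_zone), forwarder=dmz_cache)  # AD-integrated replica
    return dc1, dc2, dmz_cache


def locate_dc(servers):
    """Return (server that answered, list of DC host names, empty if lookup failed)."""
    who, rcode, answers = client_resolve(servers, DC_SRV)
    return who, (answers if rcode == "NOERROR" else [])


def proposed_design(primary_up=True):
    """Reader's plan: primary = AD DNS, secondary = DMZ forwarder."""
    dc1, _dc2, dmz = build_topology()
    dc1.up = primary_up
    return locate_dc([dc1, dmz])


def recommended_design(primary_up=True):
    """Column's advice: both client DNS servers are internal AD DNS servers."""
    dc1, dc2, _dmz = build_topology()
    dc1.up = primary_up
    return locate_dc([dc1, dc2])


def external_lookup(primary_up=True):
    """External names still resolve through dc1/dc2 -> dmz-cache -> ISP."""
    dc1, dc2, _dmz = build_topology()
    dc1.up = primary_up
    return client_resolve([dc1, dc2], "www.example.net")


if __name__ == "__main__":
    print("proposed, primary down:   ", proposed_design(primary_up=False))
    print("recommended, primary down:", recommended_design(primary_up=False))
    print("external, primary down:   ", external_lookup(primary_up=False))
```

With the primary down, `proposed_design` returns an empty DC list because the DMZ cache (via the ISP) answers NXDOMAIN for the SRV name and the client stops there; `recommended_design` still finds both domain controllers through the second AD-integrated server, and external names keep resolving through the forwarding chain.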

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
