05/02/2008, 14:34   #5
Brad Baker
 
Re: Default SOA and NS records with Windows 2000 AD Integrated DNS

>> No, just common knowledge to not use a DC for something that is just
>> hosting DNS. All documentation points to how to use a DC for what it is
>> meant and designed for. If management chose to use a DC for public DNS
>> hosting, I'm sure they had some sort of reason that I can't think of.

I've honestly never read or heard anyone mention this. I was not with my
company when the decision was made to utilize our AD integrated DNS servers
for hosting public DNS. I suspect the rationale was to save resources.

When my company was first forming ten years ago, two extra DNS servers would
have been too expensive. Since then we have grown from 1 customer to 250
with over 500 DNS zones. As we grew there weren't any DNS performance
problems per se, and as the old adage goes - if it's not broke, don't fix it!

I'm sure we could afford separate DNS servers now. The only issue is
convincing management. I'm sure they will want some sort of explanation and
references to Microsoft or third party documentation explaining why we
should do that.



>> So you got me curious now, and with all due respect, I am not criticizing
>> anyone, just curious - What was the reason for choosing to use DCs for
>> public DNS servers? Just for AD integrated zones? There's a huge overhead
>> with DCs just to reap that benefit, especially with hundreds of zones. Are
>> these DCs your domain controllers for your internal corporate domain as
>> well?

As mentioned above - cost savings and ease. We already had DNS servers set up
for AD; I'm sure it just made sense at the time to re-use them. As far as
performance goes we've never really noticed an issue.

The only reason we're running into a problem now is due to the way AD
integrated DNS works - i.e. it seems to register some records (primarily
SOA and NS) itself, and it's using server names that we don't really want
utilized. We're planning on upgrading our DCs and as such the DC server
names will change. This will result in problems with all our DNS zones as I
think we will end up with invalid NS records and conceivably SOA records.

There are some other problems - notably that there are getting to be too
many zones on the server - which makes using the Microsoft DNS MMC slow. But
besides that, everything works fine on some rather old servers (Dell
PE1550s). Reports at dnsstuff.com give our servers a score of B- (noting: a
rating of 'B' or higher is generally good; this tool is very picky!).



> Here's an interesting read, but I don't think it adds much to the
> conversation other than recommending not to do this:
> Rarely would you ever host public DNS on your DC...
> http://www.neowin.net/forum/lofivers...p/t598323.html

I wish there was an MS KB article that stated this. It would certainly be a
lot more authoritative. But thanks for the link - at least it's a starting
point and something I can concretely reference when I bring this to
management's attention.



> Multihoming a DC can be a disaster for the DC as well.


I've heard that before from Microsoft support - one of our two DCs/DNS
servers has multiple IPs on it. I'm hoping to fix that when we upgrade AD.




"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:e$O%23YO7ZIHA.1208@TK2MSFTNGP05.phx.gbl...
> In news:uG7JHV0ZIHA.4440@TK2MSFTNGP06.phx.gbl,
> Brad Baker <brad@nospam.nospam> typed:
>> > You're using AD with DNS for public servers? Usually not recommended,
>> > but that's ok.

>>
>> I can certainly switch (its something I've considered anyway) but can
>> you point me to any documentation which backs up your statement? That
>> would go a long way in convincing management that this is something
>> we should do.
>> Thank You,
>> Brad

>
> No, just common knowledge to not use a DC for something that is just
> hosting DNS. All documentation points to how to use a DC for what it is
> meant and designed for. If management chose to use a DC for public DNS
> hosting, I'm sure they had some sort of reason that I can't think of.
>
> So you got me curious now, and with all due respect, I am not criticizing
> anyone, just curious - What was the reason for choosing to use DCs for
> public DNS servers? Just for AD integrated zones? There's a huge overhead
> with DCs just to reap that benefit, especially with hundreds of zones. Are
> these DCs your domain controllers for your internal corporate domain as
> well?
>
> Besides, a DC's overhead just slows it down, especially with hosting
> hundreds and hundreds of zones. When I used to host DNS for public
> records, I had two standalone servers, disabled NetBIOS on them as well as
> F&P services, and used IPSec to control port access. Ran lean and
> mean. It will be difficult to do that with DCs. A DC is meant to host a
> directory service providing centralized account and security control for
> its domain, not for hosting public zones.
>
> Here's an interesting read, but I don't think it adds much to the
> conversation other than recommending not to do this:
> Rarely would you ever host public DNS on your DC...
> http://www.neowin.net/forum/lofivers...p/t598323.html
>
> The SOAs will also change back and forth on the zones because of AD processes,
> replication between the two DCs, as well as DNS registration. This is
> something that may make you wonder what is going on, but is part of the
> whole process.
>
> Multihoming a DC can be a disaster for the DC as well.
>
> Ace
>



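The post above anticipates the concrete failure mode of renaming the DCs: with 500+ zones, the apex NS records and SOA MNAME that AD-integrated DNS registered on its own will keep naming the old hosts, and a public delegation that still lists them goes lame. An audit across every zone is the first thing a practitioner wants before the rename. The script below is an added example, not code from the thread; it parses zone exports in the RFC 1035 text layout that `dnscmd /ZoneExport` (or any zone-file export) writes, and reports, per zone, whether the SOA MNAME or any NS record still names a retiring host, which NS entries are not in the intended public set, and which intended servers are missing. The three zone exports, the DC hostnames and the public nameserver names are all constructed for the example.

```python
"""Audit apex NS/SOA records across exported DNS zones before a DC rename.

Added example, not code from the thread. Zone exports, hostnames and
addresses below are constructed; RFC 1035 text layout as written by
`dnscmd /ZoneExport`, trimmed to the records that matter.
"""

# Record types the parser recognises; a line with none of these is ignored.
RTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}

# Constructed sample exports (hypothetical zones and hostnames).
ZONE_EXPORTS = {
    "example.com": """\
; constructed export of example.com
$TTL 3600
@       IN SOA dc1.corp.example.com. hostmaster.example.com. (
            2008020501 ; serial
            900 600 86400 3600 )
@       IN NS  dc1.corp.example.com.
        IN NS  dc2.corp.example.com.
@       IN NS  ns1.example.net.
www     IN A   192.0.2.10
""",
    "example.org": """\
@ IN SOA ns1.example.net. hostmaster.example.org. 2008020101 900 600 86400 3600
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
""",
    "customer3.example": """\
customer3.example. IN SOA dc2.corp.example.com. hostmaster.example.com. 2008020401 900 600 86400 3600
customer3.example. IN NS dc1.corp.example.com.
customer3.example. IN NS dc2.corp.example.com.
mail               IN A  192.0.2.25
""",
}

# Hostnames that disappear with the DC upgrade, and the servers the public
# delegation should list afterwards (both assumptions for the example).
RETIRING_DC_HOSTS = {"dc1.corp.example.com", "dc2.corp.example.com"}
INTENDED_PUBLIC_NS = {"ns1.example.net", "ns2.example.net"}


def _fqdn(name):
    """Normalise a hostname to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def _logical_lines(text):
    """Yield one record per item: ';' comments stripped and any
    parenthesised continuation (multi-line SOA) joined onto one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
    if buf:  # unbalanced parenthesis at end of file: flush what we have
        yield " ".join(buf).replace("(", " ").replace(")", " ")


def parse_apex_records(zone, text):
    """Return (soa_mname, set_of_ns_targets) for the zone apex only."""
    apex = {"@", zone, zone + "."}
    soa_mname, ns, owner = None, set(), None
    for line in _logical_lines(text):
        if line.startswith("$"):  # $ORIGIN / $TTL directives
            continue
        if line[0].isspace():     # blank owner field inherits the previous one
            tokens = [owner] + line.split()
        else:
            tokens = line.split()
            owner = tokens[0]
        if tokens[0] not in apex:
            continue
        # Skip optional TTL and class fields and locate the record type.
        for i, tok in enumerate(tokens[1:], 1):
            if tok.upper() in RTYPES:
                rtype, rdata = tok.upper(), tokens[i + 1:]
                break
        else:
            continue
        if rtype == "SOA" and rdata:
            soa_mname = _fqdn(rdata[0])   # MNAME is the first SOA field
        elif rtype == "NS" and rdata:
            ns.add(_fqdn(rdata[0]))
    return soa_mname, ns


def audit(zone_exports, retiring_hosts, intended_ns):
    """Per zone: SOA/NS still on retiring hosts, and delegation drift."""
    retiring = {_fqdn(h) for h in retiring_hosts}
    intended = {_fqdn(h) for h in intended_ns}
    findings = {}
    for zone, text in zone_exports.items():
        mname, ns = parse_apex_records(zone, text)
        findings[zone] = {
            "soa_mname": mname,
            "soa_on_retiring_host": mname in retiring,
            "ns_on_retiring_hosts": sorted(ns & retiring),
            "ns_not_intended": sorted(ns - intended),
            "intended_ns_missing": sorted(intended - ns),
        }
    return findings


def zones_needing_work(findings):
    """Zones that must be fixed before the old DC names go away."""
    return sorted(z for z, f in findings.items()
                  if f["soa_on_retiring_host"] or f["ns_on_retiring_hosts"]
                  or f["ns_not_intended"] or f["intended_ns_missing"])


if __name__ == "__main__":
    results = audit(ZONE_EXPORTS, RETIRING_DC_HOSTS, INTENDED_PUBLIC_NS)
    for zone in zones_needing_work(results):
        f = results[zone]
        print(f"{zone}: SOA MNAME={f['soa_mname']} "
              f"NS on retiring hosts={f['ns_on_retiring_hosts']} "
              f"missing intended NS={f['intended_ns_missing']}")
```

On a real server the input would be one exported file per zone rather than the embedded strings; the parser deliberately looks only at the apex owner, since that is where AD-integrated DNS registers the NS and SOA entries the post is worried about. Note that fixing the zone data is only half of the job: the NS set the parent (registrar) delegates to must also be updated, which this offline check cannot see.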
 