#1

I have been working with windows servers for over 3 years now and I really thought I had a good understanding of how to install and configure dns, but I just read a kb that disputes information I was given from microsoft techs during support calls. Here is the kb: http://support.microsoft.com/kb/814591

There are two points that were news to me. First, the article states that you should set up your isp's dns server as a forwarder. I at one point in time set up a server 2003 machine on my local lan at home using ad integrated dns and had put verizon's dns server as a forwarder and had problems because of it and was told that this isn't a good practice. I removed it and everything worked fine after that. So what is the best practice?

Second, the article says that you should allow both secure and unsecure dynamic updates, but on several support calls from different techs, they always make sure that is set to secure only. So, which is correct?

I also remember reading that it is a common practice for companies setting up active directory to create a public and private forward lookup zone; i.e. contoso.com and contoso.local, but I really am not sure how to configure the contoso.com zone, where can I find info on this?
#2

"Rodge" <Rodge@discussions.microsoft.com> wrote in message news:EA1E5060-43A6-4153-B0E9-086DCCFAECFA@microsoft.com...

> I have been working with windows servers for over 3 years now and I really
> thought I had a good understanding of how to install and configure dns, but I

[After reading your entire post, you probably do have a "good understanding" but I would venture that your main misunderstanding is in 'believing' what may have been offered as valid but general recommendations without fully understanding the issues that can change such recommendations in a particular situation. It may be that the sources you used to learn were not sufficiently clear about such caveats or you may have just not noticed or remembered them. PLEASE read my response in this light; there may not be a "right" answer for many design decisions, but there are generally better options when all the facts are known about a particular deployment.]

> just read a kb that disputes information I was given from microsoft techs
> during support calls. Here is the kb:
>
> http://support.microsoft.com/kb/814591
>
> There are two points that were news to me. First, the article states that
> you should set up your isp's dns server as a forwarder.

It's a CHOICE. "Should" is too strong a word, unless it is accompanied by a more full explanation.

Generally you "should NOT" allow your internal DNS, especially a DC, to do its own recursion (visit potentially every location) on the Internet, but rather prefer forwarding to either your own Gateway/Firewall DNS or to your ISP.

> I at one point in time
> set up a server 2003 machine on my local lan at home using ad integrated dns
> and had put verizon's dns server as a forwarder and had problems because of
> it and was told that this isn't a good practice.

It is not a good practice whenever the ISP is either unable to maintain a STABLE or SECURE DNS server. If your ISP were (perfectly) reliable then it would be a very good practice in many cases.

> I removed it and everything
> worked fine after that. So what is the best practice?

Forwarding from internal (sensitive) DNS servers to a RELIABLE and SECURE DNS server which handles the actual recursion on the Internet. (Either one in your gateway/firewall area or perhaps to the ISP if you can trust them.)

> Second, the article
> says that you should allow both secure and unsecure dynamic updates, but on
> several support calls from different techs, they always make sure that is set
> to secure only. So, which is correct?

Personally I think that allowing "unsecured" updates is a very poor choice -- much worse than forwarding to most ISPs -- and strongly recommend that you use AD Integrated DNS with SECURE ONLY. IF you are already using AD Integrated DNS there is seldom a reason to allow unsecured updates.*

* Theoretically you might have non-domain computers which need to be dynamically registered, but usually these can be handled by either the DHCP server (securely) or should be (re-thought and) done manually.

> I also remember reading that it is a common practice for companies setting
> up active directory to create a public and private forward lookup zone;
> i.e. contoso.com and contoso.local, but I really am not sure how to configure
> the contoso.com zone, where can I find info on this?

You only have to worry about the PUBLIC name (.com) if you actually wish to use that name either privately or on both the internal AND the Internet. Generally the public zone should be maintained on separate DNS servers, and for most small companies the public zone is best kept at the REGISTRAR rather than on your own DNS servers OR at an ISP.

--
Herb Martin, MCSE MVP
www.LearnQuick.Com
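The following audit script is an added example and is not code from the thread or from Herb Martin. It checks a Windows DNS server against the two recommendations in the reply above: Internet recursion should be forwarded to a resolver you trust rather than performed by the DC itself, and AD-integrated zones should accept secure dynamic updates only. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, so not the Server 2003 box in the question; the dnscmd.exe equivalents for that era are in the comments at the end). The forwarder addresses and the contoso.local zone name are constructed placeholders.

```powershell
# Added audit example (not from the original thread). Reports forwarding and
# dynamic-update settings that diverge from the advice in the reply:
#  (1) forward Internet recursion to a trusted resolver, not from the DC;
#  (2) accept only SECURE dynamic updates on AD-integrated primary zones.
# Requires the DnsServer module (Windows Server 2012+); run as a DNS admin.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Resolvers you trust to recurse on your behalf (gateway/firewall resolver
    # or a reliable ISP). Placeholder values from the 192.0.2.0/24
    # documentation range; replace with your own.
    [string[]]$ApprovedForwarders = @('192.0.2.53', '192.0.2.54')
)

$findings = @()

# --- 1. Forwarding / recursion -------------------------------------------
$fwd = Get-DnsServerForwarder -ComputerName $ComputerName
if (-not $fwd.IPAddress) {
    $findings += 'No forwarders configured: this server walks the Internet root hints itself.'
}
else {
    foreach ($ip in $fwd.IPAddress) {
        if ($ApprovedForwarders -notcontains $ip.IPAddressToString) {
            $findings += "Forwarder $ip is not on the approved list."
        }
    }
}
if ($fwd.UseRootHint) {
    # With UseRootHint on, the server still recurses by itself whenever the
    # forwarders do not answer, which undoes the point of forwarding.
    $findings += 'UseRootHint is enabled: server falls back to its own recursion if forwarders fail.'
}

# --- 2. Dynamic updates on primary forward zones -------------------------
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   -not $_.IsAutoCreated -and
                   -not $_.IsReverseLookupZone }
foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        $findings += "Zone $($z.ZoneName) is a file-backed primary; secure updates require an AD-integrated zone."
    }
    elseif ($z.DynamicUpdate -ne 'Secure') {
        # DynamicUpdate is one of None, NonsecureAndSecure, Secure.
        $findings += "Zone $($z.ZoneName) allows '$($z.DynamicUpdate)' dynamic updates; expected 'Secure'."
    }
}

# --- Report ---------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "No findings on $ComputerName."
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Remediation once you have chosen the resolver you trust (same module):
#   Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress 192.0.2.53,192.0.2.54 -UseRootHint $false
#   Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name contoso.local -DynamicUpdate Secure
# Server 2003 equivalents with dnscmd.exe (/Slave = no root-hint fallback;
# AllowUpdate 2 = secure only):
#   dnscmd /ResetForwarders 192.0.2.53 192.0.2.54 /Slave
#   dnscmd /Config contoso.local /AllowUpdate 2
```

The script only reports; the remediation lines are left as comments so the forwarder choice (gateway resolver versus ISP) stays a deliberate decision, which is the point Herb makes about "should" being too strong a word. Note that the second check deliberately flags file-backed primaries: secure-only updates are an AD-integrated feature, so a standard primary zone has no secure option to turn on.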