
I have a client which has multiple sites all over the world. They have 2 domain controllers in the main location and every other location connects through to the main site with a VPN tunnel. Currently the network is more or less a disaster, so I'm trying to fix it. One thing in common for the secondary sites is that their routers, in the network settings, have the ISP's local DNS servers, so their DHCP-based computers get the "wrong" DNS servers. It's been like that for ages and they use IP addresses to connect to servers.

So I would like to fix it with proper DNS servers etc. I was planning to use an RODC and DNS server on the only server (with Terminal Services and a couple of programs like Visual Studio that people use for work) that is located at that site. The other option was to enter the DNS servers from the main location, but if the tunnel goes down employees will be confused and won't be able to access the internet (as they would need to change router settings), so this doesn't seem like a reliable solution.

My questions are as follows:

  1. If the VPN tunnel goes down, can people use DNS without problems (can they access the internet) and can they authenticate to local servers/workstations?
  2. Is it safe and recommended (??), or on the contrary not advised, to put the RODC/DNS server on the very same server as users and other programs?
  3. Any other advice regarding this setup?
MadBoy

1 Answer

When using an RODC you really have 2 options for DNS:

  • A read-only primary zone (yes, I know that doesn't sound right, but it is) which is Active Directory integrated, or
  • A standard secondary zone

Obviously having a writeable primary zone on an RODC (or in that office) is a security issue.

Assuming you have this, and you have set up cached credentials correctly in your Password Replication Policy, then when the network goes down your users should be able to continue working.

Assuming you have a read-only DNS zone to go with your RODC, then this should be safe. Obviously if you are caching credentials locally there is a slight risk there, but if you are using your PRP properly then you should be able to revoke these credentials should anything happen.

Sam Cogan
  • I guess read-only DNS also queries forwarders like any normal DNS server does? So when the network goes down it tries to resolve external DNS names like it normally would? – MadBoy Aug 01 '11 at 20:19
  • So you would usually (assuming an AD-integrated zone) create forwarders on your primary zone and let them replicate across to the RODC DNS, but other than that, yes. – Sam Cogan Aug 01 '11 at 20:23
  • Great, exactly what I was looking for. I'll set it up. It shouldn't be resource intensive so I guess it won't matter for users. – MadBoy Aug 01 '11 at 20:24
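The setup the answer describes (branch RODC with read-only AD-integrated DNS, a scoped Password Replication Policy, forwarders for external names, and a way to see and revoke what has been cached) as an added PowerShell walkthrough. This is not code from the question or the answer; it assumes Windows Server 2012 or later (the ADDSDeployment and DnsServer modules did not exist when the thread was written), and the domain name, site name, server name, group name and forwarder addresses are placeholders.

```powershell
# Added example, not from the original thread. Assumed names/values:
$Domain      = 'corp.example.com'       # assumed AD domain
$BranchSite  = 'Branch-Office'          # assumed AD site for the remote office
$RodcName    = 'BR-RODC01'              # assumed name of the branch server
$BranchGroup = 'Branch-Office-Users'    # assumed group holding that site's users and PCs
$Forwarders  = '203.0.113.53', '203.0.113.54'   # assumed upstream resolvers (e.g. the ISP's)

# --- On the branch server: roles + promotion as a read-only DC with DNS ----------
# -ReadOnlyReplica makes this an RODC; -InstallDns hosts the AD-integrated zones
# locally, where they are automatically read-only because the directory partition
# on an RODC is read-only.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

Install-ADDSDomainController `
    -DomainName $Domain `
    -ReadOnlyReplica `
    -SiteName $BranchSite `
    -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") `
    -Force

# --- Password Replication Policy: cache only this site's accounts -----------------
# Run from any writable DC or a workstation with RSAT. Only members of $BranchGroup
# may have their secrets cached on the RODC, so a stolen branch box exposes
# nothing else. (Privileged accounts stay in the default Denied list.)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $BranchGroup

# Pre-populate the cache so the first logon after the tunnel drops still works.
$WritableDc = (Get-ADDomainController -Discover -Writable).HostName
Get-ADGroupMember -Identity $BranchGroup -Recursive |
    ForEach-Object {
        Sync-ADObject -Object $_.DistinguishedName -Source $WritableDc `
                      -Destination $RodcName -PasswordOnly
    }

# --- DNS: confirm the zones are read-only and configure forwarders ---------------
# On the RODC. Expect IsDsIntegrated = True and IsReadOnly = True for the domain
# and _msdcs zones; a writable primary here would be the "security issue" the
# answer warns about.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReadOnly

# Forwarders are a per-server setting, so set them on the RODC itself. With these
# in place, internet names still resolve locally when the VPN is down; only the
# resolvers' reachability matters.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# --- Audit: who is actually cached on this RODC? ---------------------------------
# -RevealedAccounts lists accounts whose secrets are present on the RODC; this is
# the list you would have to reset if the branch server were compromised.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
$Revealed | Select-Object SamAccountName, ObjectClass

# --- Contingency: RODC lost or compromised ---------------------------------------
# Reset every revealed account's password (forces a new secret that the attacker
# never had), then remove the RODC computer object from the domain.
# Uncomment only when responding to an actual incident.
# foreach ($acct in $Revealed | Where-Object ObjectClass -eq 'user') {
#     $newPwd = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
#     Set-ADAccountPassword -Identity $acct.SamAccountName -Reset -NewPassword $newPwd
#     Set-ADUser -Identity $acct.SamAccountName -ChangePasswordAtLogon $true
# }
# Remove-ADComputer -Identity $RodcName -Confirm:$false
```

The Get-DnsServerZone check is the one to run before handing the RODC's address out via the branch DHCP scope: if IsReadOnly comes back False for the domain zone, the server is not acting as the read-only replica the answer assumes. Note that standard forwarders do not replicate through AD; set them on each DNS server (or use AD-integrated conditional forwarders if you want replication).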