I have to set up a small Windows network inside my bigger Linux/Mac infrastructure. In order to get the Windows clients logging onto the domain, I have had to make the DC their primary DNS server, which seems to have worked.

I would much prefer to have one DNS server running on my network, or at least one authoritative server running on the network.

I have a USG 200 router/firewall and I can configure some static records for DNS, but I am not sure what I need to put in order to get DNS and AD working together. Any hints and tips appreciated.

Mister IT Guru

3 Answers

The first thing you should know is that Active Directory and DNS are so intertwined that they're almost one. For all intents and purposes, you should forget the idea of having an Active Directory domain which doesn't have a primary DNS server for Windows clients.

I won't say it's "impossible", but I will strongly advise you that it's a path with only pain.

As an alternative, why not let AD and DNS do their thing together and then add forwarders to your normal DNS servers? It's the same end result; you can basically forget about your Microsoft DNS server, as it will just plod along doing its own thing while you actively maintain and update your other name servers.

Dan
  • This is the right answer. Point all Windows clients to the DCs for DNS and then use a global forwarder to forward everything else to your other DNS servers. You are using a third-level unused namespace for your AD domain, as outlined in Microsoft's best practices, right? That way you don't have a split brain DNS. – MDMarra Jun 25 '12 at 12:38
  • There is no reason to add forwarders and complicate the setup if DNS is already functioning properly. Might as well carry around 4 spare tires for your car. – Jim B Jun 26 '12 at 20:09
  • Totally disagree @JimB, I think an inexperienced Windows admin trying to get AD working on a non-integrated DNS system will only face problems in the long run. I really don't see an issue with letting AD DNS do its own thing for the Windows clients. – Dan Jun 27 '12 at 07:24
  • @dan, having cleaned up about 30 different infrastructures where there were 2 separate DNS systems, and one side or the other was poorly maintained, there is simply no advantage whatsoever in duplicating efforts, especially when you think you can just "forget about it". Proper DNS is vital to functional AD. – Jim B Jun 27 '12 at 12:07
  • @JimB Well, I don't know about your systems, but on systems I build DNS doesn't require constant maintenance. And your last line is exactly why I recommend sticking to MS DNS running on your DC. But, we disagree, and I don't think that's going to change. – Dan Jun 27 '12 at 12:12
  • @Dan do you normally require multiple DNS infrastructures? Most places use 1 DNS system (as per the OP's request). In the places where you have duplicated DNS infrastructures, how do you keep the directories in sync? I find it amazing that somehow you think that an inexperienced admin will find it easier maintaining a parallel DNS service (that they likely have no experience with) on top of AD rather than simply using the DNS service they already have (and presumably understand how to run). What are these "pain" points you are worried about using DNS that wasn't made by Microsoft? – Jim B Jun 28 '12 at 03:01
  • I have tried the forwarder setup, and this seemed to consistently fail. I'm beginning to think that it was the forwarder. I don't like having more than one node on my network serving DNS queries to clients. – Mister IT Guru Jun 28 '12 at 11:56
  • @mister it guru, what is your current dns server running? – Jim B Jun 28 '12 at 13:34
  • I'm currently using a USG 200 firewall/router to do my DNS. I've also got it slaving to my internal OS X OD instance for DNS from there, and also slaving to the Windows server for that zone too – but it doesn't work for some reason. – Mister IT Guru Jun 28 '12 at 14:42
  • @MisterITGuru to be clear, are you slaving (meaning that the internal OS X DNS server has a copy of records from the USG 200) or have you set up forwarding (if the OS X DNS doesn't know the answer, send it along to the USG 200)? – Jim B Jun 28 '12 at 20:09
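A concrete form of the setup Dan and MDMarra describe, written here as an added example rather than anything from the thread: the existing (non-Windows) resolver is assumed to be BIND 9 and hands the whole AD namespace to the domain controllers, while each DC's own DNS server forwards everything else back to that resolver. The names and addresses (ad.example.com, 192.0.2.10, 192.0.2.11, 192.0.2.53) are placeholders.

```bind
// named.conf on the existing resolver, assumed to be BIND 9 at 192.0.2.53.
// Assumed AD namespace: ad.example.com, DCs at 192.0.2.10 and 192.0.2.11.

options {
    directory "/var/named";
    recursion yes;
    // Only the internal network may use this server as a recursive resolver.
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
};

// Everything under ad.example.com, including _msdcs.ad.example.com, which
// the DCs register for themselves, is answered by the DCs. Linux/Mac clients
// keep using 192.0.2.53 and can still resolve AD names through this zone.
zone "ad.example.com" {
    type forward;
    forward only;                          // never try to resolve it locally
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// The mirror image lives on each DC: a global forwarder pointing at
// 192.0.2.53 (DNS Manager -> server properties -> Forwarders, or
// "dnscmd /ResetForwarders 192.0.2.53"). There is no forwarding loop because
// the DC is authoritative for ad.example.com and never forwards queries for it.
```

Windows clients still get the DCs as their DNS servers, as the answer recommends; only the non-Windows side needs this fragment.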
Just deploy AD on a subdomain like windowsdomain.example.com instead of on example.com, and then delegate this subdomain to your domain controllers. This way, you will get two domains, which you could potentially split up for greater security.

Andrew Smith
  • having separate dns namespaces does not increase security. – Jim B Jun 25 '12 at 16:01
  • Like I have facebook.com, google.com and hotmail.com: if you got my password from google.com, you can hack into facebook.com, but not hotmail.com, so having two email accounts on two domains limits damage when you manage to hack into one of them, e.g. via hotmail via a cookie check bug or something. – Andrew Smith Jun 26 '12 at 00:50
  • PS: this is Active Directory, it has its own independent authentication, policy and so on, so the user list is even different. – Andrew Smith Jun 26 '12 at 00:55
  • I mean, isolating this domain with the firewall would make a lot of sense, so the viruses won't jump around. Windows ISA Firewall works well. – Andrew Smith Jun 26 '12 at 01:02
  • Having separate DNS namespaces has no impact on access. dom.com and dom2.com can be served by the same infrastructure. facebook and hotmail (should the gods decree) could very simply unify authentication services. Having 2 authentication providers would potentially double administration costs. – Jim B Jun 26 '12 at 20:09
  • @JimB so, what is your suggestion then, to ease the extreme costs of several DNS servers? Cause I can't see that you're proposing anything (useful) at all, except letting the whole world see his internal AD zone? – pauska Jun 27 '12 at 08:07
  • Why would the whole world see his internal DNS? This is all internal. – Jim B Jun 27 '12 at 12:09
  • The Windows domain is a separate subdomain completely. I thought, isn't this best practice? I've been doing this since NT4 I think :) – Mister IT Guru Jun 28 '12 at 11:54
  • @MisterITGuru, it's not a best practice to set up a separate DNS domain for Windows. There is also nothing wrong with doing so if your needs require it, but nothing in Windows (or *nix for that matter) requires it. – Jim B Jun 28 '12 at 20:26
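What Andrew Smith's delegation looks like in the parent zone, as an added example that is not from the answer: the parent zone holds only the NS and glue records for the AD subdomain, and every other record of that subdomain lives on the domain controllers. Names and addresses (example.com, windowsdomain.example.com, dc1/dc2, 192.0.2.x) are placeholders.

```bind
; Zone file for example.com on the existing authoritative server (assumed
; BIND 9). Assumed: AD lives in windowsdomain.example.com on dc1 and dc2 at
; 192.0.2.10 and 192.0.2.11 (placeholder values).
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2012062801  ; serial
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
        IN NS   ns1.example.com.
ns1     IN A    192.0.2.53

; Delegation: the DCs are the name servers for the AD subdomain.
; SRV records, _msdcs.windowsdomain.example.com and client names are
; served by the DCs, not by this file.
windowsdomain       IN NS   dc1.windowsdomain.example.com.
windowsdomain       IN NS   dc2.windowsdomain.example.com.
; Glue: the NS targets are inside the delegated zone, so their addresses
; must be published here or resolvers cannot follow the referral.
dc1.windowsdomain   IN A    192.0.2.10
dc2.windowsdomain   IN A    192.0.2.11
```

If the AD segment is firewalled off as suggested in the comments, UDP and TCP port 53 from the resolver to the DCs must stay open, otherwise the referral leads nowhere and every AD lookup fails.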
You do not need to run Windows DNS on a domain controller for proper functionality of AD. DNS is the backbone of AD, so you want to have a very resilient, very reliable DNS infrastructure prior to adding Active Directory. I would strongly recommend using either Windows OR your existing DNS infrastructure, but I would not use both. BIND 9 will work fine. You should verify that the namespace you are using is valid for Active Directory.

Jim B
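Jim B's single-DNS option in BIND 9 terms, as an added example that is not part of the answer: the AD zone is served by the existing BIND server, and only the domain controllers may register the records AD depends on. The domain name, addresses and keytab path are placeholders.

```bind
// named.conf on the existing BIND 9 server hosting the AD zone itself.
// Assumed AD domain: ad.example.com. A valid AD DNS name has at least two
// labels and sits under a name you control; a single-label name such as
// "CORP", or someone else's domain, gives you exactly the split-brain
// resolution problems the thread warns about.

zone "ad.example.com" {
    type master;
    file "dynamic/ad.example.com.db";
    // DCs register their A records and the SRV/_msdcs records that clients
    // use to find them by dynamic update (Windows tries an unsigned update
    // first, then GSS-TSIG). Restricting updates by source address is the
    // simplest working setup, but addresses can be spoofed on the local
    // segment; the stronger option is GSS-TSIG with
    //   tkey-gssapi-keytab "/etc/named/dns.keytab";   (in options)
    // and an update-policy granting the DC principals of realm
    // AD.EXAMPLE.COM the right to update names under the zone.
    allow-update { 192.0.2.10; 192.0.2.11; };
    // Nothing needs to pull this zone; do not offer transfers.
    allow-transfer { none; };
};

// After promoting the first DC, confirm the records AD clients rely on
// really landed here, for example:
//   dig @192.0.2.53 _ldap._tcp.dc._msdcs.ad.example.com SRV
//   dig @192.0.2.53 _kerberos._tcp.ad.example.com SRV
// An empty answer means clients will not find a DC, whatever the DC's
// own DNS settings say.
```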