Setting Up DNS - BPA Questions

    Question

  • We're going to be transitioning our domain(s) to Server 2012 (from 2003 and 2008).  We'll have 2 servers running Server 2012.

    1:  A file server and primary domain controller.
    2:  A WSUS server, remote desktop services server, and domain controller.  (I know it's not recommended to run WSUS on a domain controller - we may move WSUS to a different server.)

    Both servers will be running DNS, but only to resolve names in our own domain.  We use an external DNS to resolve stuff on the internet.  The domain controllers are generally firewalled off from incoming connections from the internet, but they must be able to reach out (such as to grab Windows Updates, since we don't store them on the WSUS server), so they need to have the external DNS servers added to their network adapters' settings.

    To make things a bit clearer, assume the following:

    Our first server has an IP of A.B.C.X
    Our second server has an IP of A.B.C.Y
    Our first external DNS is A.B.Z.X
    Our second external DNS is A.B.Z.Y

    We disable recursion (which also disables forwarders) in the DNS (server) config.  Our domain is running on the A.B.C subnet (/24).  When we configure the DNS servers on the network adapters of the domain controllers, we currently use (for the first server):

    1: A.B.C.Y (the second server's IP)
    2: A.B.Z.X (the first DNS that resolves external names)
    3: 127.0.0.1 (loopback)
    4: A.B.Z.Y (the second DNS that resolves external names)

    The second server is the same, except its first entry is A.B.C.X (the first server's IP).

    This all seems to work, but the Best Practices Analyzer throws a warning about the external DNS entries not being able to resolve things in the local namespace (stuff on our domain), listing the potential impact as directory resources being unavailable.  There are corresponding compliant entries in the BPA results showing that the first and second domain controllers are able to resolve those names.

    Should we ignore the BPA warnings?  We don't want the external DNS to be able to resolve our local names.  Only our domain controllers should do that.  Client machines will resolve our stuff via the domain controllers (set on their network adapters as the primary and secondary DNS servers), and resolve external stuff via the external DNS servers (A.B.Z.X and A.B.Z.Y, set on their network adapters as the 3rd and 4th DNS servers).

    This is basically our setup now (2003 and 2008), but the BPA warnings in 2012 have left me confused.

    Any advice?

    Thursday, July 25, 2013 7:31 PM

All replies

  • Hello,

    "so they need to have the external DNS servers added to their network adapters' settings."

    External DNS servers used internally result in unwanted problems. Configure the FORWARDERS instead with the external DNS servers.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, July 26, 2013 7:22 AM
  • The problem is that we disable recursion, which also disables the forwarders.
    Friday, July 26, 2013 7:34 AM
  • As Meinolf said, you simply can't use external DNS servers with your internal AD machines. It just makes AD go south. Maybe this can explain it better:

    Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
    Published by Ace Fekay, MCT, MVP DS on Aug 17, 2009 at 7:35 PM
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

    How DNS Support for Active Directory Works
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx

    -

    Ideally, re-enable recursion and use forwarders. If there is a same name scenario (internal and external are the same or split-brain), then you can simply create the zone internally and provide IP addresses for whatever resource you are trying to resolve externally.

    Can't Access Website with Same Name (Split Zone or no Split Brain)
    Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM
    Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
    http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

    -

    Otherwise, if you can describe exactly why you believe you need an external DNS, and why you believe disabling recursion will give you what you want, maybe we can come up with a solution for you that will make sure AD works as well as your requirements.

    -

    And yes, with the way you have it set up, I can see why the BPA is burping on you.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, July 27, 2013 2:38 AM
  • Our network operations center recommends disabling recursion whenever possible due to DDoS attacks. (See http://isc.sans.edu/diary/DNS+queries+for+/5713 )

    I guess I'll try it with recursion on, the forwarders set in DNS (but not in the network adapter), and with the firewall locking down DNS traffic to just our subnet, and then ask our network operations center to run their external checks again.  (The last time they brought up the issue was 3 years ago, I don't know what the state of our firewalls was back then.)

    Monday, July 29, 2013 11:46 PM
  • I see. I think you may need a proxy or TMG, which then you can leave recursion disabled and all external requests will go through the TMG or proxy.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, July 30, 2013 2:14 AM
  • We were able to turn on recursion and our network operations center verified that we were not responding to any external DNS requests.  So I removed the external DNS servers from the network adapter configuration and added them as forwarders.

    Thanks for the help.

    Wednesday, July 31, 2013 6:40 PM
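The configuration the thread converges on (external resolvers off the NIC, recursion on, forwarders on, DNS answered only for the internal subnet), as an added PowerShell example that is not from any of the posters. The addresses, the adapter alias and the firewall rule group name are placeholders and assumptions to be checked on the actual servers.

```powershell
# Added example, not from the thread. Run elevated on each Windows Server 2012 DC with the DNS role.
# All values below are placeholders for the A.B.C.* / A.B.Z.* addresses in the question.
$InternalSubnet = '10.0.0.0/24'                       # the A.B.C.0/24 domain subnet
$PeerDc         = '10.0.0.2'                          # the other DC (A.B.C.Y on the first server)
$ExternalDns    = '198.51.100.10', '198.51.100.11'    # A.B.Z.X and A.B.Z.Y (documentation range)
$Adapter        = 'Ethernet'                          # NIC alias; confirm with Get-NetAdapter

# Before (what BPA warns about): external resolvers in the NIC list and recursion off.
# A resolver that falls through to A.B.Z.X cannot answer for the AD zone, so SRV lookups
# for domain controllers can fail and "directory resources" become unavailable.
#   Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $PeerDc,$ExternalDns[0],'127.0.0.1',$ExternalDns[1]
#   Set-DnsServerRecursion -Enable $false

# After: the NIC lists only DNS servers that host the AD zone (peer DC first, loopback last).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $PeerDc, '127.0.0.1'

# Recursion must be on for forwarders to work; internet names now leave via the forwarders only.
Set-DnsServerRecursion -Enable $true
Set-DnsServerForwarder -IPAddress $ExternalDns -UseRootHint $false

# Re-enabling recursion must not turn the DC into an open resolver (the NOC's DDoS concern):
# restrict the inbound DNS rules to the internal subnet. The group name 'DNS Service' is assumed
# to be the one shipped with the DNS role; confirm with Get-NetFirewallRule -DisplayGroup.
Get-NetFirewallRule -DisplayGroup 'DNS Service' | Set-NetFirewallRule -RemoteAddress $InternalSubnet

# Verify: recursion and forwarders as intended, AD SRV records and an internet name both resolve locally.
Get-DnsServerRecursion | Select-Object Enable
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server 127.0.0.1
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 | Select-Object Name, IPAddress
```

The external check the NOC performed (confirming the DCs do not answer queries from outside) is still needed after the firewall change, since the rule scope is what actually prevents open-resolver abuse once recursion is on.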
  • Good to hear!

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, July 31, 2013 7:10 PM