Best DNS set up for multiple sites

AdminKen wrote:

I have a single 2003 domain with multiple sites. Each site is connected via a VPN cloud. Each site has a 2003 DC, GC, DNS. I have one site that is the main headquarters. It has two DC, GC and DNS servers. All internet traffic comes in and out through the main office (there is no split tunneling).

I am trying to determine the best DNS setup for my remote sites. Currently they have DNS servers with AD integration.

Each remote office is configured to use their local server as primary DNS and the HQ server as secondary DNS.

The HQ office is set to use the local HQ server as primary DNS and the secondary HQ server as secondary DNS.

My question is how should each remote office be set up with regard to FORWARDERS? (I use forwarders at my HQ but do not see the point of using them at remote sites since all internet traffic comes through the main office.)

Should I set my HQ (or other offices) as forwarders for each other?

---

In my opinion, I would enable forwarders in the remote sites, though this could and probably will be debated. In a remote site without forwarders a machine is going to ask the local DNS server for the IP of Google.com. The local DNS will not be able to resolve the IP, so the workstation will ask the secondary DNS server. Your corporate DNS server will in turn forward that request on. If you enable the forwarders in the remote sites you will skip that step and the remote DNS servers will forward on that request themselves.

---

> In a remote site without forwarders a machine is going to ask the local
> DNS server for the IP of Google.com. The local DNS will not be able to
> resolve the IP so the workstation will ask the secondary DNS server. Your
> corporate DNS server will in turn forward that request on.

It doesn't work like that. If the first DNS server answers the request, the others are never used. The secondary, third, etc. are only used if the first doesn't respond in a timely fashion. Also, don't forget that the OP might have root hints.

Also, consider the traffic. Web traffic is resolved via the proxy server. If using ISA, the same is true for any traffic that uses any of the ISA clients.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

---

> Should I set my HQ (or other offices) as forwarders for each other?

No, there is no need. The setup you describe sounds fine. The only reason I can see for forwarders is that you don't want to use root hints for specific server traffic and your proxy doesn't perform name resolution. Generally this isn't the case.

I've been involved in several branch office deployments, and have never configured forwarders in this way. I let the proxy perform all name resolution.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

---

Paul,

I have a question on how my remote DNS servers resolve. Since I do not use forwarders on the remote DNS servers but they do have root hints listed, how are they resolving requests? Put another way... since my corporate firewall only allows outbound traffic from my HQ DNS servers, it is blocking requests from my remote DNS servers, so I am not clear how they (the remote servers) are resolving at all. Do my remote DNS servers use my HQ DNS servers for resolution? (That is the part that I am trying to understand.)

thanks
Ken

"Paul Williams [MVP]" <ptw2***@hotmail.com> wrote in message news:OCuB%23YuQGHA.4536@tk2msftngp13.phx.gbl...
>> Should I set my HQ (or other offices) as forwarders for each other?
>
> No, there is no need. The setup you describe sounds fine. The only
> reason I can see for forwarders is that you don't want to use root hints
> for specific server traffic and your proxy doesn't perform name resolution.
> Generally this isn't the case.
>
> I've been involved in several branch office deployments, and have never
> configured forwarders in this way. I let the proxy perform all name
> resolution.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net

---

> Do my remote DNS servers use my HQ DNS servers for resolution? (That is
> the part that I am trying to understand.)

No. They have their own copy of the zone or zones and will always use those first. If they can't resolve a query locally (via the local zone) they perform an iterative query using one of the servers listed in the root hints.

So, if you have systems that are not proxy clients that are trying to resolve external names, this name resolution is failing. You can open the firewall to allow UDP 53 out, but that might not be recommended from a security standpoint. If you have ISA Server, you just need to deploy the firewall client to the workstations in question. The ISA client tunnels DNS requests over its secure channel to ISA. ISA then resolves them. If you don't have ISA, and you do want to allow this traffic, then you either open DNS or forward to the central DNS servers.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
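Added example, not part of the thread: a small constructed model of the resolution paths the posters argue about, following Paul Williams' description (client falls back to the secondary only when the primary does not respond; a server tries its local zone copy, then forwarders, then root hints). The server and zone names, and the firewall rule that only HQ DNS may send UDP 53 out, are assumptions chosen to match the thread's topology.

```python
# Constructed model of the thread's resolution paths (not Windows DNS code); names are hypothetical.
from dataclasses import dataclass, field
from typing import List, Tuple

AD_ZONE_NAMES = {"dc1.corp.example", "fileserver.corp.example"}  # hypothetical AD-integrated zone

@dataclass
class DnsServer:
    name: str
    forwarders: List["DnsServer"] = field(default_factory=list)
    internet_egress: bool = True   # may the firewall let this server send UDP/53 to the internet?
    reachable: bool = True         # False models a server that is down / does not respond

    def resolve(self, qname: str) -> Tuple[str, List[str]]:
        """Return (status, path): local zone copy first, then configured forwarders,
        then an iterative lookup via root hints (which needs internet egress)."""
        path = [self.name]
        if qname in AD_ZONE_NAMES:
            return "answer", path + ["local-zone"]
        for fwd in self.forwarders:
            status, sub = fwd.resolve(qname)
            if status == "answer":
                return "answer", path + sub
        if self.internet_egress:
            return "answer", path + ["root-hints"]
        return "fail", path + ["root-hints-blocked-by-firewall"]

def client_lookup(qname: str, servers: List[DnsServer]) -> Tuple[str, List[str]]:
    """Client resolver as described in the thread: the next listed server is used only
    when the current one does not respond; any response ends the search."""
    for srv in servers:
        if not srv.reachable:
            continue                   # timed out: try the next listed server
        return srv.resolve(qname)      # responded: remaining servers are never used
    return "fail", ["no-server-responded"]

# Topology from the thread: HQ DNS may leave via the firewall, the branch server may not.
HQ_DNS = DnsServer("HQ-DNS1")
BRANCH_NO_FWD = DnsServer("BRANCH-DNS", internet_egress=False)
BRANCH_FWD_TO_HQ = DnsServer("BRANCH-DNS", forwarders=[HQ_DNS], internet_egress=False)

def branch_external_lookup(forward_to_hq: bool) -> Tuple[str, List[str]]:
    """A non-proxy branch client resolving an external name (branch primary, HQ secondary)."""
    branch = BRANCH_FWD_TO_HQ if forward_to_hq else BRANCH_NO_FWD
    return client_lookup("www.example.net", [branch, HQ_DNS])

if __name__ == "__main__":
    print(branch_external_lookup(False))   # ('fail', ['BRANCH-DNS', 'root-hints-blocked-by-firewall'])
    print(branch_external_lookup(True))    # ('answer', ['BRANCH-DNS', 'HQ-DNS1', 'root-hints'])
```

The first case is the failure Paul describes for non-proxy clients: the branch server responds, so the HQ secondary is never consulted; the second case is the "forward to the central DNS servers" fix.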