Proper AD DNS setup
For example, the DNS client settings may be configured to point to the domain controller itself. During the DCPromo process, however, additional domain controllers must be configured to point to another domain controller that is running DNS in their domain and site, and that hosts the namespace of the domain in which the new domain controller is installed.
Do not configure a domain controller to use its own DNS service for name resolution until you have verified that both inbound and outbound Active Directory replication are functioning and up to date. Failure to do so may result in DNS "islands": a domain controller that can only resolve names from its own, possibly stale, copy of the zone.
After you have verified that replication has completed successfully, DNS may be configured on each domain controller in either of two ways, depending on the requirements of the environment. While this strategy has many advantages, there are factors that should be considered before making this configuration change:
Only a failure to respond causes the DNS client to switch to its alternate DNS server; an authoritative but incorrect response does not cause the DNS client to try another server.
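As an added example (not code from the Knowledge Base article or the thread), the following PowerShell audit checks each domain controller's DNS client list against the guidance above: whether the preferred server is the DC itself (island risk while replication is unhealthy), whether another DC appears as an alternate, and whether replication currently reports failures. It assumes the ActiveDirectory RSAT module, WinRM access to every DC, and repadmin on the path.

```powershell
# Added example: audit DC DNS client settings for "island" risk.
# Assumes: ActiveDirectory module, WinRM to each DC, repadmin available.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter *
$dcIps = $dcs.IPv4Address

$report = foreach ($dc in $dcs) {
    # Addresses the DC's own resolver uses, in NIC order (Preferred first).
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses
    }
    $selfAddrs = @($dc.IPv4Address, '127.0.0.1')
    $preferred = $servers | Select-Object -First 1
    $others    = $servers | Where-Object { $selfAddrs -notcontains $_ }

    [pscustomobject]@{
        DC           = $dc.HostName
        Preferred    = $preferred
        # Pointing at itself is only safe once replication is verified healthy.
        PointsToSelf = ($selfAddrs -contains $preferred)
        # At least one other DC in the list gives a fallback if this DC's DNS is down.
        HasOtherDC   = [bool]($others | Where-Object { $dcIps -contains $_ })
        # Non-DC resolvers on a DC hide the AD namespace and are worth a second look.
        NonDCServers = ($others | Where-Object { $dcIps -notcontains $_ }) -join ','
    }
}
$report | Format-Table -AutoSize

# Replication health: repadmin /showrepl * /csv lists every partner link with a
# failure count; any non-zero count means "do not switch that DC to itself yet".
$repl     = repadmin /showrepl * /csv | ConvertFrom-Csv
$failures = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
if ($failures) {
    Write-Warning 'Replication failures present; keep affected DCs pointed at a healthy partner.'
    $failures |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
        Format-Table -AutoSize
}
```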
Conditional forwarding is different, though.
TheCleaner: I agree. Conditional forwarding would be the typical way to do that. So I should remove the forwarding from all my servers? And instead add the other server in root hints? If you are, and DNS replication is working fine (check eventvwr), then yes, I would remove the forwarding and replace it with the proper external forwarder. But you need to be aware of what you are doing here. The Active Directory portions only need to be seen from within the network; nothing of that needs to be exposed externally.
Our systems only have internal IP space, even our external resources; IP translation is done at the University's border router to external IPs only for resources that have been granted them. They can then only talk to the outside via DNS ports, and internally to our internal-only DNS servers to get zone updates when we add items.
For internal AD infrastructure support, AD-integrated zones are the proper solution. For external name servers to host public records, no. I'm still confused a bit. Part of the point we were trying to make earlier is that you don't want public records internally, because in some cases they may conflict, meaning that, say, mail. Unless I am misunderstanding your intentions? Are you a web services provider that hosts hundreds of zones that you need to do this? We're a small group that is part of a University, so they're our ISP.
We host various websites for various University groups that we've developed and maintain for them; we're not a big group, so we only have our limited resources. When that same URL is called from outside of the University network, their border router translates the external IP they've assigned to the internal IP that the machine has. We have no control over this process, so all resources, no matter what, have internal IPs. Because of our limited resources we've had to work with the configuration I mentioned above.
We finally have the resources now to do something better, so that's what I'm trying to figure out. We do have several DNS domains: one is our AD domain that all our internal resources are on, and the rest are just DNS domain names for the websites we're hosting. The AD domain records would not be shared externally, but the rest need to be external and internal, and they both point to the same internal IP space.
It allows me to shut off recursion externally, AD services are not externally exposed, since the external is read-only it'll help protect against DNS poisoning, and it should provide better performance since internal only hits internal and external only hits external.