Boswell's Q&A

Split DNS Configuration

Bill: Recently we have implemented Windows 2003 Active Directory from NT 4.0, in which my NT DNS servers forwarded to our ISP's DNS servers for external name resolution. I still do that with our AD DNS servers and am starting to see problems.

My proposed solution is to implement DNS servers on the DMZ that do the forwarding to the ISP.  However, for internal name resolution, I was going to use a split DNS configuration on the TCP/IP properties of the clients, with the first DNS server as the internal AD server, and the secondary and tertiary DNS as the DNS forwarding servers in the DMZ.  Would this be an optimal configuration or would it pose performance and security problems?

Also, should the DMZ caching servers forward to my ISP's DNS servers, let them cache from the root servers, or both?
—A.J.

A.J.: Here's the problem I see with your proposed configuration. If the clients can't get access to the primary server (which hosts the SRV records for Active Directory), they'll fall back on a public server that doesn't have these records. This can cause authentication and other problems that would be difficult to diagnose.

A better solution would be to maintain two DNS servers in the private network, both of which forward to the caching server in the DMZ. If you use AD-integrated DNS zones, you can use the second domain controller as the second DNS server.

The caching server in the DMZ should only forward to your ISP. It should not have root hints and should not be authoritative for your public DNS domain.
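A small design check for the rules in this answer, added here as an example and not part of the column: it models A.J.'s proposed client resolver order (with the DMZ caches also carrying root hints, the "both" option from the question) beside the recommended layout and lists anything that breaks the rules. Server names and the zones corp.example and example.com are hypothetical.

```python
from dataclasses import dataclass, field

AD_ZONE = "corp.example"      # assumed internal AD DNS domain (hypothetical)
PUBLIC_ZONE = "example.com"   # assumed public zone, hosted outside the DMZ cache

@dataclass
class DnsServer:
    name: str
    location: str                              # "private", "dmz" or "isp"
    zones: set = field(default_factory=set)    # zones it is authoritative for
    forwarders: tuple = ()                     # names of the servers it forwards to
    root_hints: bool = False

def lint_design(servers, client_resolvers):
    """Return findings (strings); an empty list means the design follows the column."""
    by_name = {s.name: s for s in servers}
    findings = []
    # Rule 1: every resolver a client can fall back to must host the AD zone (SRV records).
    for name in client_resolvers:
        if AD_ZONE not in by_name[name].zones:
            findings.append(f"client resolver {name} does not host {AD_ZONE}")
    for s in servers:
        targets = {by_name[f].location for f in s.forwarders}
        # Rule 2: internal AD servers forward only to the DMZ caching server.
        if s.location == "private" and targets != {"dmz"}:
            findings.append(f"{s.name} should forward only to the DMZ cache")
        # Rule 3: DMZ cache forwards only to the ISP, no root hints, not authoritative for the public zone.
        if s.location == "dmz":
            if targets != {"isp"}:
                findings.append(f"{s.name} should forward only to the ISP")
            if s.root_hints:
                findings.append(f"{s.name} should not carry root hints")
            if PUBLIC_ZONE in s.zones:
                findings.append(f"{s.name} should not be authoritative for {PUBLIC_ZONE}")
    return findings

def proposed_design():
    # A.J.'s proposal: clients fall back from the DC to the DMZ forwarders (constructed).
    isp = DnsServer("isp-resolver", "isp")
    cache1 = DnsServer("dmz-cache1", "dmz", forwarders=("isp-resolver",), root_hints=True)
    cache2 = DnsServer("dmz-cache2", "dmz", forwarders=("isp-resolver",), root_hints=True)
    dc1 = DnsServer("dc1", "private", {AD_ZONE}, forwarders=("dmz-cache1",))
    return [isp, cache1, cache2, dc1], ["dc1", "dmz-cache1", "dmz-cache2"]

def recommended_design():
    # The column's recommendation: two AD-integrated servers, both forwarding to one DMZ cache.
    isp = DnsServer("isp-resolver", "isp")
    cache = DnsServer("dmz-cache", "dmz", forwarders=("isp-resolver",))
    dc1 = DnsServer("dc1", "private", {AD_ZONE}, forwarders=("dmz-cache",))
    dc2 = DnsServer("dc2", "private", {AD_ZONE}, forwarders=("dmz-cache",))
    return [isp, cache, dc1, dc2], ["dc1", "dc2"]
```

Running `lint_design(*proposed_design())` reports the two DMZ caches as client resolvers without the AD zone and as carrying root hints, while the recommended design returns no findings.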

Hope this helps...

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
