Mark Minasi's Tech Forum
#1  spam spam bacon spam
DNS is one of my (many!) weak areas. 

I've read the DNS chapter in Mark's Server 2012 R2 book.  I've also been s-l-o-w-l-y slogging my way through DNS & BIND by Cricket Liu, but at the rate I'm progressing, I'll be dead 942 weeks before I finish it.

I think I'd know the answer to my own question, if I understood DNS better, but then again... if I didn't ask questions, you'd have nothing to do.  <quickly ducks to avoid getting hit with projectile  [wink]~ >


My question:

Let's say I have a wee little network:

  • 1 Windows Server
  • Single subnet
  • ISP provided router to get out to the 'tubes.


Would you enable the DNS server role on that Windows Server and why or why not?
~spamzy


__________________
If at first you don't succeed, destroy all evidence that you tried.

#2  cj_berlin
Well, it depends, as it always does, on the use case.

If AD is to be used, you have no choice but to enable Windows DNS. You can run AD with a full-blown BIND, but not with some ISP-provided router.

If you only need name resolution for Internet based resources, you obviously don't need internal DNS at all.

If you do have some internal names for clients to resolve, but those are few and pretty static, you might be able to get away with what the router has to offer, DNS-wise.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#3  spam spam bacon spam
Quote:
Originally Posted by cj_berlin
Well, it depends, as it always does, on the use case.

If AD is to be used, you have no choice but to enable Windows DNS. You can run AD with a full-blown BIND, but not with some ISP-provided router.

Gahhhhhhhhhhhhhhhh!!!

I did not know this - that AD relies on DNS...

Which leads me to....

Quote:
Originally Posted by cj_berlin
If you only need name resolution for Internet based resources, you obviously don't need internal DNS at all.

This is the aspect I was giving consideration to.  But if AD is used, then DNS gets enabled, regardless of this issue, correct?

__________________
If at first you don't succeed, destroy all evidence that you tried.

#4  cj_berlin
Quote:
Originally Posted by spam spam bacon spam
But if AD is used, then DNS gets enabled, regardless of this issue, correct?

Almost. As mentioned above, you *can* run AD with a non-Windows DNS but it still has to fulfill various requirements as to the records that need to be created and kept up to date. In a small environment, definitely not worth the hassle.

One word of warning: AD members should point to DNS servers hosting the AD zones and must not point to any DNS servers that cannot resolve said zones.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#5  spam spam bacon spam
Quote:
Originally Posted by cj_berlin
Almost. As mentioned above, you *can* run AD with a non-Windows DNS but it still has to fulfill various requirements as to the records that need to be created and kept up to date. In a small environment, definitely not worth the hassle.

One word of warning: AD members should point to DNS servers hosting the AD zones and must not point to any DNS servers that cannot resolve said zones.

Whoa.  Lemmee see if I got this.

If I have:

  1. Desktop client is a member of an AD domain.
  2. AD server that's a DNS server, for reason(s) you mentioned.

Then I need to set the client's Primary DNS to that AD/DNS server's IP?

And if that AD/DNS server is the only one (no failover), then the desktop client will have just that one DNS server configured?

So the desktop client will go a' DNS'ing (I just made that up) to the AD/DNS server every time it needs to resolve an address out on the Internets?

__________________
If at first you don't succeed, destroy all evidence that you tried.

#6  spam spam bacon spam
Quote:
Originally Posted by cj_berlin
Almost. As mentioned above, you *can* run AD with a non-Windows DNS but it still has to fulfill various requirements as to the records that need to be created and kept up to date. In a small environment, definitely not worth the hassle.

I caught that... I didn't word my reply correctly, so it sounds like "AD needs DNS full stop", but I DID understand you ~ and caught on that it would be possible to a) drink a lot of whiskey, which would then b) provide needed cajones to c) configure this by hand.

__________________
If at first you don't succeed, destroy all evidence that you tried.

#7  cj_berlin
Quote:
Originally Posted by spam spam bacon spam
Then I need to set the client's Primary DNS to that AD/DNS server's IP?

And if that AD/DNS server is the only one (no failover), then the desktop client will have just that one DNS server configured?

So the desktop client will go a' DNS'ing (I just made that up) to the AD/DNS server every time it needs to resolve an address out on the Internets?

Correct on all three. And the DNS server needs a forwarder to a DNS server of your choice for the addresses on the Internet. The easiest way to set this up is to set the desired external DNS servers on the Windows server before promoting it to AD domain controller. This way, after promotion the Windows server, now a DC, will only have 127.0.0.1 set as DNS, but in the DNS config the DNS servers configured previously will be added as unconditional forwarders.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
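The two rules in this thread (members must point only at DNS servers that host the AD zones, and the DC must forward Internet lookups elsewhere) can be checked from PowerShell. This is an added example, not code from the thread or its posters; it assumes the RSAT ActiveDirectory and DnsServer modules are present, and the domain name and forwarder addresses shown are placeholders.

```powershell
# Added example (not from the thread). Assumes RSAT modules ActiveDirectory
# and DnsServer; domain name and resolver IPs below are placeholders.

# --- On any domain member: every configured DNS server must answer for the AD zone ---
$domain = (Get-ADDomain).DNSRoot             # e.g. corp.example.com (placeholder)
$srv    = "_ldap._tcp.dc._msdcs.$domain"     # SRV record that domain join and logon depend on

$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique

foreach ($dns in $servers) {
    try {
        $rec = Resolve-DnsName -Name $srv -Type SRV -Server $dns -DnsOnly -ErrorAction Stop
        Write-Host "OK   $dns resolves $srv -> $($rec.NameTarget -join ', ')"
    } catch {
        # An ISP or router resolver ends up here: it cannot answer for the AD zone,
        # so a client that lists it will intermittently fail logons and GPO processing.
        Write-Warning "BAD  $dns cannot resolve $srv : $($_.Exception.Message)"
    }
}

# --- On the DC: it should point at itself and forward everything else ---
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses                 # expect 127.0.0.1 after promotion
Get-DnsServerForwarder                           # resolvers set before promotion show up here

# If the forwarder list is empty (external DNS was not set before promotion), add one now:
# Set-DnsServerForwarder -IPAddress 203.0.113.53, 198.51.100.53   # placeholder (TEST-NET) IPs
```

Run the member-side part on the desktop client from the thread; a router or ISP resolver in the warning output is exactly the misconfiguration the "one word of warning" post describes.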