DNS non secure and secure updates, ISP DNS servers

I have 10 servers, and only one DNS server. My DNS server is configured to
accept secure and unsecure updates.

I need you guys give me some insight, so I can make the correct
configuration, on my DNS servers.

I am using almost 70 public IP address behind the firewall.My internal DNS
server has forwarders enabled to ISP DNS servers,

I read about Microsoft article, Article ID : 291382., and I do understand,
DNS is the backbone of Active Directory and the primary name resolution
mechanism.



What is the correct DNS configuration for a small company?



Internal DNS has forwarders enabled to ISP DNS servers?

Is it a good idea to allow only secure updates?

Is it a good idea to have second DNS server,









IF I change the updates to secure updates only, would that screw things up?

I am also planning to have the second DNS server internally for redundancy
purpose; I will configure this server as second global catalog server as
well. IF primary fails for some reason I still want my clients and mail
server to be able to work properly.



My second question is, if I implement NAT, on the firewall, and change the
whole IP structure, after I redesign the network,

Will active directory and DNS work properly ;( I am currently using public
IP addresses, for my clients, which are behind the Firewall)) I have never
done IP address schema changes, on the big production environment.









I am thinking updating all the hosts' files to correct Ip addresses, on the
each PC, and the server on the network.



Please give me some advices, which things I need to consider most, before I
do the changes



Thanks a lot for every single reply in advance

Cheers,



oz

 

In

Good. Make sure all the internal machines are ONLYusing the internal DNS.

No. Only machines joined to the domain will be allowed to register after
they authenticate during the reg process.

If you only have one domain in the forest, then you can make the two DCs
GCs. If more than one domain, then the GC can't be on the IM. In the forest
root domain, the GC must be on the DNM.

An IP change will be required. Inventory any static IPs, such as on
printers, etc. Figure out what range you want servers in, printers in, etc.
Then change the DC/DNS first. Make sure that the correct new entries get
registered in DNS, including the LdapIpADdress and the GcIpAddress. Then
change the DHCP Scope to reflect the new range. Then change your printers.
Then got to each machine and get a new address or instruct your users to
restart them, or you can create a script to force a restart on all of them.
Do it methodically and logically. Think it through first.

Why are you using hosts files? If using DNS, there's no need and it becomes
administrative overhead.

I hope that helps.


--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================