DNS non secure and secure updates, ISP DNS servers

Discussion in 'DNS Server' started by oz, Sep 20, 2005.

  1. oz

    oz Guest

    I have 10 servers, and only one DNS server. My DNS server is configured to
    accept secure and nonsecure updates.

    I need you guys to give me some insight, so I can make the correct
    configuration on my DNS servers.

    I am using almost 70 public IP addresses behind the firewall. My internal DNS
    server has forwarders enabled to ISP DNS servers.

    I read the Microsoft article, Article ID: 291382, and I do understand that
    DNS is the backbone of Active Directory and the primary name resolution.

    What is the correct DNS configuration for a small company?

    Internal DNS has forwarders enabled to ISP DNS servers?

    Is it a good idea to allow only secure updates?

    Is it a good idea to have a second DNS server?

    If I change the updates to secure updates only, would that screw things up?

    I am also planning to have a second DNS server internally for redundancy
    purposes; I will configure this server as a second global catalog server as
    well. If the primary fails for some reason, I still want my clients and mail
    server to be able to work properly.

    My second question is: if I implement NAT on the firewall and change the
    whole IP structure after I redesign the network,

    will Active Directory and DNS work properly? (I am currently using public
    IP addresses for my clients, which are behind the firewall.) I have never
    done IP address schema changes on a big production environment.

    I am thinking of updating all the hosts files to the correct IP addresses on
    each PC and server on the network.

    Please give me some advice on which things I need to consider most before I
    do the changes.

    Thanks a lot in advance for every single reply.



    oz, Sep 20, 2005

  2. Ace Fekay [MVP]

    Good. Make sure all the internal machines are ONLY using the internal DNS.

    No. Only machines joined to the domain will be allowed to register after
    they authenticate during the reg process.

    If you only have one domain in the forest, then you can make the two DCs
    GCs. If more than one domain, then the GC can't be on the IM. In the forest
    root domain, the GC must be on the DNM.

    An IP change will be required. Inventory any static IPs, such as on
    printers, etc. Figure out what range you want servers in, printers in, etc.
    Then change the DC/DNS first. Make sure that the correct new entries get
    registered in DNS, including the LdapIpAddress and the GcIpAddress. Then
    change the DHCP scope to reflect the new range. Then change your printers.
    Then go to each machine and get a new address, or instruct your users to
    restart them, or you can create a script to force a restart on all of them.
    Do it methodically and logically. Think it through first.

    Why are you using hosts files? If using DNS, there's no need and it becomes
    administrative overhead.

    I hope that helps.


    If this post is viewed at a non-Microsoft community website, and you were to
    respond to it through that community's website, I may not see your reply.
    Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    this thread originated in so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    Ace Fekay [MVP], Sep 20, 2005
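A post-change check for the three points raised in this reply (the zone accepting only secure updates, forwarders pointing at the ISP resolvers, and the LDAP/GC locator records registered against the DC's new address), written here as an added example and not taken from either poster. It assumes the DnsServer PowerShell module on a current Windows Server; the domain name, server name and addresses are placeholders to replace.

```powershell
# Verification script for a single AD-integrated DNS server after renumbering.
# Placeholder values (assumed, not from the thread): edit before use.
$Domain             = 'corp.example.com'            # AD DNS domain name
$DnsServer          = 'dc1.corp.example.com'        # the DC/DNS server to query
$ExpectedDcIp       = '10.0.1.10'                   # DC's new private address behind NAT
$ExpectedForwarders = @('203.0.113.53', '203.0.113.54')  # ISP resolvers (documentation range)

$problems = @()

# 1. Only domain-joined, authenticated machines should be able to register records.
$zone = Get-DnsServerZone -Name $Domain -ComputerName $DnsServer
if ($zone.DynamicUpdate -ne 'Secure') {
    $problems += "Zone $Domain allows '$($zone.DynamicUpdate)' updates; expected 'Secure'."
    # Remedy: Set-DnsServerPrimaryZone -Name $Domain -ComputerName $DnsServer -DynamicUpdate Secure
}

# 2. Forwarders should be exactly the ISP resolvers, with nothing stale from the old scheme.
$fwd = @((Get-DnsServerForwarder -ComputerName $DnsServer).IPAddress |
         ForEach-Object { $_.IPAddressToString })
if ($fwd.Count -eq 0 -or (Compare-Object -ReferenceObject $ExpectedForwarders -DifferenceObject $fwd)) {
    $problems += "Forwarders are [$($fwd -join ', ')]; expected [$($ExpectedForwarders -join ', ')]."
}

# 3. The locator records that Netlogon registers (LdapIpAddress / GcIpAddress) must resolve
#    to the DC's new address, otherwise clients cannot find the domain after the change.
$locators = @{
    'LDAP locator' = "_ldap._tcp.dc._msdcs.$Domain"
    'GC locator'   = "_gc._tcp.$Domain"
}
foreach ($label in $locators.Keys) {
    $srv = Resolve-DnsName -Name $locators[$label] -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { $problems += "$label record $($locators[$label]) is missing."; continue }
    foreach ($target in $srv.NameTarget) {
        $a = Resolve-DnsName -Name $target -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if (@($a.IPAddress) -notcontains $ExpectedDcIp) {
            $problems += "$label target $target resolves to [$(@($a.IPAddress) -join ', ')], not $ExpectedDcIp."
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "DNS checks passed for $Domain via $DnsServer" }
```

Run it from a domain-joined admin workstation after the DC has been renumbered and restarted; the same checks applied against the second DNS/GC server confirm the redundant copy is consistent.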
