Windows Domain Setup - FSMO Roles and DNS - Best, secure setup

FSMO roles
http://support.microsoft.com/kb/324801

and a DNS Active Directory Integrated are the pieces for a Domain.

Can someone please tell me the best setup for a Domain?

Right now we have:
One server with the Infrastructure, Schema and Domain Naming Master Roles
Two servers for the Global Catalog; one of these servers also performs the
PDC and RID Roles

So (3) Servers perform the roles. Additionally we have a separate Active
Directory Integrated DNS Server - we will be adding an alternate DNS Server.

Is this a good way to have a Domain and roles if we have the servers to
perform the tasks?
I do not want to open any unnecessary security holes by having DNS on
servers that are part of the Domain.

I am seeking the best, secure setup model.

Right now we have no issues.

Thanks

 

Is this a good way to have a Domain and roles if we have the servers to

Yes, in your case, based on the info. provied, make all your DCs GCs and
move all the FSMO roles onto one server. Don't worry about the IM, it's
defunct:
-- http://www.msresource.net/content/view/14/46/

Then you can't have AD-Integrated zones. AD-Integrated zones are only
available on DCs and are not generally a security risk. They can be more
secure as each record has a security descriptor. Obviously, you don't want
to be using AD-I zones for external facing DNS.

Generally, especially in a smaller environment such as yours, DNS will be
installed on all DCs and AD-I zones will be used. All DCs will be GCs. It
doesn't matter too much about the FSMOs then. Ensure they're on a central
server and consider decreasing the priority and/ or weight of the SRV
records so that the OM holder doesn't participate in normal authentication
and LDAP lookups and instead focuses on the role of PDCe.

 

Paul,

Just so I understand what you said:

You are suggesting that I take the 4 servers make them all DNS and GCs; pick
one and put the rest of the FSMO roles on it?

What do I need to look out for, "
Ensure they're on a central

Not sure what you mean there.

If my Domain is working correctly now with the FSMO roles on different
servers - what does your suggested configuration provide me? Am I losing any
redundancy anywhere or how can I gain any redundancy?

As a note - we point to a firewall for our outside DNS - so any non Domain
address is forwarded to the firewall for resolution right now.

Thanks

 

You are suggesting that I take the 4 servers make them all DNS and GCs;

Yeah, that's a common setup. Nothing wrong with housing all OMs on one DC.
Making all of them GCs is important though. DNS is worthwhile. Having all
DCs setup in the same way also simplifies DR and support.

You can modify the priority and weight of SRV records so that a given DC
isn't used by clients -those with preferable priority and weight are used.
I increase the priority on all DCs and keep it lowest on the PDCe. See:
--
http://technet2.microsoft.com/WindowsServer/en/Library/df86810b-9fc5-49b8-a704-d01c042cf4601033.mspx

My suggestion provides additional redundancy in that there's more GCs and
DNS servers. It makes no difference with regards the OM roles, but
simplifies your setup which makes DR easier. There's only one OM holder.
If it fails, seize the roles and rebuild. That's one option, there are
others, e.g. restoration.

In order to get the increased resillience modify your DHCP scope so that all
four DCs are defined in the client's DNS settings (TCP/IP Properties). GCs
are needed for UPN logon and things like Exchange, etc. There's no
additional cost in a single domain so make all DCs GCs. As mentioned
previously the IM is defunct in a single domain (or a domain where all DCs
are GCs) so don't worry about.

Nothing wrong with that as long as your DNS servers forward to the firewall
and your internal clients point to your DNS servers only.