Windows Domain Setup - FSMO Roles and DNS - Best, secure setup

Discussion in 'Active Directory' started by flash, Feb 27, 2007.

  1. flash

    flash Guest

    FSMO roles
    http://support.microsoft.com/kb/324801

    and a DNS Active Directory Integrated are the pieces for a Domain.

    Can someone please tell me the best setup for a Domain?

    Right now we have:
    One server with the Infrastructure, Schema and Domain Naming Master Roles
    Two servers for the Global Catalog; one of these servers also performs the
    PDC and RID Roles

    So (3) Servers perform the roles. Additionally we have a separate Active
    Directory Integrated DNS Server - we will be adding an alternate DNS Server.

    Is this a good way to have a Domain and roles if we have the servers to
    perform the tasks?
    I do not want to open any unnecessary security holes by having DNS on
    servers that are part of the Domain.

    I am seeking the best, secure setup model.

    Right now we have no issues.

    Thanks
     
    flash, Feb 27, 2007
    #1

  2. Is this a good way to have a Domain and roles if we have the servers to
    Yes, in your case, based on the info. provided, make all your DCs GCs and
    move all the FSMO roles onto one server. Don't worry about the IM, it's
    defunct:
    -- http://www.msresource.net/content/view/14/46/

    Then you can't have AD-Integrated zones. AD-Integrated zones are only
    available on DCs and are not generally a security risk. They can be more
    secure as each record has a security descriptor. Obviously, you don't want
    to be using AD-I zones for external facing DNS.

    Generally, especially in a smaller environment such as yours, DNS will be
    installed on all DCs and AD-I zones will be used. All DCs will be GCs. It
    doesn't matter too much about the FSMOs then. Ensure they're on a central
    server and consider decreasing the priority and/or weight of the SRV
    records so that the OM holder doesn't participate in normal authentication
    and LDAP lookups and instead focuses on the role of PDCe.
     
    Paul Williams [MVP], Feb 27, 2007
    #2

  3. flash

    flash Guest

    Paul,

    Just so I understand what you said:

    You are suggesting that I take the 4 servers make them all DNS and GCs; pick
    one and put the rest of the FSMO roles on it?

    What do I need to look out for, "Ensure they're on a central"
    Not sure what you mean there.

    If my Domain is working correctly now with the FSMO roles on different
    servers - what does your suggested configuration provide me? Am I losing any
    redundancy anywhere or how can I gain any redundancy?

    As a note - we point to a firewall for our outside DNS - so any non Domain
    address is forwarded to the firewall for resolution right now.

    Thanks
     
    flash, Feb 27, 2007
    #3
  4. You are suggesting that I take the 4 servers make them all DNS and GCs;
    Yeah, that's a common setup. Nothing wrong with housing all OMs on one DC.
    Making all of them GCs is important though. DNS is worthwhile. Having all
    DCs setup in the same way also simplifies DR and support.

    You can modify the priority and weight of SRV records so that a given DC
    isn't used by clients - those with preferable priority and weight are used.
    I increase the priority on all DCs and keep it lowest on the PDCe. See:
    --
    http://technet2.microsoft.com/WindowsServer/en/Library/df86810b-9fc5-49b8-a704-d01c042cf4601033.mspx

    My suggestion provides additional redundancy in that there's more GCs and
    DNS servers. It makes no difference with regards the OM roles, but
    simplifies your setup which makes DR easier. There's only one OM holder.
    If it fails, seize the roles and rebuild. That's one option, there are
    others, e.g. restoration.

    In order to get the increased resilience modify your DHCP scope so that all
    four DCs are defined in the client's DNS settings (TCP/IP Properties). GCs
    are needed for UPN logon and things like Exchange, etc. There's no
    additional cost in a single domain so make all DCs GCs. As mentioned
    previously the IM is defunct in a single domain (or a domain where all DCs
    are GCs) so don't worry about it.

    Nothing wrong with that as long as your DNS servers forward to the firewall
    and your internal clients point to your DNS servers only.
     
    Paul Williams [MVP], Feb 27, 2007
    #4
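
How SRV priority and weight steer clients away from the operations master holder, as an added example that is not part of the original thread: it implements the RFC 2782 selection rule (lowest priority number tried first, weight as a random share within one priority) over constructed records. The host names, the priority value 10 and the function names are assumptions made for the illustration.

```python
# Added illustration: RFC 2782 SRV target selection (priority first, then weight).
import random

# Constructed sample records (hypothetical names) for a DC locator SRV lookup.
# Tuples are (priority, weight, target); a lower priority number is tried first.
SRV_RECORDS = [
    (0, 100, "dc1.example.test"),
    (0, 100, "dc2.example.test"),
    (0, 100, "dc3.example.test"),
    (10, 100, "pdce.example.test"),  # assumed operations master holder, de-preferred
]

def order_targets(records, rng=random):
    """Return targets in the order an RFC 2782 client would try them."""
    ordered = []
    for prio in sorted({p for p, _, _ in records}):
        group = [(w, t) for p, w, t in records if p == prio]
        group.sort(key=lambda r: r[0] != 0)  # zero-weight records go first
        while group:
            pick = rng.randint(0, sum(w for w, _ in group))
            running = 0
            for i, (w, t) in enumerate(group):
                running += w
                if running >= pick:  # first running sum >= the random pick
                    ordered.append(t)
                    del group[i]
                    break
    return ordered

def first_choice(records, down=(), rng=random):
    """First target a client reaches, skipping DCs listed in `down`."""
    for target in order_targets(records, rng):
        if target not in down:
            return target
    return None

def first_choice_share(records, trials=3000, down=(), seed=1):
    """Count how often each DC is the first reachable choice."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = first_choice(records, down, rng)
        counts[target] = counts.get(target, 0) + 1
    return counts

if __name__ == "__main__":
    others = {"dc1.example.test", "dc2.example.test", "dc3.example.test"}
    print("all DCs up:    ", first_choice_share(SRV_RECORDS))
    print("only PDCe left:", first_choice_share(SRV_RECORDS, down=others))
```

With every DC up, the de-preferred holder never receives a first-choice lookup, yet it still answers when the other three are unreachable, so redundancy is kept.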