Split DNS Configuration

Bill: Recently we have implemented Windows 2003 Active Directory from NT 4.0 in which my NT DNS servers forwarded to our ISP's DNS servers for external name resolution.  I still do that with our AD DNS servers and am starting to see problems. 

My proposed solution is to implement DNS servers on the DMZ that do the forwarding to the ISP.  However, for internal name resolution, I was going to use a split DNS configuration on the TCP/IP properties of the clients, with the first DNS server as the internal AD server, and the secondary and tertiary DNS as the DNS forwarding servers in the DMZ.  Would this be an optimal configuration or would it pose performance and security problems?

Also, should the DMZ caching servers forward to my ISP's DNS servers, let them cache from the root servers, or both?
—A.J.

A.J.: Here's the problem I see with your proposed configuration. If the clients can't get access to the primary server (which hosts the SRV records for Active Directory), they'll fall back on a public server that doesn't have these records. This can cause authentication and other problems that would be difficult to diagnose.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)



A better solution would be to maintain two DNS servers in the private network, both of which forward to the caching server in the DMZ. If you use AD-integrated DNS zones, you can use the second domain controller as the second DNS server.

The caching server in the DMZ should only forward to your ISP. It should not have root hints and should not be authoritative for your public DNS domain.

Hope this helps...

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.