Friday, April 4, 2014

Configuring DNS to support multiple Active Directory Domains


Imagine you have two secure Active Directory domains that need to trust each other. Creating a trust presupposes DNS discovery, which means finding the server that is authoritative for the other namespace. For AD domains there are rarely internet-facing DNS servers storing the domain controller A and SRV records needed, so unlike a local server resolving majorbacon.blogspot.com, you won't be able to rely on root hints or an ISP as a forwarder. This situation shows up in many MCSA and MCSE exams and is an important configuration step for any Enterprise admin. I call this the "two tree problem".

For example: earthfarm.local and corp.brocadero.com

You have 4 basic options:

  1. Have each DNS server hold a secondary zone of the other domain’s primary zone
  2. Have each DNS server conditionally forward to the other domain’s DNS server
  3. Have each DNS server hold a stub zone of the other domain’s primary zone
  4. If both domains are in the same forest, allow AD-replication of both zones on either the ForestDNS partition or a custom DNS partition.

Method: Trade secondaries
  Pros:
    • Complete answer available at the local DNS server. Fast response time for client queries.
  Cons:
    • Requires allowing zone transfers on the master server.
    • Uses bandwidth for zone transfers.

Method: Conditionally forward to each other
  Pros:
    • Simple configuration.
    • Does not require allowing zone transfers on the master server.
    • Uses network bandwidth only on the first lookup, then caches.
  Cons:
    • Cannot react to changes in the DNS infrastructure (new DNS servers on the other side, or old DNS servers removed).

Method: Trade stub zones
  Pros:
    • Can react to changes in the DNS infrastructure (new DNS servers on the other side, or old DNS servers removed).
    • Does not require allowing zone transfers on the master server.
    • Uses network bandwidth for limited queries to discover the SOA, NS, and glue A records; all other resource records involve network traffic only on the first lookup, then are cached.
  Cons:
    • More complex to configure than conditional forwarders.
    • Many administrators are unfamiliar with this tool.

Method: AD-replication
  Pros:
    • Complete answer available at the local DNS server. Fast response time for client queries.
    • Secure storage.
    • Secure, site-aware replication.
  Cons:
    • Requires membership in the same AD forest.
    • Uses bandwidth and could over-replicate if not configured to use the correct partition on a large multi-domain network.

Combinations of these options are of course possible where it makes sense. For example, if my domain uses your domain's resources frequently, but not the other way around, it might make sense to use AD-replication of your domain (if we are in the same forest), while you use conditional forwarding to discover the occasional records you need from my domain.
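As an added example, not part of the original post: the four options above expressed as DnsServer module cmdlets (Windows Server 2012 or later), run on a DNS server in earthfarm.local and pointing at corp.brocadero.com. The addresses 10.0.2.10 and the zone file name are assumed placeholders, and the final check uses the same DC locator SRV record a trust setup would look up.

```powershell
# Run on a DNS server in earthfarm.local. Options 1-3 each create a zone named
# corp.brocadero.com, so pick ONE of them per server; they cannot coexist.
$otherDomain = 'corp.brocadero.com'
$otherDns    = '10.0.2.10'   # assumed: a DNS server authoritative for corp.brocadero.com

# Option 1: hold a secondary copy of the other domain's zone.
# The other side has to allow transfers to us. This is the matching setting for
# OUR zone: transfers only to the listed server, not to any host that asks.
Set-DnsServerPrimaryZone -Name 'earthfarm.local' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $otherDns
Add-DnsServerSecondaryZone -Name $otherDomain -ZoneFile "$otherDomain.dns" `
    -MasterServers $otherDns

# Option 2: conditional forwarder. Storing it in AD (forest scope) means every
# DC running DNS in our forest gets it, but the server list never updates itself.
Add-DnsServerConditionalForwarderZone -Name $otherDomain -MasterServers $otherDns `
    -ReplicationScope Forest

# Option 3: stub zone. Only SOA, NS and glue A records are copied; the NS list is
# refreshed from the master, so new or removed DNS servers on the other side are picked up.
Add-DnsServerStubZone -Name $otherDomain -MasterServers $otherDns -ReplicationScope Forest

# Option 4 (both domains in the same forest only): make our zone AD-integrated on the
# forest-wide partition so DNS servers in the other domain hold a full replica.
# Domain scope would replicate it only to DCs in earthfarm.local.
Set-DnsServerPrimaryZone -Name 'earthfarm.local' -ReplicationScope Forest

# Check: a trust needs the DC locator records of the other domain. Ask the local
# server directly, then confirm the locator itself can find a DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$otherDomain" -Type SRV -Server 127.0.0.1
nltest /dsgetdc:$otherDomain
```

The _msdcs.corp.brocadero.com subtree is usually a separate delegated zone on the other side; options 2 and 3 still cover it because the other domain's servers hold that delegation, while option 1 would need a second secondary zone for it.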
