DNS NS record

bighornsheep

hi...I wanted to make sure...

say I have domain controller for domain1.com, FQDN is win2k3.domain1.com

the NS record for this domain can not be win2k3.domain1.com right?

it has to be another DNS server on a seperate domain.
So if I want to setup Win2k3 to use as a HTTP server for domain1.com, the DNS must be foreign, is this correct?

eurotrash

The name server (or DNS server) for your domain can be win2k3.domain1.com, if it is also a DNS server.
To quote somewhere on the webernet,

NS-records identify the DNS servers responsible (authoritative) for a zone.

So if your DC is also a DNS server holding the zone for its domain, it will (can) be a name server for its domain.

Just look at the NS record in dnsmgmt.msc

justin42279

if you have a domain controller called win2k3 and you set dns up, then the ns record and host a record will both be win2k3.domain1.com. both records have to exist within the zone.

the ns record signifys that win2k3 is a name server.

if you setup win2k3 as a http server and all of your clients are configured to make requests to win2k3, win2k3 will use the host a record to resolve the ip address.

now, one thing that is not recommend is for a dc to point to itself to resolve dns requests.

there is no need for multiple domains.

royal

justin42279 wrote:

one thing that is not recommend is for a dc to point to itself to resolve dns requests.

This is mostly true. In a multi DNS Server enviornment, it is a good practice to have all DNS Servers point to one Master DNS Server; this includes the Master DNS Server itself. From there, you can strategically configure secondary ips to how you see fit. This ensures that dns updates are consistent across the infrastructure.

Danman32

I disagree with that completely for an AD integrated zone. It IS common practice to have the DC point to itself for DNS if it has the zone for its domain, and it can resolve other domains that it might need, since it would be the fastest DNS server to respond. It would also reduce network load. Besides, if the DNS service it holds itself doesn't respond, it is unlikely it will be in a position to make a DNS client query either.

However, if you have a tiered DNS name structure, then you may indeed want to point to the servers with the parent records.

But if you don't have AD integrated zones, then only one server can be primary, and only primary will accept DNS updates, so it is best to only point to the server with the primary zone so that the hosts can register themselves.

justin42279

Yah, i was totally off on that. i believe that only pertains to windows 2000 server

whoops. haha

Danman32

Nope, same thing on W2K, unless you have a tiered namespace, but even then there's ways to fix things.

justin42279

i thought i read that somewhere a long time ago in a microsoft article but anyway.

royal

Danman32 wrote:

I disagree with that completely for an AD integrated zone. It IS common practice to have the DC point to itself for DNS if it has the zone for its domain.

While I haven't actually done any DNS Architect-Level Design, my statement was based off of several things.

1. In Windows 2000 it is common practice NOT to point to itself due to island dns reasons.

2. My statement of pointing to master servers is a recommended practice by my company's Network Architects, which is also recommended in my Syngress 70-293 book, as well as by Mark Minasi in one of his newsletters in which I read which discussed about how to configure DCs to point to a master DNS.

When I stated to do this to make updates more consistent, the actual consistency wording was actually stated in the Syngress book. As for Mark Minasi's newsletter where he talks about having all DCs point to a master DNS server for their primary, i'll try to find the archived newsletter when I get home.


Obviously we all have our different design methods and I have been reading a lot about dns design lately. I've been looking at newsletters, reading a couple books about dns design, as well as talking with several different architects. Every source of information I have looked at have said always point dns to other servers to prevent island dns (which isn't an issue really in 2k3 anymore) and to have consistent dns updates by using a master dns ip.

Like I said though, we all have our different methods so don't take this post as a "no you're wrong" but just my experiences from what I have learned from my own research and experiences.


Edit: Btw, here's the link to the newsletter - newsletter #31 (you have to register though which is free).
http://www.minasi.com/query.asp

From his newsletter:

* Choose one DC/DNS server in the forest root domain; any one will do. Let's call it the "DNS master." Point it to itself.
* For all other DC/DNS servers, first point them to the DNS master. Then point them to another DNS server. But never point them to themselves.

blargoe

Back to the original question, for any given DNS domain there is no restriction on what can be in an NS record, just that the host specified in that record needs to be running a DNS server of some kind.