AD integrated zones in the real world
Devilsbane
Member Posts: 4,214 ■■■■■■■■□□
I am wondering how common these are. In my opinion, I would never design a network that didn't use these. There are just too many benefits.
But is that how the general population sees it too? Not every company uses AD, so what do they do? The secure dynamic updates alone are a killer. I'm not leaving a gaping hole in my network, nor am I going to manually enter everything.
Decide what to be and go be it.
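The "secure dynamic updates" the original post is talking about is the per-zone DynamicUpdate setting, which only an AD-integrated zone can set to Secure (file-backed zones can only be None or NonsecureAndSecure, and the latter lets any host on the network register or overwrite a name). The script below is an added example, not from the thread: it creates an AD-integrated forward and reverse zone with secure-only updates, then audits every primary zone on the server for the weak setting and fixes it in place. The zone name corp.example.com, the 10.10.0.0/16 subnet and the DnsServer PowerShell module (Windows Server 2012 or later) are assumptions.

```powershell
# Added example (not from the thread). Assumes the DnsServer module and
# the zone/subnet names used below.
Import-Module DnsServer

# AD-integrated primary zone replicated to every DNS server in the forest.
# -DynamicUpdate Secure: only clients that authenticate (Kerberos-signed
# GSS-TSIG updates) can add or change records, and they can only touch
# records they own.
Add-DnsServerPrimaryZone -Name 'corp.example.com' `
    -ReplicationScope 'Forest' `
    -DynamicUpdate 'Secure'

# Matching reverse zone with the same policy, so PTR records are just as
# hard to spoof as A records.
Add-DnsServerPrimaryZone -NetworkId '10.10.0.0/16' `
    -ReplicationScope 'Forest' `
    -DynamicUpdate 'Secure'

# Audit: every primary zone that either is not AD-integrated (and therefore
# cannot enforce secure updates at all) or is integrated but still accepts
# unauthenticated updates.
function Get-WeakDnsZone {
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        Where-Object {
            -not $_.IsDsIntegrated -or $_.DynamicUpdate -eq 'NonsecureAndSecure'
        } |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
}
Get-WeakDnsZone | Format-Table -AutoSize

# Remediate: a file-backed zone is converted to AD-integrated first (the
# records are preserved); then the update policy is tightened.
foreach ($zone in Get-WeakDnsZone) {
    if (-not $zone.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $zone.ZoneName `
            -ReplicationScope 'Domain' -Force
    }
    Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate 'Secure'
}
```

One caveat when switching a zone to Secure: clients that register their own names keep working, but records created earlier by the DHCP server are owned by the DHCP server's computer account. If DHCP registers on behalf of clients, put the DHCP servers in the DnsUpdateProxy group or give them dedicated update credentials, otherwise stale records from the old policy cannot be refreshed.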
Comments
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
I always use it when I'm configuring AD/DNS. I'm not sure if I've ever been on a production network when it wasn't in use. I think the only times I've seen it not in use are when they've upgraded/migrated over from something else and just transferred the records over. It's usually been an oversight on their part rather than an intentional design decision.
undomiel
Member Posts: 2,818
I can concur with what dynamik has seen. None of the environments I have operated in had anything but AD integrated zones.
Jumping on the IT blogging bandwagon -- http://www.jefferyland.com/
bertieb
Member Posts: 1,031 ■■■■■■□□□□
undomiel wrote: »None of the environments I have operated in had anything but AD integrated zones.
I have, but for non-valid reasons including a Sys Admin who thought he knew best because that's how he had always done it and wouldn't consider change (not a good trait for a person working in IT......)
For me, the multimaster update and security features of AD Integrated Zones make them a winner in my book.
The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
Mojo_666
Member Posts: 438
Real World = Windows AD domains should always have AD integrated DNS for zones for which it is authoritative (its own domain and any child domain) and most are configured this way.
Unless you have a very good reason not to of course.
Devilsbane
Member Posts: 4,214 ■■■■■■■■□□
Mojo_666 wrote: »Real World = Windows AD domains should always have AD integrated DNS for zones for which it is authoritative (its own domain and any child domain) and most are configured this way.
Unless you have a very good reason not to of course.
So what do non AD networks do? For example, the college I go to now uses Novell Directory Services. How do they keep their DNS servers secure?
Decide what to be and go be it.
sidsanders
Member Posts: 217 ■■■□□□□□□□
Due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily I caught the delete before it replicated world wide and saved the zone.
They thought they highlighted the host to remove and got it wrong... was unable to convince folks that having too many domain admin users was not good.
GO TEAM VENTURE!!!!
Mojo_666
Member Posts: 438
Devilsbane wrote: »So what do non AD networks do? For example, the college I go to now uses Novell Directory Services. How do they keep their DNS servers secure?
Most would go with BIND I would imagine; non-MS shops would be unlikely to choose an MS solution for DNS. AFAIK BIND supports secure updates but it has had some issues, but I am no BIND expert.
Mojo_666
Member Posts: 438
sidsanders wrote: »Due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily I caught the delete before it replicated world wide and saved the zone.
They thought they highlighted the host to remove and got it wrong... was unable to convince folks that having too many domain admin users was not good.
Yet so many companies still give domain admin rights to anyone working in IT, even if they have only just started.
There is only one Chief in my Domain and that is me, I delegate admin rights and use the admin groups for what they were designed for.
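Two controls address the accidental zone deletion sidsanders describes and the over-broad Domain Admins membership Mojo_666 objects to. An AD-integrated zone is an ordinary dnsZone object in the DomainDnsZones or ForestDnsZones partition, so it can carry the same ProtectedFromAccidentalDeletion flag as any OU (a Deny Delete / Delete Subtree ACE that has to be cleared deliberately before the zone can go), and day-to-day DNS work can be delegated through the built-in DnsAdmins group instead of Domain Admins. The following is an added example, not something posted in the thread; it assumes the ActiveDirectory module, a single-domain forest, zones stored in the default application partitions, and an account named dns-ops-alice.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# a single-domain forest, and the account name below.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com

# Zones replicated with -ReplicationScope Domain live in DomainDnsZones;
# the _msdcs zone and forest-wide zones live in ForestDnsZones.
$searchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDN"
)

# Every AD-integrated zone is a dnsZone object under CN=MicrosoftDNS.
function Get-AdDnsZoneObject {
    foreach ($base in $searchBases) {
        Get-ADObject -SearchBase $base `
                     -Filter 'objectClass -eq "dnsZone"' `
                     -Properties ProtectedFromAccidentalDeletion
    }
}

# Step 1: which zones can still be removed with a mis-click?
Get-AdDnsZoneObject |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Step 2: protect them. Deleting a protected zone from the DNS console now
# fails with access denied until the flag is cleared with
#   Set-ADObject <zone> -ProtectedFromAccidentalDeletion $false
# which is a deliberate two-step action rather than a single wrong click.
Get-AdDnsZoneObject |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Step 3: delegate DNS administration instead of handing out Domain Admins.
# DnsAdmins can manage zones and records on every DNS server in the domain
# but has no rights over the rest of the directory.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'dns-ops-alice'   # assumed account

# Step 4: review who actually holds Domain Admins; this list should be short.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass
```

The protection flag is enforced by the directory, not by the DNS service, so it also stops a deletion attempted through dnscmd or the DNS Manager console on any domain controller, and the deny ACE replicates with the object rather than after the damage.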
ssampier
Member Posts: 224
AD-Integrated zones are pretty cool.
I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.
What do you guys do for outside DNS requests so the world can find your web and email services?
I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.
Future Plans:
JNCIA Firewall
CCNA:Security
CCNP
More security exams and then the world.
sidsanders
Member Posts: 217 ■■■□□□□□□□
ssampier wrote: »AD-Integrated zones are pretty cool.
I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.
What do you guys do for outside DNS requests so the world can find your web and email services?
I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.
BIND 9 on FreeBSD... totally separate zones for internal vs external.
GO TEAM VENTURE!!!!
Devilsbane
Member Posts: 4,214 ■■■■■■■■□□
Your external DNS probably wouldn't need to use dynamic updates anyway. Your web and mail servers are either going to have static or reserved addresses. So it shouldn't be a huge administrative burden to disable dynamic updates.
You lose some other features, but it should certainly work.
Decide what to be and go be it.
ssampier
Member Posts: 224
I forgot to mention I actually did run a non AD network. Since it was a small network I didn't care too much if DHCP clients updated their DNS.
sidsanders wrote: »BIND 9 on FreeBSD... totally separate zones for internal vs external.
Oh yeah, I forgot about that feature - Split-horizon DNS
Easy as pie.
I still shudder about those that open port 53 on their firewall to their Active Directory controllers.
Future Plans:
JNCIA Firewall
CCNA:Security
CCNP
More security exams and then the world.
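Devilsbane's point (external DNS does not need dynamic updates) and the split-horizon setup sidsanders and ssampier land on fit together: the public-facing server is a separate box, not a domain controller, serving a file-backed copy of the public zone with updates turned off and only the handful of records the outside world needs. The script below is an added example, not from the thread, showing that external half built on a standalone Windows DNS server; the domain example.com, the 203.0.113.x addresses and the secondary at 203.0.113.53 are assumptions (the thread's own external server was BIND on FreeBSD, where the equivalent is a separate view or a separate server with no allow-update clause).

```powershell
# Added example (not from the thread). External-facing DNS server that is
# NOT a domain controller. Zone name and addresses are assumptions.
Import-Module DnsServer

# File-backed primary zone, not AD-integrated. -DynamicUpdate None: nothing
# on the Internet can register or overwrite a record over the wire.
Add-DnsServerPrimaryZone -Name 'example.com' `
    -ZoneFile 'example.com.dns' `
    -DynamicUpdate 'None'

# Public records only. Internal hosts, DCs and SRV records never appear in
# this zone; that separation is the split horizon.
Add-DnsServerResourceRecordA  -ZoneName 'example.com' -Name 'www'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName 'example.com' -Name 'mail' -IPv4Address '203.0.113.25'
Add-DnsServerResourceRecordMX -ZoneName 'example.com' -Name '.' `
    -MailExchange 'mail.example.com' -Preference 10

# Zone transfers only to the named secondary; anyone else asking for AXFR
# gets refused, so the record set cannot be enumerated in one request.
Set-DnsServerPrimaryZone -Name 'example.com' `
    -SecureSecondaries 'TransferToSecureServers' `
    -SecondaryServers '203.0.113.53'

# An authoritative-only server must not recurse for the Internet at large,
# otherwise it becomes an open resolver usable for reflection attacks.
Set-DnsServerRecursion -Enable $false

# Posture check for this box: every primary zone must be file-backed with
# dynamic updates off, and recursion must be disabled. Returns $true/$false.
function Test-ExternalDnsPosture {
    $weakZones = Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        Where-Object { $_.IsDsIntegrated -or $_.DynamicUpdate -ne 'None' }
    $recursion = (Get-DnsServerRecursion).Enable

    if ($weakZones) {
        $weakZones | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate | Format-Table -AutoSize
    }
    return (-not $weakZones) -and (-not $recursion)
}
Test-ExternalDnsPosture
```

With this in place the internal domain controllers never see an inbound packet from the Internet: the only port 53 traffic they originate is outbound to their forwarder, which is the arrangement sschmidlap describes further down.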
sschmidlap
Member Posts: 45 ■■□□□□□□□□
That's more like it! Ha ha. I was wondering why you were worried about exposing your AD and DNS infrastructure to the outside world. You don't, and it just doesn't work that way. And split DNS is your answer and your friend.
Who would have to open port 53 to their domain controllers on a firewall? You let port 53 outbound from the domain controllers to a forwarder, there is nothing wrong with that. And if you have a real firewall like ISA / Forefront you have so much granular control there is nothing to worry about. For example I open up port 53 to the domain controller for some machines in my DMZ network but I can specify just those machines so anything else is blocked no matter what. I have a back to back ISA perimeter network which is why I allow 53 to the domain controller on the internal network behind the back end firewall. There is just absolutely no risk or anything to fear with this configuration and it's very easy to implement.
In fact, (Gasp!) I use .com for my internal AND external DNS zones! That's another myth about DNS and Active Directory that somehow you are more "secure" using .local. That's total hogwash as Dr. Shinder has proven.