AD integrated zones in the real world

I am wondering how common these are. In my opinion, I would never design a network that didn't use these. There are just too many benefits.

But is that how the general population sees it too? Not every company uses AD, so what do they do? The secure dynamic updates alone is a killer. I'm not leaving a gaping hole in my network, nor am I going to manually enter everything.

Find more posts tagged with

Comments

dynamik

I always use it when I'm configuring AD/DNS. I'm not sure if I've ever been on a production network when it wasn't in use. I think the only times I think I've seen it is what they've upgraded/migrated over from something else and just transferred the records over. It's usually been an oversight on their part rather than an intentional design decision.

undomiel

I can concur with what dynamik has seen. None of the environments I have operated in had anything but AD integrated zones.

bertieb

undomiel wrote: »

None of the environments I have operated in had anything but AD integrated zones.

I have, but for non-valid reasons including a Sys Admin who thought he knew best because that's how he had always done it and wouldn't consider change ( not a good trait for a person working in IT......)

For me, the multimaster update and security features of AD Integrated Zones make them a winner in my book.

Mojo_666

Real World = Windows AD domains should always have AD intergrated DNS for zones for which it is authorative (it's own domain and any child domain) and most are configured this way.

Unless you have a very good reason not to of course.

Devilsbane

Mojo_666 wrote: »

Real World = Windows AD domains should always have AD intergrated DNS for zones for which it is authorative (it's own domain and any child domain) and most are configured this way.

Unless you have a very good reason not to of course.

So what do non AD networks do? For example, the college I go to now uses Novell Directory services. How do they keep their DNS servers secure?

sidsanders

due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily i caught the delete before it replicated world wide and saved the zone.

they thought they highlighted the host to remove and, got it wrong... was unable to convince folks that having too many domain admin users was not good.

Mojo_666

Devilsbane wrote: »

So what do non AD networks do? For example, the college I go to now uses Novell Directory services. How do they keep their DNS servers secure?

Most would go with BIND I would imagine, NON MS Shops would be unlikely to choose an MS solution for DNS. Afaik Bind supports secure updates but it has had some issues, but I am no Bind expert.

Mojo_666

sidsanders wrote: »

due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily i caught the delete before it replicated world wide and saved the zone.

they thought they highlighted the host to remove and, got it wrong... was unable to convince folks that having too many domain admin users was not good.

Yet so many companies still give domain admin rights to anyone working in IT, even if they have only just started.

There is only one Chief in my Domain and that is me, I delegate admin rights and use the admin groups for what they were designed for.

ssampier

AD-Integrated zones are pretty cool.

I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.

What do you guys do for outside DNS requests so the world can find your web and email services?

I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.

sidsanders

ssampier wrote: »

AD-Integrated zones are pretty cool.

I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.

What do you guys do for outside DNS requests so the world can find your web and email services?

I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.

bind 9 on freebsd... totally sep zones for internal vs external.

Devilsbane

Your external DNS probably wouldn't need to use dynamic updates anyways. Your web and mail servers are either going to have static or reserved addresses. So it shouldn't be a huge administrative burden to disable dynamic updates.

You lose some other features, but it should certainly work.

ssampier

I forgot to mention I actually did run a non AD network. Since it was a small network I didn't care too much if DHCP clients updated their DNS.

sidsanders wrote: »

bind 9 on freebsd... totally sep zones for internal vs external.

Oh yeah, I forgot about that feature - Split-horizon DNS

Easy as pie.

I still shudder about those that open port 53 on their firewall to their Active Directory controllers.

sschmidlap

That's more like it! Ha ha. I was wondering why you were worried about exposing your AD and DNS infrastructure to the outside world. You don't, and it just doesn't work that way. And split DNS is your answer and your friend. Who would have to open port 53 to their domain controllers on a firewall? You let port 53 outbound from the domain controllers to a forwarder, there is nothing wrong with that. And if you have a real firewall like ISA / Forefront you have so much granular control there is nothing to worry about. For example I open up port 53 to the domain controller for some machines in my DMZ network but I can specify just those machines so any thing else is blocked no matter what. I have a back to back ISA perimeter network which is why I allow 53 to the domain controller on the internal network behind the back end firewall. There is just absolutely no risk or anything to fear with this configuration and it's very easy to implement. In fact, (Gasp!) I use .com for my internal AND external DNS zones! That's another myth about DNS and Active Directory that somehow you are more "secure" using .local. That's total hogwash as Dr. Shinder has proven.