>Active Directory? These DNS servers will be public

I recommend against W2K as public NS because W2K DNS has recursion either on or off globally. You cannot restrict recursion to your subnets only, as you can with BIND. Turn recursion off to protect your public DNS from being DoSed from the Internet, and your internal subnets cannot use the DNS for lookups.

>and not our internal servers (we will do a classic "split DNS" and keep
>our internal systems firewalled and private.) Should we run AD on these
>two servers?

Nor do you want AD on a public DNS, because it has the illegal underscore _domains, which you will end up leaking to the Internet. AD is strictly intranet.

>A quick look into AD seems to indicate that if we did make these
>"integrated" DNS/AD servers, we would get multi-master replication between
>them instead of master/slave (meaning the servers would keep each other
>updated automatically). Is this right or a really bad idea?

It's a workable idea, but ONLY for intranet, not for a public DNS.

>I'm concerned about the security of running AD updates across the public
>Internet

The multi-master zone AD replication with zone updates is done over GSS-TSIG, so it is secure.

Len
www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
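The split-DNS point in the reply above (keep the AD underscore records, and the internal hosts they point at, out of the public view) as an added example; this is not code from the original post or from any product it mentions. It assumes BIND-style zone text with one record per line and the class given explicitly, and the example.com sample zone, host names and addresses are constructed for the demonstration.

```python
"""Split-DNS export filter (added example, not from the original post).

Takes the records of an internal, AD-populated zone and emits only what
belongs in the public view. Rejected with a reason: AD service records
(underscore labels such as _ldap._tcp and the _msdcs subtree), address
records in RFC 1918 / link-local / loopback space, and name-bearing
records that point at a host which lost all its addresses that way.
"""
import ipaddress

# Address ranges that must never appear in the public view.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Record types whose last rdata field is a host name that may dangle.
NAME_TARGET_TYPES = {"NS", "MX", "SRV", "CNAME"}

# Constructed sample: an internal example.com zone as AD would populate it.
INTERNAL_ZONE = """\
@              IN SOA   ns1.example.com. hostmaster.example.com. 2002010101 3600 900 604800 86400
@              IN NS    ns1.example.com.
@              IN NS    ns2.example.com.
@              IN MX    10 mail.example.com.
ns1            IN A     192.0.2.10
ns2            IN A     192.0.2.11
mail           IN A     192.0.2.25
www            IN A     192.0.2.80
dc1            IN A     10.1.1.5
ldap           IN CNAME dc1.example.com.
_ldap._tcp     IN SRV   0 100 389 dc1.example.com.
_kerberos._tcp IN SRV   0 100 88 dc1.example.com.
_gc._tcp       IN SRV   0 100 3268 dc1.example.com.
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.example.com.
"""


def parse_zone(text):
    """Yield (owner, type, rdata_fields, original_line) for each record line."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[1].upper() != "IN":
            raise ValueError("expected '<owner> IN <type> <rdata>': %r" % raw)
        records.append((tokens[0], tokens[2].upper(), tokens[3:], line))
    return records


def fqdn(name, origin):
    """Absolute form of an owner or target name relative to the zone origin."""
    if name == "@":
        return origin + "."
    if name.endswith("."):
        return name
    return "%s.%s." % (name, origin)


def is_ad_owner(owner):
    """AD registers its SRV records under underscore labels (_ldap._tcp, _msdcs ...)."""
    return any(label.startswith("_") for label in owner.split("."))


def is_internal_address(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def split_zone(zone_text, origin):
    """Return (public_lines, rejected) where rejected is a list of (line, reason)."""
    candidates, rejected = [], []
    internal_hosts, public_hosts = set(), set()
    for owner, rtype, rdata, line in parse_zone(zone_text):
        if is_ad_owner(owner):
            rejected.append((line, "AD service record (underscore label)"))
        elif rtype in ("A", "AAAA") and is_internal_address(rdata[0]):
            rejected.append((line, "internal address"))
            internal_hosts.add(fqdn(owner, origin))
        else:
            if rtype in ("A", "AAAA"):
                public_hosts.add(fqdn(owner, origin))
            candidates.append((rtype, rdata, line))
    # Second pass: a host that kept no public address must not be referenced.
    dropped_hosts = internal_hosts - public_hosts
    public = []
    for rtype, rdata, line in candidates:
        if rtype in NAME_TARGET_TYPES and fqdn(rdata[-1], origin) in dropped_hosts:
            rejected.append((line, "points at an internal-only host"))
        else:
            public.append(line)
    return public, rejected


if __name__ == "__main__":
    kept, dropped = split_zone(INTERNAL_ZONE, "example.com")
    print("public view:\n  " + "\n  ".join(kept))
    print("rejected:\n  " + "\n  ".join("%s  ; %s" % pair for pair in dropped))
```

The public view that comes out is what a separate, non-recursive external server (or the external view of a BIND split configuration) should serve; the rejected list is the set of records that an AD-integrated server would otherwise answer to the whole Internet. The second pass matters when a domain controller has only an internal address: without it the CNAME `ldap` would survive and point at a name the public view cannot resolve.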
