I think your solution is unnecessarily complex. What are your goals? What does your network look like? Do you require public access? Those are the questions I'd ask.

In general I'd recommend: use AD-integrated zones for internal, as you get the replication topology and active/active benefits of AD. However, if clients will query these from both the internet and the internal net, then you have some security considerations re having AD exposed to/on a bastion (perimeter) host.

The above said, why not use split DNS?

- Run a standard zone on the internet and maybe have your ISP provide redundancy - a secondary name server (or host your own if you have another old PC).
- Use AD-integrated zones (same zones) internally, behind the firewall.
- Set these name servers to forward requests to the public primary and secondary; don't disable recursion.
- Create copies of any public DNS records in the zones on the internal name server(s).
- Set all internal clients to point to the internal AD-integrated name servers.

Then the only traffic traversing the firewall (relative to this discussion) is DNS from the internal DNS to the public DNS. In my experience this works well. Separate is more secure and traffic flow is predictable.

Hope this helps -
Byron

-----Original Message-----
From: Pham, Tuan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 9:29 AM
To: MSWinNT Discussions
Subject: DNS ideas ?

I know I'm hitting this list with a lot of DNS questions lately, but I want to find the best scenarios for my network. This is one of my scenarios: I want two W2K DNS servers, one is an AD-Integrated DNS server (141.106.10.10) and the other is a Standard Primary DNS server (141.106.10.11). The AD-Integrated DNS server is only open for Secure Update only and the Standard Primary is normal Dynamic Update. For the internal network, Windows 2K clients and down-level clients will use the Standard Primary (141.106.10.11) as their preferred DNS server and the AD-Integrated DNS server (141.106.10.10) as their Alternate DNS server.

When any of the clients logs on to the domain it will register itself with the Standard Primary DNS; from here I have to configure the Standard Primary to forward the information to the AD-Integrated DNS server to update its dynamic DNS zone database (only authenticated clients). I thought this would give me fault tolerance. Is anyone out there using this method? Can you give me some inside tips?

Thxs!
TP

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
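Byron's split-DNS recommendation above, as an added example that is not from the thread: a PowerShell script using the DnsServer module (Windows Server 2012 or later, so newer tooling than the Windows 2000 servers the thread discusses) that creates the internal AD-integrated zone with secure-only dynamic updates, forwards to the public servers with recursion left on, mirrors the public records into the internal zone, and checks that internal and public answers agree. The zone name example.com, the 203.0.113.x addresses and the record names are placeholders.

```powershell
# Added example (not from the thread): the internal half of a split-DNS setup
# on a Windows DNS server, built with the DnsServer module and then verified.
# Assumptions: example.com, 203.0.113.x and the host names are placeholders;
# run as an administrator on a domain controller or member DNS server.
Import-Module DnsServer

$Zone          = 'example.com'                        # same name as the public zone
$PublicServers = @('203.0.113.10', '203.0.113.11')    # public primary + ISP secondary
# Public records internal clients must still resolve (constructed sample data).
$PublicRecords = @{ 'www' = '203.0.113.20'; 'mail' = '203.0.113.25' }

# 1. AD-integrated copy of the zone, replicated to every DC in the domain,
#    accepting dynamic updates only from authenticated (secure) clients.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. Forward everything this server is not authoritative for to the public
#    servers; recursion stays enabled, otherwise forwarding never happens.
Set-DnsServerRecursion -Enable $true
Set-DnsServerForwarder -IPAddress $PublicServers -UseRootHint $false

# 3. Mirror the public records into the internal zone so internal clients get
#    them from the internal servers and never have to reach the public server.
foreach ($name in $PublicRecords.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A `
                                            -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $PublicRecords[$name]
    }
}

# 4. Check: the internal answer for each mirrored name must match the public one,
#    which is the part of split DNS that silently drifts over time.
foreach ($name in $PublicRecords.Keys) {
    $fqdn     = "$name.$Zone"
    $internal = (Resolve-DnsName -Name $fqdn -Type A -Server '127.0.0.1').IPAddress
    $public   = (Resolve-DnsName -Name $fqdn -Type A -Server $PublicServers[0]).IPAddress
    if ($internal -ne $public) {
        Write-Warning "$fqdn differs: internal=$internal public=$public (update the internal copy)"
    } else {
        Write-Output "$fqdn OK ($internal)"
    }
}
```

Step 4 is worth scheduling, since a public record changed at the ISP without a matching change to the internal copy is the usual way a split-DNS setup breaks.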
