DNS Namespace Design (MCP Series)

When designing your DNS name space you don't want your internal DNS communicating with your external DNS. You also don't want external users to access resources, but internal staff should be able to access both internal and external resources. There are three options for internal and external DNS:
  1. Same DNS name internally and externally
    Do not allow zone transfers between the server. The external server will be company.com and so will the internal server. Both servers assume they are authoritative over the domain. This method is good for users because the internal system is called company.com and the external system is also called company.com. There is some administrative overhead with this method as you have to manually copy the resource records from the external server to the internal server, but your external records won't change that often so it shouldn't be that big of a problem.

  2. Different DNS internally and externally
    For example company.local internally and company.com externally. Users might not like this setup as the internal name will be quite different from the external name. This is a safe and easy to setup option.

  3. Internal DNS as a sub domain of your external DNS
    For example company.com externally and internal.company.com. This system is beneficial as the external server need not be Windows 2003 Server. Setup zone delegation on the external server and block DNS forwarding traffic at the firewall so external users cannot access internal resources.
Having used option 2 for some time, I think I will attempt option 3 in the next few months. I will report back with the results.

Popular posts from this blog

Get local computer UUID/GUID using Windows Powershell

Use the following syntax to get the local computer's UUID/GUID using Windows Powershell: get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID Add -computername after the WMI class to find a remote computer's UUID, example: get-wmiobject Win32_ComputerSystemProduct -computername RANTPC | Select-Object -ExpandProperty UUID
Read more

gPLink and gPOptions

gPLink is a property for sites, domains and organisational units that contains a prioritised list of GPOs linked to the node. gPOptions is a property that contains all Block Policy Inheritance settings for the node. To manage GPO links on a node, you must have read and write access to the gPLink and gPOptions properties.
Read more

PSLoggedOn Getting Started on Windows Server 2008 R2

Image
PSLoggedOn is a tool I downloaded to allow me to find out which computers a user is currently logged on to. Getting it up and running wasn’t exactly easy. I’m running a Windows Server 2008 R2 test environment. The first error I encountered was: Error browing network: The list of servers for this workgroup is not currently available. Note: I kept the spelling mistake from the error message to make it easier to find via search engines. To get past this error, you have to enable and start the “Computer Browser” service. Then I started getting the error telling me that the Administrator is not logged on. That’s simply not true because I am logged onto another server (Name: ELARA): I turned the firewall OFF OFF OFF (It is a test network after all). I enabled Network Discovery and to do that I went on a service starting frenzy: DNS Client, Function Discovery Resource Publication, SSDP Discovery, and UPnP Device Host, Computer Browser After all that, I ran the script against the se
Read more