W2K multi-master features

Michael E. Hanson MEHanson at GryphonsGate.com
Thu Aug 15 23:07:34 UTC 2002


> Our company is wondering whether or not to use Microsoft DNS (a W2K/AD
> architecture is going to be implemented soon).
>
> Does W2K multi-master capacity really avoid the 'single point of
> failure caused if the primary dns server fails' (and so prevent any
> dynamic update) in a primary/secondary dns architecture ?

Yes, assuming you configure more than one DNS server and you have set it up
with AD Integrated Zones

> Or is there any characteristic offering absolute advantages for using
> Microsoft DNS ?

With Win2K AD, DNS becomes the primary name/address resolution method (in
the past it was NetBIOS/WINS), making your DNS a critical component of your
AD structure.  Depending on the complexity of your AD structure, the number
and complexity of the DNS entries can be incredible.  While it's possible to
implement everything that's required using BIND 8.2.1 or later (9.2.1 is the
recommended version currently I believe), it can get very difficult,
especially when you have configured AD Sites.

In addition, if you have AD integrated zones for your network, and you DO
happen to lose a DNS server, all you have to do is install the DNS service
on another AD Domain Controller and it will pick up the ENTIRE DNS
configuration from AD, eliminating the need to restore config files. This
assumes, of course, that you've maintained redundancy in your Domain
Controllers.

> We are currently using Bind and Lucent (VitalQIP) DNS servers.

What versions?  If you're going to use them with Win2K AD, they need to
support SRV records at a minimum, and you'll really want them to support
dynamic updates and incremental zone transfers.

Another alternative, and one that I usually recommend if the client is
willing, is to continue to use BIND to support your Public Namespace (e.g.,
MyCompany.com), and place these servers in your DMZ or at off site locations
(like your ISP).  Delegate a subdomain (e.g., Corp.MyCompany.com) to your
Win2K DNS, and place this inside your private network.  Make your internal
DNS a Win2K AD Integrated Zone, and configure it with a "forwarder" to the
external DNS for public/internet addresses.  You get the benefits of the
Win2K AD Integrated DNS for your Win2K AD structure, and the continued
simplicity/reliability/stability of BIND for your Public Namespace.

Also consider using Win2K DHCP to assign all your internal workstation
addresses, regardless of client O/S, and configure it to perform both the
forward and reverse lookup zone updates in DNS.  This greatly simplifies
workstation and DNS maintenance.  It also means you can turn off the
automatic DNS updating in your Win2K Professional and Win XP Professional
clients (cutting down on network traffic) and you can configure Win2K DNS to
only accept updates from the DHCP server, making your DNS database more
secure.

_______________
Michael E. Hanson
President, Gryphon Consulting Services
(http://www.GryphonsGate.com)
P.O. Box 1151
Bellevue, NE  68005-1151
(402) 871-9622

MEHanson at GryphonsGate.com (primary)
Gryphons_Master at yahoo.com
----- Original Message -----
From: "Lionel Deruaz" <lderuaz at free.fr>
Newsgroups: comp.protocols.dns.bind
To: <comp-protocols-dns-bind at isc.org>
Sent: Tuesday, August 13, 2002 2:56 AM
Subject: W2K multi-master features


>
> Hello,
>
> Our company is wondering whether or not to use Microsoft DNS (a W2K/AD
> architecture is going to be implemented soon).
>
> Does W2K multi-master capacity really avoid the 'single point of
> failure caused if the primary dns server fails' (and so prevent any
> dynamic update) in a primary/secondary dns architecture ?
> Or is there any characteristic offering absolute advantages for using
> Microsoft DNS ?
> We are currently using Bind and Lucent (VitalQIP) DNS servers.
>
> Thanks,
>
> Lionel
>
>
