Configuring DNS for name resolution and registration

As in all Active Directory deployments, Domain Name System (DNS) is a key part of the design. Domain controllers and client computers must be able to register, update, and resolve host names and service records. Best practices for DNS configurations on client computers and servers are still applicable for RODC deployments in perimeter networks. For more information, see the AD DS Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=135996).

Considerations

The main difference in DNS configuration between a writable domain controller and an RODC is that the RODC will not be authoritative for any integrated zone; that is, it will not accept updates for any Active Directory–integrated DNS zone. Therefore, any dynamic update requests for an Active Directory–integrated zone will result in the requester being provided with the start of authority (SOA) resource record of the zone. This resource record will provide a reference to a server that is authoritative and writeable for the zone.
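To act on that referral, the requester has to read the MNAME field of the SOA record it was handed back: that is the server the zone names as its primary, and the one that will accept the update. The following script is an added example, not code from the original documentation; it parses a DNS SOA response from the wire format and reports whether a dynamic update has to be redirected. The response bytes, the zone `corp.example`, and the server names `dc01` and `rodc01` are constructed for the example.

```python
import struct


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) DNS name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def soa_primary(msg: bytes):
    """Return the MNAME of the first SOA record in the answer/authority sections, or None."""
    qd, an, ns, _ = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    for _ in range(an + ns):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                                   # SOA: RDATA begins with MNAME
            return read_name(msg, off)[0]
        off += rdlen
    return None


def update_target(msg: bytes, queried_server: str):
    """Server the update must go to instead, or None if the queried server is the zone primary."""
    primary = soa_primary(msg)
    return None if primary is None or primary.lower() == queried_server.lower() else primary


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed SOA response (not a real capture): zone corp.example, primary dc01.corp.example.
# b"\xc0\x0c" is a compression pointer back to the question name at offset 12.
_hdr = struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)
_q = encode_name("corp.example") + struct.pack("!HH", 6, 1)
_rdata = (b"\x04dc01\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
          + struct.pack("!5I", 2024010101, 900, 600, 86400, 3600))
SAMPLE_SOA_RESPONSE = _hdr + _q + b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(_rdata)) + _rdata
```

Querying the RODC `rodc01.corp.example` for the zone's SOA and feeding the response to `update_target` yields `dc01.corp.example`, which is where the requester should send its update rather than retrying against the RODC.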

The read-only nature of Active Directory–integrated DNS on RODCs has the following implications in a perimeter network environment:

· It permits Active Directory–integrated zones to be available in the perimeter network without the risk of them being updated directly.

· However, it poses a problem of how secure dynamic updates can be established if they are required.

This leads to the following considerations for the design of a name resolution solution for the perimeter network:

· You must determine which namespaces must be visible.

· You must determine how those namespaces are to be updated: manually or dynamically.

· If dynamic updates are desired, you must decide how to achieve them within the constraints on communication inside the perimeter network and between the perimeter network and the corporate network.

The namespaces that are visible depend on whether domain controllers are deployed in the perimeter network and for which domain or forest. In some scenarios it may not be appropriate to make an entire namespace or part of a namespace visible in the perimeter network or for there to be any mechanism to allow servers or client computers to automatically update records. In other scenarios, these factors may not be a significant concern.

Approaches and configuration options

This section describes the approaches and options for configuring DNS for name resolution in the perimeter network.

No DNS

This highly restrictive approach avoids the need for hosting DNS namespaces in the perimeter network. With this approach, client computers in the perimeter network resolve names through HOST files or NetBIOS broadcasts. Any RODC in the perimeter network resolves names against a writable domain controller in the internal network and registers its DNS records against the writable domain controller through the firewall that separates the internal network from the perimeter network. This approach avoids exposure of any corporate DNS zones in the perimeter network.

Although this approach is possible, it is not practical. It does not scale well, and it incurs a high administrative cost when records must be kept up to date and consistent across more than a handful of computers.
