Dns & Active directory

#1

Hi,
I am planning to install a Server 2012 Active Directory. But I want to avoid installing DNS on that server. Is it possible? The reason is that the requirement is that each server should only have 1 primary function. I wish to have DNS installed on another server.
/R

#2
Re: Dns & Active directory

You can, as long as the DNS server supports the appropriate record types (BIND 8.2.4 springs to mind from somewhere).

However, AD and DNS are so tightly integrated that it is a definite exception to the "one role per server" rule and you will find that your job is made much easier by integrating the two.

There are (AFAIK) no major risks in putting the DNS role on a DC.

Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

#3
Re: Dns & Active directory

You could set up a separate Windows server running just the DNS role.
However, for DNS to function correctly and problem free, it should be integrated with AD.
I've never heard of an AD integrated DNS not being on the same host as the DC.

The load on both of them is low enough that it won't matter. (Unless you have a stupidly large environment, in which case you'd have multiple multi-master replicas anyway.)

You can argue the case that DNS is critical to Active Directory, so it IS just the one primary function.

#4
Re: Dns & Active directory

Installing a separate DNS server would definitely be the exception to the rule for every AD implementation I've ever seen. It's just easier and less prone to problems installing DNS on the DC during the DCPROMO process. Again, as others have said, the workload on a combined DC/DNS server is pretty low. I regularly run one single CPU DC/DNS server with 512MB to 1GB of RAM for hundreds of users.

#5
Re: Dns & Active directory

Hi,
The problem is that according to PCI DSS Requirement 2.2.1 it says:

    Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

This makes things more complicated.
/R

#6
Re: Dns & Active directory

But it doesn't mention Active Directory. Really there are no different security requirements between the two and separating them will make your life harder. AD needs to read/write DNS all the time.

Tom Jones

#7
Re: Dns & Active directory

I've never done this (and have limited knowledge about it), but...

Why can't he install AD with DNS, then set up DNS on two member servers, point his DC at those two servers for DNS and then remove the DNS role from the DC? Or, better, test it in a lab setup?

DCPROMO + DNS installed
Secondary DNS installed on member servers
Point DC at secondary DNS servers
Remove DNS role from DC and shut down
Convert one of the Secondary DNS servers to a primary zone
Start the DC
Pray... ?

I don't know - can this be done? So long as the DNS servers are compatible with AD, should there be an issue?

A recent poll suggests that 6 out of 7 dwarfs are not happy
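The step list above only works if the member-server DNS hosts can actually answer the locator records a DC depends on before the DC is repointed and the role removed. The following is an added PowerShell example, not code from the thread or from any poster, of a pre-flight check that verifies those records against each candidate server and only then changes the DC's client DNS settings. The domain name, server addresses and adapter alias are assumptions; run it on the DC in an elevated PowerShell 4+ session.

```powershell
# Added example (not from the thread): pre-flight check before pointing a DC at
# off-box DNS servers. Domain, server addresses and adapter alias are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $Domain     = 'corp.example.test',          # assumed AD domain
    [string[]] $DnsServers = @('10.0.0.11', '10.0.0.12'),  # assumed member-server DNS hosts
    [string]   $Adapter    = 'Ethernet'                    # assumed NIC alias on the DC
)

# Locator records clients use to find a DC; if a candidate DNS server cannot
# serve these, nothing will find the DC once it points away from itself.
$requiredSrv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)

$ok = $true
foreach ($server in $DnsServers) {
    foreach ($name in $requiredSrv) {
        try {
            # -DnsOnly bypasses the local cache/hosts file so the answer is the server's own.
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop
            $srv = @($answers | Where-Object { $_.Type -eq 'SRV' })
            if ($srv.Count -eq 0) { throw 'no SRV answer' }
            Write-Host ("OK   {0} -> {1} ({2} target(s))" -f $server, $name, $srv.Count)
        } catch {
            Write-Warning ("FAIL {0} -> {1}: {2}" -f $server, $name, $_.Exception.Message)
            $ok = $false
        }
    }
}

# Record the DC's current client DNS settings before anything changes.
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

if (-not $ok) {
    Write-Error 'At least one candidate DNS server cannot resolve the DC locator records; do not repoint the DC yet.'
    return
}

# Repoint only once every candidate answered. -WhatIf previews the change.
if ($PSCmdlet.ShouldProcess("$Adapter on $env:COMPUTERNAME", "set DNS client servers to $($DnsServers -join ', ')")) {
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers
    # Re-register the DC's own records against the new servers and verify registration.
    ipconfig /registerdns | Out-Null
    dcdiag /test:DNS /DnsRecordRegistration
}
```

Run it with -WhatIf first. A secondary zone is read-only and rejects dynamic updates, so the DC's re-registration in the last step will fail until one of the member servers holds the primary zone, which is why the "convert one of the Secondary DNS servers to a primary zone" step cannot be skipped; the dcdiag sub-test at the end reports exactly that condition.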


#8
Re: Dns & Active directory

Setting DNS and AD up on the same server should not break PCI/DSS.

PCI/DSS should relate to any system that is used to store credit card details, so primarily your application/web infrastructure.

Your application/web infrastructure shouldn't be able to reach your AD infrastructure; that's the bigger issue here.
(Unless this is only for internal use?)

To use an example:
You're creating a website that accepts credit card details for purchases and stores that information.
You need to be PCI compliant.
Your website runs on MSSQL and IIS.
Your internal network infrastructure runs on Windows 2008 Active Directory.

Ideally, you would have infrastructure that consists of:

A "Public" or DMZ network. You will have a Web server in this DMZ. You will have a separate SQL Server in this DMZ. You will have specific firewall rules that only allow the specific traffic you require, from specific ports to specific target ports.
You will prevent access from your SQL and Web Server to your Active Directory server through firewalling.
You probably do not need a DNS server in this instance. Although if you did have a public DNS server, it would be in your DMZ and it would be on a separate server to your web or SQL server.
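The DMZ layout in this post (web server and a separate SQL server, only the required ports allowed between them, and both kept from reaching the AD network) expressed as host firewall rules, as an added PowerShell example that is not part of the original post. It uses the Windows Firewall cmdlets available on Server 2012 and later; the host addresses and the internal subnet are constructed for illustration.

```powershell
# Added example (not from the thread): Windows Firewall rules for the two DMZ
# hosts described in the post above. All addresses are constructed for illustration.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Web', 'Sql')] [string] $Role
)

$WebServer   = '192.0.2.10'   # assumed DMZ web server (IIS)
$SqlServer   = '192.0.2.20'   # assumed DMZ SQL server
$InternalLan = '10.0.0.0/8'   # assumed internal network holding the AD servers

function Set-DmzBaseline {
    # Default-deny inbound on every profile; every allow below is explicit.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # Neither DMZ host may initiate anything toward the internal LAN (where AD lives).
    New-NetFirewallRule -DisplayName 'DMZ: block outbound to internal LAN' `
        -Direction Outbound -Action Block -RemoteAddress $InternalLan -Profile Any
}

function Set-DmzWebServerRules {
    # Public clients reach IIS over HTTPS only.
    New-NetFirewallRule -DisplayName 'DMZ: allow inbound HTTPS' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 -Profile Any
    # The web tier talks to the DMZ SQL server on 1433; the block above already
    # stops it from trying the same toward anything internal.
    New-NetFirewallRule -DisplayName 'DMZ: allow outbound SQL to DMZ SQL server' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433 `
        -RemoteAddress $SqlServer -Profile Any
}

function Set-DmzSqlServerRules {
    # Only the web server may open TCP 1433; any other source hits the default deny.
    New-NetFirewallRule -DisplayName 'DMZ: allow inbound SQL from web server only' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
        -RemoteAddress $WebServer -Profile Any
}

function Show-DmzRules {
    # Lists the rules this script created with their port and address filters, for review.
    Get-NetFirewallRule -DisplayName 'DMZ: *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $portValue = if ($_.Direction -eq 'Inbound') { $port.LocalPort } else { $port.RemotePort }
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Protocol  = $port.Protocol
            Port      = $portValue
            Remote    = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
}

Set-DmzBaseline
switch ($Role) {
    'Web' { Set-DmzWebServerRules }
    'Sql' { Set-DmzSqlServerRules }
}
Show-DmzRules
```

Windows Firewall evaluates block rules ahead of allow rules, so the outbound block to the internal range wins even if a broader allow exists elsewhere on the host. A machine carrying that rule cannot reach a domain controller at all, which is consistent with the post's point that the DMZ hosts stay outside the AD infrastructure rather than being domain-joined; Show-DmzRules prints the resulting rule set so the filters can be checked against the intended design before the host goes live.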


#9
Re: Dns & Active directory

Hi,
I have tried this several times but ran into some issues with group policy problems. I also noticed that when I was trying to demote a domain controller this failed because of DNS misconfiguration.

Originally posted by Blood:
I've never done this (and have limited knowledge about it), but...

Why can't he install AD with DNS, then set up DNS on two member servers, point his DC at those two servers for DNS and then remove the DNS role from the DC? Or, better, test it in a lab setup?

DCPROMO + DNS installed
Secondary DNS installed on member servers
Point DC at secondary DNS servers
Remove DNS role from DC and shut down
Convert one of the Secondary DNS servers to a primary zone
Start the DC
Pray... ?

I don't know - can this be done? So long as the DNS servers are compatible with AD, should there be an issue?


#10
Re: Dns & Active directory

Well, that answers your question, doesn't it.

If a DC will fail a demotion when running DCPROMO because of DNS misconfiguration, DNS can, as noted above, be safely left in place because it is an essential part of the AD installation.

Thanks a lot for posting back. Because I have never done this I had not considered the implications of a demotion. However, out of interest, is there a reason why you can't install the DNS role on the DC before demoting it?