  1. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #1

    Default AD integrated zones in the real world

    I am wondering how common these are. In my opinion, I would never design a network that didn't use these. There are just too many benefits.

    But is that how the general population sees it too? Not every company uses AD, so what do they do? The secure dynamic updates alone is a killer. I'm not leaving a gaping hole in my network, nor am I going to manually enter everything.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    I always use it when I'm configuring AD/DNS. I'm not sure if I've ever been on a production network when it wasn't in use. I think the only times I've seen it not in use is when they've upgraded/migrated over from something else and just transferred the records over. It's usually been an oversight on their part rather than an intentional design decision.

  4. Virtual Member undomiel's Avatar
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #3
    I can concur with what dynamik has seen. None of the environments I have operated in had anything but AD integrated zones.

  5. wibble! bertieb's Avatar
    Join Date
    Jun 2007
    Location
    Up and down the UK
    Posts
    1,029

    Certifications
    MCSE:CP&I, SI, MCITPx2, MCSAx2, MCTSx7, VCP6/5/4/3(DCV), EMCISA, Sec+, ITILv3F, legacy MS
    #4
    Quote Originally Posted by undomiel View Post
    None of the environments I have operated in had anything but AD integrated zones.
    I have, but for non-valid reasons, including a Sys Admin who thought he knew best because that's how he had always done it and wouldn't consider change (not a good trait for a person working in IT...)

    For me, the multimaster update and security features of AD Integrated Zones make them a winner in my book.
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln

  6. I "HEART" M$ Mojo_666's Avatar
    Join Date
    Jun 2010
    Location
    Cardiff, Wales UK
    Posts
    438

    Certifications
    MCSE+M, MCSE+S, MCITP:SA, MCITP:EA, MCSA:2008, MCSA:2012
    #5
    Real World = Windows AD domains should always have AD integrated DNS for zones for which it is authoritative (its own domain and any child domain) and most are configured this way.

    Unless you have a very good reason not to of course.

  7. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #6
    Quote Originally Posted by Mojo_666 View Post
    Real World = Windows AD domains should always have AD integrated DNS for zones for which it is authoritative (its own domain and any child domain) and most are configured this way.

    Unless you have a very good reason not to of course.
    So what do non AD networks do? For example, the college I go to now uses Novell Directory services. How do they keep their DNS servers secure?

  8. Senior Member sidsanders's Avatar
    Join Date
    Nov 2008
    Posts
    214

    Certifications
    cne, mcse, scna, scsa, a+, net+, sec+
    #7
    Due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily I caught the delete before it replicated world wide and saved the zone.

    They thought they had highlighted the host to remove and got it wrong... I was unable to convince folks that having too many domain admin users was not good.

  9. I "HEART" M$ Mojo_666's Avatar
    Join Date
    Jun 2010
    Location
    Cardiff, Wales UK
    Posts
    438

    Certifications
    MCSE+M, MCSE+S, MCITP:SA, MCITP:EA, MCSA:2008, MCSA:2012
    #8
    Quote Originally Posted by Devilsbane View Post
    So what do non AD networks do? For example, the college I go to now uses Novell Directory services. How do they keep their DNS servers secure?
    Most would go with BIND, I would imagine; non-MS shops would be unlikely to choose an MS solution for DNS. AFAIK BIND supports secure updates but it has had some issues, but I am no BIND expert.

  10. I "HEART" M$ Mojo_666's Avatar
    Join Date
    Jun 2010
    Location
    Cardiff, Wales UK
    Posts
    438

    Certifications
    MCSE+M, MCSE+S, MCITP:SA, MCITP:EA, MCSA:2008, MCSA:2012
    #9
    Quote Originally Posted by sidsanders View Post
    Due to having certain folks with too much authority, we had folks ***delete*** entire zones... luckily I caught the delete before it replicated world wide and saved the zone.

    They thought they had highlighted the host to remove and got it wrong... I was unable to convince folks that having too many domain admin users was not good.
    Yet so many companies still give domain admin rights to anyone working in IT, even if they have only just started.

    There is only one Chief in my Domain and that is me, I delegate admin rights and use the admin groups for what they were designed for.

  11. Senior Member ssampier's Avatar
    Join Date
    Jul 2010
    Location
    Sierra Vista, AZ
    Posts
    224

    Certifications
    MCSA, Security+, EC-Council CEH, CCNA
    #10
    AD-Integrated zones are pretty cool.

    I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.

    What do you guys do for outside DNS requests so the world can find your web and email services?

    I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.

  12. Senior Member sidsanders's Avatar
    Join Date
    Nov 2008
    Posts
    214

    Certifications
    cne, mcse, scna, scsa, a+, net+, sec+
    #11
    Quote Originally Posted by ssampier View Post
    AD-Integrated zones are pretty cool.

    I twitch at the concept of exposing my DNS (and AD) infrastructure to the outside world, though.

    What do you guys do for outside DNS requests so the world can find your web and email services?

    I was imagining setting up a Bind server as a secondary on the outside via IPSec, but I wondered if there are easier ways.
    BIND 9 on FreeBSD... totally separate zones for internal vs external.

  13. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #12
    Your external DNS probably wouldn't need to use dynamic updates anyways. Your web and mail servers are either going to have static or reserved addresses. So it shouldn't be a huge administrative burden to disable dynamic updates.

    You lose some other features, but it should certainly work.
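    The three settings argued for in this thread (zones AD-integrated, internal zones accepting only secure dynamic updates, externally published zones accepting none) can be checked on a Windows DNS server with the DnsServer module. This is an added audit script, not something posted in the thread; the server name "dc01" and the external zone list are placeholders you would replace.

```powershell
# Added example: audit Windows DNS primary zones for the settings discussed above.
# Requires the DnsServer PowerShell module (DNS role or RSAT). Run as a DNS admin.
param(
    [string]$ComputerName = 'dc01',                 # placeholder DNS server / DC name
    [string[]]$ExternalZones = @('example.com')     # constructed: zones published to the Internet
)

Import-Module DnsServer

$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = foreach ($zone in $zones) {
    $isExternal = $ExternalZones -contains $zone.ZoneName

    # Rule 1: authoritative internal zones should be AD-integrated, which gives
    # multi-master replication and makes Kerberos-authenticated updates possible.
    if (-not $isExternal -and -not $zone.IsDsIntegrated) {
        [pscustomobject]@{
            Zone  = $zone.ZoneName
            Issue = 'File-backed primary zone, not AD-integrated'
            Fix   = "ConvertTo-DnsServerPrimaryZone -Name '$($zone.ZoneName)' -ReplicationScope Domain -Force"
        }
    }

    # Rule 2: 'NonsecureAndSecure' lets any host on the network register or
    # overwrite records; internal zones should accept only secure updates.
    if (-not $isExternal -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        [pscustomobject]@{
            Zone  = $zone.ZoneName
            Issue = 'Accepts unauthenticated dynamic updates'
            Fix   = "Set-DnsServerPrimaryZone -Name '$($zone.ZoneName)' -DynamicUpdate Secure"
        }
    }

    # Rule 3: externally published zones hold static web/mail records and
    # should not accept dynamic updates at all.
    if ($isExternal -and $zone.DynamicUpdate -ne 'None') {
        [pscustomobject]@{
            Zone  = $zone.ZoneName
            Issue = "External zone accepts dynamic updates ($($zone.DynamicUpdate))"
            Fix   = "Set-DnsServerPrimaryZone -Name '$($zone.ZoneName)' -DynamicUpdate None"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'All zones match the expected settings.' }
```

    The script only reports; apply the suggested Fix commands after confirming that the zone's replication scope suits your forest.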

  14. Senior Member ssampier's Avatar
    Join Date
    Jul 2010
    Location
    Sierra Vista, AZ
    Posts
    224

    Certifications
    MCSA, Security+, EC-Council CEH, CCNA
    #13
    I forgot to mention I actually did run a non AD network. Since it was a small network I didn't care too much if DHCP clients updated their DNS.

    Quote Originally Posted by sidsanders View Post
    BIND 9 on FreeBSD... totally separate zones for internal vs external.
    Oh yeah, I forgot about that feature - Split-horizon DNS

    Easy as pie.

    I still shudder about those that open port 53 on their firewall to their Active Directory controllers.

  15. Member
    Join Date
    Aug 2009
    Location
    Phoenix, AZ
    Posts
    45

    Certifications
    A+ Network+ MCSA 2003: Messaging MCSE 2003
    #14
    That's more like it! Ha ha. I was wondering why you were worried about exposing your AD and DNS infrastructure to the outside world. You don't, and it just doesn't work that way. And split DNS is your answer and your friend. Who would have to open port 53 to their domain controllers on a firewall? You let port 53 outbound from the domain controllers to a forwarder; there is nothing wrong with that. And if you have a real firewall like ISA / Forefront you have so much granular control there is nothing to worry about. For example, I open up port 53 to the domain controller for some machines in my DMZ network, but I can specify just those machines so anything else is blocked no matter what. I have a back-to-back ISA perimeter network, which is why I allow 53 to the domain controller on the internal network behind the back end firewall. There is just absolutely no risk or anything to fear with this configuration and it's very easy to implement. In fact, (Gasp!) I use .com for my internal AND external DNS zones! That's another myth about DNS and Active Directory, that somehow you are more "secure" using .local. That's total hogwash as Dr. Shinder has proven.