Can Read-Only Domain Controller in External location work when VPN tunnel is down

Tags: rodc, site-to-site-vpn, windows-server-2008

I have a client which has multiple sites all over the world. They have 2 domain controllers in the main location and every other location connects through to the main site with a VPN tunnel. Currently the network is more or less a disaster, so I'm trying to fix it. One thing in common for the secondary sites is that their routers' network settings have the ISP's local DNS servers, so their DHCP-based computers get "wrong" DNS servers. It's been like that for ages and they use IP addresses to connect to servers.

So I would like to fix it with proper DNS servers etc. So I was planning to use an RODC and DNS server on the only server (with Terminal Services and a couple of programs like Visual Studio that people use to work) that is located in that location. The other option was to enter DNS servers from the main location, but if the tunnel goes down employees will be confused and won't be able to access the internet (as they would need to change router settings), so this doesn't seem like a reliable solution.

My questions are as follows:

  1. If the VPN tunnel goes down, can people use DNS without problems (can they access the internet) and can they authenticate to local servers/workstations?
  2. Is it safe and recommended (??), or on the contrary not advised, to put an RODC/DNS server on the very same server as the users and other programs?
  3. Any other advice regarding this setup?

Best Answer

When using an RODC you really have 2 options for DNS:

  • A read-only primary zone (yes, I know that doesn't sound right, but it is) which is Active Directory integrated, or
  • A standard secondary zone

Obviously having a writable primary zone on an RODC (or in that office) is a security issue.

Assuming you have this, and you have set up cached credentials correctly in your Password Replication Policy, then when the network goes down your users should be able to continue working.

Assuming you have a read-only DNS zone to go with your RODC, then this should be safe. Obviously if you are caching credentials locally there is a slight risk there, but if you are using your PRP properly then you should be able to revoke these credentials should anything happen.
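The checks the answer describes (a read-only AD-integrated zone on the RODC, forwarders that still work when the tunnel is down, a deliberate Password Replication Policy, and a way to revoke cached credentials) can be audited from one PowerShell script. The following is an added example, not code from the question or the answer; it assumes the ActiveDirectory and DnsServer RSAT modules are available on the admin workstation, and the RODC name, zone name and forwarder addresses are placeholders to replace with your own.

```powershell
# Added example: audit an RODC's DNS zone, forwarders and Password Replication
# Policy, and optionally revoke the credentials it has cached.
# Assumes RSAT modules ActiveDirectory and DnsServer; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$Rodc          = 'RODC01'                        # placeholder RODC hostname
$Zone          = 'corp.example.com'              # placeholder AD domain zone
$IspForwarders = @('203.0.113.1', '203.0.113.2') # placeholder ISP resolvers (TEST-NET-3 range)

# 1. The zone on the RODC must be AD-integrated and read-only. A writable
#    primary zone in the branch office is what the answer warns against.
$z = Get-DnsServerZone -ComputerName $Rodc -Name $Zone
[pscustomobject]@{
    Zone         = $z.ZoneName
    Type         = $z.ZoneType
    DsIntegrated = $z.IsDsIntegrated
    ReadOnly     = $z.IsReadOnly
} | Format-List
if ($z.ZoneType -eq 'Primary' -and -not $z.IsReadOnly) {
    Write-Warning "$Zone on $Rodc is a writable primary zone; expected read-only."
}

# 2. Internet resolution with the VPN down only works if the RODC's DNS server
#    forwards to resolvers reachable without the tunnel (the ISP's), not only to
#    the head-office DCs. Listing is the default; uncomment the Set to apply.
$fw = Get-DnsServerForwarder -ComputerName $Rodc
"Current forwarders on ${Rodc}: $($fw.IPAddress -join ', ')"
# Set-DnsServerForwarder -ComputerName $Rodc -IPAddress $IspForwarders

# 3. Password Replication Policy: who may and may not have secrets cached.
"Allowed to cache:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
"Denied from caching:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Accounts whose secrets are actually cached on this RODC right now.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
"Credentials currently cached on ${Rodc}:"
$revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 5. Revocation, the step the answer refers to if the branch server is lost or
#    compromised: reset the password of every cached user account so the copies
#    held on the RODC are no longer valid. Listing is the default; pass -Confirm
#    to perform the resets.
function Invoke-RodcCredentialRevocation {
    param([switch]$Confirm)
    $users = $revealed | Where-Object ObjectClass -eq 'user'
    foreach ($acct in $users) {
        if (-not $Confirm) {
            "Would reset password for $($acct.Name)"
            continue
        }
        # Random 24-character password from printable ASCII; the user is forced
        # to change it at next logon so the value is never kept anywhere.
        $new = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
            -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
        Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        "Reset password for $($acct.Name)"
    }
}

Invoke-RodcCredentialRevocation          # dry run: lists what would be reset
# Invoke-RodcCredentialRevocation -Confirm # actually reset the cached accounts
```

Run it as a domain admin from a machine that can reach both the RODC and a writable DC; step 5 must target a writable DC, which the AD cmdlets do by default. Computer accounts that were cached are not reset here; their machine passwords are rotated by rejoining or with Reset-ComputerMachinePassword on the host itself.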
