Where to place active directory integrated DNS server and what type to use

Tags: active-directory, domain-name-system

I am working at two branch offices and have been tasked with deciding where to place Active Directory integrated DNS servers and what type to use.

One of the branch offices is very small (5 users) and has very slow network connectivity. Do I need a DNS server and, if so, what type of zone should it host?

The second branch office is much larger (about 30 users) and has better network connectivity. Does this office need a DNS server and, if so, what type of zone would you recommend?

Best Answer

Active Directory integrated zones must be hosted by Domain Controllers (DCs), and all Active Directory integrated zones are primary zones. Given this, we’re really talking about where to place Domain Controllers servicing the additional role of DNS server.

Determining where to place DCs/DNS servers isn’t always straightforward. However, as a rule of thumb, I take the view that any branch location that’s going to utilize Active Directory services (authentication, file services, etc.) benefits from having a local DC and domain-integrated DNS services.

You might already know much of this, so bear with me…

When deciding where to place DC/DNS Servers, keep the following things in mind:

  • Domain members rely heavily on DNS services to locate domain resources. For example, when a domain-joined computer boots, it queries domain Service Locator (SRV) records in DNS to locate a Domain Controller against which to authenticate. Without a local DNS instance, this process has to take place over a potentially slow site link. Of course, once a computer has located a Domain Controller, it will continue to authenticate against that server until something forces the client to find another DC.

  • Over a slow link, the regular activities of authenticating against remote DCs, querying domain resources, and performing other standard DNS lookups can create a sluggish and somewhat irksome user experience. A local DC/DNS server can greatly improve the user experience (I’m all about user experience) by eliminating delays.

  • If the link between sites goes down and there is no local DNS service, your users won’t be able to browse the Internet unless you’ve configured secondary DNS servers. The problem I’ve had with secondary DNS servers is that each query first attempts to contact the primary DNS server before attempting the secondary DNS server. This really wrecks the user experience.

For a small branch office with 5 users and a slow link, you might be able to get away without a local DC/DNS server as long as:

  • Users aren’t dependent on the ability to authenticate against the domain (if a remote DC isn’t available to service authentication requests, users should still be able to log on to their local systems using cached credentials).

  • Non-domain DNS servers are available to service queries in the event your site link goes down. Some DNS-enabled routers can selectively forward requests for select domains to specific DNS servers. For example, normal DNS queries can be forwarded to publicly available DNS servers (such as the DNS servers provided by your ISP), while queries to mydomain.local can be forwarded over a secure site link to your internal DNS server. This method eliminates the per-client delay of failing over from a primary to a secondary DNS server.

That said, I think you would still be better off with a local DC/DNS server even though you only have 5 users. Have you looked into Read Only Domain Controllers?

For your larger branch office, I would definitely recommend provisioning the site with a local DC/DNS server.
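As an added example (not part of the original answer), the following PowerShell measures the SRV-record lookup a booting domain member performs to find a DC, shows which DC the client settled on, sets up the selective forwarding described above on a branch DNS server that is not a DC, and verifies on a branch DC that the AD-integrated zone has replicated. The domain name mydomain.local comes from the answer; the hub DNS address 10.0.0.10, the ISP resolver 203.0.113.53 and the site name Branch-Small are placeholder assumptions.

```powershell
# Placeholder values: replace with your own domain, hub DNS server, ISP resolver and AD site name.
$Domain   = 'mydomain.local'
$HubDns   = '10.0.0.10'
$IspDns   = '203.0.113.53'
$SiteName = 'Branch-Small'

# 1. Reproduce DC discovery as a domain member does it: site-specific SRV record first,
#    then the domain-wide record. Timing this over the WAN shows the slow-link cost.
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$srv = Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
}
$sw.Stop()
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Priority, Weight, Port
"SRV lookup took $($sw.ElapsedMilliseconds) ms"

# 2. Which DC did this client actually lock on to? (Requires the RSAT ActiveDirectory module.)
(Get-ADDomainController -Discover -ForceDiscover).HostName

# 3. Branch DNS server without a DC (the small office): send only the AD domain to the hub
#    over the site link and everything else to the ISP resolver, so a WAN outage does not
#    stall Internet browsing on primary-then-secondary failover.
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $HubDns
}
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# 4. Branch DC (the larger office): confirm the domain zone arrived as an AD-integrated
#    primary via replication rather than as a secondary copy pulled over the link.
Get-DnsServerZone -Name $Domain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
```

Steps 3 and 4 are mutually exclusive: run step 3 on a member server or standalone box acting as the branch resolver, and step 4 on a branch DC after the DNS role is installed.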