Re: [brlug-general] Offsite DNS hosting for Active Directory
Just make sure AXFR is disabled if you're hosting with a third party. You don't want anyone doing a transfer of your zone. Otherwise I can't think of any huge security implications??? I'd also make sure to restrict access to a specific range.

On Sun, Oct 3, 2010 at 4:17 AM, Edmund Cramp wrote:
> Ask Jerry at Netshapers (http://www.netshapers.com) - I don't know where they stand with AD, but they've provided us with a BIND slave for about 10 years with no problems, although it's not a service that they advertise.
>
> Regards,
> Edmund Cramp - e...@motion-labs.com
> Motion Lab Systems, Inc. - http://www.motion-labs.com
> 15045 Old Hammond Highway, Baton Rouge, LA 70816 USA
> Tel: 1.225.272.7364 (Central Time Zone, GMT-6)
> Fax: 1.225.272.7336
>
> From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Dustin Puryear
> Sent: Friday, October 01, 2010 1:15 PM
> To: general@brlug.net; sage-memb...@sage.org; LOPSA Tech List
> Subject: [brlug-general] Offsite DNS hosting for Active Directory
>
> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>
> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>
> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>
> ---
> Puryear IT, LLC - We see IT differently.
> Baton Rouge, LA - 225-706-8414
> http://www.puryear-it.com/

--
"The world's my oyster, a hotel room's my prison cell..."

___
General mailing list
General@brlug.net
http://mail.brlug.net/mailman/listinfo/general_brlug.net
Re: [brlug-general] Offsite DNS hosting for Active Directory
Ask Jerry at Netshapers (http://www.netshapers.com) - I don't know where they stand with AD, but they've provided us with a BIND slave for about 10 years with no problems, although it's not a service that they advertise.

Regards,
Edmund Cramp - e...@motion-labs.com
Motion Lab Systems, Inc. - http://www.motion-labs.com
15045 Old Hammond Highway, Baton Rouge, LA 70816 USA
Tel: 1.225.272.7364 (Central Time Zone, GMT-6)
Fax: 1.225.272.7336

From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Dustin Puryear
Sent: Friday, October 01, 2010 1:15 PM
To: general@brlug.net; sage-memb...@sage.org; LOPSA Tech List
Subject: [brlug-general] Offsite DNS hosting for Active Directory

We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.

Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?

And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?

---
Puryear IT, LLC - We see IT differently.
Baton Rouge, LA - 225-706-8414
http://www.puryear-it.com/
Re: [brlug-general] Offsite DNS hosting for Active Directory
It's going to depend on how much you need AD for in the environment. Chances are, if you're a small enough AD to have one DC, that DC is going to have everything on it that AD needs and probably anything that is going to actually require AD to function. Clients can/will use cached logon credentials for user login, although shared resources on other workstations may become unavailable unless the credential was cached before AD went down (assuming you're allowing workstations to cache X number of local logon credentials). Assume you're pointing your clients to an offsite DNS as well; otherwise they'll be SOL waiting for something to be done. Services which need the GC are going to be hosed even if DNS is working if your only DC is down.

Mark A. Lappin, CCNA, MCITP: Enterprise Administrator | Lee Michaels Fine Jewelry
Director of Information Technology
11314 Cloverland Ave | Baton Rouge, LA 70809
Ph: 225.291.9094 ext 245 | Fax: 225.368.3675 | Mobile: 225-362-2770
www.lmfj.com

This communication is privileged and confidential. If you are not the intended recipient, please notify the sender by reply e-mail and destroy all copies of this communication.

From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Dustin Puryear
Sent: Friday, October 01, 2010 4:24 PM
To: general@brlug.net
Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory

Actually, that's not true.

From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Tim Fournet
Sent: Friday, October 01, 2010 2:29 PM
To: general@brlug.net
Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory

Even if you've got the DNS portion of Active Directory replicated, when the rest of AD comes crashing down, you're going to have major work-stopping outages happening pretty quickly. Why not just bring up offsite hosted full domain controllers?
Re: [brlug-general] Offsite DNS hosting for Active Directory
Actually, that's not true.

From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Tim Fournet
Sent: Friday, October 01, 2010 2:29 PM
To: general@brlug.net
Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory

Even if you've got the DNS portion of Active Directory replicated, when the rest of AD comes crashing down, you're going to have major work-stopping outages happening pretty quickly. Why not just bring up offsite hosted full domain controllers?

On Fri, Oct 1, 2010 at 2:23 PM, Dustin Puryear <dpury...@puryear-it.com> wrote:
Well, we're looking for an offsite service that WE DON'T HAVE TO MANAGE. Like an EasyDNS service. Hmm.

-----Original Message-----
From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Keith Stokes
Sent: Friday, October 01, 2010 1:28 PM
To: general@brlug.net
Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory

Damn. Brad can type faster than me.

On Oct 1, 2010, at 1:25 PM, Brad Bendily wrote:
> We don't use a service to do this, but we host AD DC DNS on our Linux/BIND DNS boxes. I haven't done the AD side, but apparently there's a tool to extract the DNS entries and then they can get imported into BIND. So, it should be fairly easy to do. You could also set up a master/slave trust between the zones and the entries can be pulled that way. If you had a DNS host running Linux, that would open to trying a few things.
>
> bb
>
> On Fri, Oct 1, 2010 at 1:15 PM, Dustin Puryear <dpury...@puryear-it.com> wrote:
>> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>>
>> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>>
>> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>>
>> ---
>> Puryear IT, LLC - We see IT differently.
>> Baton Rouge, LA - 225-706-8414
>> http://www.puryear-it.com/
>
> --
> Have Mercy & Say Yeah

--
Keith Stokes
Re: [brlug-general] Offsite DNS hosting for Active Directory
Even if you've got the DNS portion of Active Directory replicated, when the rest of AD comes crashing down, you're going to have major work-stopping outages happening pretty quickly. Why not just bring up offsite hosted full domain controllers?

On Fri, Oct 1, 2010 at 2:23 PM, Dustin Puryear wrote:
> Well, we're looking for an offsite service that WE DON'T HAVE TO MANAGE. Like an EasyDNS service. Hmm.
>
> -----Original Message-----
> From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Keith Stokes
> Sent: Friday, October 01, 2010 1:28 PM
> To: general@brlug.net
> Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory
>
> Damn. Brad can type faster than me.
>
> On Oct 1, 2010, at 1:25 PM, Brad Bendily wrote:
>> We don't use a service to do this, but we host AD DC DNS on our Linux/BIND DNS boxes. I haven't done the AD side, but apparently there's a tool to extract the DNS entries and then they can get imported into BIND. So, it should be fairly easy to do. You could also set up a master/slave trust between the zones and the entries can be pulled that way. If you had a DNS host running Linux, that would open to trying a few things.
>>
>> bb
>>
>> On Fri, Oct 1, 2010 at 1:15 PM, Dustin Puryear wrote:
>>> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>>>
>>> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>>>
>>> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>>>
>>> ---
>>> Puryear IT, LLC - We see IT differently.
>>> Baton Rouge, LA - 225-706-8414
>>> http://www.puryear-it.com/
>>
>> --
>> Have Mercy & Say Yeah
>
> --
> Keith Stokes
Re: [brlug-general] Offsite DNS hosting for Active Directory
Well, we're looking for an offsite service that WE DON'T HAVE TO MANAGE. Like an EasyDNS service. Hmm.

-----Original Message-----
From: general-boun...@brlug.net [mailto:general-boun...@brlug.net] On Behalf Of Keith Stokes
Sent: Friday, October 01, 2010 1:28 PM
To: general@brlug.net
Subject: Re: [brlug-general] Offsite DNS hosting for Active Directory

Damn. Brad can type faster than me.

On Oct 1, 2010, at 1:25 PM, Brad Bendily wrote:
> We don't use a service to do this, but we host AD DC DNS on our Linux/BIND DNS boxes. I haven't done the AD side, but apparently there's a tool to extract the DNS entries and then they can get imported into BIND. So, it should be fairly easy to do. You could also set up a master/slave trust between the zones and the entries can be pulled that way. If you had a DNS host running Linux, that would open to trying a few things.
>
> bb
>
> On Fri, Oct 1, 2010 at 1:15 PM, Dustin Puryear wrote:
>> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>>
>> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>>
>> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>>
>> ---
>> Puryear IT, LLC - We see IT differently.
>> Baton Rouge, LA - 225-706-8414
>> http://www.puryear-it.com/
>
> --
> Have Mercy & Say Yeah

--
Keith Stokes
Re: [brlug-general] Offsite DNS hosting for Active Directory
On Fri October 1 2010 1:15 pm, Dustin Puryear wrote:
> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>
> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?

Wouldn't slaved BIND do the trick?

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
Re: [brlug-general] Offsite DNS hosting for Active Directory
Damn. Brad can type faster than me.

On Oct 1, 2010, at 1:25 PM, Brad Bendily wrote:
> We don't use a service to do this, but we host AD DC DNS on our Linux/BIND DNS boxes. I haven't done the AD side, but apparently there's a tool to extract the DNS entries and then they can get imported into BIND. So, it should be fairly easy to do. You could also set up a master/slave trust between the zones and the entries can be pulled that way. If you had a DNS host running Linux, that would open to trying a few things.
>
> bb
>
> On Fri, Oct 1, 2010 at 1:15 PM, Dustin Puryear wrote:
>> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>>
>> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>>
>> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>>
>> ---
>> Puryear IT, LLC - We see IT differently.
>> Baton Rouge, LA - 225-706-8414
>> http://www.puryear-it.com/
>
> --
> Have Mercy & Say Yeah

--
Keith Stokes
Re: [brlug-general] Offsite DNS hosting for Active Directory
If your only goal is to provide DNS, how about running BIND on a Linux box? I haven't explicitly done it, but Win DNS does support BIND secondaries.

There's only 1 drawback with that plan, and it has bitten me in the behind recently. I had a similar site from which my backup DC was removed from the budget. I wasn't happy but figured it would be okay with the cached logins. Last week the DC went down and all of my Terminal Sessions couldn't log in. We have repeatedly tested and it's consistent. Research by one of the guys in my group showed that while you can log onto the console of a server (and a workstation is in fact the console), RDC and all other network sessions are not supported with cached credentials. In other words, you can log onto your workstation, but forget about getting to a network resource. Is that going to work for you?

As far as hardware costs go, you can use one of my solutions: I run a virtual DC on a workstation as a backup. This PC happens to be at my house and runs over a VPN, but obviously it would work better on the LAN. I did it at home so that I'd have an offsite AD backup. Of course you still have the server license with which to contend.

Now that I'm thinking... has anyone used Samba recently for DC backup? As I remember, version 3 and before only supported NT4 auth, but would that be enough to get to the network resources? Now I'm going to have to try that. Samba 4 is supposed to be fully AD-integrated whenever it comes out.

On Oct 1, 2010, at 1:15 PM, Dustin Puryear wrote:
> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>
> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>
> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>
> ---
> Puryear IT, LLC - We see IT differently.
> Baton Rouge, LA - 225-706-8414
> http://www.puryear-it.com/

--
Keith Stokes
Re: [brlug-general] Offsite DNS hosting for Active Directory
We don't use a service to do this, but we host AD DC DNS on our Linux/BIND DNS boxes. I haven't done the AD side, but apparently there's a tool to extract the DNS entries and then they can get imported into BIND. So, it should be fairly easy to do. You could also set up a master/slave trust between the zones and the entries can be pulled that way. If you had a DNS host running Linux, that would open to trying a few things.

bb

On Fri, Oct 1, 2010 at 1:15 PM, Dustin Puryear wrote:
> We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.
>
> Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?
>
> And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?
>
> ---
> Puryear IT, LLC - We see IT differently.
> Baton Rouge, LA - 225-706-8414
> http://www.puryear-it.com/

--
Have Mercy & Say Yeah
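Added example, not configuration from any message in this thread: a named.conf fragment for the kind of offsite BIND slave Brad describes above, set up the way the AXFR reply at the top of the thread asks for (zone transfers refused, queries limited to a known range). The zone name corp.example, the DC address 192.0.2.10, the office networks and the file paths are assumptions; replace them with your own.

```conf
// named.conf fragment for an offsite BIND secondary of an AD DNS zone.
// Added example; the names and addresses below are placeholders.

acl "office-nets" { 192.0.2.0/24; 198.51.100.0/24; };  // networks allowed to query internal names

options {
    directory "/var/named";
    recursion no;                   // authoritative only: no open resolver on the hosted box
    allow-query { office-nets; };   // internal zone data is not answered to the whole Internet
    allow-transfer { none; };       // the weak setting is { any; }: anyone could AXFR the zone;
                                    // older BIND 9 releases default to it, so set it explicitly
    version "not disclosed";
};

// Since Windows Server 2003, AD keeps its locator records (_ldap._tcp, _kerberos._tcp, ...)
// in two zones: the domain zone and a separate _msdcs zone. Slave both, or clients will
// resolve one and fail on the other.
zone "corp.example" IN {
    type slave;
    file "slaves/corp.example.db";
    masters { 192.0.2.10; };        // the DC that holds the primary copy
    allow-notify { none; };         // masters may always NOTIFY; allow-notify adds others, so none
    allow-query { office-nets; };
    allow-transfer { none; };       // nobody downstream of this secondary may AXFR it either
};

zone "_msdcs.corp.example" IN {
    type slave;
    file "slaves/_msdcs.corp.example.db";
    masters { 192.0.2.10; };
    allow-notify { none; };
    allow-query { office-nets; };
    allow-transfer { none; };
};
```

On the Windows side the DC still has to permit the transfer to this one host: in the zone's properties the Zone Transfers tab should read "Only to the following servers" with the secondary's address, or the equivalent `dnscmd /ZoneResetSecondaries corp.example /SecureList <secondary-ip>`, repeated for _msdcs.corp.example. Windows DNS restricts transfers by source address only, so it is the address list on both ends, not a TSIG key, that does the work here. To check the BIND side, run `dig @<secondary> corp.example AXFR` from an address outside the ACL; it should end with "; Transfer failed." Two caveats worth keeping in mind: the hosting provider holds a full copy of the zone, so every internal hostname, address and DC name in it is disclosed to them, and a slave keeps answering only until the SOA expire interval runs out (Windows DNS defaults to one day), so a primary that stays down for a "good bit of time" eventually takes the secondary with it.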
[brlug-general] Offsite DNS hosting for Active Directory
We have a [common] situation where a company has a single site, has Active Directory, and only has one Domain Controller (DC). We could bring up a second DC, but there are hardware and licensing costs. That, and most AD networks that are workstation-heavy can survive quite well after a DC goes down for a good bit of time. If you exclude the fact that the DC is also the DNS primary for that network.

Anyone know of a DNS hosting service that is known to play well with hosting secondary DNS for AD DNS?

And what are your thoughts on this in terms of security? Anyone using a hosting service to provide secondary DNS capabilities for internal DNS?

---
Puryear IT, LLC - We see IT differently.
Baton Rouge, LA - 225-706-8414
http://www.puryear-it.com/