We're going to be transitioning our domain(s) to Server 2012 (from 2003 and 2008). We'll have 2 servers running Server 2012.
1: A file server and primary domain controller.
2: A WSUS server, remote desktop services server, and domain controller. (I know it's not recommended to run WSUS on a domain controller - we may move WSUS to a different server.)
Both servers will be running DNS, but only to resolve names in our own domain. We use an external DNS to resolve stuff on the internet. The domain controllers are generally firewalled off from incoming connections from the internet, but they must be able to reach out (such as to grab Windows Updates, since we don't store them on the WSUS server), so they need to have the external DNS servers added to their network adapters' settings.
To make things a bit clearer, assume the following:
Our first server has an IP of A.B.C.X
Our second server has an IP of A.B.C.Y
Our first external DNS is A.B.Z.X
Our second external DNS is A.B.Z.Y
We disable recursion (which also disables forwarders) in the DNS (server) config. Our domain is running on the A.B.C subnet (/24). When we configure the DNS servers on the network adapters of the domain controllers, we currently use (for the first server):
1: A.B.C.Y (the second server's IP)
2: A.B.Z.X (the first DNS that resolves external names)
3: 127.0.0.1 (loopback)
4: A.B.Z.Y (the second DNS that resolves external names)
The second server is the same, except its first entry is A.B.C.X (the first server's IP).
This all seems to work, but the Best Practices Analyzer throws warnings about the external DNS entries not being able to resolve things in the local namespace (stuff on our domain), listing the potential impact as directory resources being unavailable. There are corresponding compliant entries in the BPA results showing that the first and second domain controllers are able to resolve those names.
Should we ignore the BPA warnings? We don't want the external DNS to be able to resolve our local names. Only our domain controllers should do that. Client machines will resolve our stuff via the domain controllers (set on their network adapters as the primary and secondary DNS servers), and resolve external stuff via the external DNS servers (A.B.Z.X and A.B.Z.Y, set on their network adapters as the 3rd and 4th DNS servers).
This is basically our setup now (2003 and 2008), but the BPA warnings in 2012 have left me confused.
Any advice?
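The check the BPA is performing can be reproduced by hand: for every DNS server listed on the domain controller's adapters, ask that server (and only that server) for the domain's LDAP SRV record and see whether it answers. The script below is an added example, not code from the original post; it assumes it is run in PowerShell 3.0 or later on a Windows Server 2012 domain controller with the DnsClient cmdlets available, and it takes the domain name from the USERDNSDOMAIN environment variable.

```powershell
# Added example: report, per adapter and in configured order, whether each DNS
# server on this domain controller can resolve the AD locator SRV record.
# This is read-only; it changes nothing on the server.

function Test-DcDnsServerList {
    param(
        # Domain to test; defaults to the domain this machine is joined to.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # The record every domain member and DC uses to locate a domain controller.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"

    # IPv4 DNS servers from every adapter that has any configured. The order of
    # ServerAddresses is the order the DNS client tries them in.
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($adapter in $adapters) {
        $position = 0
        foreach ($dns in $adapter.ServerAddresses) {
            $position++
            $row = [pscustomobject]@{
                Interface  = $adapter.InterfaceAlias
                Position   = $position
                DnsServer  = $dns
                ResolvesAD = $false
                Detail     = ''
            }
            try {
                # -Server pins the query to this one address; -DnsOnly and
                # -NoHostsFile bypass the local cache and hosts file so the
                # answer reflects what that server actually returns.
                $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $dns `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
                $targets = $answer |
                    Where-Object { $_.Type -eq 'SRV' } |
                    ForEach-Object { $_.NameTarget }
                $row.ResolvesAD = ($targets.Count -gt 0)
                $row.Detail = ($targets -join ', ')
            }
            catch {
                # A name error or timeout from this server lands here.
                $row.Detail = $_.Exception.Message
            }
            $row
        }
    }
}

Test-DcDnsServerList | Format-Table -AutoSize
```

Run it in an elevated PowerShell window on each domain controller. Rows with ResolvesAD set to False are the external resolvers the BPA is flagging; the partner DC and 127.0.0.1 should show True with the DCs' host names in Detail. The reason the position column matters is that the Windows DNS client only moves on to the next server when one fails to respond: a name error from an external server that is not authoritative for the domain is still an answer, so a lookup for a domain-internal name sent to that server is not retried against the domain controllers, which is the "directory resources unavailable" impact the BPA describes.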