Without DNS, there is no Active Directory. Many organizations are aware that it is not a secure policy to expose your internal Active Directory and DNS infrastructure to external entities, especially the Internet. So there should be some means by which you can have a private Active Directory network space that is, nevertheless, tied to publicly accessible Internet servers while maintaining DNS and Active Directory security and segregation. Indeed, there is, and it's called split-brain DNS.
You construct split brain DNS by deploying two sets of DNS servers. One set is exposed to the Internet, while the other is protected from the Internet and used only on the internal private network. The external DNS server set is authoritative for the zone containing the publicly accessible systems. The internal DNS server set is authoritative over the zone(s) containing the internal private systems. However, the internal DNS server also maintains a record of all items in the overall namespace. Thus, the internal DNS server can forward requests to the external DNS servers as needed.
This is a configuration often used by ISPs, but it can also be employed in numerous situations where you need to isolate one Active Directory and DNS infrastructure from another. Whether you are maintaining isolation from the Internet, another organization or another department within your own organization, split-brain DNS may offer the division and security you need.
For more info on
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in June 2003