bad-idea

By aaron.axvig, Thu, 08/23/2007 - 03:00

I know, I know, this may seem painfully obvious to some people, but it is something I hadn't thought of doing before. Say you have a domain controller on one network and your laptop on another network across the WAN. As long as your domain controller is reachable from the Internet (in a DMZ, on a routable address, or similar), just set your laptop's primary DNS server to the IP address of your domain's DNS server. I suppose your domain controller has to be on a routable address then too (meaning you can ping it directly from anywhere in the world).

Now you should be able to open any MMC tool, like AD Users & Computers, and use it to remotely administer your domain. It would make sense that you could even set a computer's DNS entry, and even join it to the domain, from a remote location.

One implication of doing this is that all of your name resolution (converting google.com into an IP address, etc.) now relies on your DNS server staying up. Which makes me wonder how Windows uses the secondary DNS server entry. Does it wait for the first one to time out? How long would it wait?
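The fallback question above, as an added simulation that is not part of the original post and is a simplified client model rather than Windows' actual resolver logic: two stub DNS servers on loopback stand in for the domain controller (which here never answers) and a secondary server; the domain name, the timeout and the answer address are constructed values.

```python
import socket
import struct
import threading
import time

# Constructed sample values: the AD domain served by the DC's DNS, and the per-server wait.
DOMAIN = "corp.example"
TIMEOUT = 0.5  # seconds the client waits on one server before trying the next

def build_query(name, qid=0x1234):
    """Minimal RFC 1035 A query with the RD bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def start_server(answer_ip):
    """Stub DNS server on loopback; answer_ip=None models an unreachable DC (queries dropped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = sock.recvfrom(512)
            if answer_ip is None:
                continue  # the "down" DC swallows every query, so the client must time out
            qend = data.index(b"\x00", 12) + 5  # end of QNAME + QTYPE + QCLASS
            # Answer RR: pointer to the question name, type A, class IN, TTL 60, 4-byte RDATA
            rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
            resp = data[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + data[12:qend] + rr
            sock.sendto(resp, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()

def resolve(name, servers, timeout=TIMEOUT):
    """Try servers in order (primary, secondary, ...); returns (answer_ip, server_used, seconds)."""
    query = build_query(name)
    start = time.monotonic()
    for srv in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            client.settimeout(timeout)
            client.sendto(query, srv)
            try:
                data, _ = client.recvfrom(512)
            except socket.timeout:
                continue  # this server never answered; the full timeout has already been paid
        if data[:2] == query[:2] and (data[3] & 0x0F) == 0:  # same ID, RCODE NOERROR
            return socket.inet_ntoa(data[-4:]), srv, time.monotonic() - start
    return None, None, time.monotonic() - start
```

With the unanswering stub listed first, resolve(DOMAIN, [dc, secondary]) still returns the secondary's answer, but only after the full TIMEOUT has elapsed; with the order reversed the answer comes back immediately.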
