When a DNS server is deployed in an organization that has only one DNS domain, the configuration of the DNS server is not quite complicated. The DNS administrators can simply install the DNS server, create a primary DNS zone, and can configure the DNS server to update the DNS records in its database either automatically or manually.
The DNS administrators can restrict the DNS client computers from automatically registering their records to the DNS database if the network infrastructure has active directory domain controller, and uses client/server architecture. On the other hand, if the DNS server is installed in a workgroup network environment, no such option is available.
In E-Commerce or Online Shopping Organization
In an organization that has multiple external users subscribed with it, such as an online shopping store or any such e-commerce website, it is important that the DNS administrators should create a secondary DNS zone and place it in the perimeter network. Since the secondary DNS zone is a read-only copy of the primary DNS zone and receives its updates only from the primary zone, and the perimeter network is considered less secure as compared to the network that is behind the firewall, the chances of the DNS records getting corrupted are almost null. Also, since the secondary DNS zone is not a read/write copy of the DNS database, the hackers are unable to add the fake DNS records to the DNS server.
In Multi-Domain Organization
The DNS implementation described in the above scenarios is standard. No matter what type of organization you are working with, or which type of network infrastructure the organization has, you are required to place the DNS server and configure it accordingly in order to get the best out of it.
In a multi-domain organization, the above discussed DNS implementation can be integrated (or should be integrated as per the recommendations). Along with the above, another instance of secondary DNS zone must also be placed in the other domains that the entire forest may have.
For example, if a forest named Microsoft.com has two domains namely Microsoft.com and Passport.com, a secondary DNS zone of the Microsoft.com must be placed within the Passport.com domain, and the secondary DNS zone of the Passport.com domain must be placed within the Microsoft.com domain in order to have a proper name resolution system.
Nonetheless, one instance of the secondary DNS zone from each domain must be placed in the perimeter network in case the organization allows external users to communicate with the e-commerce website that the organization may have.