Cynthia,

Firstly, because I have to ask, are you aware that creating separate domains in a forest does not guarantee security and autonomy? Domains in Win2k are not the same as domains in NT 4.0. Synonymous to the domain in NT 4.0 is the Forest in Windows 2000.

With that said, and moving forward with your question - You COULD use a single DNS server in the empty root. Each domain that you create CAN register its domain in the single server, but - by all means - have a minimum of two DCs in that domain and AD integrate the DNS data.

Or, it is entirely feasible to have an AD integrated DNS for EACH domain. Letting each domain control its own DNS is not a bad move either. It's not like DNS is a hugely taxing process. Choose to forward the two 'user' domains to the empty root DNS, then forward out from there to the Internet, thereby controlling your points of access.

Feel free to e-mail directly if you have more pointed questions.

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
mailto:[EMAIL PROTECTED]

"Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rittenhouse, Cindy
Sent: Monday, January 14, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS design in multidomain forest

My question is a little basic for this site, but I am hoping all your expertise will help me design the most efficient active directory structure. I currently have 2 NT domains, one for county government, the other for county police agencies. We plan to create a single forest with 3 trees: an empty root and the 2 existing NT domains. Certain county agencies need access to police servers, and the police need access to certain county servers. All users require intranet access, but only select workstations and users are to have internet access.

My quandary is the placement of DNS servers. Do I create one primary DNS server in the null root and secondary DNS servers in the other domains, or do I create a DNS server for each domain and make it active directory integrated?
If DNS is active directory integrated, how do users in domain 2 locate resources in domain 3? How will I differentiate users that need internet access from those who do not? We still have hundreds of NT and 98 clients. I'd like to examine all possible scenarios and the pros and cons of each. After reading all your entries over the past several months, I know that if I don't get the DNS setup correct, my active directory will be a disaster.

Currently, workstations from each domain that need internet get a DNS server that forwards requests hard coded in the TCP/IP configuration. All others get a local DNS server that does not forward requests.

Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/