Hi,

We presently have 2 domains, one empty root named root.sym and a peer domain called sym.org. We have W2K AD-enabled DNS running on the 2 Domain Controllers in the root domain, as well as W2K AD-enabled DNS running on 4 DCs in the production domain (because it has 2 Sites).

DNS Forwarding in the Root

On only one of the DC/DNS servers in the root domain, called DR1, we Forward to our ISP DNS. There is no second Forwarder listed.

DNS Forwarding in the Production Domain

On all of the production domain DC/DNS servers we Forward first to DR1 in the root domain. At the time we created the Forest we found this Forwarding architecture the only one that worked for us insofar as being able to resolve the Forest-wide _msdcs records (hosted only on the root domain DNS servers) from the production domain DCs. And as we discovered early on, those DNS Forest-wide records are not part of any AD Forest-wide naming contexts and thus never get replicated via normal AD replication. So you have to get DNS architecture right.

Listed as a 2nd Forwarder on all of these production domain DNS servers is the ISP DNS address. It's my guess that all Internet lookups coming from the production domain are being resolved by the root domain DNS servers.

While this is working for now I'm really concerned about what will happen when our organization becomes geographically split up. Right now resolving those Forest-wide _msdcs records from anywhere in the production domain is no problem because bandwidth is not an issue.

The Problem

In Chapter 2 of Structural Planning for Branch Office Environments (a Microsoft White Paper), the question of how to deal with Forwarding to the root domain for Forest-wide record lookups in a branch-office environment is mentioned, but it doesn't quite make sense to me. It says:

    It is vital that forest-wide locator records be available to every DNS server in every site. If the DNS servers have persistent fast connections to the DNS servers authoritative for the _msdcs.<DNS forest-name> domain, then no special configuration is needed. If not, you have two options.
    1. You can create a separate zone for _msdcs.<DNS forest-name> DNS domain, and replicate it to all DNS servers in the enterprise using standard zone transfer, or
    2. You can create a separate zone called _msdcs.<DNS forest-name>, and replicate that zone to every DNS server.

-- Not sure I see any difference between these two approaches.

The paper continues:

    If you are using Active Directory integrated DNS, you can place the primary copy of this zone in the forest root domain along with the <DNS-forest-name> zone. You can then replicate the zone to secondary DNS servers outside the domain using standard DNS replication. The domain controllers or DNS servers in non-root domains will host read-only copies of the source zone.

-- How do you do that? How do you take a sub-zone of an AD-Integrated zone and turn it into a Standard DNS zone? Recall that the _msdcs zone is a sub-zone. Am I misreading this? This is what we could use some help with.

Does this all boil down to the fact that if we want copies of the Forest-wide DNS records in other domains we just simply need to transform those root domain AD-DNS servers into traditional DNS servers and then do a standard transfer of the records to secondary zones?

Thank you,
Tom Kasmir
(I have a Visio drawing of our network.)

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
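Whatever zone layout is chosen for _msdcs.<forest>, the thing to verify afterwards is the one the white paper insists on: every DNS server in every site must answer for the forest-wide locator records. The script below is an added example, not part of the post or of the white paper; it assumes the modern DnsClient cmdlets (the original W2K environment would use nslookup) and uses placeholder server names.

```powershell
# Added example (not from the original post): query each DNS server in the forest
# directly for the forest-wide locator records under _msdcs.<forest> and report
# which servers can and cannot resolve them. Assumes Resolve-DnsName (Windows 8 /
# Server 2012 or later). Server names below are placeholders for the real DC list.
$ForestDnsName = 'root.sym'                                         # forest root zone from the post
$DnsServers    = @('dr1.root.sym', 'dc1.sym.org', 'dc2.sym.org')    # placeholders

# Forest-wide records that DCs in every domain rely on: SRV records for the DC,
# GC and PDC locators, and the A record for the global catalog alias.
$Checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$ForestDnsName";  Type = 'SRV' },
    @{ Name = "_ldap._tcp.gc._msdcs.$ForestDnsName";  Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$ForestDnsName"; Type = 'SRV' },
    @{ Name = "gc._msdcs.$ForestDnsName";             Type = 'A'   }
)

function Test-ForestLocatorRecords {
    param([string[]]$Servers, [hashtable[]]$Records)
    foreach ($srv in $Servers) {
        foreach ($rec in $Records) {
            try {
                # -DnsOnly bypasses the local resolver cache so the named server is really asked.
                $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type `
                                           -Server $srv -DnsOnly -ErrorAction Stop
                $targets = ($answers | Where-Object Type -eq $rec.Type | ForEach-Object {
                                if ($rec.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress }
                            }) -join ', '
                [pscustomobject]@{ Server = $srv; Record = $rec.Name; Status = 'OK';   Answer = $targets }
            } catch {
                # A FAIL row is the branch-office symptom the post worries about: a DNS
                # server that cannot reach the _msdcs data when the link to the root is slow or down.
                [pscustomobject]@{ Server = $srv; Record = $rec.Name; Status = 'FAIL'; Answer = $_.Exception.Message }
            }
        }
    }
}

Test-ForestLocatorRecords -Servers $DnsServers -Records $Checks | Format-Table -AutoSize
```

Run it from a workstation that can reach every DC; a server that returns FAIL for the _msdcs names while still resolving its own domain zone is the one that needs a secondary or AD-integrated copy of the _msdcs zone.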
