See inline below.....

(I'm cutting out a bunch of the setup info)

At TechEd 2001, I sat in a DNS Deployment session that cleared this
whole topic up for me.  The talk was by Levon Esibov of Microsoft.  If
you'd like, I can send the slide set to you, Tom.  Honestly, it has only
3 slides on this topic.

Note to list:  I'm not making this an open offer....  :-)


> The Problem
> In Chapter 2 of Structural Planning for Branch Office 
> Environments (a Microsoft White Paper), the question of how 
> to deal with Forwarding to the root domain for Forest-wide 
> record lookups in a branch-office environment is mentioned 
> but it doesn't quite make sense to me. It says:

> It is vital 
 
And, yes it IS vital!  Especially in sites in child domains!

> that forest-wide locator records be available to every DNS 
> server in every site. If the DNS servers have persistent fast 
> connections to the DNS servers authoritative for the 
> _msdcs.<DNS forest-name> domain, then no special 
> configuration is needed. If not, you have two options. 
> 1. You can create a separate zone for _msdcs.<DNS 
> forest-name> DNS domain, and replicate it to all DNS servers 
> in the enterprise using standard zone transfer or 
> 2. You can create a separate zone called _msdcs.<DNS forest-name>, and 
> replicate that zone to every DNS server. 
> 
> -- Not sure I see any difference between these two 
> approaches.

I don't see the big difference between the two either.

> The paper continues: If you are using Active 
> Directory integrated DNS, you can place the primary copy of 
> this zone in the forest root domain along with the 
> <DNS-forest-name> zone. You can then replicate the zone to 
> secondary DNS servers outside the domain using standard DNS 
> replication. The domain controllers or DNS servers in 
> non-root domains will host read-only copies of the source zone.
> 
> -- How do you do that? 

> How do you take a sub-zone of an 
> AD-Integrated zone and turn it into a Standard DNS zone? 

Allow the AD-integrated zone to ACT AS the primary zone and create a
standard secondary DNS server to which the _msdcs zone is delegated.
Create the domain as _msdcs.<forest name>

> Recall that the _msdcs zone is a sub-zone. Am I mis-reading 
> this? This is what we could use some help with. Does this all 
> boil down to the fact that if we want copies of the 
> Forest-wide DNS records in other domains we just simply need 
> to transform those root domain AD-DNS servers into 
> traditional DNS servers and then do a standard transfer of 
> the records to secondary zones? 

Don't (for lack of a better term) 'downgrade' your AD domains to Standard
domains.  Just create a secondary zone on the DNS server (let's make no
mistake - a Windows 2000 DNS server can host a primary, a secondary AND an
AD domain - all concurrently!) and allow the zone to be hosted as a
secondary, set up the notify, etc. and let it work.

BTW, I don't remember if the Branch Office Deployment Guide tells you
WHY you should do this.  If the remotes in the other domains should
become cut off from the forest DNS, then it makes it kind of hard for
the locals to locate the GC and, in some cases, other DC replication
partners.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
"Any sufficiently advanced technology
is indistinguishable from magic."
  ---  Arthur C. Clarke
> Thank you,
> Tom Kasmir
> (I have a Visio drawing of our network.)
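The configuration Rick describes above (leave the AD-integrated copy of _msdcs.<forest name> as the primary in the forest root, host it as a standard secondary on the child-domain DNS servers, set up notify, and check that the GC locator record resolves locally), written out as an added example that is not part of the original thread. The forest name corp.example.com, the server addresses 10.0.0.10 and 10.1.0.10, and the zone file name are assumptions; the cmdlets are from the DnsServer PowerShell module (Windows Server 2012 and later), so on the Windows 2000 servers the thread discusses the same steps would be done with dnscmd or the DNS console.

```powershell
# Added example, not code from the original thread. Assumed names:
# forest root corp.example.com, root DNS server 10.0.0.10 (AD-integrated
# primary), child-domain DNS server 10.1.0.10 (standard secondary).
# Requires the DnsServer module (Windows Server 2012 or later).

$Forest    = 'corp.example.com'
$MsdcsZone = "_msdcs.$Forest"
$RootDns   = '10.0.0.10'       # holds the AD-integrated copy of the zone
$ChildDns  = @('10.1.0.10')    # secondaries in the child-domain site(s)

# --- Forest-root DNS server ---------------------------------------------
# The AD-integrated zone stays the primary. Restrict zone transfers to the
# listed secondaries and notify them on change; allowing transfer to any
# server would hand the complete DC/GC layout of the forest to anyone who
# asks for an AXFR.
Set-DnsServerPrimaryZone -Name $MsdcsZone -ComputerName $RootDns `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $ChildDns `
    -Notify NotifyServers -NotifyServers $ChildDns

# --- Each child-domain DNS server ----------------------------------------
# A file-backed secondary alongside the server's own AD-integrated zones;
# nothing is 'downgraded'.
foreach ($Server in $ChildDns) {
    Add-DnsServerSecondaryZone -Name $MsdcsZone -ZoneFile "$MsdcsZone.dns" `
        -MasterServers $RootDns -ComputerName $Server
    Start-DnsServerZoneTransfer -Name $MsdcsZone -FullTransfer -ComputerName $Server

    # --- Verify from the child site -------------------------------------
    # The GC locator record is the one the local clients must still find
    # when the link to the forest-root DNS servers is down.
    Resolve-DnsName -Name "_ldap._tcp.gc.$MsdcsZone" -Type SRV -Server $Server
    Get-DnsServerZone -Name $MsdcsZone -ComputerName $Server |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
}
```

The transfer restriction only has something to apply to once _msdcs.<forest name> is its own zone rather than a subdomain of the forest-root zone, which is why the thread's first step is to create it as a separate zone. Running the Resolve-DnsName check against each child-site server, rather than against the root, is what confirms the records are served from the local secondary and not just forwarded.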

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
