Title: RE: [ActiveDir] Forest-wide DNS records

Why don't you just let your child DNS serve as a secondary for the root (Active Directory integrated) DNS zone?
Then either you can forward directly from your production domain to your ISP or continue to forward to your root server.
You just need to ensure that your child DNS servers are allowed to receive a copy of the root DNS zone.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 16 May, 2002 00:34 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Forest-wide DNS records

Hi,
We presently have 2 domains, one empty root named root.sym and a peer domain
called sym.org
We have W2K AD-enabled DNS running on the 2 Domain Controllers in the root
domain, as well as W2K AD-enabled DNS running on 4 DCs in the production
domain (because it has 2 Sites).

DNS Forwarding in the Root
On only one of the DC/DNS servers in the root domain, called DR1, we Forward
to our ISP DNS.
There is no second Forwarder listed.

DNS Forwarding in the Production Domain
On all of the production domain DC/DNS servers we Forward first to DR1 in
the root domain.
At the time we created the Forest we found this Forwarding architecture the
only one that worked for us insofar as being able to resolve the Forest-wide
_msdcs records (hosted only on the root domain DNS servers) from the
production domain DCs.
And as we discovered early on, those DNS Forest-wide records are not part of
any AD Forest-wide naming contexts and thus never get replicated via normal
AD replication. So you have to get DNS architecture right.
Listed as a 2nd Forwarder on all of these production domain DNS servers is
the ISP DNS address.

It's my guess that all Internet lookups coming from the production domain
are being resolved by the root domain DNS servers.
While this is working for now I'm really concerned about what will happen
when our organization becomes geographically split up.
Right now resolving those Forest-wide _msdcs records from anywhere in the
production domain is no problem because bandwidth is not an issue.

The Problem
In Chapter 2 of Structural Planning for Branch Office Environments (a
Microsoft White Paper), the question of how to deal with Forwarding to the
root domain for Forest-wide record lookups in a branch-office environment is
mentioned but it doesn't quite make sense to me. It says:
It is vital that forest-wide locator records be available to every DNS
server in every site.
If the DNS servers have persistent fast connections to the DNS servers
authoritative for the _msdcs.<DNS forest-name> domain, then no special
configuration is needed. If not, you have two options.
1. You can create a separate zone for the _msdcs.<DNS forest-name> DNS domain,
and replicate it to all DNS servers in the enterprise using standard zone
transfer, or
2. You can create a separate zone called _msdcs.<DNS forest-name>, and
replicate that zone to every DNS server.

-- Not sure I see any difference between these two approaches.
The paper continues:
If you are using Active Directory integrated DNS, you can place the primary
copy of this zone in the forest root domain along with the <DNS-forest-name>
zone. You can then replicate the zone to secondary DNS servers outside the
domain using standard DNS replication. The domain controllers or DNS servers
in non-root domains will host read-only copies of the source zone.

-- How do you do that? How do you take a sub-zone of an AD-Integrated zone
and turn it into a Standard DNS zone? Recall that the _msdcs zone is a
sub-zone. Am I misreading this? This is what we could use some help with.
Does this all boil down to the fact that if we want copies of the
Forest-wide DNS records in other domains we just simply need to transform
those root domain AD-DNS servers into traditional DNS servers and then do a
standard transfer of the records to secondary zones?
Thank you,
Tom Kasmir
(I have a Visio drawing of our network.)
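Added example, not part of either message in the thread: the sequence the white paper and the reply above describe, split _msdcs.<forest> into its own zone whose primary copy lives in the forest root domain, then pull it as a standard secondary onto the child-domain DNS servers so locator lookups are answered locally instead of being forwarded to DR1. It uses the DnsServer PowerShell module (Windows Server 2012 and later, not the W2K servers in the thread, where the same steps are typed into dnscmd.exe), and every IP address and host name is a constructed placeholder.

```powershell
# Added example (not from the thread). Assumes no separate _msdcs zone exists yet,
# as in the original question, and that root.sym / sym.org are the forest root and
# child domains. All addresses below are constructed placeholders.
$RootDnsServers  = @('10.0.0.1', '10.0.0.2')     # DR1 and the second root DC/DNS
$ChildDnsServers = @('10.1.0.10', '10.1.0.11')   # production-domain DC/DNS servers
$ForestRoot = 'root.sym'
$MsdcsZone  = "_msdcs.$ForestRoot"

# --- Run on a root-domain DC/DNS server (DR1) ------------------------------------
# 1. Create _msdcs.root.sym as its own AD-integrated zone, replicated only within
#    the root domain. The _msdcs sub-domain inside root.sym is shadowed by it.
Add-DnsServerPrimaryZone -Name $MsdcsZone -ReplicationScope Domain -DynamicUpdate Secure

# 2. (Optional safety step) delegate _msdcs from the parent zone so any server that
#    holds root.sym but not the new zone still knows who is authoritative for it.
Add-DnsServerZoneDelegation -Name $ForestRoot -ChildZoneName '_msdcs' `
    -NameServer "dr1.$ForestRoot" -IPAddress $RootDnsServers[0]

# 3. Allow zone transfers only to the known child DNS servers (not to any host that
#    asks) and NOTIFY them when the zone changes.
Set-DnsServerPrimaryZone -Name $MsdcsZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $ChildDnsServers `
    -Notify NotifyServers -NotifyServers $ChildDnsServers

# 4. Make the DC re-register its locator (SRV) records into the new zone.
#    Repeat on every DC in the forest (nltest /dsregdns does the same).
Restart-Service Netlogon

# --- Run on each production-domain DC/DNS server ---------------------------------
# 5. Host a read-only standard secondary copy of the zone, pulled from the root
#    servers, so _msdcs lookups never need the forwarder to DR1.
Add-DnsServerSecondaryZone -Name $MsdcsZone -ZoneFile "$MsdcsZone.dns" `
    -MasterServers $RootDnsServers
Start-DnsServerZoneTransfer -Name $MsdcsZone -FullTransfer

# 6. Verify: the DC locator record must resolve from the child server itself.
Resolve-DnsName -Name "_ldap._tcp.dc.$MsdcsZone" -Type SRV -Server $ChildDnsServers[0]
```

Once the secondaries are in place, the production-domain forwarders can point at the ISP directly, as the reply suggests, because nothing forest-wide depends on reaching DR1 any more.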

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/