Hi, I have been lurking for about a year and have pulled a lot of knowledge and information from the list - thank you all. I do have a specific issue I wanted some opinions on regarding DNS.

Our current configuration is a 10 domain AD 2003 functional forest, with 1 empty root and 9 child domains. We have about 100 domain controllers between the domains that are in about 85 sites (in other words, except for a few hub sites most locations have only 1 DC). The majority of the sites have 50 or more users with link speeds below 256 kbps. There are 3 DCs in the empty root.

Currently we have DNS on every domain controller - partly due to the slow link speeds and partly due to the unreliability of a lot of the links. Every server has a primary zone that is AD integrated for its own domain, and a secondary zone for the root domain. The zone transfers were left at the default - every 15 minutes. This has led to 3 issues that have just started cropping up.

1) The root DC DNS servers are starting to be overwhelmed with requests, and some of the zone transfers are failing due to lack of resources.

2) Occasionally we will have a link go down for long enough to make the secondary zone stale. The DC then has problems getting a new copy of the zone, and cannot replicate properly until it gets the updated zone. This issue seems to have gone away since we went to 2K3.

3) We have a security issue at the root. Our 3 root DCs are set to allow transfers to anybody - a relatively insecure setup. We have looked at only allowing transfers to specific partners, but with over 100 DCs now, and another 400 to come online in the next 2 years, the management of this list would become a full time position.

The solution we are looking at is a forest integrated root zone. Microsoft does suggest making the msdcs zone forest integrated - which would help some.

We also have a number of users that log in cross domain, and they need to look up the delegation records to find the name servers for the other domains to either authenticate, or to access resources cross domain (i.e. we have a number of SharePoint sites in different resources that are accessible by users in all domains). With a full forest integrated root zone we should be able to solve the zone transfer problem, the unreliable link problem, and the security issue. It also should allow users to make a cross domain request on their local DC without the query going to the root to find the delegation records - decreasing network traffic.

We have run our test forest this way (20 DCs in 10 domains with 2 in the root) for 3 months with no problems.

Anybody have any comments? Is anybody else doing this? Can anybody see a potential flaw in the plan?

Thank you in advance;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
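As an added example (not from the original post or its author), the following audit script checks every DC's DNS server for the three conditions the post describes: a secondary copy of the root zone, a root zone that is AD-integrated but not forest-scoped, and any primary zone that allows zone transfers to any server. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, newer than the 2003 forest in the post) and uses "root.example" as a placeholder for the real forest root zone name.

```powershell
# Added audit example; assumes the DnsServer and ActiveDirectory modules.
# "root.example" is a placeholder: replace it with the forest root zone name.
$RootZone = 'root.example'
$Findings = @()

# In the setup described, every DC also runs DNS, so enumerate all DCs in the forest.
$Servers = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

foreach ($Server in $Servers) {
    try {
        # Skip auto-created and reverse zones; the concern is the forward zones.
        $Zones = Get-DnsServerZone -ComputerName $Server -ErrorAction Stop |
            Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
    } catch {
        $Findings += [pscustomobject]@{ Server = $Server; Zone = '-'
            Issue = "Unreachable: $($_.Exception.Message)"; Fix = '' }
        continue
    }
    foreach ($Z in $Zones) {
        # Secondary copy of the root zone: the source of the AXFR load and stale-zone problems.
        if ($Z.ZoneName -eq $RootZone -and $Z.ZoneType -eq 'Secondary') {
            $Findings += [pscustomobject]@{ Server = $Server; Zone = $Z.ZoneName
                Issue = 'Secondary copy of root zone'
                Fix = "ConvertTo-DnsServerPrimaryZone -Name $RootZone -ReplicationScope Forest -ComputerName $Server -Force" }
        }
        # Root zone stored in AD but replicated only domain-wide: not yet the forest-wide design.
        if ($Z.ZoneName -eq $RootZone -and $Z.IsDsIntegrated -and $Z.ReplicationScope -ne 'Forest') {
            $Findings += [pscustomobject]@{ Server = $Server; Zone = $Z.ZoneName
                Issue = "Replication scope is $($Z.ReplicationScope)"
                Fix = "Set-DnsServerPrimaryZone -Name $RootZone -ReplicationScope Forest -ComputerName $Server" }
        }
        # Primary zone answering zone transfers for anyone: the open-transfer security issue.
        # Once the zone replicates through AD it needs no AXFR at all, so NoTransfer is the safe setting.
        if ($Z.ZoneType -eq 'Primary' -and $Z.SecureSecondaries -eq 'TransferAnyServer') {
            $Findings += [pscustomobject]@{ Server = $Server; Zone = $Z.ZoneName
                Issue = 'Zone transfer allowed to any server'
                Fix = "Set-DnsServerPrimaryZone -Name $($Z.ZoneName) -SecureSecondaries NoTransfer -ComputerName $Server" }
        }
    }
}

$Findings | Sort-Object Server, Zone | Format-Table -AutoSize -Wrap
```

The script only reports; each Fix column holds the cmdlet that would apply the corresponding change, to be run deliberately after review rather than in bulk.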
