OK, so to make sure I'm understanding you Roger, desired changes would be

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc. to prevent islanding.

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find "itself" then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!

<mc>
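As an added example (not code from the thread or either poster), a PowerShell audit that checks every DC in the forest against the two points Roger raised: a DC whose primary DNS server is itself (island risk) and DNS entries pointing at DCs of a different domain. It assumes the ActiveDirectory module, CIM/WinRM access to each DC, and the Issue labels are my own naming.

```powershell
# Added example: audit DC DNS client settings for islanding and cross-domain pointers.
# Assumes: ActiveDirectory module installed, CIM/WinRM reachable on every DC.
Import-Module ActiveDirectory

# Lookup of IPv4 address -> (hostname, domain) for every DC in the forest
$dcByIp = @{}
foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        if ($dc.IPv4Address) {
            $dcByIp[$dc.IPv4Address] = [pscustomobject]@{ Host = $dc.HostName; Domain = $domain }
        }
    }
}

$findings = foreach ($ip in $dcByIp.Keys) {
    $me = $dcByIp[$ip]
    # Read the DNS client server list from the DC itself (IPv4 interfaces with servers set)
    $cfg = Get-DnsClientServerAddress -CimSession $me.Host -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($nic in $cfg) {
        $servers = @($nic.ServerAddresses)
        # Rule 1 (island risk): the primary entry must not be the DC's own address
        if ($servers[0] -eq $ip -or $servers[0] -eq '127.0.0.1') {
            [pscustomobject]@{ DC = $me.Host; Interface = $nic.InterfaceAlias
                               Issue = 'Island'; Detail = "primary DNS is itself ($($servers[0]))" }
        }
        # Rule 2 (cross-domain): every entry should be a DC of the same domain
        foreach ($s in $servers) {
            if ($s -eq $ip -or $s -eq '127.0.0.1') { continue }
            $target = $dcByIp[$s]
            if ($null -eq $target) {
                [pscustomobject]@{ DC = $me.Host; Interface = $nic.InterfaceAlias
                                   Issue = 'NotADC'; Detail = "$s is not a DC in this forest" }
            } elseif ($target.Domain -ne $me.Domain) {
                [pscustomobject]@{ DC = $me.Host; Interface = $nic.InterfaceAlias
                                   Issue = 'CrossDomain'; Detail = "$s is $($target.Host) in $($target.Domain)" }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

An empty table means every DC lists only other DCs of its own domain, which is the end state Mark describes above.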
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:

-------------------------------------------------------------- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

 
________________________________

        From: Creamer, Mark [mailto:[EMAIL PROTECTED] 
        Sent: Monday, June 07, 2004 3:34 PM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Best Practice: DNS settings
        
        

        I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

         

        1.      All DCs are running AD-integrated DNS 
        2.      Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary 

<RDS>This generally leads to creating the island DC issue - where the
DC's can lose each other. I find it much safer to point DC's to
different DC's for DNS in all cases. There is supposedly a fix in Win2k3
for this issue, but I still don't like to do it.

        3.      Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary 

<RDS>Again - see the statement above. Strikes me that you'd want to
point to DC's within the same domain, not cross domains, whenever
possible.


        4.      On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain 

<RDS>That's pretty clean - no reason to change that.

        5.      Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ 

<RDS>I find that multiple layers of forwarding gets, well, ugly. I've
seen a number of weird issues with that process over the years. You
don't mention whether this is a contiguous namespace or not. Some of
this also depends on if its an empty root or a domain containing
resources and users.

         

        Are there any flaws to this design that someone can point out to me? Or is it OK? Thanks, as always...

         

        Mark Creamer

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
