Preferably I would only make secondaries of _msdcs.forestname.com on the other child domain controllers. There is no need to replicate the entire forest root domain to the other (child/secondary) DNS servers, especially when these would be forwarding to the root DNS servers anyway.
Now remember, to do this you would have to delete and recreate the subdomains as zones, e.g. _msdcs.forestname.com, _tcp.forestname.com etc., and of course one forestname zone. In essence, you would end up with 5 zones under your forest root with all aliases, A and NS records, and the other 7 delegations for your forest's zone, underscore zones and child domains.
Of course, some assumptions here are ADI zones, secure updates etc.
However, I would do this at a later date once you have resolved your current setup issues.
----Original Message Follows----
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings
Date: Mon, 7 Jun 2004 16:26:10 -0400
I would set up a secondary zone for the root on every DC - this simplifies a lot of replication issues. We have recently gone to a forest integrated zone for the root to avoid zone transfer security issues and that seems to be working very well for us.
Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]
From: "Creamer, Mark" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 06/07/2004 04:16 PM AST
Please respond to: ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Best Practice: DNS settings
OK, so to make sure I'm understanding you Roger, the desired changes would be:
Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc., to prevent islanding.
Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find "itself" then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.
On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?
Finally, should each domain have secondary zones for the other domains (root and subs)?
Thanks again!
<mc> -----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings
Answers are inline:
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
________________________________
From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings
I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:
1. All DCs are running AD-integrated DNS
2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary
<RDS> This generally leads to creating the island DC issue, where the DCs can lose each other. I find it much safer to point DCs to different DCs for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.
3. Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary
<RDS> Again, see the statement above. Strikes me that you'd want to point to DCs within the same domain, not across domains, whenever possible.
4. On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain
<RDS> That's pretty clean, no reason to change that.
5. Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ
<RDS> I find that multiple layers of forwarding get, well, ugly. I've seen a number of weird issues with that process over the years. You don't mention whether this is a contiguous namespace or not. Some of this also depends on whether it's an empty root or a domain containing resources and users.
Are there any flaws to this design that someone can point out to me? Or is it OK? Thanks, as always...
Mark Creamer
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
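The thread's central point is Roger's warning about "island" DCs: a domain controller whose preferred DNS server is itself, or whose DNS servers sit in another domain, can lose sight of its peers. The following is an added example, not code from anyone in the thread, that encodes that advice as an audit over a constructed inventory of DCs. It models Mark's layout (an empty root domain.com plus sub1, sub2 and sub3, three DCs each; all host names are hypothetical) twice: once as the configuration described in his original items 2 and 3, and once as the fix he proposes (each DC pointing only at the two other DCs of its own domain). The "at least two other same-domain DCs" rule is this example's own threshold, not something the thread states.

```python
"""Audit DNS client settings on domain controllers for the island-DC pattern.

Added example, not from the mailing-list thread. The inventories are
constructed; in practice the same check would be fed the DNS client list
gathered from each DC (for example the output of Get-DnsClientServerAddress).
"""
from dataclasses import dataclass


@dataclass
class DomainController:
    name: str          # FQDN of the DC, e.g. "dc1.domain.com" (hypothetical)
    domain: str        # AD DNS domain the DC belongs to
    dns_servers: list  # DNS client list, preferred server first, as DC FQDNs


def audit_dns_clients(dcs):
    """Return {dc_name: [findings]}; an empty list means the DC looks clean."""
    by_name = {dc.name: dc for dc in dcs}
    findings = {}
    for dc in dcs:
        issues = []
        if not dc.dns_servers:
            issues.append("no DNS servers configured")
        else:
            # Roger's point: a DC that resolves through itself first can island.
            if dc.dns_servers[0] == dc.name:
                issues.append("preferred DNS server is itself (island DC risk)")
            for srv in dc.dns_servers:
                target = by_name.get(srv)
                if target is None:
                    issues.append(f"{srv} is not a known DC")
                elif target.domain != dc.domain:
                    issues.append(f"{srv} is a DC in another domain ({target.domain})")
            # Example's own threshold: at least two other same-domain DCs.
            same_domain_peers = {
                s for s in dc.dns_servers
                if s != dc.name and s in by_name and by_name[s].domain == dc.domain
            }
            if len(same_domain_peers) < 2:
                issues.append("fewer than two other same-domain DCs listed for DNS")
        findings[dc.name] = issues
    return findings


DOMAINS = ["domain.com", "sub1.domain.com", "sub2.domain.com", "sub3.domain.com"]


def dc_name(i, domain):
    return f"dc{i}.{domain}"


def inventory_before():
    """Constructed: the setup from the original question (items 2 and 3)."""
    root_dcs = [dc_name(i, "domain.com") for i in (1, 2, 3)]
    dcs = []
    for domain in DOMAINS:
        for i in (1, 2, 3):
            me = dc_name(i, domain)
            if domain == "domain.com":
                # Root DC: itself first, another root DC as secondary.
                dcs.append(DomainController(me, domain, [me, root_dcs[i % 3]]))
            else:
                # Subdomain DC: itself first, a root DC as secondary.
                dcs.append(DomainController(me, domain, [me, root_dcs[0]]))
    return dcs


def inventory_after():
    """Constructed: the proposed fix, each DC lists the two other DCs of its domain."""
    dcs = []
    for domain in DOMAINS:
        names = [dc_name(i, domain) for i in (1, 2, 3)]
        for me in names:
            dcs.append(DomainController(me, domain, [n for n in names if n != me]))
    return dcs


def problem_count(findings):
    """Number of DCs with at least one finding."""
    return sum(1 for issues in findings.values() if issues)


if __name__ == "__main__":
    for label, inv in (("before", inventory_before()), ("after", inventory_after())):
        result = audit_dns_clients(inv)
        print(f"{label}: {problem_count(result)} of {len(inv)} DCs flagged")
        for name, issues in result.items():
            for issue in issues:
                print(f"  {name}: {issue}")
```

Run stand-alone it reports every one of the twelve constructed "before" DCs and none of the "after" DCs; the per-DC messages show which of the three rules fired, so the same function can be pointed at a real export to see whether a forest matches the configuration Roger recommends.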
