>>Why is it not a good idea to store zone data in AD?

For the simple fact that I can use it as a vector to introduce malicious contents into the secondarying AD.

>>Why not exploit a modern replication engine?

Modern, legacy. Does it really matter which one we go through?

>>The admin. overhead to your approach seems high

I don't see the overhead, especially since I have now learnt that you could AD-intg this and have it replicate to all participating servers. Everything after that is simply normal DNS install/config. Even if I grant you that, I still think that the fact that Cond-fwd (I made that up. Tired of typing) makes the server less overloaded (and therefore more responsive) than when using Stubs balances this out. I know I do not have to list all the advantages of cond-fwd for you - you prolly wrote the specs on that, for all I know. However, in this disjointed namespace scenario under discussion, I do not see how Stubs can achieve superior results compared to cond-fwd.

>>thus stubs self-learning, fault-tolerant replication, granular replication, appreciative of rules (Sites, Subnets, Site-links etc.)

Yeah, stubs are cool and beautiful and all that. So, why are we still asking for AD-intg secondaries if Stubs are good enough?

And, yeah, I meant to say keys, not hives. As for exporting it instead of AD-intg, my blinkers were foggy. I got used to the regular way of doing it, and I've never had the need to do it another way. Now I know :(

Sincerely,

Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 11/19/2004 10:13 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Much of your reply surprises me and reminds me of past dealings with those blinkered by the limitations of BIND ;-)

I really don't know where to begin ... conditional forwarding is a Q&D solution in my opinion (what does it offer that stubs don't? There are some features, but are they what motivate your recommendation?). In addition, why export the conditional forwarders, why not AD integrate those as well (you also said "hive", I hope you mean key :-)?

The admin. overhead to your approach seems high; look for ways of allowing the system to maintain these things for you ... thus stubs: self-learning, fault-tolerant replication, granular replication, appreciative of rules (Sites, Subnets, Site-links etc.)

Why is it not a good idea to store zone data in AD? Why not exploit a modern replication engine?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

How many new DCs are you adding per day/week/month? :)

If I were doing this, Stub or Secondaries would take a back-seat. I would be investing in Conditional Forwarding. I would have all my other DNS servers forward unresolved queries to one or (ideally) 2 of MY DNS servers. On those 2 designated DNS servers, I will configure Conditional Forwarders for all the foreign zones hosted on the Unix boxen and specify the Unix boxes as the DNS servers to forward the queries to. QED. No messing with secondaries or notify or such any more from then on.

When I introduce a new DC/DNS server into my environment, all I will need to do is configure it to forward to MY designated DNS servers. When I want to add more designated servers, I don't have to recreate the conditionally-forwarded zones. They are stored in the registry of the existing designated servers, so I will just go export and import the hive as necessary.

Of course, all my rants above are predicated on your designated DNS servers being W2K3 servers.

I don't think the problem of AD-intg secondaries is simply technical feasibility. I think (shut up, Al :)) it is more of practicality. Post-NT, you typically create secondaries for foreign zones [1]. Since the zones you are secondarying are "foreign", I think storing that foreign information in your AD is not a good idea.

[1] I disagree with Minasi's recommendation of creating secondaries of every zone on every DNS server in a parent-child environment, but that's out of the scope of this discussion.

Sincerely,

Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 8:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Because I have a couple of dozen remote DCs that serve DNS for their locations. Our unix boxes are in a DNS zone that is handled by a bind/unix server. All of my DCs carry this zone as a secondary. This works fine, but it is a bit of a pain to maintain. I have to remember to configure the zone on any new DCs, and I have to have the unix guys add a "notify" line on the bind server for the new DCs (OK, I don't HAVE to do the notify part...). Plus, replication of the zone is handled by DNS instead of the much more efficient AD replication.

Ever since laying eyes on w2k3 DNS server, I've always wondered why the developers didn't allow for integrated secondaries. Don't get me wrong, integrated stubs are great, but between the two, I'd have thought integrated secondaries would have been the more desirable. I just assumed I was missing some technical reason that made it unfeasible.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Because when it's integrated, there is no concept of "secondaries" as we understood it to be in the pre-2Kx world. It's there in AD, and any DC can see and write to it. Now, if you are secondarying the zones on another server located in another forest/network, why would you want to store that info in your own AD? You will not be modifying that zone locally on the secondary anyway. Or, are you intending to?

Sincerely,

Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

OK, integrated stub zones are cool, but I'm curious - why did MS stop there? Why no integrated secondaries?
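The three shapes argued over in this thread (a conditional forwarder, a stub zone, and a classic secondary for a foreign zone), together with Deji's "designated servers" layout and Dean's point that the forwarder itself can be AD-integrated so new DCs inherit it, as an added example that is not part of the thread. It is written for the DnsServer PowerShell module of Windows Server 2012 and later rather than the 2003-era dnscmd and registry export the posters used; every host name and address below is a constructed placeholder.

```powershell
# Added example, not from the thread. Uses the DnsServer module (Windows Server 2012+);
# the 2003 servers discussed on the list were managed with dnscmd and registry export.
# All host names and addresses are constructed placeholders.

$ForeignZone   = 'unix.example.test'                                 # zone held on the BIND servers
$BindMasters   = '192.0.2.53', '192.0.2.54'                          # BIND servers authoritative for it
$Designated    = 'dns1.corp.example.test', 'dns2.corp.example.test'  # the two "designated" servers
$DesignatedIPs = '198.51.100.10', '198.51.100.11'
$RemoteDCs     = 'dc-site01.corp.example.test', 'dc-site02.corp.example.test'

function Publish-ForeignZone {
    # Creates the foreign zone on one DNS server in one of the three shapes discussed.
    # A DNS server holds a single zone object per name, so the modes are alternatives,
    # not layers; switching modes requires Remove-DnsServerZone first.
    param(
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][string[]] $Masters,
        [ValidateSet('ConditionalForwarder', 'Stub', 'Secondary')]
        [string] $Mode = 'ConditionalForwarder',
        [string] $ComputerName = $env:COMPUTERNAME
    )
    switch ($Mode) {
        'ConditionalForwarder' {
            # Stored in the forest DNS partition and replicated to every DNS-enabled DC, so a
            # new DC picks it up on its own. AD holds only the name and the master addresses.
            Add-DnsServerConditionalForwarderZone -Name $Name -MasterServers $Masters `
                -ReplicationScope 'Forest' -ComputerName $ComputerName
        }
        'Stub' {
            # Also AD-integrated. AD holds only the SOA, NS and glue records, which the stub
            # refreshes from the masters itself; the body of the foreign zone never enters AD.
            Add-DnsServerStubZone -Name $Name -MasterServers $Masters `
                -ReplicationScope 'Forest' -ComputerName $ComputerName
        }
        'Secondary' {
            # Ken's current setup: file-backed, cannot be AD-integrated, a full copy of the zone
            # pulled by zone transfer, and it has to be created on every DC by hand.
            Add-DnsServerSecondaryZone -Name $Name -ZoneFile "$Name.dns" `
                -MasterServers $Masters -ComputerName $ComputerName
        }
    }
}

# 1. One designated server learns the foreign zone once; AD replication carries the
#    forwarder object to the second designated server and to every other DNS-enabled DC.
Publish-ForeignZone -Name $ForeignZone -Masters $BindMasters -Mode ConditionalForwarder `
    -ComputerName $Designated[0]

# 2. Every other DC forwards unresolved queries to the designated pair and carries nothing
#    zone-specific of its own. Note that Set-DnsServerForwarder replaces the whole forwarder
#    list on that server; use Add-DnsServerForwarder to append instead.
foreach ($dc in $RemoteDCs) {
    Set-DnsServerForwarder -IPAddress $DesignatedIPs -ComputerName $dc
}

# 3. Check: once replication has converged, each DNS-enabled DC should report the zone as
#    AD-integrated with forest scope and the BIND servers as its masters.
foreach ($srv in $Designated + $RemoteDCs) {
    Get-DnsServerZone -Name $ForeignZone -ComputerName $srv -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Server'; e = { $srv }}, ZoneName, ZoneType, IsDsIntegrated,
                      ReplicationScope, @{n = 'Masters'; e = { $_.MasterServers -join ',' }}
}
```

The check in step 3 is the one worth keeping: a server that shows the zone with `IsDsIntegrated` false, or with a master list other than the BIND servers, was configured by hand or edited locally, which is exactly the drift the AD-integrated approach is meant to remove. It also shows what each shape actually places in AD: the forwarder and stub objects carry delegation and master data only, while the secondary keeps the whole foreign zone in a local file outside AD.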
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
