> >> thus stubs self-learning, fault-tolerant replication, granular
> >> replication, appreciative of rules (Sites, Subnets, Site-links etc.)
> Yeah, stubs are cool and beautiful and all that. So, why are we still asking for AD-intg secondaries if Stubs are good enough?

Why do we still want integrated zones? Or even integrated secondary zones? Because we want all records for a zone, including CNAME, MX, etc. Stubs by definition don't hold those records. You would have to query the server that holds the stub, and that would forward the query on (much like a caching server, right?). But you do get a read-only copy of the SOA, NS, and A RRs, which might take care of much of what you want to resolve for.

Integrated zones are nice since they can be updated anywhere they live. They can also suck because they can be updated anywhere they live. All DCs are authoritative (generally speaking, of course). But darned if they aren't convenient (security folks should likely jump out of their skin on that statement ;)

Personally, I don't often see the benefit of integrated secondary zones. I can see the argument that, "Hey, I already have a DNS host there and wouldn't it be efficient to host a secondary there? And gee, it sure was easy to use the AD integrated replication, so wouldn't it be cool if I could do that too?" Makes sense on some levels. But secondaries are pretty much becoming obsolete in many uses. Why put the effort into it? Replicated stubs could be great if I don't need those extra records. Forwarders would be just as good in practice. Slightly more traffic could traverse the WAN, but not likely enough to make a difference and sway the thinking IMHO.

Fascinating conversation though. I never fail to pick up some jewel of information...

Oh yeah, the original question that started this landslide: "OK, integrated stub zones are cool, but I'm curious - why did MS stop there? Why no integrated secondaries?" I suppose only Microsoft can really answer that, although Dean's answer is likely the one you'll hear on any given day. "Because," to paraphrase.
Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

>> Why is it not a good idea to store zone data in AD?
For the simple fact that I can use it as a vector to introduce malicious contents into the secondarying AD.

>> Why not exploit a modern replication engine?
Modern, legacy. Does it really matter which one we go through?

>> The admin. overhead to your approach seems high
I don't see the overhead, especially since I have now learnt that you could AD-intg this and have it replicate to all participating servers. Everything after that is simply normal DNS install/config. Even if I grant you that, I still think that the fact that Cond-fwd (I made that up. Tired of typing.) makes the server less overloaded (and therefore more responsive) than when using Stubs balances this out. I know I do not have to list all the advantages of cond-fwd for you - you prolly wrote the specs on that, for all I know. However, in this disjointed namespace scenario under discussion, I do not see how Stubs can achieve superior results compared to cond-fwd.

>> thus stubs self-learning, fault-tolerant replication, granular
>> replication, appreciative of rules (Sites, Subnets, Site-links etc.)
Yeah, stubs are cool and beautiful and all that. So, why are we still asking for AD-intg secondaries if Stubs are good enough?

And, yeah, I meant to say keys, not hives. As for exporting it instead of AD-intg, my blinkers were foggy. I got used to the regular way of doing it, and I've never had the need to do it another way. Now I know :(

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

________________________________
From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Fri 11/19/2004 10:13 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Much of your reply surprises me and reminds me of past dealings with those blinkered by the limitations of BIND ;-) I really don't know where to begin ... conditional forwarding is a Q&D solution in my opinion (what does it offer that stubs don't? There are some features, but are they what motivate your recommendation?). In addition, why export the conditional forwarders, why not AD integrate those as well (you also said "hive", I hope you mean key :-)? The admin. overhead to your approach seems high; look for ways of allowing the system to maintain these things for you ... thus stubs: self-learning, fault-tolerant replication, granular replication, appreciative of rules (Sites, Subnets, Site-links etc.)

Why is it not a good idea to store zone data in AD? Why not exploit a modern replication engine?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

How many new DCs are you adding per day/week/month? :)

If I were doing this, Stub or Secondaries would take a back seat. I would be investing in Conditional Forwarding. I would have all my other DNS servers forward unresolved queries to one or (ideally) 2 of MY DNS servers. On those 2 designated DNS servers, I will configure Conditional Forwarders for all the foreign zones hosted on the Unix boxen and specify the Unix boxes as the DNS servers to forward the queries to. QED. No messing with secondaries or notify or such any more from then on.
When I introduce a new DC/DNS server into my environment, all I will need to do is configure it to forward to MY designated DNS servers. When I want to add more designated servers, I don't have to recreate the conditionally-forwarded zones. They are stored in the registry of the existing designated servers, so I will just go export and import the hive as necessary. Of course, all my rants above are predicated on your designated DNS servers being W2K3 servers.

I don't think the problem of AD-intg secondaries is simply technical feasibility. I think (shut up, Al :)) it is more one of practicality. Post-NT, you typically create secondaries for foreign zones [1]. Since the zones you are secondarying are "foreign", I think storing that foreign information in your AD is not a good idea.

[1] I disagree with Minasi's recommendation of creating secondaries of every zone on every DNS server in a parent-child environment, but that's out of the scope of this discussion.

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?

-anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 8:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Because I have a couple of dozen remote DCs that serve DNS for their locations. Our unix boxes are in a DNS zone that is handled by a bind/unix server. All of my DCs carry this zone as a secondary. This works fine, but it is a bit of a pain to maintain. I have to remember to configure the zone on any new DCs, and I have to have the unix guys add a "notify" line on the bind server for the new DCs (OK, I don't HAVE to do the notify part...). Plus, replication of the zone is handled by DNS instead of the much more efficient AD replication.
Ever since laying eyes on the w2k3 DNS server, I've always wondered why the developers didn't allow for integrated secondaries. Don't get me wrong, integrated stubs are great, but between the two, I'd have thought integrated secondaries would have been the more desirable. I just assumed I was missing some technical reason that made it unfeasible.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

Because when it's integrated, there is no concept of "secondaries" as we understood it to be in the pre-2Kx world. It's there in AD, and any DC can see and write to it. Now, if you are secondarying the zones on another server located in another forest/network, why would you want to store that info in your own AD? You will not be modifying that zone locally on the secondary anyway. Or, are you intending to?

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?

-anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

OK, integrated stub zones are cool, but I'm curious - why did MS stop there? Why no integrated secondaries?
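To make the zone types argued over in this thread concrete, here is an added example, written for this edit and not taken from any of the posters, showing the three ways the Unix zone can be handled on Windows DNS: Ken's file-backed secondary on every DC, Dean's AD-integrated stub, and Dèjì's conditional forwarder (AD-integrated, as Dean suggested, rather than exported from the registry key). It ends with an audit that lists how each zone on a server is stored, which is the check behind the point Dèjì and Al make that foreign zone data should never become writable data in your own AD. It uses the DnsServer PowerShell module (Windows Server 2012 and later, not the W2K3 servers in the thread, where dnscmd.exe did the same work); the zone name, master addresses and the list of expected writable zones are constructed placeholders.

```powershell
# Added example (not from the thread). Requires the DnsServer module
# (Windows Server 2012+). All names and addresses below are constructed.
$ForeignZone   = 'unix.example.test'          # zone mastered on the BIND servers
$BindMasters   = '192.0.2.10', '192.0.2.11'   # constructed BIND master addresses
$ExpectedWritable = @('corp.example.test', '_msdcs.corp.example.test')  # assumed forest zones

# Option 1 (Ken's current setup): file-backed secondary on each DC.
# There is no -ReplicationScope here: the data lives in a zone file and moves
# by DNS zone transfer, so every new DC needs this run (and a NOTIFY on BIND).
function Add-ForeignZoneAsSecondary {
    Add-DnsServerSecondaryZone -Name $ForeignZone -ZoneFile "$ForeignZone.dns" `
        -MasterServers $BindMasters
}

# Option 2 (Dean's suggestion): AD-integrated stub. Only SOA, NS and glue A
# records are stored in AD and replicated forest-wide; CNAME/MX etc. are
# fetched from the BIND masters at query time, which is Al's trade-off.
function Add-ForeignZoneAsStub {
    Add-DnsServerStubZone -Name $ForeignZone -MasterServers $BindMasters `
        -ReplicationScope Forest
}

# Option 3 (Deji's suggestion, AD-integrated as Dean proposes): conditional
# forwarder. Nothing from the foreign zone is stored at all; only the list
# of masters to forward to is kept in AD and replicated.
function Add-ForeignZoneAsForwarder {
    Add-DnsServerConditionalForwarderZone -Name $ForeignZone `
        -MasterServers $BindMasters -ReplicationScope Forest
}

# Audit: how is each zone on this server stored, and is anything writable in
# AD that we did not expect? Stub and Forwarder zones are read-only copies or
# pointers; a DS-integrated Primary zone is the only kind any DC can write to,
# so a foreign name showing up there is the condition to alert on.
function Get-ZoneStorageReport {
    param([string[]]$ExpectedWritableZones = $ExpectedWritable)
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName       = $_.ZoneName
                ZoneType       = $_.ZoneType          # Primary, Secondary, Stub, Forwarder
                IsDsIntegrated = $_.IsDsIntegrated
                Scope          = $_.ReplicationScope  # null for file-backed zones
                Masters        = ($_.MasterServers -join ',')
                Unexpected     = ($_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and
                                  $_.ZoneName -notin $ExpectedWritableZones)
            }
        }
}

# Pick ONE of the three Add-* functions per zone; they cannot coexist under the
# same zone name on one server. The audit is safe to run at any time.
Get-ZoneStorageReport | Format-Table -AutoSize
```

On the W2K3 servers the thread is about, the same three shapes are created with dnscmd /ZoneAdd using /Secondary, /DsStub and /DsForwarder respectively (the Ds prefix being the AD-integrated variant), and dnscmd /EnumZones gives the equivalent of the audit above.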
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
