Yeah, I know I have been remiss these last couple of months.

With work, home improvements, Tivo, and my new addiction to World of
Warcraft... haven't had much time to post.  I am planning to go full tilt on
reviewing Longhorn & W2k3 R2 and hope to push an AD podcast by June on.

Recently I've been doing work on ESX server, clustering, SQL server, Citrix and
SAN stuff.

To me the AD stuff is getting to the point that there are enough people
versed in it at many levels that my contributions are getting less needed.
Especially with Joe and Dean around ;)  

On the topic of DNS and Split-Brain DNS support.  My past experiences have
taught me to avoid Split-Brain DNS unless you like daily pain or the
politics are too strong, so that you are forced to use it.

Here are some of the things you run into with Split-Brain designs.  Laptops
that register A and PTR records multiple times with different IPs.  Our KCC
script picks these up each night.  VPN users who register names at home and
at work.  Now keep in mind, the politics of my organization allow secure and
non-secure updates to our DDNS, and the DHCP service sometimes proxies
registrations of down-level clients in some organizations.  In addition, if
you use split-brain DNS and have multiple domain trees, delegated DNS, and
firewalls, you will find yourself having secondaries or stubs hosted on your
DDNS servers.  Also, if your webmasters happen to use a URL of <domain>.<tld>
to resolve web addresses and your AD is named the same as the URL, you will
find that the URL doesn't work because the DCs are intercepting the request.
So internally you will have to train people to use www.<domain>.<tld>.

My recommendation going forward is to never do Split-DNS again.  Use a TLD
of .AD or .LAN.  Especially in large environments.  We did a lot of work to
get this to work, and while it does work pretty well, it is an unnecessary
operation IMHO. 

A lot of my early influence to use split DNS was from experts like Mark
Minasi, and MCS when they insisted that you register your domain just in
case you plan to use it later.  I refer to this as when I was young and
drinking the 1.0 AD Kool-Aid.  I bought into using DNS and mirroring and one
day replacing the UNIX DNS.  My attitude now is: let a third party or edge
device host the forward-facing DNS.  Let DCs host the internal DDNS
namespace as integrated zones and allow only secure updates, and don't allow
DHCP to proxy down-level client registrations.  What is the point of letting
third-party devices register dynamically?  That is my opinion.

My opinion has changed on other AD design ideas as well since the release of
ADAM and MIIS.  

So in summary, just say no to split-brain.

Toddler   
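A nightly audit along the lines of the "KCC script" Todd mentions, written here as an added example (not code from the original post or from any list member): it flags zones that are not AD-integrated with secure-only updates, hostnames holding more than one A record with different addresses, and DHCP servers that still proxy registrations for down-level clients. It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012+ / RSAT); the server and zone names are placeholders.

```powershell
# Added example: audit AD DNS/DHCP for the split-brain symptoms described above.
param(
    [string]$DnsServer  = 'dc01.corp.example',   # placeholder DNS/DC name
    [string]$ZoneName   = 'corp.example',        # placeholder internal zone
    [string]$DhcpServer = 'dhcp01.corp.example'  # placeholder DHCP server
)

# 1. Primary zones that are not AD-integrated or still accept non-secure
#    dynamic updates (the recommendation is integrated + secure-only).
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Where-Object { -not $_.IsDsIntegrated -or $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize

# 2. Hostnames with more than one A record pointing at different IPs
#    (the laptop / VPN double-registration case).
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -notin @('@', '*') } |
    Group-Object HostName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        # Distinct addresses registered under this one name
        $ips = $_.Group |
            ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } |
            Sort-Object -Unique
        if ($ips.Count -gt 1) {
            [pscustomobject]@{
                HostName  = $_.Name
                Addresses = ($ips -join ', ')
                # Timestamp is $null for static records; dynamic ones are aged
                OldestReg = ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            }
        }
    } | Format-Table -AutoSize

# 3. DHCP proxying registrations for down-level clients, which the post
#    recommends turning off so only the clients themselves update DNS.
$dhcpDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
if ($dhcpDns.UpdateDnsRRForOlderClients) {
    Write-Warning "$DhcpServer still registers A/PTR records on behalf of down-level clients"
}
$dhcpDns | Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry
```

Run it from a host with RSAT DNS/DHCP tools as an account with read rights on the DNS server and DHCP server; schedule it nightly and review the duplicate-name list before scavenging removes the stale record.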
  

       

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 11, 2005 11:40 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary
Zone Stub

<Todd poke his head out of the hole he's been hiding in for eons. He then
proceeded to say the following>
 
>>> one thing I would like to try is to see if it would make hosting split
brain DNS zones without the need to sync them manually.
 
<to which I replied>
No. Conditional Forwarding is not the answer to split-brain limitations.
Until MS comes up with something specifically designed for this, you are
still left with your manual/scripted procedure.
 
Sincerely,

Dèjì Akọmọláfẹ́, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/