>> Use a TLD of .AD or .LAN. Especially in large environments.

Don't use .AD, or you will have thousands of your users yelling and screaming about not being able to get to Andorra websites. Okay, maybe not thousands... :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 12, 2005 7:46 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

Yeah, I know I have been remiss these last couple of months. With work, home improvements, TiVo, and my new addiction to World of Warcraft... I haven't had much time to post. I am planning to go full tilt on reviewing Longhorn & W2k3 R2 and hope to push an AD podcast by June. Recently I've been doing work on ESX Server, clustering, SQL Server, Citrix and SAN stuff. To me the AD stuff is getting to the point that there are enough people versed in it at many levels that my contributions are getting less needed. Especially with Joe and Dean around ;)

On the topic of DNS and Split-Brain DNS support. My past experiences have taught me to avoid Split-Brain DNS unless you like daily pain, or the politics are too strong and you are forced to use it. Here are some of the things you run into with Split-Brain designs:

Laptops that register A and PTR records multiple times with different IPs. Our KCC script picks these up each night.

VPN users who register names at home and at work.

Now keep in mind, the politics of my organization allow secure and non-secure updates to our DDNS, and the DHCP service sometimes proxies registrations of down-level clients in some organizations. In addition, if you use split-brain DNS and have multiple domain trees, delegated DNS, and firewalls, you will find yourself having secondary or stub zones hosted on your DDNS servers. Also, if your webmasters happen to use a URL of <domain>.<tld> to resolve web addresses and your AD is named the same as the URL, you will find that the URL doesn't work because the DCs are intercepting the request. So internally you will have to train people to use www.<domain>.<tld>.

My recommendation going forward is to never do Split-DNS again. Use a TLD of .AD or .LAN, especially in large environments. We did a lot of work to get this to work, and while it does work pretty well, it is an unnecessary operation IMHO. A lot of my early influence to use split DNS was from experts like Mark Minasi, and MCS, when they insisted that you register your domain just in case you plan to use it later. I refer to this as when I was young and drinking the 1.0 AD Kool-Aid. I bought into using DNS and mirroring and one day replacing the UNIX DNS.

My attitude now is to let a third party or edge device host the forward-facing DNS. Let DCs host the internal DDNS namespace as integrated zones and allow only secure updates, and don't allow DHCP to proxy down-level client registrations. What is the point of letting third-party devices register dynamically, is my opinion. My opinion has changed on other AD design ideas as well since the release of ADAM and MIIS.

So in summary, just say no to split-brain.

Toddler

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 11, 2005 11:40 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question - Conditional Forwarding or Secondary Zone Stub

<Todd poked his head out of the hole he's been hiding in for eons. He then proceeded to say the following>

>>> one thing I would like to try is to see if it would make hosting
>>> split brain DNS zones without the need to sync them manually.

<to which I replied>

No. Conditional Forwarding is not the answer to split-brain limitations. Until MS comes up with something specifically designed for this, you are still left with your manual/scripted procedure.

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
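The design Todd lands on (AD-integrated zones, secure-only dynamic updates, no DHCP proxy registrations, and a nightly sweep for laptops and VPN clients that have registered more than once) can be audited from the DNS server itself. The script below is an added example written for this thread, not code from any poster. It assumes the DnsServer PowerShell module (Windows Server 2012 or later DNS role, or RSAT), read rights on the server, and, with -Fix, rights to change zone settings; no zone names are hard-coded. It reports AD-integrated zones that still accept non-secure updates, zones with aging/scavenging turned off (the normal cure for stale duplicate registrations), and hostnames that own several A records in one zone.

```powershell
# Added example, not from the ActiveDir thread. Assumes the DnsServer module
# and rights to query (and, with -Fix, modify) the target DNS server.
param(
    [string]$DnsServer = $env:COMPUTERNAME,   # DNS server to audit (default: local)
    [switch]$Fix                              # also switch zones to Secure-only updates
)

Import-Module DnsServer

# Only AD-integrated zones matter here; auto-created zones (0.in-addr.arpa etc.) are skipped.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    # 1. Dynamic updates must be 'Secure' (Kerberos-authenticated, ACL-owned records).
    #    'NonsecureAndSecure' lets any host on the network claim any name.
    if ($z.DynamicUpdate -ne 'Secure') {
        Write-Warning ("Zone {0}: DynamicUpdate is '{1}', expected 'Secure'" -f $z.ZoneName, $z.DynamicUpdate)
        if ($Fix) {
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName -DynamicUpdate Secure
            Write-Host ("  -> {0} switched to Secure-only updates" -f $z.ZoneName)
        }
    }

    # 2. Without aging, records left behind by roaming laptops never expire.
    #    Reported only; enabling scavenging needs a deliberate interval choice.
    $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $z.ZoneName
    if (-not $aging.AgingEnabled) {
        Write-Warning ("Zone {0}: aging/scavenging is disabled" -f $z.ZoneName)
    }
}

# 3. A hostname with several A records in one zone is the "laptop registered
#    twice with different IPs" case Todd describes. Emit one object per offender.
$forwardZones = $zones | Where-Object { -not $_.IsReverseLookupZone }
$duplicates = foreach ($z in $forwardZones) {
    $aRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' }          # ignore the zone apex (DC/LDAP records)

    $aRecords | Group-Object HostName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Zone      = $z.ZoneName
            HostName  = $_.Name
            Count     = $_.Count
            IPs       = ($_.Group | ForEach-Object { $_.RecordData.IPv4Address.ToString() }) -join ', '
            # Timestamp is $null for static records; dynamic ones carry their last refresh time.
            Timestamps = ($_.Group | ForEach-Object { $_.Timestamp }) -join ', '
        }
    }
}

$duplicates | Sort-Object Zone, HostName | Format-Table -AutoSize
```

Run it read-only first (`.\Audit-AdDns.ps1 -DnsServer dc01`) and review the duplicate list before deciding which records are stale; a hostname with two A records whose timestamps are weeks apart is the typical roaming-laptop leftover, while a current pair may be a legitimately multi-homed server. Only the update-mode change is automated with -Fix, because that is the one setting with no operational trade-off; turning on scavenging changes what the server deletes and deserves a human-chosen interval.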
