Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, if that DNS server
is going through a quick reboot or downtime - then none of your clients can
find the NS delegation, hence causing a "no domain controller found"
scenario, isn't it?

Interesting article mentioned below; does it apply to 2003 as well?


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: [email protected]
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,
    Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=============================================

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

        _msdcs          IN      NS      windnsserver.example.com.
        _sites          IN      NS      windnsserver.example.com.
        _tcp            IN      NS      windnsserver.example.com.
        _udp            IN      NS      windnsserver.example.com.
        ForestDNSZones  IN      NS      windnsserver.example.com.
        DomainDNSZones  IN      NS      windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
        In the SOA ensure that the "Responsible person" field has
        the correct e-mail address (with the "@" replaced with ".").

        In the "Name Servers" tab add the BIND slaves (that are the
        registered nameservers for the example.com domain).

        Allow zone transfers to the servers in the Name Servers tab.

        Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

     a) A machine (desktop, server, or DC) self-registering
     b) A DC (netlogon) registering its SRV and CNAME records
     c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since they
have been implemented at different times and since some of them have been
reused (from former, still current usage), the interaction among these
registry keys is complicated.  I count 162 different cases, and I have not
had time to test all of them.  If you do not care about DDNS requests being
sent to the BIND master for the example.com zone, where (I would hope) the
DDNS would be refused, then you do not have to worry about some of these
registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA (Start
of Authority) record in each zone.  If your clients (be they Unix, Windows,
or Mac desktops) have the BIND servers in their TCP/IP configurations, then
these clients will continue to use the BIND servers for DNS resolution.
This will work for the AD zones, as all of the AD zones are slaved on the
BIND servers.  Any machine that needs to update the zone (DCs updating CNAME
and SRV records), or Windows clients (self-registration via DHCP) will use
secure DDNS, and these machines will locate the master via a standard SOA
query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that you
do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition (with
a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828             IBMMAIL:  I1004994
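As an added example (not from any message in this thread): a BIND 9 named.conf fragment for the registered BIND secondaries in step 3 of the procedure above, slaving the six AD zones from the hidden Windows master. The addresses are constructed assumptions: windnsserver.example.com at 192.0.2.10, and the secondaries ns1/ns2.example.com at 192.0.2.53 and 192.0.2.54.

```conf
// Added example, not from the thread. Assumed (constructed, RFC 5737 range)
// addresses: windnsserver.example.com = 192.0.2.10 (hidden Windows master),
// ns1.example.com = 192.0.2.53, ns2.example.com = 192.0.2.54 (BIND slaves).

masters "ad-hidden-master"     { 192.0.2.10; };              // transfer source
acl     "ad-hidden-master-acl" { 192.0.2.10; };              // NOTIFY source
acl     "bind-secondaries"     { 192.0.2.53; 192.0.2.54; };

// Each AD zone is slaved here, so clients that point at the BIND servers keep
// resolving AD records while the Windows master is rebooting, until the
// EXPIRE value in the master's SOA runs out.
zone "_msdcs.example.com" IN {
    type slave;
    masters { ad-hidden-master; };          // the Windows 2003 DNS server
    file "slave/_msdcs.example.com";
    allow-notify { ad-hidden-master-acl; }; // accept NOTIFY only from the master
    allow-update-forwarding { none; };      // DDNS clients find the master via
                                            // the SOA MNAME; nothing is relayed
    allow-transfer { bind-secondaries; };   // no AXFR of AD records to others
};
zone "_sites.example.com" IN {
    type slave; masters { ad-hidden-master; }; file "slave/_sites.example.com";
    allow-notify { ad-hidden-master-acl; }; allow-update-forwarding { none; };
    allow-transfer { bind-secondaries; };
};
zone "_tcp.example.com" IN {
    type slave; masters { ad-hidden-master; }; file "slave/_tcp.example.com";
    allow-notify { ad-hidden-master-acl; }; allow-update-forwarding { none; };
    allow-transfer { bind-secondaries; };
};
zone "_udp.example.com" IN {
    type slave; masters { ad-hidden-master; }; file "slave/_udp.example.com";
    allow-notify { ad-hidden-master-acl; }; allow-update-forwarding { none; };
    allow-transfer { bind-secondaries; };
};
zone "ForestDNSZones.example.com" IN {
    type slave; masters { ad-hidden-master; }; file "slave/ForestDNSZones.example.com";
    allow-notify { ad-hidden-master-acl; }; allow-update-forwarding { none; };
    allow-transfer { bind-secondaries; };
};
zone "DomainDNSZones.example.com" IN {
    type slave; masters { ad-hidden-master; }; file "slave/DomainDNSZones.example.com";
    allow-notify { ad-hidden-master-acl; }; allow-update-forwarding { none; };
    allow-transfer { bind-secondaries; };
};
```

The Windows side must list these two secondaries in each zone's "Name Servers" tab with zone transfers and notify enabled, as step 2 describes; `rndc reload` and a check of the slave zone's SOA serial against the master confirm the transfers work.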


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, May 23, 2006 2:14 PM
To: [email protected]
Subject: [ActiveDir] AD DNS along with Bind

Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp,
_msdcs etc., and have the rest of the non-AD zones managed by Bind? Has
anyone done something like this? There is a MS article (ID:255913) that
talks about it; however, it doesn't say which DNS server the clients should point to.

Regards,
Adeel

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/