I'd probably take a look at conditional forwarding and/or stub zones instead of doing Win2K-style secondaries. What version of BIND is in use in the other forest? BIND 8+ supports conditional forwarding, and BIND 9+ supports stub zones, IIRC.
Laura

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Charlie Kaiser
> Sent: Thursday, October 26, 2006 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS setup questions
>
> OK; my Google-fu isn't working well today, and it's been a
> while since I had to do any advanced DNS work. Too much BPM
> work, not enough AD admin lately...
>
> Here's the scenario:
>
> Our domain: W2K3 functional level single-domain forest using
> AD-integrated DNS, secure updates only
> Partner domain: W2K3 functional level single-domain forest
> using BIND DNS.
>
> We are planning to establish a trust between the domains. We
> need to set up DNS so that both domains can resolve at
> minimum SRV records to keep the trust working and allow
> member enumeration for selective auth setup.
> IIRC, we need to create secondary zones in each domain
> pointing to the other domain, and on the W2K3 side, add the
> BIND servers to the nameservers tab, right? Anything else I
> need to do on the W2K3 DNS side? I really think I'm missing
> something here, but I can't find any information with the
> answers I need...
>
> Also, if I allow zone transfers to the other domain's DNS IP
> addresses, what's to prevent them from setting up something
> other than a secondary server? I know AD integrated won't
> allow another AD integrated DNS server outside the current
> domain, but I just want to make sure I don't leave anything
> insecure...
>
> Thanks...
>
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
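
An added example, not part of the original thread: a `named.conf` fragment for the BIND side showing the two options mentioned in the reply, conditional forwarding and a stub zone. The domain name `ad.example.test`, the file path, and the 192.0.2.x addresses are constructed placeholders for the AD forest's DNS domain and its Windows DNS servers.

```conf
// named.conf fragment for the BIND side of the trust.
// Constructed values (assumptions, not from the thread):
//   ad.example.test          = DNS domain of the AD-integrated forest
//   192.0.2.10, 192.0.2.11   = that forest's Windows DNS servers

// Option 1: conditional forwarding, expressed in BIND as a forward zone.
// Queries for ad.example.test and everything beneath it (including the
// _msdcs, _tcp and _udp SRV records the trust relies on) are sent to the
// AD DNS servers. No copy of the zone is held locally.
zone "ad.example.test" {
    type forward;
    forward only;    // do not fall back to normal iterative resolution
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Option 2: stub zone (BIND 9). Use instead of option 1, not alongside it.
// BIND keeps only the zone's NS records and their addresses, refreshed
// from the listed masters, and queries those name servers directly.
//
// zone "ad.example.test" {
//     type stub;
//     masters { 192.0.2.10; 192.0.2.11; };
//     file "stub/ad.example.test.db";
// };
```

Neither option is a secondary zone, so the AD side does not have to allow zone transfers to the partner's servers; the partner only needs to reach the listed DNS servers for ordinary queries.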