Conditional forwarding does not require AD DNS on the side that it is forwarding to, so this would not be an issue. However, I would personally recommend the use of stub zones, as they can be AD-integrated, which means you do not have to worry about manually configuring secondary zones across multiple servers in your environment; you only need to create it once and allow it to replicate out to your other DC/DNS servers.
As for the opposing BIND side of things, yeah, add them to the Name Servers tab, allow zone transfers only to servers listed on the Name Servers tab, and set up secondaries on those BIND servers. You may also want to check the notify option so that the secondaries are notified when there are updates to the zone that they should transfer, depending on what level of frequency you want IXFRs to happen at.

Kurt Falde, MCSE NT4/2K/2K3, CCSE+, CISSP
Premier Field Engineer, Northeast Region
Microsoft Corporation
Mobile Phone: (301) 367-2721
Windows Vista

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, October 26, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS setup questions

Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, October 26, 2006 1:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS setup questions
>
> You could use conditional forwarding. You could also set up an AD-int
> stub zone. I'm not well versed in the security aspects of either...
> but either one of those would work fine...
>
> :m:dsm:cci:mvp | marcusoh.blogspot.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
> Kaiser
> Sent: Thursday, October 26, 2006 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: DNS setup questions
>
> OK; my Google-fu isn't working well today, and it's been a while since
> I had to do any advanced DNS work. Too much BPM work, not enough AD
> admin lately...
>
> Here's the scenario:
>
> Our domain: W2K3 functional level single-domain forest using
> AD-integrated DNS, secure updates only
> Partner domain: W2K3 functional level single-domain forest using BIND DNS.
>
> We are planning to establish a trust between the domains. We need to
> set up DNS so that both domains can resolve at minimum SRV records to
> keep the trust working and allow member enumeration for selective auth
> setup.
> IIRC, we need to create secondary zones in each domain pointing to the
> other domain, and on the W2K3 side, add the BIND servers to the
> Name Servers tab, right? Anything else I need to do on the W2K3 DNS
> side? I really think I'm missing something here, but I can't find any
> information with the answers I need...
>
> Also, if I allow zone transfers to the other domain's DNS IP
> addresses, what's to prevent them from setting up something other than
> a secondary server? I know AD-integrated won't allow another AD-integrated
> DNS server outside the current domain, but I just want to
> make sure I don't leave anything insecure...
>
> Thanks...
>
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir@mail.activedir.org/
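The W2K3-side steps discussed in this thread (conditional forwarder or AD-integrated stub zone for the partner's zone, BIND servers on the Name Servers tab, transfers restricted to NS-listed servers, notify enabled), collected into one dnscmd script. This is an added example, not something posted by anyone in the thread; the zone names (corp.example.com, partner.example.com), the BIND host names and the 192.0.2.x addresses are placeholders. It is run on a W2K3 DC/DNS server by a DNS administrator.

```bat
@echo off
REM Added example, not from the thread. All names and addresses below are assumed:
REM   our AD domain:        corp.example.com  (AD-integrated DNS on this W2K3 box)
REM   partner's domain:     partner.example.com, served by BIND on 192.0.2.53 / 192.0.2.54
REM   partner's NS names:   ns1.partner.example.com / ns2.partner.example.com

REM --- 1. Resolve the partner's zone ---------------------------------------
REM Option A: conditional forwarder. Works against any DNS server, BIND included.
dnscmd /ZoneAdd partner.example.com /Forwarder 192.0.2.53 192.0.2.54

REM Option B (Kurt's recommendation): AD-integrated stub zone, created once and
REM replicated to the other DC/DNS servers. Use one option or the other, not both:
REM   dnscmd /ZoneDelete partner.example.com /f
REM   dnscmd /ZoneAdd partner.example.com /DsStub 192.0.2.53 192.0.2.54

REM --- 2. Let the partner's BIND secondaries pull our zones ----------------
REM The DC locator SRV records a trust depends on live under _msdcs.corp.example.com.
REM A forest built on W2K3 holds _msdcs.<forest root> as its own zone, delegated from
REM the domain zone, so both zones are handled; drop the second name if yours is an
REM upgraded forest where _msdcs is still a subdomain of the domain zone.
for %%Z in (corp.example.com _msdcs.corp.example.com) do (
  REM Add the BIND servers as NS records -- this is the Name Servers tab in the GUI.
  dnscmd /RecordAdd %%Z @ NS ns1.partner.example.com.
  dnscmd /RecordAdd %%Z @ NS ns2.partner.example.com.
  REM Transfers only to servers in the zone's NS list, and notify them on change.
  dnscmd /ZoneResetSecondaries %%Z /SecureNs /Notify
)

REM --- 3. Verify: SecureSecondaries and Notify should show the settings above ---
dnscmd /ZoneInfo corp.example.com
dnscmd /ZoneInfo _msdcs.corp.example.com
```

Two things worth keeping in mind about the transfer restriction. It is an IP-based control only: W2K3 DNS has no TSIG-signed zone transfers, so anything that can source AXFR/IXFR from the listed addresses gets a complete copy of the zone, and nothing in DNS itself stops the partner from doing more with that copy than run a secondary. On the BIND side, the matching `type slave` zones should carry `allow-transfer { none; };` so the partner's copy is not itself re-served to third parties.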