There seems to be a bit of confusion on a couple of fronts. 

First, neither stub zones nor conditional forwarding are dependent on the
"destination" (e.g., external forest/external environment) DNS
implementation. DNS servers respond to queries; that is what DNS does, no
matter what version or whose implementation. The mechanisms used in both
stub zone population and conditional forwarding are queries. The only reason
that the BIND DNS implementation would need to be 8+ is if it is necessary
for the forest that is serviced by the BIND servers to also do conditional
forwarding and/or stub zones on behalf of their clients.

Second, there is one and only one item in DNS that requires "pure" Windows
Server 2003 DNS, and that is the use of AD-integrated DNS zones that are
stored in partitions other than the domain partition. Leaving BIND out of
the picture for a moment, conditional forwarding and stub zones do, of
course, require Win2K3 DNS servers, but that does not necessarily preclude
the use of Windows 2000 DNS servers in the environment. Personally, I'd use
Windows Server 2003 regardless, but that's simply because it gives you more
options and you don't have to worry about what Win2K supports. (And as a
side note, you can even have Win2K DNS servers if you're using AD-integrated
DNS zones that are stored in partitions other than the domain partition; you
just won't be able to use the Win2k servers as replicas.)

This may prove useful: http://support.microsoft.com/default.aspx/kb/811118 

HTH,

Laura
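
Added example (not part of the original message): Python that encodes the questions each mechanism sends to the other side's DNS servers, illustrating that stub zones and conditional forwarding arrive as ordinary queries while a secondary zone depends on a zone transfer (AXFR) the master must permit. The name `partner.example` and the helpers `traffic_for` and `needs_transfer_permission` are constructed for illustration; the per-mechanism query lists model standard DNS behaviour, and leaving the RD flag clear on stub-zone queries is an assumption.

```python
import struct

# Standard RFC 1035 / RFC 2782 record type codes.
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "SRV": 33, "AXFR": 252}
NAMES = {v: k for k, v in QTYPE.items()}

def build_query(name, qtype, recurse=False, txid=0x1234):
    """Encode one DNS question in wire format."""
    flags = 0x0100 if recurse else 0          # RD bit only; opcode 0 = QUERY
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def parse_question(packet):
    """Decode what the answering server sees: (name, type, RD flag)."""
    flags = struct.unpack("!H", packet[2:4])[0]
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels), NAMES.get(qtype, str(qtype)), bool(flags & 0x0100)

def traffic_for(mechanism, zone, lookup=None):
    """Questions the other side's DNS servers receive (hypothetical model)."""
    if mechanism == "stub":          # stub zone holds SOA, NS and glue A records
        return [build_query(zone, t) for t in ("SOA", "NS")]
    if mechanism == "forwarder":     # client's question relayed, recursion requested
        return [build_query(lookup, "SRV", recurse=True)]
    if mechanism == "secondary":     # serial check, then a full zone transfer
        return [build_query(zone, "SOA"), build_query(zone, "AXFR")]
    raise ValueError(mechanism)

def needs_transfer_permission(mechanism, zone, lookup=None):
    """True when the mechanism depends on the master allowing AXFR."""
    return any(parse_question(p)[1] == "AXFR"
               for p in traffic_for(mechanism, zone, lookup))

if __name__ == "__main__":
    zone = "partner.example"                          # constructed name
    srv = "_ldap._tcp.dc._msdcs." + zone              # DC locator SRV record
    for m in ("stub", "forwarder", "secondary"):
        print(m, [parse_question(p) for p in traffic_for(m, zone, srv)],
              "needs AXFR:", needs_transfer_permission(m, zone, srv))
```

Only the secondary-zone case produces an AXFR question, so it is the only one of the three that requires opening zone transfers to the partner's servers.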

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Thursday, October 26, 2006 6:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS setup questions
> 
> Hmmm.  Looks like BIND 8 supports conditional forwarding and 
> BIND 9 supports stub zones.
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> 
> -----Original Message-----
> From: Oh, Marcus (CCI-Atlanta)
> Sent: Thursday, October 26, 2006 6:19 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] DNS setup questions
> 
> Yeah I think you're right.  I completely overlooked that part 
> about Bind. :)
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Thursday, October 26, 2006 5:20 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS setup questions
> 
> Since the partner forest is not using AD DNS zones but a Unix 
> BIND system, wouldn't that eliminate the ability to do the 
> conditional forwarding? I thought that required both sides to 
> be W2K3 AD DNS...
> 
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > [EMAIL PROTECTED]
> > Sent: Thursday, October 26, 2006 1:55 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] DNS setup questions
> > 
> > You could use conditional-forwarding.  You could also set up an AD int
> > stub zone.  I'm not well versed in the security aspects of either...
> > but either one of those would work fine...
> > 
> > :m:dsm:cci:mvp | marcusoh.blogspot.com
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> > Kaiser
> > Sent: Thursday, October 26, 2006 4:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: DNS setup questions
> > 
> > OK; my Google-fu isn't working well today, and it's been a while since
> > I had to do any advanced DNS work. Too much BPM work, not enough AD
> > admin lately...
> > 
> > Here's the scenario:
> > 
> > Our domain: W2K3 functional level single-domain forest using
> > AD-integrated DNS, secure updates only
> > Partner domain: W2K3 functional level single-domain forest using BIND DNS.
> > 
> > We are planning to establish a trust between the domains. We need to
> > set up DNS so that both domains can resolve at minimum SRV records to
> > keep the trust working and allow member enumeration for selective auth
> > setup.
> > IIRC, we need to create secondary zones in each domain pointing to the
> > other domain, and on the W2K3 side, add the BIND servers to the
> > nameservers tab, right? Anything else I need to do on the W2K3 DNS
> > side? I really think I'm missing something here, but I can't find any
> > information with the answers I need...
> > 
> > Also, if I allow zone transfers to the other domain's DNS IP
> > addresses, what's to prevent them from setting up something other than
> > a secondary server? I know AD integrated won't allow another AD
> > integrated DNS server outside the current domain, but I just want to
> > make sure I don't leave anything insecure...
> > 
> > Thanks...
> > 
> > **********************
> > Charlie Kaiser
> > W2K3 MCSA/MCSE/Security, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > ********************** 
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: 
> > http://www.mail-archive.com/activedir@mail.activedir.org/
> > 
