I'd do a cursory check of the contents of the zone you're going to delete and 
make sure someone didn't hack something by putting a record in with a different 
IP than it's defined as in the real zone. 

Thanks,
Brian Desmond
[email protected]

c   - 312.731.3132


-----Original Message-----
From: Joseph Heaton [mailto:[email protected]] 
Sent: Thursday, March 10, 2011 6:09 PM
To: NT System Admin Issues
Subject: RE: Domain trust question

Yep.  That's what I was leaning towards, but was nervous to delete a zone I 
didn't create.  Thank you for the verification, and the patience.  The 
conditional forwarders have now been created, without issue.

>>> Brian Desmond <[email protected]> 3/10/2011 3:57 PM >>>
OK:

So on the DCs (all of them) for GEO:

--> Delete the ad.company.com zone
--> Create a conditional forwarder for ad.company.com pointing to the AD.company.com DCs

So on a DC (one of them) for AD:

--> Create an AD integrated conditional forwarder for geo.company.com pointing to the geo.company.com DCs

Thanks,
Brian Desmond
[email protected] 

c   - 312.731.3132
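The cutover described in this message, combined with the pre-deletion check suggested in the reply at the top of the thread (make sure nobody planted a record in the stale copy that points somewhere other than the real zone), as an added PowerShell example. This is not code from the thread. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, or RSAT on a management workstation; on 2003/2008 R2 servers the same steps map to dnscmd.exe), DNS admin rights in both forests, and the hypothetical DC names and IP addresses below. Authoritative lookups are done against the AD DCs by IP on purpose: resolving their names from a GEO DC would consult the very stale zone being audited.

```powershell
# Added example, not from the mailing-list thread. All server names and IPs are hypothetical.
$Zone     = 'ad.company.com'
$GeoDCs   = @('geo-dc1.geo.company.com', 'geo-dc2.geo.company.com')   # hypothetical
$AdDCIPs  = @('10.1.0.10', '10.1.0.11')                                 # hypothetical AD.company.com DCs
$GeoDCIPs = @('10.2.0.10', '10.2.0.11')                                 # hypothetical geo.company.com DCs
$AdDC     = 'dc1.ad.company.com'                                        # hypothetical, one AD DC is enough

# Step 1: audit the stale copy of ad.company.com held by each GEO DC. Every A record in it
# must resolve to the same address from the real ad.company.com DCs. A record that differs,
# or that the real zone does not have at all, is either stale or was planted; either way a
# human should look at it before the zone is thrown away.
function Test-StaleZoneAgainstAuthoritative {
    param([string]$ZoneName, [string]$DnsServer, [string[]]$AuthoritativeIPs)
    $findings = @()
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A
    foreach ($rr in $records) {
        $fqdn    = if ($rr.HostName -eq '@') { $ZoneName } else { "$($rr.HostName).$ZoneName" }
        $localIp = $rr.RecordData.IPv4Address.IPAddressToString
        $authIps = @()
        foreach ($ip in $AuthoritativeIPs) {
            try {
                $authIps += (Resolve-DnsName -Name $fqdn -Type A -Server $ip -DnsOnly -ErrorAction Stop |
                             Where-Object { $_.Type -eq 'A' }).IPAddress
            } catch { }   # a DC that does not answer simply contributes nothing
        }
        $authIps = @($authIps | Sort-Object -Unique)
        if ($authIps.Count -eq 0) {
            $findings += [pscustomobject]@{ Server = $DnsServer; Name = $fqdn; Local = $localIp;
                                            Authoritative = '(none)'; Issue = 'not in real zone' }
        } elseif ($authIps -notcontains $localIp) {
            $findings += [pscustomobject]@{ Server = $DnsServer; Name = $fqdn; Local = $localIp;
                                            Authoritative = ($authIps -join ','); Issue = 'IP differs' }
        }
    }
    return $findings
}

$findings = foreach ($dc in $GeoDCs) {
    Test-StaleZoneAgainstAuthoritative -ZoneName $Zone -DnsServer $dc -AuthoritativeIPs $AdDCIPs
}
if ($findings) {
    $findings | Format-Table -AutoSize
    throw "Zone $Zone on the GEO DCs has records that do not match the authoritative zone; investigate before deleting."
}

# Step 2: on every GEO DC, drop the stale zone and replace it with a conditional forwarder
# for ad.company.com that points at the AD DCs. The Get-DnsServerZone check keeps the loop
# safe if AD replication already removed the zone from a later DC in the list.
foreach ($dc in $GeoDCs) {
    if (Get-DnsServerZone -ComputerName $dc -Name $Zone -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -ComputerName $dc -Name $Zone -Force
    }
    Add-DnsServerConditionalForwarderZone -ComputerName $dc -Name $Zone -MasterServers $AdDCIPs
    # Quick validation: the GEO DC should now hand back the SOA of the real ad.company.com zone.
    Resolve-DnsName -Name $Zone -Type SOA -Server $dc -DnsOnly
}

# Step 3: on one AD DC, create the AD-integrated conditional forwarder for geo.company.com.
# Forest-wide replication scope is an assumption; Domain scope is also AD integrated.
Add-DnsServerConditionalForwarderZone -ComputerName $AdDC -Name 'geo.company.com' `
    -MasterServers $GeoDCIPs -ReplicationScope 'Forest'
```

The script fails closed: if step 1 reports anything, nothing is deleted. Run step 1 on its own first and review the table; the "IP differs" rows are the ones the top reply is warning about.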


-----Original Message-----
From: Joseph Heaton [mailto:[email protected]]
Sent: Thursday, March 10, 2011 5:14 PM
To: NT System Admin Issues
Subject: RE: Domain trust question

Ok, so it sounds like I'm getting myself confused.  And, right after I 
speed-replied (sorry...) I poked around and saw that SoA is not something that 
can be edited for the secondary zone.

So, back to my original issue, if you don't mind:

How it is setup now (I didn't do the initial setup, just trying to get it 
working so I can do the trust)

geo.company.com has multiple forward lookup zones.  One of them is an 
AD-integrated, primary zone for the AD.company.com domain.  Same goes the 
other way for AD.company.com.

When I try to setup a conditional forwarder, in either direction, and I put in 
the IP address of the DNS server in the other domain, I get a red X by the IP, 
and under the Validated column, I get the message: "The server with this IP is 
not authoritative for the required zone."

I'd rather do the conditional forwarder, as from what I've been reading, it is 
supposed to be much easier to setup, and I don't anticipate much change in name 
servers...

>>> Brian Desmond <[email protected]> 3/10/2011 2:57 PM >>>
No. The SOA record points to the Primary DNS Server for the zone. In the case 
of AD Integrated DNS, there's some special tweaks inside the DNS service such 
that the SOA record always returns the responding DC.

Secondary zones are purely copies of the zone. You can't change anything in 
them including the SOA record.

Thus far what I've read is mutually exclusive. You either do conditional 
forwarders or secondary zones, not both.

Thanks,
Brian Desmond
[email protected] 

c   - 312.731.3132


-----Original Message-----
From: Joseph Heaton [mailto:[email protected]]
Sent: Thursday, March 10, 2011 4:46 PM
To: NT System Admin Issues
Subject: RE: Domain trust question

And the SoA should be the DNS server from the other domain, right?  i.e. in 
geo.company.com, I setup a secondary zone for AD.company.com.  The SoA for that 
should be the nameserver in AD.company.com?

>>> Brian Desmond <[email protected]> 3/10/2011 2:40 PM >>>
The primary zone for each domain should live inside THAT domain's forest. 

Thanks,
Brian Desmond
[email protected] 

c   - 312.731.3132


-----Original Message-----
From: Joseph Heaton [mailto:[email protected]]
Sent: Thursday, March 10, 2011 3:41 PM
To: NT System Admin Issues
Subject: RE: Domain trust question

Ok, so here's my current situation:

2 domains, ad.company.com, and geo.company.com.  AD.company.com is at 2008R2 
functional level, both for domain and forest.  geo.company.com is at 2003 
functional level, both for domain and forest.

In DNS for each domain, there are AD-Integrated primary forward lookup zones 
for the other domain.  When I try to add a conditional forwarder, I get this 
message "The server with this IP is not authoritative for the required zone."

Did we mess up by making the zones primary, vs. secondary, or is there some 
other issue?

>>> Brian Desmond <[email protected]> 3/10/2011 10:40 AM >>>
Forest trust will enable Kerb across the trust and UPN routing, but otherwise 
given two single domain forests it's pretty much functionally identical.

Thanks,
Brian Desmond
[email protected] 

c   - 312.731.3132


-----Original Message-----
From: Joseph Heaton [mailto:[email protected]]
Sent: Thursday, March 10, 2011 11:10 AM
To: NT System Admin Issues
Subject: Domain trust question

We currently have a Windows domain which we're using as an applications domain. 
All of our network login/authentication is done through our Novell domain.  
Our current domain is at a Windows Server 2003 functional level, both for the 
domain and forest.  We are in the midst of planning a migration away from 
Novell, and into a new forest/domain that we've set up, which is at a 2008 R2 
functional level, for both forest and domain.  We want to setup a one-way trust 
between the two domains, so that users from the 2008 R2 domain will be able to 
access resources in the 2003 domain.

My question:

Would it be best practices in this case to create a forest trust?  Or would I 
use some other type of trust?



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
