RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Marcus.Oh
You could use conditional forwarding.  You could also set up an AD int stub 
zone.  I'm not well versed in the security aspects of either... but either one 
of those would work fine... 

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, October 26, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: DNS setup questions

OK; my Google-fu isn't working well today, and it's been a while since I had to 
do any advanced DNS work. Too much BPM work, not enough AD admin lately...

Here's the scenario:

Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, 
secure updates only
Partner domain: W2K3 functional level single-domain forest using BIND DNS.

We are planning to establish a trust between the domains. We need to set up DNS 
so that both domains can resolve at minimum SRV records to keep the trust 
working and allow member enumeration for selective auth setup. 
IIRC, we need to create secondary zones in each domain pointing to the other 
domain, and on the W2K3 side, add the BIND servers to the nameservers tab, 
right? Anything else I need to do on the W2K3 DNS side? I really think I'm 
missing something here, but I can't find any information with the answers I 
need...

Also, if I allow zone transfers to the other domain's DNS IP addresses, what's 
to prevent them from setting up something other than a secondary server? I know 
AD integrated won't allow another AD integrated DNS server outside the current 
domain, but I just want to make sure I don't leave anything insecure...

Thanks...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
** 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Laura A. Robinson
I'd probably take a look at conditional forwarding and/or stub zones instead
of doing Win2K-style secondaries. What version of BIND is in use in the
other forest? BIND 8+ supports conditional forwarding, and BIND 9+ supports
stub zones, IIRC.

Laura 



RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Laura A. Robinson
http://technet2.microsoft.com/WindowsServer/en/library/358c7852-d23b-4668-adf5-6ad2fe001e9f1033.mspx?mfr=true

Sorry, probably should have dug up the link before sending my other
response. :-)

Laura 



RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Charlie Kaiser
Since the partner forest is not using AD DNS zones but a Unix BIND system, 
wouldn't that eliminate the ability to do the conditional forwarding? I thought 
that required both sides to be W2K3 AD DNS...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**  



RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Marcus.Oh
Yeah I think you're right.  I completely overlooked that part about Bind. :)

:m:dsm:cci:mvp | marcusoh.blogspot.com




RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Laura A. Robinson
Not at all. Both BIND and MS DNS support conditional forwarding (depending
on BIND version and OS version, respectively). The destination for the
conditional forwarding is irrelevant, since it's the servers receiving the
queries from the clients that are responsible for forwarding (or not) the
queries. There is no specific interaction between the two DNS
implementations beyond standard querying.

Laura 



RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Marcus.Oh
Hmmm.  Looks like BIND 8 supports conditional forwarding and BIND 9 supports 
stub zones.

:m:dsm:cci:mvp | marcusoh.blogspot.com




RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Kurt Falde
Conditional forwarding does not require AD DNS on the side that it is 
forwarding to, so this would not be an issue. However, I would personally 
recommend the use of stub zones, as they can be AD integrated, which means you do 
not have to worry about manually configuring secondary zones across multiple 
servers in your environment but only need to create it once and allow it to 
replicate out to your other DC/DNS servers.

As for the opposing BIND side of the thing, yeah, add them to the 
name servers tab, allow zone transfers only to servers listed on the name servers 
tab, and set up secondaries on those BIND servers.  You may also want to check 
the notify option so that the secondaries are notified when there are updates 
to the zone that they should transfer, depending on what level of frequency you 
want IXFRs to happen at.


Kurt Falde, MCSE NT4/2K/2K3, CCSE+, CISSP
Premier Field Engineer
Northeast Region
Microsoft Corporation
Mobile Phone: (301) 367-2721
 Windows Vista

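The W2K3-side steps discussed in this thread (a conditional forwarder or an AD-integrated stub zone for the partner domain, the partner's BIND servers on the Name Servers tab, zone transfers limited to them, notify turned on), written out as an added dnscmd example that is not from any of the posters. The names corp.example and partner.example, the hosts ns1/ns2.partner.example and the addresses 192.0.2.10/.11 are made-up placeholders.

```batch
@echo off
rem Added example, not from the thread.  Assumed names: our AD domain is
rem corp.example, the partner's BIND-hosted domain is partner.example, and the
rem partner's BIND servers are ns1/ns2.partner.example at 192.0.2.10/.11.
rem Run on a W2K3 DC that runs DNS; dnscmd.exe comes with the Support Tools.

rem ===== Resolving the partner domain from our side: pick A or B =====

rem A) Conditional forwarder.  Queries for partner.example and everything
rem    below it (the _tcp/_msdcs SRV names the trust needs) go straight to
rem    the partner's servers.  Nothing is copied or stored locally, so the
rem    partner only has to answer ordinary queries, never a zone transfer.
rem    On W2K3 this is a per-server setting: repeat it on each DNS server.
dnscmd /ZoneAdd partner.example /Forwarder 192.0.2.10 192.0.2.11

rem B) AD-integrated stub zone.  Holds only the partner zone's SOA, NS and
rem    glue records, refreshed by ordinary queries to the listed masters;
rem    /DsStub stores it in AD so every DC/DNS server receives it through
rem    replication instead of per-server configuration.
rem    (If switching from A, remove the forwarder first:
rem     dnscmd /ZoneDelete partner.example /f)
rem dnscmd /ZoneAdd partner.example /DsStub 192.0.2.10 192.0.2.11

rem ===== Letting the partner's BIND servers hold a secondary of our zone =====

rem 1) List them as name servers of corp.example (the Name Servers tab).
dnscmd /RecordAdd corp.example @ NS ns1.partner.example.
dnscmd /RecordAdd corp.example @ NS ns2.partner.example.

rem 2) Allow zone transfers only to the servers named in those NS records,
rem    and send NOTIFY to them so they pull changes (IXFR where supported)
rem    when the zone changes rather than at the SOA refresh interval.
rem    A transfer is a read-only copy: this ACL decides who may read the
rem    whole zone; it grants no right to change anything in it.
dnscmd /ZoneResetSecondaries corp.example /SecureNs /Notify

rem    Tighter variant, pinned to addresses and independent of NS records:
rem dnscmd /ZoneResetSecondaries corp.example /SecureList 192.0.2.10 192.0.2.11 /NotifyList 192.0.2.10 192.0.2.11

rem ===== Check the result =====
dnscmd /ZoneInfo corp.example
dnscmd /EnumZones
rem From any domain member, the SRV record the trust depends on must resolve:
nslookup -type=SRV _ldap._tcp.dc._msdcs.partner.example
```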


RE: [ActiveDir] DNS setup questions

2006-10-26 Thread Laura A. Robinson
There seems to be a bit of confusion on a couple of fronts. 

First, neither stub zones nor conditional forwarding are dependent on the
destination (e.g., external forest/external environment) DNS
implementation. DNS servers respond to queries; that is what DNS does, no
matter what version or whose implementation. The mechanisms used in both
stub zone population and conditional forwarding are queries. The only reason
that the BIND DNS implementation would need to be 8+ is if it is necessary
for the forest that is serviced by the BIND servers to also do conditional
forwarding and/or stub zones on behalf of their clients.

Second, there is one and only one item in DNS that requires pure Windows
Server 2003 DNS, and that is the use of AD-integrated DNS zones that are
stored in partitions other than the domain partition. Leaving BIND out of
the picture for a moment, conditional forwarding and stub zones do, of
course, require Win2K3 DNS servers, but that does not necessarily preclude
the use of Windows 2000 DNS servers in the environment. Personally, I'd use
Windows Server 2003 regardless, but that's simply because it gives you more
options and you don't have to worry about what Win2K supports. (And as a
side note, you can even have Win2K DNS servers if you're using AD-integrated
DNS zones that are stored in partitions other than the domain partition; you
just won't be able to use the Win2k servers as replicas.)

This may prove useful: http://support.microsoft.com/default.aspx/kb/88 

HTH,

Laura


RE: [ActiveDir] DNS Setup questions

2002-05-19 Thread Kevin McLaughlin

Marvin,

Please look at
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DNS_imp_DelegatingZones.htm
for information regarding DNS zone delegation.  This should answer your questions.

Kevin

Kevin E. McLaughlin
MCSE, MCT, MCNE, MCNI, CCNA
Senior Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Marvin Cummings
Sent: Saturday, May 18, 2002 10:25 AM
To: NT 2000 Discussions; ActiveDir
Subject: [ActiveDir] DNS Setup  questions


Excuse me if this post seems long winded, but I have to 
ask.
My w2k home network looks like this:
dsl w/linksys router
tzo client hosting registered domain name of blah.com
w2k server as DC running AD, DNS, DHCP
DNS is AD-Integrated
assigned dhcp addresses of 192.168.1.?
separate w2k exchange server as member server
separate w2k web server as member server
2 newly configured and separate child domains
DNS on each child domain is AD-Integrated
My questions are:
1. I can't seem to access my server internally by its 
friendly name, www.blah.com. I can ping its IP address and 
name fine. I have to type http://192.168.1.? to see my 
default web page. I know this is a DNS issue and that it 
has something to do with internal and external namespaces 
but I'm not sure how to go about resolving it. Until I 
added my 2 child domains and started reading on DNS I 
wasn't sure that I needed a separate namespace and I'm 
hoping I don't. I'd like to have one namespace as I don't 
see having to worry about anyone accessing anything 
internally. Any help on this is appreciated.
2. Since adding my child domains I receive an event 1265 
that states that the DSA operation is unable to proceed 
because of a DNS lookup failure. Could this be related to 
my current setup? Or can anyone shed any light as to the 
reason behind this error. Not having any luck at Microsoft.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] DNS Setup questions

2002-05-19 Thread Rick Kingslan

Kevin,

Good redirect.  Good article, too!

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke


