Also, I'd go with option (3) below if you want to keep your DNS master on Linux; since AD uses a variety of special DNS RRs, I wouldn't feel comfortable in having the AD DNS master server being on anything but Windows. If you opt to use Linux DNS servers to root your AD implementation on, you need to allow for a number of non-standard records - see: http://www.linuxquestions.org/questions/linux-networking-3/howto-ms-active-directory-with-bind-on-linux-379377/

So, I'd go with a DNS root that's off your real DNS namespace, and implement it on a Windows DNS server. I've done this before, and really all you have to do is delegate all DNS queries other than for the AD DNS root to your main DNS servers.
Thanks, Will

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ski Kacoroski
Sent: Monday, July 18, 2011 6:10 PM
To: [email protected]
Subject: [lopsa-tech] Questions on AD domains and Bind DNS

Hi,

We need to restructure our AD domains from scratch and are wondering what other districts are doing. Our primary DNS servers will stay on Linux so they control the nsd.org domain and the. Currently we have separate domains and forests (staff.nsd.org, academic.nsd.org, proxydomain.nsd.org) with trusts between staff <=> proxydomain and academic <=> proxydomain. We need to move to a single forest with a top-level and child domains (or just a single top-level domain) for AD. Our ideas are:

1. ad.nsd.org
   Single top-level domain for staff and students. We are concerned because this will allow students to log into staff computers and see resources in the entire domain. If you have a setup like this, have you seen problems with students getting into machines/resources they should not?

2. ad.nsd.org with child domains sta.ad.nsd.org and stu.ad.nsd.org
   This will separate out the staff and students to resolve the concerns of option #1. We put the shared resources in the top-level ad.nsd.org domain. We just do not like the length of the path (e.g. sta.ad.nsd.org).

3. nsd top-level domain with child domains sta.nsd and stu.nsd
   We like the idea of a short path, but are concerned with how this would affect DNS as now the AD domains are not subdomains of the main DNS server. Anyone try something like this?

If you have any other ideas, comments, experiences, I would love to hear about them.
cheers, ski

--
"When we try to pick out anything by itself, we find it connected to the entire universe" John Muir

Chris "Ski" Kacoroski, [email protected], 206-501-9803 or ski98033 on most IM services

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
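As an added illustration of the delegation approach Will describes (this is constructed example configuration, not from either message in the thread), the BIND side of handing the AD DNS root to the Windows DNS servers on the domain controllers. The DC names dc1/dc2 and the RFC 1918 addresses are placeholders; the zone names are the ones from Ski's options. The point for the Linux side is that the parent zone only carries an NS delegation plus glue, so BIND never has to hold the _msdcs/_sites/_tcp/_udp SRV records that AD registers by dynamic update, and never has to accept dynamic updates from the DCs.

```text
; --- Option 1/2: AD root is a subdomain of the real namespace ---
; Fragment of the nsd.org zone file on the Linux/BIND master (constructed).
; Delegate ad.nsd.org to the Windows DNS servers running on the DCs.
$ORIGIN nsd.org.
ad              IN NS   dc1.ad.nsd.org.
ad              IN NS   dc2.ad.nsd.org.
; Glue A records: the name servers live inside the delegated zone, so the
; parent zone must publish their addresses (placeholder addresses).
dc1.ad          IN A    10.0.0.11
dc2.ad          IN A    10.0.0.12

; --- Option 3: AD root "nsd" is outside the real namespace ---
; There is no parent zone on the BIND side to delegate from, so named.conf
; instead sends every query for the private "nsd" tree to the DCs (constructed).
zone "nsd" {
    type forward;
    forward only;
    forwarders { 10.0.0.11; 10.0.0.12; };
};
```

On the Windows DNS servers, configure the Linux servers as forwarders so that every query outside the AD root goes back to the main DNS, which is the other half of what Will describes. A quick check from a client is `dig SRV _ldap._tcp.dc._msdcs.ad.nsd.org` (or `_ldap._tcp.dc._msdcs.nsd` for option 3): the answer should list the domain controllers, which confirms that both the delegation (or forward zone) and the DCs' dynamically registered SRV records are reachable from the Linux-served side.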
