Another strong vote here for single forest/single domain (AD domain)... the 
administration will be far simplified, when doing custom application 
integration it will make your life easier as you only need a single source for 
auth information etc etc...

One thing I have done in the past is to put the root domain on BIND but then do 
NS records for the _tcp and other SRV zones that AD requires pointing to domain 
controllers.  Gives you a best of both worlds scenario.

-rd

On Jul 19, 2011, at 5:54 PM, Will Dennis wrote:

> Also, I'd go with option (3) below if you want to keep your DNS master
> on Linux; since AD uses a variety of special DNS RR's, I wouldn't feel
> comfortable in having the AD DNS master server being on anything but
> Windows. If you opt to use Linux DNS servers to root your AD
> implementation on, you need to allow for a number of non-standard
> records -  see:
> http://www.linuxquestions.org/questions/linux-networking-3/howto-ms-active-directory-with-bind-on-linux-379377/
> So, I'd go with a DNS root that's off your real DNS namespace, and
> implement it on a Windows DNS server. I've done this before, and really
> all you have to do is delegate all DNS queries other than for the AD DNS
> root to your main DNS servers.
>
> Thanks,
> Will
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ski Kacoroski
> Sent: Monday, July 18, 2011 6:10 PM
> To: [email protected]
> Subject: [lopsa-tech] Questions on AD domains and Bind DNS
>
> Hi,
>
> We need to restructure our AD domains from scratch and are wondering
> what other districts are doing.  Our primary DNS servers will stay on
> Linux so they control the nsd.org domain and the.  Currently we have
> separate domains and forests (staff.nsd.org, academic.nsd.org,
> proxydomain.nsd.org) with trusts between staff <=> proxydomain and
> academic <=> proxydomain.  We need to move to a single forest with a
> toplevel and child domains (or just a single toplevel domain) for AD.
> Our ideas are:
>
> 1. ad.nsd.org
> Single top level domain for staff and students.  We are concerned
> because this will allow students to log into staff computers and see
> resources in the entire domain.  If you have a setup like this, have you
> seen problems with students getting into machines/resources they should
> not?
>
> 2. ad.nsd.org with child domains sta.ad.nsd.org and stu.ad.nsd.org
> This will separate out the staff and students to resolve the concerns of
> option #1.  We put the shared resources in the top level ad.nsd.org
> domain.  We just do not like the length of the path (e.g.
> sta.ad.nsd.org).
>
> 3. nsd top level domain with child domains sta.nsd and stu.nsd
> We like the idea of a short path, but are concerned with how this would
> affect DNS as now the AD domains are not subdomains of the main DNS
> server.  Anyone try something like this?
>
> If you have any other ideas, comments, experiences, I would love to hear
> about them.
>
> cheers,
>
> ski
>
> --
> "When we try to pick out anything by itself, we find it
>  connected to the entire universe"            John Muir
>
> Chris "Ski" Kacoroski, [email protected], 206-501-9803 or ski98033 on
> most IM services
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>

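The delegation rd describes above (AD root zone kept on BIND, NS records for the `_tcp` and other SRV subzones pointing at the domain controllers), written out as an added example; it is not from the original thread. The zone name ad.nsd.org is option 1 from Ski's message; the DC host names, addresses, TTLs and name servers ns1/ns2.nsd.org are assumed.

```zone
; Added example: fragment of the BIND master zone file for ad.nsd.org.
; The zone stays static on the Linux master; only the subzones that
; Netlogon registers SRV records into are delegated to the DCs, so the
; DCs are the only hosts that ever perform dynamic DNS updates.
; Host names and 192.0.2.x addresses (RFC 5737) are constructed placeholders.
$ORIGIN ad.nsd.org.
$TTL 3600
@       IN SOA  ns1.nsd.org. hostmaster.nsd.org. (
                2011072001 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.nsd.org.
        IN NS   ns2.nsd.org.

; Domain controllers (hypothetical). Static A records, since the DCs
; cannot register themselves into a zone that refuses dynamic updates.
dc1     IN A    192.0.2.11
dc2     IN A    192.0.2.12

; Netlogon also tries to register A records for the domain name itself;
; add them by hand and expect a Netlogon registration-failure event on
; each DC, because this zone does not accept updates.
@       IN A    192.0.2.11
@       IN A    192.0.2.12

; Delegate the subzones Netlogon populates to the DCs' own DNS service.
; No glue needed: the name servers' A records live in this zone, above.
_msdcs  IN NS   dc1.ad.nsd.org.
_msdcs  IN NS   dc2.ad.nsd.org.
_sites  IN NS   dc1.ad.nsd.org.
_sites  IN NS   dc2.ad.nsd.org.
_tcp    IN NS   dc1.ad.nsd.org.
_tcp    IN NS   dc2.ad.nsd.org.
_udp    IN NS   dc1.ad.nsd.org.
_udp    IN NS   dc2.ad.nsd.org.
```

On each DC, create AD-integrated primary zones with the same four names (`_msdcs.ad.nsd.org`, `_sites.ad.nsd.org`, `_tcp.ad.nsd.org`, `_udp.ad.nsd.org`) allowing secure dynamic updates only, then restart the Netlogon service so it re-registers its SRV records into them.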