David_Wallis

how would you configure dns in this environment?

Each circle is a different domain, we want the foreign site to be able to resolve machines on other sites..

At the moment I have delegated the uk.companyname.local dns to a different server IYSWIM..

however this works fine, with FQDN's but not for others (obviously)

Whats the recommended way of doing this, and we dont want to run dns in the companyname.local domain as this wont exist on every site in the uk. where as the uk.companyname.local will.

Any tips, suggestions?

Sorry to be vauge, but its late in the day.

We host nothing public internally (all our entries are hosted on the isp's servers)

David

Kieran_Burns

iTrader: (1)

First question: different domains, but same forest therefore sub-domains?

cos then it's simply AD integrated....

Plus do you only want the top domain (the one connected to the 'net) to be resolving external names, or can any do that?

Ah hang on... different primary domains (I should loook closer)...

Ummm... AD integrated for each site - secondaries for each primary server to the primary on the other sites... but still the question of external resolution...

David_Wallis

AD integrated is fine, however the uk.companyname.local domain is the only one that is going to be at everysite (each site will have a dc in this domain) however the top level domain will only be based at our head office and key sites, but this is the one we want to providing the internet based resolution..

the foreign site also needs to be able resolve uk based clients.

Same Forest though.

David

KiwiGTI

2000 or 2003 AD?

DNS zone for companyname.local should be in the root domain. Then delegate zones for uk.company.local and foreignsite.companyname.local to DNS servers (DCs) in each child domain. Then set up relication between all the DCs for the AD Integrated zones onall the DCs. Remember it is still DNS so the structure can exist independantly of the AD structure.

Root domain then has the ISP DNS servers listed in root hints. (Or in our case we have the root AD domain as the root (.) DNS zone. External DNS is done through the proxy server)

If using 2003 set up a separate application partition for DNS that will get replicated to all DCs acting as DNS servers.

what would scooby do

alternatively.... have a w4nk LOL , pay some mug to do it for yah

David_Wallis

unfortunatley we are paid to do it, yet we would like to implement it in the best way possible, not the worst way.

Whats the difference between using the root hints and the forwarders?

companyname.local is in the root domain, and I have delegated the UK domain.

It may be replication I havent set up properly.. I think you tend to treat it as AD and DNS rather than DNS in ad. Ill have a look at the replication settings.

David

Jeff Wiltshire

Root Hints are used for recursion (ie from the root servers down). This will mean that the DNS is responible for it's own resolution. Forwarders are used for iterative lookups where your DNS asks another DNS (typically your ISPs) to resolve the name for you. Look up iteration and recursion for a better description.

I assume that the real issue is that the 2 child domains cannot resolve hosts in the other child without using FQDN ?

Have a look here

http://www.microsoft.com/resources/d...owDnsWorks.asp

David_Wallis

yes, the issue is that the child domains need to use FQDN's, however we were planning on just using forwarders on the root servers for internet resolution as thats the way it worked before (IE NT4).

roblane

To add to what Jeff said then... If you want a client in your "foreign" domain to be able to resolve a host in the UK domain without using the FQDN of that host then assuming you have

i) NO netbios name resolution (WINS) in the environment


ii) the client resolver pointing at a DNS which either holds the UK.mycompany.local zone or can fwd a query to that zone

you'll simply need the clients to be configured with an appropriate dns suffix search list.
e.g

foreign.mycompany.local
uk.mycompany.local
mycompany.local

David_Wallis

I was thinking that..

WINS is not installed as yet as this is a test environment, and we need to be able to do lookups for non WINS enabled hosts.. such as Unix etc.

The main problem we are having is finding the recommended way of doing it..

The root domain is a native 2003 fresh install, so with DNS integrated, we are assuming we then need to tell this to replicate to all servers within the forrest, or just within the domain.

the foreigndomain will also be a new install, do we initially use the root servers as the DNS servers whilst installing, or install a new dns server at the same time? or do we create the delegation before building the domain?

The uk domain is to be an NT4 domain which is being upgraded, from what we can tell we need this to be 'interim mode' - no 2000 dc's, one nt4 dc need to remain for 2 months or so..

We are currently testing in a test lab so Im free to try anything, I have 3 lans / subnets with routing configured and a dedicated internet connection (to provide external dns resolution)

Any suggestions from the beginning.. this is something the MS courses were very 'light' on and its a long time since.

David

Jeff Wiltshire

Either, as Rob suggested, WINS/Domain suffix or you need to use FQDN. The 'correct' way of doing this will be FQDN....it's also the one the users will hate the most.

David_Wallis

argh..

http://www.microsoft.com/resources/d...pCltConfig.asp

so we cant even configure the suffixes via DHCP as it says..

FQDN's for everything

David

Jeff Wiltshire

You have to remember that this is the way DNS works. The only time that they will actually need FQDN internally is if they cross from 1 child domain to the other.


The only other alternative is to put everything in the same DNS zone (xxx.yourcompany.local) and not have the sub-domains.

David_Wallis

True..

I think im just assuming it can do what we have been told it 'should' do..

with replication configured it seems much better... still playing around though, so any suggestions are welcome.

roblane

Jeff's suggestion is an excellent one.

Ultimately your forest will all be Windows 2003 so having a single mycompany.local zone with subdomains for foreign and uk is perfectly reasonable especially if you change the replication scope of the zone to "All DNS Servers in the Active Directory Forest".

The only downside of this approach is possibly an increase in replication traffic - all hosts will be registering in a single zone which will be replicated to all sites. In practice this is usually far outweighed by the benefit of not having DNS lookups crossing the WAN.

If you're going to have an NT4 only environment then as you know you will need wins for a while.

As for recommended ways to do it - well the DNS infrastructure has historically been in the remit of the unix folks so I guess the classic would be separate zones for each domain with appropriate fwding & search suffixes. Happy to be educated there.

Most big orgs still do it that way but in a greenfield site or as they move to 2003 the forest wide dns zones is definitely the way to go.

You'll still want the search suffixes tho and you CAN do them very easily via group policy. (Computer / Admin template / network /dns clients). So that'll work for your Windows clients assuming they're XP or better...If not you can use the techniques described in Q275553

Jeff Wiltshire

David


The way I would do it is....

Work out the hosts that you actually need the users to resolve (there are probable very few once you have discounted the workstations) and manually add the to the top level DNS domain. If you really want to you can manually add them to the 2 child domains as well. Use the same name and IP addresses across all the domains to remain consistant.

Your probable talking about less than 20 addresses so it's an easy fix........

David_Wallis

LMFAO..

I fookin wish..

8000+ Users + 100's of clients all with their own systems..

Workstations arent a problem as they can use wins to resolve.

We use DNS to get to there systems as each client is on their own net / router behind a pix.. all to complicated..

I Know what you are saying and I can do that, but I think what I will do for the important ones is just keep the existing zone (could allways do some cname records for the ones that cant be changed to fqdn's)

Eitherway aint my problem