Tom wrote:
> Some DNS confusion, any clarification deeply appreciated.
>
> Configuration: Three child domains (all Native Win 2003) - rem01,
> rem02, and rem03.domain.internal and a root domain - domain.internal,
> each with two DC/DNS servers. All DNS servers use AD Integrated
> zones with replication scope to all DNS servers in Domain. Forwarders
> from the child domains to ISP DNS for internet name resolution. Hub
> and spoke VPN from root to child domains.
>
> Question groups:
>
> 1. Should the Name Servers tab on each zone contain only the names of
> the two servers in each domain and should you list only the
> "authoritative" servers for the domain on this tab?
It should have the name of each DNS server that has the zone.
> Is this list in a priority order?
There is no priority order, but each server having the AD integrated zone
will have itself named as the Primary on the SOA record. This has as much to
do with making sure each server accepts zone updates as it does anything
else; clients will send zone updates to the master name server.
> 2. Stub zones on each DNS server for the other three (2 child and 1
> root domain) zones will work for name resolution between hots in
> different domains?
Yes, if you mean hosts.
> Is any other configuration needed to make stub zones work such as a
> forwarder to each child/root domain?
Stub zones work more like a delegation than a forwarder.
> Should/can stubs be AD integrated?
As long as there are no Win2k DCs, yes. Replication to DNS servers in the
domain is OK.
> 3. Will zones configured as "AD integrated - Replication to all DNS
> servers in domain" show up in the DNS GUI tool only under the DNS
> servers for said domain? Another, way...I should not see fully
> populated zones in rem01 when looking under rem02 DNS servers zone for
> rem01...I should see only the stub with name servers for rem01 zone?
Stub zones have only NS records and Glue records.
> 4. Is it possible to "transfer" a zone from an AD integrated zone to a
> non-AD integrated "secondary"?
Yes, the transfer works just like any other Primary/Secondary zone.
One zone I did not see mentioned is the _msdcs.forestrootdomain zone that is
created when you let Win2k3 DCPromo configure DNS on the first DC. This zone
should be on ALL DNS servers in the forest, and is where all DCs register
their GUID record and where Global Catalogs register their records. Each
member of the domains in the forest needs access to this zone, which is why
the zone replicates forest wide.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
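A way to check the SOA behaviour described in the reply to question 1, and to tell an AD integrated copy from a secondary as in question 4. This is an added example and not part of either poster's message. It parses Windows nslookup output; the host names dc1, dc2 and sec1, the addresses and the sample replies are constructed for illustration.

```python
import re
import subprocess

# Windows nslookup prints the SOA MNAME as "primary name server = <host>".
SOA_RE = re.compile(r"primary name server\s*=\s*(\S+)", re.IGNORECASE)

def soa_primary(nslookup_text):
    """Return the SOA primary from nslookup output, or None if absent."""
    m = SOA_RE.search(nslookup_text)
    return m.group(1).rstrip(".").lower() if m else None

def query_soa(zone, server):
    """Live use: ask one specific DNS server for the zone's SOA record."""
    done = subprocess.run(["nslookup", "-type=SOA", zone, server],
                          capture_output=True, text=True, timeout=15)
    return done.stdout

def audit(outputs):
    """outputs: {server FQDN: nslookup text}. Returns {server: finding}."""
    findings = {}
    for server, text in outputs.items():
        primary = soa_primary(text)
        if primary is None:
            findings[server] = "no SOA returned"
        elif primary != server.lower():
            findings[server] = "names " + primary + " as primary, not itself"
    return findings

def _reply(server, primary):
    """Build a constructed nslookup SOA reply (not captured data)."""
    return ("Server:  %s\nAddress:  192.0.2.10\n\nrem01.domain.internal\n"
            "\tprimary name server = %s\n"
            "\tresponsible mail addr = hostmaster.domain.internal\n"
            "\tserial  = 57\n" % (server, primary))

DC1 = "dc1.rem01.domain.internal"   # hypothetical AD integrated DNS server
DC2 = "dc2.rem01.domain.internal"   # hypothetical AD integrated DNS server
SEC = "sec1.rem01.domain.internal"  # hypothetical non-AD secondary
SAMPLE = {
    DC1: _reply(DC1, DC1),
    DC2: _reply(DC2, DC2.upper() + "."),
    SEC: _reply(SEC, DC1),
    "dc1.rem02.domain.internal":
        "*** dc1.rem02.domain.internal can't find rem01.domain.internal\n",
}

if __name__ == "__main__":
    for server, finding in audit(SAMPLE).items():
        print(server, "->", finding)
```

For a live check, build the dictionary with `query_soa(zone, server)` for each DNS server instead of using `SAMPLE`.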