#1
Some DNS confusion, any clarification deeply appreciated.

Configuration: Three child domains (all Native Win 2003) - rem01, rem02, and rem03.domain.internal - and a root domain - domain.internal - each with two DC/DNS servers. All DNS servers use AD Integrated zones with replication scope to all DNS servers in the domain. Forwarders from the child domains to ISP DNS for internet name resolution. Hub and spoke VPN from root to child domains.

Question groups:

1. Should the Name Servers tab on each zone contain only the names of the two servers in each domain, and should you list only the "authoritative" servers for the domain on this tab? Is this list in a priority order?

2. Stub zones on each DNS server for the other three (2 child and 1 root domain) zones will work for name resolution between hots in different domains? Is any other configuration needed to make stub zones work, such as a forwarder to each child/root domain? Should/can stubs be AD integrated?

3. Will zones configured as "AD integrated - Replication to all DNS servers in domain" show up in the DNS GUI tool only under the DNS servers for said domain? Another way: I should not see fully populated zones for rem01 when looking under rem02 DNS servers at the zone for rem01; I should see only the stub with name servers for the rem01 zone?

4. Is it possible to "transfer" a zone from an AD integrated zone to a non-AD integrated "secondary"? If not, is the "zone transfer" tab totally useless with AD integrated zones?

Many thanks.
#2
Tom wrote:
> Some DNS confusion, any clarification deeply appreciated.
>
> Configuration: Three child domains (all Native Win 2003) - rem01, rem02, and rem03.domain.internal and a root domain - domain.internal, each with two DC/DNS servers. All DNS servers use AD Integrated zones with replication scope to all DNS servers in Domain. Forwarders from the child domains to ISP DNS for internet name resolution. Hub and spoke VPN from root to child domains.
>
> Question groups:
>
> 1. Should the Name Servers tab on each zone contain only the names of the two servers in each domain and should you list only the "authoritative" servers for the domain on this tab?

It should have the name of each DNS server that has the zone.

> Is this list in a priority order?

There is no priority order, but each server having the AD integrated zone will have itself named as the Primary on the SOA record. This has as much to do with making sure each server accepts zone updates as it does anything else; clients will send zone updates to the master name server.

> 2. Stub zones on each DNS server for the other three (2 child and 1 root domain) zones will work for name resolution between hots in different domains?

Yes, if you mean hosts.

> Is any other configuration needed to make stub zones work such as a forwarder to each child/root domain?

Stub zones work more like a delegation than a forwarder.

> Should/can stubs be AD integrated?

As long as there are no Win2k DCs, yes. Replication to DNS servers in the domain is OK.

> 3. Will zones configured as "AD integrated - Replication to all DNS servers in domain" show up in the DNS GUI tool only under the DNS servers for said domain? Another, way...I should not see fully populate zones in rem01 when looking under rem02 DNS servers zone for rem01...I should see only the stub with name servers for rem01 zone?

Stub zones have only NS records and Glue records.

> 4. Is it possible to "transfer" a zone from an AD integrated zone to a non-AD integrated "secondary"?

Yes, the transfer works just like any other Primary/Secondary zone.

One zone I did not see a mention of is the _msdcs.forestrootdomain that is created when you let Win2k3 DCPromo configure DNS on the first DC. This zone should be on ALL DNS servers in the forest, and is where all DCs register their GUID record, and where Global Catalogs register their records. Each member of the domains in the forest needs access to this zone, which is why the zone replicates forest wide.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
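The stub-zone setup Kevin describes, written out as an added example (not code from the thread or from either poster): it creates AD-integrated stub zones on a DNS server in rem01.domain.internal for the other three zones in the forest, refuses to stack a stub on a name the server already loads, and then verifies that each stub holds nothing but the apex SOA, the remote NS records and their glue. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and DNS admin rights on the local server; the master addresses are placeholders.

```powershell
# Added example, not code from the thread: configure AD-integrated stub zones
# on a DNS server in rem01.domain.internal for the other three zones in the
# forest, then confirm each stub holds only SOA, NS and glue records.
# Assumes the DnsServer PowerShell module (Windows Server 2012 or later) and
# DNS admin rights on the local server. The master addresses are placeholders.
Import-Module DnsServer

# Constructed map: zone -> addresses of the authoritative DNS servers (the
# DC/DNS pair) in that domain. Replace with the real addresses.
$stubMasters = @{
    'domain.internal'       = @('10.0.0.11', '10.0.0.12')
    'rem02.domain.internal' = @('10.0.2.11', '10.0.2.12')
    'rem03.domain.internal' = @('10.0.3.11', '10.0.3.12')
}

foreach ($zone in $stubMasters.Keys) {
    $loaded = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if ($loaded) {
        # A server loads only one zone per name: never stack a stub on a
        # zone that is already present here as Primary or Secondary.
        Write-Warning "$zone is already loaded as $($loaded.ZoneType); skipping"
        continue
    }
    # AD-integrated stub, replicated to the DNS servers in this domain.
    Add-DnsServerStubZone -Name $zone `
                          -MasterServers $stubMasters[$zone] `
                          -ReplicationScope Domain
}

# A stub zone carries only the apex SOA, the NS records of the remote
# authoritative servers and the glue A/AAAA records for those servers.
foreach ($zone in $stubMasters.Keys) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue
    if (-not $records) {
        Write-Warning "$zone has no records yet; the stub has not loaded from its masters"
        continue
    }
    $unexpected = $records | Where-Object { $_.RecordType -notin @('SOA', 'NS', 'A', 'AAAA') }
    if ($unexpected) {
        $types = ($unexpected.RecordType | Sort-Object -Unique) -join ', '
        Write-Warning "$zone contains record types a stub should not hold: $types"
    }
    # The name servers queries for this zone will be referred to.
    $records | Where-Object { $_.RecordType -eq 'NS' } |
        ForEach-Object { '{0,-25} NS {1}' -f $zone, $_.RecordData.NameServer }
}
```

On the Windows Server 2003 systems in the thread the same stub is created with dnscmd rather than the module, along the lines of `dnscmd /ZoneAdd rem02.domain.internal /DsStub 10.0.2.11 /DP /domain`; the verification step has no direct equivalent there beyond inspecting the zone in the DNS console.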
#3
Kevin, thanks for the .
Regarding (#1) name servers listed on the Name Servers tab...if a zone has a "domain-wide" replication scope to DNS servers, is it correct to say that only the DNS servers in the same domain would have a copy of the zone and hence be listed in the Name Servers tab?

Also, is it the case that if I look on local DNS servers at a stub zone for a remote domain, one should see only the name servers (on the Name Servers tab) that are listed as (NS) in the stub zone (the name servers in the remote domain)?

Regarding stubs...once the stub zone is in place, that is enough to direct DNS queries for host.domainB.local, say, from domainA (with a stub for domainB) to domainB, no forwarder needed, correct?

Thanks again.
#4
Tom wrote:
> Kevin, thanks for the .
>
> Regarding (#1) names servers listed on the Name Servers tab...if a zone has a "domain-wide" replication scope to DNS servers is it correct to say that only the DNS servers in the same domain would have a copy of the zone and hence be listed in the Name Servers tab?

Domain wide replication means the zone is stored in the DomainDNSZones partition, and replicated to all DNS servers in the domain. It has nothing to do with what is on the Name Servers tab. Windows Server 2003 has three default replication partitions: MicrosoftDNS, DomainDNSZones, and ForestDNSZones.

> Also, is it the case that if I look on local DNS servers at a stub zone for a remote domain that one should see only the name servers (on the name server tab) that are the name servers listed as (NS) in the stub zone (the name servers in the remote domain)?

On a stub zone the servers listed on the Name Servers tab are the remote name servers that have the full zone.

> Regarding stubs...once the stub zone is in place that is enough to direct DNS queries for host.domainB.local say from domainA (with a stub for domainB) to domainB, no forwarder needed, correct?

Correct, no forwarders needed to the domain named in the stub, nor any name under the domain, i.e. domainb.local includes host.sub.domainb.local.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
#5
Kevin, many thanks. I still am a bit confused on the matters of replication scope and the Name Servers tab, at least from a practical standpoint. Consider this scenario:

Two domains (domainA - parent, domainB - child), each with "domain-wide DNS server replication scope". No forwarders to the other domain and no stub zones for the other domain in each domain respectively. So, if on the Name Servers tab of the local name servers in each domain one were to add the names/IP addresses of DNS servers in the other domain, which because of the "domain-wide replication scope" would not have a full copy of the other domain's zone, this would have what effect? Based on our question/answer session I say none. Is it even possible to add a name server to the zone's Name Servers tab that does not actually have a full copy of the zone?

If there were full copies of each domain's zone in the other domain when both domains use "domain-wide" replication scope, is it possible that each domain holds a non-AD Integrated copy of the other domain's zone that was transferred using a "zone transfer" (from the AD Integrated "primary" to the standard "secondary")? If this could be the case, then these name servers holding "secondary" copies of the zone should be listed in the Name Servers tab in the other domain too?

Thanks again.
#6
Tom wrote:
> Kevin, many thanks. I still am a bit confused on the matters of replication scope and the name servers tab, at least from a practical standpoint. Consider this scenario:
>
> Two domains (domainA - parent, domainB - child) each with "domain-wide DNS server replication scope". No forwarders to the other domain and no stub zones for the other domain in each domain respectively. So, if on the name servers tab of the local name servers in each domain one were to add the names/ip address of DNS servers in the other domain, which because of the "domain-wide replication scope" each domain would not have a full copy of the other domains zone, this would have what effect?
> Based on our question/answer session I say none. Is even possible to add a name server to the zones name server tab that does not actually have a full copy of the zone?

It is possible to add an NS record for a DNS server that does not have the full zone. However, if that server has a Stub zone, you could end up with unexpected results. I can tell you that if the zone has an NS record for a particular DNS server, and you attempt to add a stub zone for the domain to the server listed in the NS record, the stub will not load.

> If there were full copies of each domains zone in the other domain when both domains use "domain-wide" replication scope it is possible that each domain holds a non-AD Integrated copy of the other domains zone that was transferred using a "zone transfer" (from the AD Integrated "primary" to the standard "secondary")?

The Zone Transfer tab has nothing to do with AD replication, and you cannot have a standard zone of any type and an AD zone for the same name on a DNS server. So if the zone is in AD, don't add the zone (of any type) on another DC within the AD zone's replication scope. There are no ifs, ands, buts or exceptions to this rule: one DNS server can only load one zone for a name. The best thing to do is to make a plan and stick to it.

A Secondary zone for a Primary of any type (ADI or Standard) that is dynamic is not the best plan; you'll get continual zone transfers causing 3000 and 9999 events. If it's a Standard Primary Dynamic zone you'll get continual 3150 leading to 3000 and 9999 events.

> If this could be the case, then these name servers holding "secondary" copies of the zone should be listed in the Name Servers tab in the other domain too?

Secondary zones should have NS records for themselves. You asked about Stub zones, which have only the NS records for the Authoritative servers with the full zone. This has nothing to do with the replication scope for zones stored in Active Directory. While an Active Directory integrated Primary (aka Master or Multi-Master) will usually have an NS record for all Domain Controllers it is on, Stub zones do not have NS records for the server they exist on anywhere; they have only NS records for the Authoritative servers.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
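An added audit script (not code from the thread or from either poster) that checks a DNS server against the rules Kevin lays out in this reply and in his earlier ones: every server holding an AD-integrated primary should appear among that zone's NS records, a stub zone must never name the server it is loaded on (it will not load), secondary copies of a dynamic primary betray themselves through repeated 3150/3000/9999 events, and the _msdcs zone for the forest root should be present and forest-wide. It assumes the DnsServer PowerShell module (Windows Server 2012 or later), a domain-joined server, and rights to read the DNS Server event log; the 24-hour event window is an arbitrary choice.

```powershell
# Added example, not code from the thread: audit the zones on the local DNS
# server against the NS-record, stub-zone and one-zone-per-name rules from
# the discussion above. Assumes the DnsServer module (Windows Server 2012 or
# later), a domain-joined host, and read access to the DNS Server event log.
Import-Module DnsServer

$self     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.TrimEnd('.').ToLower()
$findings = @()

$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
foreach ($zone in $zones) {
    $name = $zone.ZoneName
    # Apex NS records: the servers this zone claims are authoritative for it.
    $nsTargets = @(Get-DnsServerResourceRecord -ZoneName $name -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq '@' } |
        ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() })

    switch ($zone.ZoneType) {
        'Primary' {
            $scope = if ($zone.IsDsIntegrated) { "AD, scope $($zone.ReplicationScope)" } else { 'standard' }
            # Each server that holds an AD-integrated zone should be one of its NS records.
            if ($zone.IsDsIntegrated -and ($nsTargets -notcontains $self)) {
                $findings += "$name ($scope): this server holds the zone but is missing from its NS records"
            }
        }
        'Stub' {
            # A stub that lists the server it sits on will not load.
            if ($nsTargets -contains $self) {
                $findings += "$name (stub): this server is named in the stub's own NS records"
            }
            if ($nsTargets.Count -eq 0) {
                $findings += "$name (stub): no NS records loaded from masters $($zone.MasterServers -join ', ')"
            }
        }
        'Secondary' {
            # A secondary of a dynamic primary re-transfers continually; see events below.
            $findings += "$name (secondary of $($zone.MasterServers -join ', ')): check transfer events"
        }
    }
}

# The _msdcs zone for the forest root is expected on every DNS server in the
# forest and replicated forest-wide.
$forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$msdcs = Get-DnsServerZone -Name "_msdcs.$forestRoot" -ErrorAction SilentlyContinue
if (-not $msdcs) {
    $findings += "_msdcs.$forestRoot is not loaded on this server"
} elseif ($msdcs.IsDsIntegrated -and $msdcs.ReplicationScope -ne 'Forest') {
    $findings += "_msdcs.$forestRoot is replicated with scope $($msdcs.ReplicationScope), not forest-wide"
}

# Repeated zone transfer / load events in the last day (window chosen here
# arbitrarily) point at a secondary that keeps re-pulling a dynamic primary.
$filter = @{ LogName = 'DNS Server'; Id = 3000, 3150, 9999; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object Id |
    ForEach-Object { $findings += "event $($_.Name): $($_.Count) occurrences in the last 24h" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it on each DC/DNS server in turn; a clean run on one server says nothing about its peers, since the NS-record and stub checks are about the relationship between the local server and the zones it loads.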