#1 |
|
I'm looking at re-working our current DNS configuration. I have 20 domains in a single forest and each domain represents an individual site that connects like a hub/spoke topology to the forest level DCs. Right now, DNS is only run on the 2 forest level DNS servers, but I'd like to have a writable copy of each respective domain's zone at each site. Is this recommended? The problem is, though, that we're running 2000 almost everywhere. However, we plan to upgrade our forest DCs to Server 2003 next month. Upgrading all site DCs to 2003 is an option, but we're trying to avoid it if possible. I tried running ADI zones on different DCs in different domains, but they would never transfer to each other due to limitations in 2000 (I believe). Will updating the forest level DCs to 2003 fix this limitation, or do all DNS servers that will host the zone have to be 2003? Lastly, if we don't upgrade to 2003 everywhere, is it recommended to host ADI zones for each respective domain at each respective site? And then set up a secondary zone for each domain on the forest level DNS server that pulls from the respective site's DC? The only problem that I foresee with that scenario is that if the site DC goes down, we lose the only writable copy of DNS for that domain, which is not an option. Therefore, wouldn't we have to run DNS on both domain controllers for each domain that are ADI and then set up secondary zones on the forest level DNS servers? It seems like it would be easier to upgrade everything to Server 2003 vs. the administrative overhead of putting writable copies of DNS at remote sites.

-- Tim
|
#2 |
|
"Tim Chin" <nothanks> wrote in message
news:%23kLiii$9GHA.4464@TK2MSFTNGP02.phx.gbl...

> I'm looking at re-working our current DNS configuration. I have 20
> domains in a single forest and each domain represents an individual site
> that connects like a hub/spoke topology to the forest level DCs. Right
> now, DNS is only run on the 2 forest level DNS servers, but I'd like to
> have a writable copy of each respective domain's zone at each site. Is
> this recommended?

If not necessarily recommended, it is common and normal to do as you suggest, with each DNS zone having a master (most) local to the majority of the clients. With AD DNS you can even have multiple masters so that each location has a writable copy. This part only works across the forest, however, if you use Win2003 DNS (it only works across each domain if you have Win2000.)

> The problem is, though, that we're running 2000 almost everywhere.
> However, we plan to upgrade our forest DCs to Server 2003 next month.
> Upgrading all site DCs to 2003 is an option, but we're trying to avoid it
> if possible.

One has to wonder why you have so many domains? You can always have each (site specific) DNS server hold a "secondary zone" for each of the other DNS zones, but this becomes tedious and obnoxious with (as many as) twenty domains/zones.

> I tried running ADI zones on different DCs in different domains, but they
> would never transfer to each other due to limitations in 2000 (I believe).

No, the other DNS servers could be secondaries.

> Will updating the forest level DCs to 2003 fix this limitation or do all
> DNS servers that will host the zone have to be 2003?

The forest functional level has nothing (directly*) to do with this, but upgrading to Win2003 DNS servers would allow more choices for cross-zone/domain resolution: conditional forwarding, stub zones, AD-Integrated DNS replication across the forest, as well as the already available (in Win2000) cross-secondaries that were traditionally used.

*Upgrading the forest level would, however, require you to FIRST upgrade all the DCs, so indirectly this would give you Win2003 DCs.

> Lastly, if we don't upgrade to 2003 everywhere, is it recommended to host
> ADI zones for each respective domain at each respective site?

It is the usual case. It is far less fault tolerant (e.g., you lose a WAN line) to have the clients dependent on a remote DNS. Depending on your network it may even be more reliable day to day (e.g., timeouts due to network delays) and much more efficient (network congestion, network latency, etc.)

> And then set up a secondary zone for each domain on the forest level DNS
> server that pulls from the respective site's DC?

That is usual. Your situation is complicated by "20 domains/zones", which means a LOT of secondary relationships to set up. The real problem you have stems from so many zones....

> The only problem that I foresee with that scenario is that if the site DC
> goes down, we lose the only writable copy of DNS for that domain, which
> is not an option.

How is your current situation better? (Are the central DCs somehow more fault tolerant, better maintained, etc.?) And with the new idea those site specific DCs could be set to AD Integrated, since presumably you have at least 2 DCs for EACH domain, and therefore you could have both fault tolerance and local DC-DNS writable DCs with as many "secondaries" for them as you wish (at other sites.)

> Therefore, wouldn't we have to run DNS on both domain controllers for each
> domain that are ADI and then set up secondary zones on the forest level DNS
> servers?

That is the right way to do it anyway. Without DNS on every DC (or at least 'enough') you don't really have the full fault tolerance that multiple DCs implies.

> It seems like it would be easier to upgrade everything to Server 2003 vs.
> the administrative overhead of putting writable copies of DNS at remote
> sites.

Upgrading to Win2003 will help you (by giving you more potential solutions), but the biggest would be to consider consolidating those domains into a much smaller number (one?) of domains.....

-- Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
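The layout Herb describes (a writable AD-integrated zone on both DCs of each child domain, read-only secondaries on the forest-root DNS servers, and the Win2003-only alternatives) written out as a dnscmd script, with a serial check at the end. This is an added example, not part of the thread and not from either poster. The forest root corp.example, the child domain site1.corp.example and every IP address are assumed names; the block covers one domain and would be repeated for each of the twenty. dnscmd comes from the Windows Support Tools on both 2000 and 2003; its first argument is the server the command is sent to, so the whole script can run from one admin workstation.

```batch
@echo off
rem Added example, not from the thread. All names and addresses are assumed:
rem   forest root        corp.example      (hub DNS: 10.0.0.1, 10.0.0.2)
rem   child domain/site  site1.corp.example (site DCs: 10.1.0.10, 10.1.0.11)
set HUB1=10.0.0.1
set HUB2=10.0.0.2
set ZONE=site1.corp.example
set SITEDC1=10.1.0.10
set SITEDC2=10.1.0.11

rem --- 1. Writable, AD-integrated copy of the zone in the site's own domain ---
rem On Windows 2000 an AD-integrated zone lives in the domain partition and
rem replicates to every DC of THAT domain that runs the DNS service, so both
rem site DCs end up writable. Create it once; the second DC loads it from AD
rem as long as the DNS service is installed there.
dnscmd %SITEDC1% /ZoneAdd %ZONE% /DsPrimary

rem Windows 2003 DNS only: store the zone in the forest-wide application
rem partition instead. Every 2003 DNS server in the forest (hub included)
rem then holds a writable replica and step 3 becomes unnecessary.
rem dnscmd %SITEDC1% /ZoneAdd %ZONE% /DsPrimary /DP ForestDnsZones.corp.example

rem --- 2. Allow zone transfers only to the hub, and NOTIFY the hub on change --
rem Limiting transfers to a list keeps the zone from being dumped by anyone
rem who can reach TCP 53 on the site DCs. Run on the second DC once the
rem zone has replicated to it.
dnscmd %SITEDC1% /ZoneResetSecondaries %ZONE% /SecureList %HUB1% %HUB2% /NotifyList %HUB1% %HUB2%
dnscmd %SITEDC2% /ZoneResetSecondaries %ZONE% /SecureList %HUB1% %HUB2% /NotifyList %HUB1% %HUB2%

rem --- 3. Read-only secondary on each hub server, BOTH site DCs as masters ----
rem Two masters keep the hub copy refreshing when one site DC is down, which
rem is the fault tolerance Tim was worried about losing.
dnscmd %HUB1% /ZoneAdd %ZONE% /Secondary %SITEDC1% %SITEDC2%
dnscmd %HUB2% /ZoneAdd %ZONE% /Secondary %SITEDC1% %SITEDC2%

rem Windows 2003 alternatives to a full secondary for each of the 20 zones:
rem a stub zone (SOA/NS/glue only) or a conditional forwarder. Either avoids
rem copying the whole zone to the hub; neither gives the hub a local copy
rem to answer from if the WAN link to the site is down.
rem dnscmd %HUB1% /ZoneAdd %ZONE% /Stub %SITEDC1% %SITEDC2%
rem dnscmd %HUB1% /ZoneAdd %ZONE% /Forwarder %SITEDC1% %SITEDC2%

rem --- 4. Check: force a transfer, then compare SOA serials at site and hub ---
dnscmd %HUB1% /ZoneRefresh %ZONE%
dnscmd %HUB2% /ZoneRefresh %ZONE%
nslookup -type=SOA %ZONE% %SITEDC1%
nslookup -type=SOA %ZONE% %HUB1%
nslookup -type=SOA %ZONE% %HUB2%
```

The serials printed by the three nslookup calls should match once the refresh has completed. If the hub's serial stays behind, the usual causes are step 2 not having been applied (the transfer request is refused), TCP 53 from the hub to the site DC being blocked, or the secondary having been created with the wrong master addresses; the DNS Server event log on the hub names which.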