RE: Sites and Services
"MT" wrote:

> We just recently upgraded our NT domain to 2K3 AD. We have one corp site with
> around 40 branches. The in-place upgrade went great; however, when deploying
> DCs to other sites I am having an issue with Headquarters clients
> authenticating to a Branch.
> We are using a mixed BIND/Windows DNS environment where our AD name is the
> same as our existing BIND DNS name. The appropriate zones are handed off to
> our Windows DNS server. Our Windows DNS servers then transfer the zones to
> the BIND DNS servers. All clients/servers use our BIND servers located at
> headquarters for DNS.
>
> Each DC is a GC and I have configured Sites and Services with the
> appropriate server for each subnet.
> Example: Branch subnet 135.74.65.0/24 assigned to Branch site Houston, which
> includes the Houston DC.
> Branch subnet 135.74.41.0/24 assigned to Branch site Tulsa, which includes
> the Tulsa DC.
> I have not defined any subnets for the Headquarters yet. (135.74.48.0 - 55.0)
>
> I would like to keep Headquarters PCs from authenticating at branches... and
> vice versa. That is the whole reason to have GCs at each site.
>
> My thoughts are... it might have something to do with DNS. Set up each DC at
> each branch as a DNS server and point all clients at each branch to them for
> resolution. Set up forwarders to the BIND servers.
>
> Any thoughts?
>
>

The first thing I would do is make sure that your DNS zone for your Active
Directory namespace (i.e. contoso.com) is Active Directory integrated and has
all of the appropriate SRV records for your domain controllers and GCs. Then
set up all of your branch DCs as DNS servers and replicate the zone to all DNS
servers in your domain or forest. I would get the records from your BIND
servers put into the Active Directory zone using dnscmd and then set up your
BIND servers with secondary zones, unless you want to run split-brain with
your BIND and Windows DNS zones.

For your sites you have the right idea. Put a domain controller with DNS in
each site and set up site links so the clients will prefer their local domain
controller for authentication.
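The site-to-subnet mapping and the site-specific SRV names the DC locator queries are what make "prefer the local DC" work; the following is an added example (not code from either poster) that models the subnets from the original post, uses contoso.com as a placeholder AD DNS name, and shows how a client outside any defined subnet falls back to the domain-wide records, which is the situation for the Headquarters range.

```python
import ipaddress

# Constructed from the thread: AD sites and their defined subnets.
# The Headquarters range 135.74.48.0 - 55.0 is deliberately NOT defined yet.
SITE_SUBNETS = {
    "Houston": ["135.74.65.0/24"],
    "Tulsa": ["135.74.41.0/24"],
}
DOMAIN = "contoso.com"  # placeholder AD DNS name, as in the reply


def site_for_client(ip, site_subnets=SITE_SUBNETS):
    """Longest-prefix match of a client IP against the AD subnet objects.
    Returns the site name, or None when no subnet object covers the address
    (the DC locator then has no site to prefer)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, nets in site_subnets.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None


def locator_srv_names(site, domain=DOMAIN, service="_ldap._tcp"):
    """SRV record names the DC locator tries, most specific first.
    With a site the site-scoped record is queried before the domain-wide
    fallback; without a site only the domain-wide record remains, so any
    DC in the domain (including a branch DC) may be returned."""
    names = []
    if site:
        names.append(f"{service}.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}.dc._msdcs.{domain}")
    return names


def subnet_for_range(first, last):
    """Smallest set of CIDR subnet objects covering an address range, e.g.
    the undefined Headquarters range that should be added to an HQ site."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


if __name__ == "__main__":
    for client in ("135.74.65.10", "135.74.41.7", "135.74.50.3"):
        site = site_for_client(client)
        print(client, "->", site or "no site", locator_srv_names(site))
    print("HQ subnet object(s) to define:",
          subnet_for_range("135.74.48.0", "135.74.55.255"))
```

Each name returned can be checked directly on a client with `nslookup -type=SRV <name>` to confirm the zone holds the site-scoped records the reply asks for.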