RE: Sites and Services

"sambrake" wrote:

>
>
> "MT" wrote:
>
> > We just recently upgraded our NT domain to 2K3 AD. We have one corp site with
> > around 40 branches. The in-place upgrade went great, however when deploying
> > DCs to other sites I am having an issue with Headquarters clients
> > authenticating to a Branch.
> > We are using a mixed BIND/Windows DNS environment where our AD name is the
> > same as our existing BIND DNS name. The appropriate zones are handed off to
> > our Windows DNS server. Our Windows DNS servers then transfer the zones to
> > the BIND DNS servers. All clients/servers use our BIND servers located at
> > headquarters for DNS.
> >
> > Each DC is a GC and I have configured Sites and Services with the
> > appropriate server for each subnet.
> > Example: Branch subnet 135.74.65.0/24 assigned to Branch site Houston, which
> > includes the Houston DC.
> > Branch subnet 135.74.41.0/24 assigned to Branch site Tulsa, which includes the
> > Tulsa DC.
> > I have not defined any subnets for the Headquarters yet. (135.74.48.0 - 55.0)
> >
> > I would like to keep Headquarters PCs from authenticating at branches...and
> > vice versa. That is the whole reason to have GCs at each site.
> >
> > My thoughts are...it might have something to do with DNS. Set up each DC at
> > each branch as a DNS server and point all clients at each branch to them for
> > resolution. Set up forwarders to the BIND servers.
> >
> > Any thoughts?
> >
> >
>
> The first thing I would do is make sure that your DNS zone for your Active
> Directory namespace (e.g. contoso.com) is Active Directory integrated and has
> all of the appropriate SRV records for your domain controllers and GCs. Then
> set up all of your branch DCs as DNS servers and replicate the zone to all DNS
> servers in your domain or forest. I would get the records from your BIND
> servers put into the Active Directory zone using dnscmd and then set up your
> BIND servers with secondary zones, unless you want to run split-brain with
> your BIND and Windows DNS zones.
>
> For your sites you have the right idea. Put a domain controller with DNS in
> each site and set up site links so the clients will prefer their local domain
> controller for authentication.

All of the AD zones (_msdcs, _tcp, etc.) are AD integrated. Our Windows DNS
servers are authoritative for those zones on the BIND side, with the BIND
servers as secondaries.

With my Sites and Services setup...if I configure my headquarters site with
135.74.48.0, will that affect branch offices that have no DC?
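The site, subnet and site-link setup discussed in this thread, plus the checks that show which DC a client will actually pick, as an added PowerShell example that is not part of any post above. It takes the site names and branch subnets from the thread; the domain name corp.example.com, the summarization of the headquarters range 135.74.48.0 - 55.0 into a single /21, and the site-link cost and interval are assumptions. It needs the RSAT ActiveDirectory and DnsClient modules and rights to write to the Configuration partition.

```powershell
# Added example, not from the thread. Assumed: domain corp.example.com,
# 135.74.48.0/21 as the headquarters summary (135.74.48.0 - 135.74.55.255),
# site names Headquarters/Houston/Tulsa, link cost 100 and a 15-minute interval.
Import-Module ActiveDirectory

$domain = 'corp.example.com'

# 1. Sites. Default-First-Site-Name already exists after an in-place upgrade;
#    the upgraded HQ DC sits there until it is moved into its own site.
foreach ($site in 'Headquarters', 'Houston', 'Tulsa') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnet-to-site mapping. The DC locator maps the client's IP to a site
#    through these objects; a client whose address matches no subnet is not in
#    any site, uses the domain-wide _tcp SRV records, and can land on any DC.
#    DCs log such clients in NETLOGON event 5807.
$subnets = @{
    '135.74.48.0/21' = 'Headquarters'   # assumed summary of 135.74.48.0 - 55.0
    '135.74.65.0/24' = 'Houston'
    '135.74.41.0/24' = 'Tulsa'
}
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 3. Hub-and-spoke site links. Replication topology and automatic site
#    coverage (which DC registers SRV records for a site that has no DC of
#    its own) both follow the link costs defined here.
foreach ($branch in 'Houston', 'Tulsa') {
    $linkName = "Headquarters-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded 'Headquarters', $branch `
            -Cost 100 -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

# 4. Verify from a client. nltest /dsgetsite prints the site the locator
#    resolved for this machine's IP; the _sites SRV records show which DCs
#    advertise themselves for each site. Clients try the site-specific records
#    first and fall back to the domain-wide _ldap._tcp.<domain> records only
#    if none of those DCs respond.
nltest /dsgetsite
foreach ($site in 'Headquarters', 'Houston', 'Tulsa') {
    "`n--- DCs registered for site $site ---"
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

# 5. Force a fresh locator query and show which DC (and which site) was chosen.
nltest /dsgetdc:$domain /force
```

Run steps 4 and 5 on a headquarters client before and after the headquarters subnet exists: with no matching subnet nltest reports no site and the domain-wide records decide, which is the behaviour the thread is trying to get rid of. For a branch that has no DC, define its subnet and its own site anyway; automatic site coverage then registers the DC from the lowest-cost linked site for it, so the choice of DC is controlled by the link costs rather than left to chance.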