Re: 2 Questions...

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/27/04


Date: Fri, 26 Mar 2004 20:15:26 -0700

A little late to your party, but let me toss in 2 cents.
Your first question is pretty well already dealt with.

You have said that you inherited and/or already have
an empty root forest with apparently one child domain.

In one post you asked about the value of the empty root.
This design was a popular suggestion when W2k was new,
but in final analysis perhaps the one real advantage to this
design (except for large, highly geo distributed infrastructures)
is isolation of the forest infrastructure from accidental
change/destruction of the root domain (as being empty its
change rate is close to nil). This however is not an actual
value if one has only one other domain. Many of the other
believed benefits just are not there upon a deep analysis.

With a multi-domain forest one has a few choices for DNS
support, and the best of these in part depends on the site
dispersion on the map.
In your case, with the root and one child domain, if I can
assume that you have a high concentration of the corp. child
at the main location where the root domain is sited, then the
most direct and simple is to have all DNS support for both
domains AD integrated into the DCs of the root. This could
be done either as a single zone or as two. The root has less
workload, is (I am assuming) equally local to your clients
as DCs of corp.
What if you do have remote sites, one with only DCs of corp?
One could use standard zone transfer to these, or if you are
running W2k3 AD you could enlist those DCs in the forestroot
DNS application context (where all of the DNS records would
be if you used one zone).

Alternatively you could have each domain AD integrate its own
zone. In this case you have the issues of:
1. root zone machines having no local access to DNS records of
the corp zone unless 1a) corp replicated its zone up to root DNS
with std transfers, or 1b) you enlisted root DNS in the corp domain
DNS application context if using W2k3 AD
2. corp machines not having access to root zone data, which is cured
as already stated or by having the DNS servers of corp forward to
those of root.

There are of course other variations.
However, if your deployment is all local, there really is no good
reason I can think of to not simply use DNS servers in the root with
a single zone, and all machines use these and only these.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Dan Kennedy" <dankennedy24@hotmail.com> wrote in message
news:53aba508.0403261041.62866e44@posting.google.com...
> 1.  How do I tell who the "master" holder of a zone is?  That is, is
> there one DNS server in my domain that more or less controls each
> particular zone?  If so, how do I find it?  I thought the Start of
> Authority tab on the zones would be the answer but each DNS server has
> itself listed as the SOA for a zone that spans 3 servers.  The zone
> in question is AD integrated.
>
> 2.  I have a 2 domain setup with company.com at the top and
> corp.company.com beneath.  Is there a way running W2K3 to have the
> zone from the top level be replicated automatically to the lower level
> domain?  Is this necessary or should I just have the couple boxes in
> the top level domain point to the child domain for DNS?  That seems
> easier but I wonder if there are drawbacks.  As an alternative I guess
> I could create 2nd zones on all the lower level DNS servers so that
> each of them had a copy of the top level domains DNS but that seems
> too manual... there should be an easier way right?
>
> Thanks,
> Dan
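The two designs Roger describes (both zones on the root DCs replicated forest-wide, or each domain hosting its own zone with the child forwarding to the root), plus a check for Dan's first question about the SOA, as an added PowerShell example that is not part of the thread. It assumes the DnsServer module (Windows Server 2012 or later / RSAT); on the W2k3 servers discussed here the same operations were done with dnscmd.exe, and the equivalents are noted in comments. All server and zone names are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsServer PowerShell module
# (Windows Server 2012+ / RSAT). dnscmd.exe equivalents are given in comments.
# Server and zone names below are placeholders, not from the original post.

$RootDns  = 'rootdc1.company.com'       # a DC running DNS in the empty root (placeholder)
$CorpDns  = 'corpdc1.corp.company.com'  # a DC running DNS in the child domain (placeholder)
$RootZone = 'company.com'
$CorpZone = 'corp.company.com'

# Question 1: an AD-integrated zone is multi-master, so there is no single "master".
# Every DC running DNS answers the SOA query with its own name as the primary
# server (MNAME), which is exactly what the poster saw on each server's SOA tab.
foreach ($srv in $RootDns, $CorpDns) {
    $soa = Resolve-DnsName -Name $RootZone -Type SOA -Server $srv -ErrorAction Stop
    '{0} reports SOA primary = {1}' -f $srv, $soa.PrimaryServer
}

# Question 2, Roger's preferred design: host both zones on the root DCs and store
# them in the forest-wide DNS application partition so the child's DCs can hold
# a replica without zone transfers.
# dnscmd equivalent: dnscmd <server> /ZoneChangeDirectoryPartition <zone> /forest
foreach ($zone in $RootZone, $CorpZone) {
    $z = Get-DnsServerZone -Name $zone -ComputerName $RootDns
    if ($z.IsDsIntegrated -and $z.ReplicationScope -ne 'Forest') {
        Set-DnsServerPrimaryZone -Name $zone -ComputerName $RootDns -ReplicationScope Forest
    }
}

# Enlist the child-domain DNS server in the forest partition (Roger's "enlist
# those DCs in the forestroot DNS application context") so the records replicate
# to it through AD rather than through standard zone transfers.
# dnscmd equivalent: dnscmd <server> /EnlistDirectoryPartition ForestDnsZones.company.com
Register-DnsServerDirectoryPartition -Name "ForestDnsZones.$RootZone" -ComputerName $CorpDns

# Roger's alternative (each domain AD-integrates its own zone): the child's DNS
# servers forward queries they are not authoritative for to the root's DNS servers,
# which cures the "corp machines cannot see root zone data" issue he lists as 2.
# dnscmd equivalent: dnscmd <server> /ResetForwarders <ip list>
$rootIps = (Resolve-DnsName -Name $RootDns -Type A -ErrorAction Stop).IPAddress
Add-DnsServerForwarder -ComputerName $CorpDns -IPAddress $rootIps -PassThru

# Verify which AD-integrated zones each server now holds and from which partition.
foreach ($srv in $RootDns, $CorpDns) {
    Get-DnsServerZone -ComputerName $srv |
        Where-Object IsDsIntegrated |
        Select-Object @{n='Server';e={$srv}}, ZoneName, ReplicationScope, DirectoryPartitionName
}
```

Note that a plain forwarder sends every non-authoritative query from the child DNS servers through the root's servers, not only those for company.com; if that is more than intended, a conditional forwarder for just the root zone (Add-DnsServerConditionalForwarderZone in the same module) limits it to that name. The forest-wide partition design avoids the question entirely, which is part of why Roger prefers it for an all-local deployment.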

