Re: Windows 2003 DNS with dedicated root and peer domain


From: Mike (Mike_at_discussions.microsoft.com)
Date: Wed, 27 Oct 2004 13:19:03 -0700


    Thanks for your excellent reply Ulf B.

    I’ve given the empty / dedicated root setup some careful thought and see it
    fit for the following reasons:
    - Mitigate risk associated with domain admins having forest wide rights.
    - The company I’m working for has gone through several changes – acquiring and
    selling off divisions, hence the reason for a generic empty root for any
    future changes.

    What are the workarounds for child/peer domain admins gaining forest-wide
    rights? I presume we’re not talking about something that can be easily done
    and that it would require some 3rd-party tools or some LDP / ADSI editing
    activity, which would be okay as I am just trying to logically separate these
    ‘extra’ privileges in case of accidental error etc.

    My domain is going to be something like root.local and my main user/resource
    domain called companyname.local. – I also plan to use Windows 2003 DNS with
    integrated zones, so how should this be configured? Could you give me a
    summary of the specifics or a URL (I haven’t been able to find anything) re
    configuring dissimilar namespaces within AD? – Obviously I want to prevent as
    much traffic / requests etc. going into my root domain.

    My current setup has a secondary DNS copy of the root domain in my main
    domain, and a copy (secondary DNS) of the main domain within my root.

    Best regards,
    M

    "Ulf B. Simon-Weidner [MVP]" wrote:

    > "Mike" <Mike@discussions.microsoft.com> wrote in message
    > news:Mike@discussions.microsoft.com:
    > > Guys,
    > >
    > > Could somebody PLEASE comment on what the optimal configuration of a new
    > >
    > > forest running Windows 2003 DNS would be with.
    > >
    > > - A dedicated root domain (no users etc etc)
    > > - A production domain within the same forest with a different DNS
    > > namespace.
    > >
    > > Would it be configure primary and secondary zones between each of the two
    > > dis-similar namespaces?!
    > >
    > > Feedback would be most grateful!
    > >
    >
    > Hello Mikey,
    >
    > The domain is not a security boundary, the forest is one. You will not
    > be able to prevent malicious administrators from becoming domain or
    > enterprise admin in the forest root domain (if they have enough
    > administrative rights in the subdomain), but you make it a bit harder
    > for the usual administrator, and if you have multiple administrators you
    > might prevent them from making errors by accident.
    >
    > So you might not need a separate forest root, depending on your
    > administrative folks.
    >
    > If you are using Microsoft DNS it's also recommended to integrate
    > DNS into Active Directory. If you have Windows Server 2003 Active
    > Directory you are even able to set the replication scopes for the
    > DNS-Data to replicate only to DCs which are also DNS-Servers in the
    > domain or in the forest. The Windows 2000 behavior was to replicate to
    > all DCs in the Domain, regardless of whether they are DNS-Servers (and know
    > what to do with that data) or not. There are no other replication
    > scopes in Windows 2000 AD.
    >
    > It is recommended that you have the zones set up as follows:
    >
    > _msdcs.yourdomain.com (AD-Integrated zone, replicating to all
    > DNS-Domaincontrollers in the Active Directory FOREST)
    > Yourdomain.com (AD-Integrated zone, replicating to all DNS-DCs in the
    > DOMAIN)
    >
    > The reason here is that specific services like GCs are only searched via
    > the _msdcs of the forest root. Therefore it needs to be available
    > throughout the whole FOREST.
    >
    > If you want to implement a subdomain you usually configure it to
    > replicate to all DNS-DCs in the DOMAIN as well.
    >
    > Hope that helps.
    >
    > --
    > Gruesse - Sincerely,
    >
    > Ulf B. Simon-Weidner
    >
    > MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
    > Weblog: http://msmvps.org/UlfBSimonWeidner
    > WebSite: http://www.windowsserverfaq.org
    >

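The zone layout Ulf describes (the forest root's _msdcs zone replicating to every DNS DC in the forest, each domain zone replicating only within its own domain) can be audited and enforced from script. The following is an added example, not code from the thread or from either poster. It uses the DnsServer PowerShell module, which ships with Windows Server 2012 and later; on Windows Server 2003, the platform this thread is about, the equivalent settings were made with dnscmd or the DNS console. The zone names root.local and companyname.local are taken from Mike's post; the hashtable of expected scopes, the function names and the assumption that the script runs on a DC that is also a DNS server, with rights to change zones, are mine. Note that in a forest created on Windows Server 2003 the _msdcs.<forest root> zone exists as its own zone, which is what allows it to have a replication scope different from the domain zone.

```powershell
# Added example (not from the thread). Requires the DnsServer module
# (Windows Server 2012+); run on a DC that is also a DNS server.
Import-Module DnsServer

# Expected layout per the quoted answer: _msdcs of the forest root is
# forest-wide, each domain zone stays within its own domain.
# Zone names from Mike's post; the mapping itself is an assumption.
$ExpectedScopes = @{
    '_msdcs.root.local' = 'Forest'
    'root.local'        = 'Domain'
    'companyname.local' = 'Domain'
}

function Get-ZoneScopeReport {
    # Compare each zone's actual storage and replication scope with the expected value.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($zone in $Expected.Keys) {
        $z = Get-DnsServerZone -Name $zone -ComputerName $ComputerName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone           = $zone
            Exists         = [bool]$z
            ZoneType       = $z.ZoneType
            IsDsIntegrated = $z.IsDsIntegrated
            Scope          = $z.ReplicationScope
            Expected       = $Expected[$zone]
            Ok             = [bool]($z -and $z.IsDsIntegrated -and $z.ReplicationScope -eq $Expected[$zone])
        }
    }
}

function Repair-ZoneScope {
    # Bring every non-compliant zone to the expected AD-integrated scope.
    # Pass -WhatIf to see the changes without applying them.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($row in Get-ZoneScopeReport -Expected $Expected -ComputerName $ComputerName) {
        if ($row.Ok) { continue }
        if (-not $row.Exists) {
            # Missing zone: create it AD-integrated, allowing secure dynamic updates only.
            Add-DnsServerPrimaryZone -Name $row.Zone -ReplicationScope $row.Expected `
                -DynamicUpdate Secure -ComputerName $ComputerName -WhatIf:$WhatIfPreference
        }
        elseif (-not $row.IsDsIntegrated) {
            # File-backed primary (or a secondary copy): convert to AD-integrated.
            ConvertTo-DnsServerPrimaryZone -Name $row.Zone -ReplicationScope $row.Expected `
                -Force -ComputerName $ComputerName -WhatIf:$WhatIfPreference
        }
        else {
            # Already AD-integrated but in the wrong partition: change the scope.
            Set-DnsServerPrimaryZone -Name $row.Zone -ReplicationScope $row.Expected `
                -ComputerName $ComputerName -WhatIf:$WhatIfPreference
        }
    }
}

# Report first, then review the proposed changes before applying them.
Get-ZoneScopeReport -Expected $ExpectedScopes | Format-Table -AutoSize
Repair-ZoneScope -Expected $ExpectedScopes -WhatIf
```

Run the report on a DC in each domain: the _msdcs.root.local zone should show up as AD-integrated with scope Forest on both root.local and companyname.local DCs, while each domain zone appears only on the DCs of its own domain. The Forest scope is what makes the forest root's GC and PDC locator records resolvable from the child or peer domain without keeping a separate secondary copy of that zone, which is the concern Ulf raises about _msdcs.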
