Re: I need Help -- Tear it up and call me stupid!
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 7 Jun 2005 13:47:47 -0500
"Rob" <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:50E0AD36-66CC-4506-A8BF-448AC63F524B@xxxxxxxxxxxxxxxx
> I need advice with setting up an ADS (Active Directory structure) that will
> perform the following:
> Currently we have DNS/and DHCP configured on a UNIX box.
While technically the DNS can stay on UNIX, you will be much
happier if you move it to Win2003 when you upgrade the domain.
> We are in an NT 4.0 domain and also run WINS since a lot of the clients are
> still Windows 9x.
If you need WINS under NT4 you will still need WINS under Win2003
(even if you remove all of the Win9x machines).
> I want to make an ADS structure that will service the internal network, and
> still allow UNIX to service the external network,
This is NOT an AD issue -- UNIX doesn't use AD -- it is strictly a DNS
issue, and the odds are you don't want a "structure" but rather a DNS
server set which resolves all names (both internal and external) for all
of your users and computers.
> however we have several
> offsite offices that we want to authenticate through ADS via the Internet --
> how do we do this, how will the structure and DNS records be...
It's usually a poor practice -- so if the site is large enough you put a DC
there. If it is not large enough, you are probably better off establishing
a VPN/RRAS connection to the main network, and then the "offsite"
can be treated as a local network.
> One of the factors is that people can access this domain (ADS) from outside..
> also we need to use the existing naming structure -- example:
You CAN do that but VPNs are likely the best approach.
> right now the domain = XXXXXX
For AD use at LEAST a "two label name", e.g., XXXXX.yyy.
Do NOT use a name without at least two labels.
The usual case is your NT_DOMAIN_NAME becomes NT_DOMAIN_NAME.com
or .edu or .net, etc.
> DNS zone XXXXXX.edu also resolvable via Internet / website too
This is difficult to get correct (although possible) unless you use the VPN
method (which switches the remote clients over to the local AD DNS
WHEN they are connected).
In that case you will NOT be able to use the same name INTERNALLY
as you use externally but should use a CHILD of the external name:
Name.edu for public resources, and child.Name.edu for your AD users.
> SUBZONE = intranet.XXXXXXX.edu
Yes, like that.
> Both zones are currently administered from UNIX
The child zone will become the AD zone, so UNIX probably should
not handle that one (though it is technically feasible).
> Additionally, what benefits will we gain from doing an in-place upgrade
> as opposed to a parallel domain and migration.
In-place just works. Migration is a lot of work and may not be 'perfect'.
> I looked through links and sites and still need help, so please help me out
> without sending links of white papers.
People ask such things never realizing that such papers are BETTER
than casual postings (like mine here) for the GENERAL case, UNTIL
you ask specific questions like some of the above.
> Any thoughts about the overall DNS name server structure?
Given what you have said, I am strongly INCLINED towards the
publicname.edu and privatechildof.publicname.edu for your AD
zone/domain.
> What are some key questions or things we need to consider when making our
> name?
Public vs. Private (private is usually better, but you need to expose it on
the Internet)
Parent vs. Child (child is better since you need to expose it but don't want
to put your internal records in a fully public zone.)
Child of a publicly registered name sounds best FOR YOU.
> What about design issues like: DDNS, DHCP/BOOTP servers, and
> Internet/intranet DNS design.
You need DDNS for the DCs; you may expose a NON-Dynamic
secondary for the external clients.
You NEED "secure DNS only" which means your Dynamic DNS
servers must run on your DCs only -- and this eliminates UNIX
except for additional secondaries which will/can NOT be dynamic.
> my thoughts are to use = ADS.internal.XXXXXX.edu
I wouldn't add a fourth label (but there is nothing technically wrong
with it) so use either ads.XXXXXX.edu or internal.XXXXXX.edu.
> Since UNIX still operates on a primary and secondary convention, would we
> need to do this in AD also, instead of doing integrated zones?
No, you would have a NEW (child) zone which will be dynamic, but
you MAY have a DNS server (running UNIX OR Windows) running
as a secondary for the Internet users to avoid having a DC or dynamic
DNS exposed on the Internet.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
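The design Herb sketches above (an AD-integrated child zone of the public name, dynamic updates accepted only from authenticated clients and only on the DCs, and one read-only secondary that can be exposed to the Internet instead of a DC) can be provisioned with the DnsServer PowerShell module. This is an added example, not code from either poster; the 2005 thread would have done the same with dnscmd or the DNS MMC on Win2003, and this script assumes Windows Server 2012 or later. All names and addresses are placeholders (child zone `ads.example.edu`, parent `example.edu` on the UNIX servers at 10.0.0.53, Internet-facing secondary at 192.0.2.53).

```powershell
#Requires -Modules DnsServer
# Added example (not from the original thread): provision the AD child zone on a DC.
# Assumed placeholder names/addresses; change to match your environment.
[CmdletBinding()]
param(
    [string]   $ChildZone    = 'ads.example.edu',  # AD zone, a CHILD of the public name
    [string[]] $SecondaryIPs = @('192.0.2.53'),    # the one non-dynamic secondary exposed to the Internet
    [string[]] $ParentDns    = @('10.0.0.53')      # UNIX servers that keep hosting the public parent zone
)

# 1. The child zone lives in AD (replicated to every DC in the domain) and takes
#    only SECURE dynamic updates, i.e. updates authenticated with the client's
#    Kerberos identity. Nothing unauthenticated can register or overwrite a record.
if (-not (Get-DnsServerZone -Name $ChildZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope Domain -DynamicUpdate Secure
} else {
    # Zone already exists: make sure it was not left at NonsecureAndSecure.
    Set-DnsServerPrimaryZone -Name $ChildZone -DynamicUpdate Secure
}

# 2. Only the designated secondary may pull the zone (AXFR/IXFR), and it is the
#    only server notified of changes. The secondary answers Internet queries
#    read-only; the DC and its dynamic-update listener are never exposed.
Set-DnsServerPrimaryZone -Name $ChildZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIPs `
    -Notify NotifyServers -NotifyServers $SecondaryIPs

# 3. The public parent zone stays on UNIX. Internal clients point at the DC for
#    DNS, so the DC forwards parent-zone names to the UNIX servers instead of
#    hosting a copy of the public zone.
$parentZone = ($ChildZone -split '\.', 2)[1]
if (-not (Get-DnsServerZone -Name $parentZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $parentZone -MasterServers $ParentDns
}

# 4. Verify the security-relevant settings rather than trusting the run.
function Test-AdChildZone {
    param([string]$Name, [string[]]$AllowedSecondaries)
    $z = Get-DnsServerZone -Name $Name -ErrorAction Stop
    $ok = $z.IsDsIntegrated -and
          $z.DynamicUpdate -eq 'Secure' -and
          $z.SecureSecondaries -eq 'TransferToSecureServers' -and
          -not (Compare-Object $z.SecondaryServers $AllowedSecondaries)
    [pscustomobject]@{
        Zone             = $z.ZoneName
        AdIntegrated     = $z.IsDsIntegrated
        DynamicUpdate    = $z.DynamicUpdate
        TransfersTo      = ($z.SecondaryServers -join ',')
        Compliant        = $ok
    }
}
Test-AdChildZone -Name $ChildZone -AllowedSecondaries $SecondaryIPs | Format-List

# The UNIX side needs only a delegation for the child in the public parent zone
# (BIND-style records, shown here as a comment; 10.0.0.10 is the assumed DC):
#   ads.example.edu.       IN NS   dc1.ads.example.edu.
#   dc1.ads.example.edu.   IN A    10.0.0.10        ; glue
# No dynamic-update settings are needed on the UNIX servers: the parent zone
# never receives updates, and the Internet-facing secondary is read-only.
```

Run it once on a DC that already runs the DNS role; `Test-AdChildZone` reports `Compliant = False` if the zone was created earlier with `NonsecureAndSecure` updates or with transfers open to any server, which are the two settings that would let an unauthenticated host on the wire register names or copy the whole internal namespace.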