Re: Active Directory Integrated zones questions



Kevin, thanks for the help.

Regarding (#1), name servers listed on the Name Servers tab... if a zone has
a "domain-wide" replication scope to DNS servers, is it correct to say that
only the DNS servers in the same domain would have a copy of the zone and
hence be listed in the Name Servers tab?

Also, is it the case that if I look on local DNS servers at a stub zone for
a remote domain that one should see only the name servers (on the name server
tab) that are the name servers listed as (NS) in the stub zone (the name
servers in the remote domain)?

Regarding stubs...once the stub zone is in place that is enough to direct
DNS queries for host.domainB.local say from domainA (with a stub for domainB)
to domainB, no forwarder needed, correct?

Thanks again.

"Kevin D. Goodknecht Sr. [MVP]" wrote:

Tom wrote:
Some DNS confusion, any clarification deeply appreciated.

Configuration: Three child domains (all Native Win 2003) - rem01,
rem02, and rem03.domain.internal and a root domain - domain.internal,
each with two DC/DNS servers. All DNS servers use AD Integrated
zones with replication scope to all DNS servers in Domain. Forwarders
from the child domains to ISP DNS for internet name resolution. Hub
and spoke VPN from root to child domains.

Question groups:

1. Should the Name Servers tab on each zone contain only the names of
the two servers in each domain and should you list only the
"authoritative" servers for the domain on this tab?
It should have the name of each DNS server that has the zone.

Is this list in a priority order?
There is no priority order, but each server having the AD integrated zone
will have itself named as the Primary on the SOA record. This has as much to
do with making sure each server accepts zone updates as it does anything
else; clients will send zone updates to the master name server.

2. Stub zones on each DNS server for the other three (2 child and 1
root domain) zones will work for name resolution between hots in
different domains?
Yes, if you mean hosts.

Is any other configuration needed to make stub zones work such as a
forwarder to each child/root domain?
Stub zones work more like a delegation than a forwarder.

Should/can stubs be AD integrated?
As long as there are no Win2k DCs, yes. Replication to DNS servers in the
domain is OK.

3. Will zones configured as "AD integrated - Replication to all DNS
servers in domain" show up in the DNS GUI tool only under the DNS
servers for said domain? Another way... I should not see fully
populated zones in rem01 when looking under rem02 DNS servers' zone for
rem01... I should see only the stub with name servers for the rem01 zone?
Stub zones have only NS records and glue records.

4. Is it possible to "transfer" a zone from an AD integrated zone to a
non-AD integrated "secondary"?
Yes, the transfer works just like any other Primary/Secondary zone.

One zone I did not see mentioned is the _msdcs.forestrootdomain that is
created when you let Win2k3 DCPromo configure DNS on the first DC. This zone
should be on ALL DNS servers in the forest, and is where all DCs register
their GUID record, and where Global Catalogs register their records. Every
member of every domain in the forest needs access to this zone, which is why
the zone replicates forest-wide.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
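The three points Kevin makes above (every DNS server that holds the zone appears on the Name Servers tab, each AD integrated copy names itself as Primary in its SOA, and a stub zone carries only NS records plus glue) can be checked mechanically against zone snapshots instead of by eye in the GUI. The following Python is an added example, not code from this thread or from any Microsoft tool. It reads zone-file style text, which is a format you would have to produce yourself (for instance by exporting each zone from each server); the server names (dc1/dc2.rem01.domain.internal, the retired olddc), addresses and the stub zone contents are constructed for the example. It also treats the SOA as a legitimate stub zone record, since a Windows stub zone stores SOA, NS and glue address records.

```python
"""Audit AD integrated zone snapshots for stale NS entries, wrong SOA primaries
and over-populated stub zones.  Added example; all data below is constructed."""
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")


def _fqdn(name):
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse zone-file style lines 'owner TTL IN TYPE rdata' into Records.
    Simplified parser: one record per line, class always present, ';' comments."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(_fqdn(owner), int(ttl), rtype.upper(), " ".join(rdata)))
    return records


def ns_set(records):
    """Servers named in NS records: what the Name Servers tab displays."""
    return {_fqdn(r.rdata) for r in records if r.rtype == "NS"}


def soa_primary(records):
    """MNAME of the SOA, i.e. the server this copy of the zone names as Primary."""
    for r in records:
        if r.rtype == "SOA":
            return _fqdn(r.rdata.split()[0])
    raise ValueError("zone has no SOA record")


def audit_name_servers(records, hosting_servers):
    """Compare the NS records with the servers that actually hold the zone.
    Returns (missing, stale): hosting servers absent from NS, and NS entries
    for servers that no longer hold the zone.  A stale NS entry sends clients
    and dynamic updates to a server that cannot answer for the zone."""
    hosting = {_fqdn(s) for s in hosting_servers}
    listed = ns_set(records)
    return hosting - listed, listed - hosting


def audit_soa_primaries(snapshots):
    """snapshots maps server name -> records read from that server.  Each AD
    integrated copy should name its own server as Primary; return those that don't."""
    return {s for s, recs in snapshots.items() if soa_primary(recs) != _fqdn(s)}


STUB_TYPES = {"SOA", "NS", "A", "AAAA"}  # SOA, NS and glue addresses only


def audit_stub(stub_records, remote_records):
    """A stub should hold only SOA/NS/glue and its NS set should match the NS
    set of the zone it points at.  Returns (unexpected_types, ns_mismatch)."""
    unexpected = {r.rtype for r in stub_records} - STUB_TYPES
    mismatch = ns_set(stub_records) ^ ns_set(remote_records)
    return unexpected, mismatch


# Constructed snapshots of rem01.domain.internal as read from its two DCs.
# The NS entry for olddc is a deliberately planted stale record.
AUTH_DC1 = """
rem01.domain.internal. 3600 IN SOA dc1.rem01.domain.internal. hostmaster.rem01.domain.internal. 42 900 600 86400 3600
rem01.domain.internal. 3600 IN NS dc1.rem01.domain.internal.
rem01.domain.internal. 3600 IN NS dc2.rem01.domain.internal.
rem01.domain.internal. 3600 IN NS olddc.rem01.domain.internal.   ; stale: DC was demoted
dc1.rem01.domain.internal. 1200 IN A 10.1.0.11
dc2.rem01.domain.internal. 1200 IN A 10.1.0.12
"""
AUTH_DC2 = AUTH_DC1.replace("SOA dc1.", "SOA dc2.")  # dc2 names itself as Primary
HOSTING_REM01 = ["dc1.rem01.domain.internal", "dc2.rem01.domain.internal"]

# Constructed stub for rem01 as held on a rem02 DNS server: SOA, NS and glue only.
STUB_ON_REM02 = """
rem01.domain.internal. 3600 IN SOA dc1.rem01.domain.internal. hostmaster.rem01.domain.internal. 42 900 600 86400 3600
rem01.domain.internal. 3600 IN NS dc1.rem01.domain.internal.
rem01.domain.internal. 3600 IN NS dc2.rem01.domain.internal.
dc1.rem01.domain.internal. 1200 IN A 10.1.0.11
dc2.rem01.domain.internal. 1200 IN A 10.1.0.12
"""

if __name__ == "__main__":
    dc1, dc2 = parse_zone(AUTH_DC1), parse_zone(AUTH_DC2)
    print("NS vs hosting servers (missing, stale):", audit_name_servers(dc1, HOSTING_REM01))
    print("servers not naming themselves SOA primary:",
          audit_soa_primaries({HOSTING_REM01[0]: dc1, HOSTING_REM01[1]: dc2}))
    print("stub audit (unexpected types, NS mismatch):", audit_stub(parse_zone(STUB_ON_REM02), dc1))
```

Run against the constructed data, the audit reports no missing servers and one stale NS entry (olddc), both DCs correctly naming themselves as Primary, and a stub whose only discrepancy is that same stale NS record, which is exactly the kind of leftover that shows up on the Name Servers tab after a DC is demoted without cleaning up DNS.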