2k3 AD/DNS design


Stubby

All:

with Windows 2003 server, is it possible to have this:

blah.ads -> empty root domain
| |
ab.blah.edu cd.blah.edu -> 2 child domains of blah.ads, with different
names

Is this possible when the DNS (BIND) server resides in a blah.edu zone with
all of the records for both ab.blah.edu and cd.blah.edu? I can't find
anything definitive that says child domains can have different names than
the parent in a Windows 2003 AD environment. Thank you.

Stubb
 
If "blah.edu" (rather than "blah.ads") is your root domain and ab.blah.edu
is a child domain, you can create a zone for the child domain in the root
and delegate the zone to the child. Delegation basically acknowledges that
the zone exists, but allows the SOA to be elsewhere. I think of it as sort
of "backward forwarding".

....kurt
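The delegation Kurt describes means the parent zone (blah.edu) holds only NS records for the child (ab.blah.edu), plus glue A records when a listed name server lives inside the child zone, while the SOA and all other records live in the child. The checker below, added here as an example and not code from anyone in the thread, walks a parent zone's records and reports the classic delegation mistakes: a missing delegation, an in-zone name server without glue, and parent records that sit under the delegated name and are therefore occluded (hidden) once the delegation exists. The record data is constructed for the example and uses the thread's placeholder names with RFC 5737 documentation addresses.

```python
"""Check that a parent DNS zone delegates a child zone correctly.

Added example, not code from the thread. Records are (owner, type, rdata)
tuples with names written without a trailing dot; the sample zones below
are constructed and use the thread's placeholder domain names."""

from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def _under(name: str, zone: str) -> bool:
    """True when name is the zone apex or a name below it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_records: List[Record], child_zone: str) -> List[str]:
    """Return a list of delegation problems for child_zone; empty means OK."""
    problems: List[str] = []
    child = child_zone.lower()

    # The delegation itself: NS records owned by the child's apex name.
    ns_targets = [rdata.lower() for owner, rtype, rdata in parent_records
                  if owner.lower() == child and rtype == "NS"]
    if not ns_targets:
        problems.append(f"no NS records for {child_zone} in parent zone")

    # Glue: an address record in the parent for every NS inside the child zone,
    # otherwise resolvers cannot reach the child's servers (circular dependency).
    glue = {owner.lower() for owner, rtype, _ in parent_records
            if rtype in ("A", "AAAA") and _under(owner, child)}
    for ns in ns_targets:
        if _under(ns, child) and ns not in glue:
            problems.append(f"name server {ns} is inside {child_zone} but has no glue address")

    # Anything else under the child name in the parent is occluded by the
    # delegation: it will never be served, which silently breaks expectations.
    if ns_targets:
        for owner, rtype, _ in parent_records:
            o = owner.lower()
            if not _under(o, child):
                continue
            if rtype == "NS" and o == child:
                continue
            if rtype in ("A", "AAAA") and o in ns_targets:
                continue
            problems.append(f"{rtype} record for {owner} in parent is occluded by the delegation")
    return problems


# Constructed sample: a correct delegation of ab.blah.edu with glue.
PARENT_ZONE_GOOD: List[Record] = [
    ("blah.edu", "NS", "ns1.blah.edu"),
    ("ns1.blah.edu", "A", "192.0.2.1"),
    ("ab.blah.edu", "NS", "dc1.ab.blah.edu"),
    ("dc1.ab.blah.edu", "A", "192.0.2.10"),   # glue for the in-zone name server
]

# Constructed sample with the three mistakes the checker reports.
PARENT_ZONE_BAD: List[Record] = [
    ("blah.edu", "NS", "ns1.blah.edu"),
    ("ns1.blah.edu", "A", "192.0.2.1"),
    ("ab.blah.edu", "NS", "dc1.ab.blah.edu"),  # delegated, but no glue for dc1
    ("www.ab.blah.edu", "A", "192.0.2.80"),     # occluded by the delegation
    ("cd.blah.edu", "A", "192.0.2.90"),         # cd.blah.edu is not delegated at all
]

if __name__ == "__main__":
    for zone_name, zone in (("good", PARENT_ZONE_GOOD), ("bad", PARENT_ZONE_BAD)):
        for child in ("ab.blah.edu", "cd.blah.edu"):
            print(zone_name, child, check_delegation(zone, child) or "OK")
```

Run against the "bad" zone, the checker flags the missing glue and the occluded www record for ab.blah.edu, and the absent delegation for cd.blah.edu; against the "good" zone it reports nothing for ab.blah.edu.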
 
But can the names be different? We're trying to design what I have below:
the empty root (blah.ads) has 2 domains joined as child domains to the same
forest, but with the name ab.blah.edu.
 
Stubby said:
All:

with Windows 2003 server, is it possible to have this:

blah.ads -> empty root domain
| |
ab.blah.edu cd.blah.edu -> 2 child domains of blah.ads, with
different names

Is this possible when the DNS (BIND) server resides in a blah.edu
zone with all of the records for both ab.blah.edu and cd.blah.edu? I
can't find anything definitive that says child domains can have
different names than the parent in a Windows 2003 AD environment.
Thank you.
Stubb

NO, they cannot be different in the same tree. AD is based on and STRICTLY
follows the DNS hierarchical tree naming convention with a contiguous
namespace.

You can, however, create a separate tree in AD with its own contiguous
namespace. One tree can be blah1.ads, the other tree can be blah2.edu.
Notice I appended a numeral? That is because the default NetBIOS domain name
will follow the highest-most portion of the namespace by default. If you
make them blah.ads and blah.edu, the default NetBIOS names are both 'blah' and
conflicts WILL ensue. I usually like to follow the defaults because if you
were to change the names, only confusion will set in for your users.

Keep in mind (with all due respect, I'm sure you already know this, so
please do pardon me if I am redundant or assume otherwise), AD stores its
service locations and resource records in DNS, hence the complete reliance
on DNS for clients to locate a logon server to authenticate, logon, other
DCs to replicate, etc. Therefore, the DNS naming structure must be strictly
followed for an AD design. Just a note: if one uses an ISP or some other DNS
server that does not host the AD zone name in a client machine, how would
that client find a DC in order for it to logon to a domain? If a DC has an
outside DNS, how would it find either itself or other DCs to replicate to?

Using BIND is no problem whatsoever, but it will definitely add
additional administrative overhead, and it does not allow only secure updates
with Microsoft products, which is what AD is and the client base is when it
comes to what you are allowing to register. This will eliminate transient
machines from registering into it. TSIGs (BIND's method of secure updates)
are not compatible with Microsoft DNS.

What BIND doesn't offer either is AD Integrated zones. BIND just stores it
in a text file, which is not a secure method of storing the zone. AD
Integrated will store it in the actual physical AD database and replicates
to all DCs in that specific domain (Win2000, but 2003 has more options for
storage). This way all DCs can be DNS servers and there is no need for
Secondaries, since all DCs in that domain will have a copy of the zone in
their database and the zone will automatically appear on each DC/DNS in that
domain. Win2003 has options to replicate it forest wide.

Honestly, Microsoft's DNS just works and it has many additional options to
secure it and make it efficiently possible to be on more than one DNS
server. You can always use the BIND server as a forwardee (use it as an
Internet resolver and/or for resources in the schools other parts of the
network) for all the Windows DNS servers. If using BIND is because of a
political reason, I can understand...

As for the original question, may I ask what the purpose and goals are? AD
is pretty flexible to adapt to any business model design, but one needs to
be within its basic restrictions, and that is basically pretty much *only*
based on DNS' hierarchy namespace naming restrictions.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
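Ace's two rules, that every child domain must sit directly under its tree root in a contiguous DNS namespace and that the default NetBIOS name (the leftmost DNS label, upper-cased, at most 15 characters) must not collide across trees, are simple enough to check mechanically before anyone runs dcpromo. The validator below is an added example, not code from anyone in the thread; it encodes those two rules and runs them over three constructed layouts: the design Stubby asked about, two trees named blah.ads and blah.edu, and Ace's blah1.ads / blah2.edu suggestion.

```python
"""Validate a proposed AD forest layout against two naming rules from the thread.

Added example, not code from the thread. Assumptions: each tree root maps to
its list of child domains, child domains are one label below the root, and
the default NetBIOS name is the leftmost DNS label upper-cased and cut to
15 characters. Domain names below are the thread's own placeholders."""

from typing import Dict, List

NETBIOS_MAX = 15


def default_netbios(fqdn: str) -> str:
    """Default NetBIOS domain name Windows proposes for a DNS domain name."""
    return fqdn.strip(".").split(".")[0].upper()[:NETBIOS_MAX]


def is_contiguous_child(child: str, parent: str) -> bool:
    """True when child is exactly one label below parent (ab.blah.ads under blah.ads)."""
    c, p = child.strip(".").lower(), parent.strip(".").lower()
    if not c.endswith("." + p):
        return False
    leftover = c[: -(len(p) + 1)]          # the labels in front of the parent name
    return leftover != "" and "." not in leftover


def validate_forest(trees: Dict[str, List[str]]) -> List[str]:
    """trees maps each tree-root FQDN to its child-domain FQDNs.

    Returns the list of problems found; an empty list means the layout obeys
    both rules."""
    problems: List[str] = []
    seen_netbios: Dict[str, str] = {}
    for root, children in trees.items():
        # Rule 2: default NetBIOS names must be unique forest-wide.
        for fqdn in [root, *children]:
            nb = default_netbios(fqdn)
            if nb in seen_netbios and seen_netbios[nb] != fqdn:
                problems.append(
                    f"default NetBIOS name {nb!r} of {fqdn} collides with {seen_netbios[nb]}")
            else:
                seen_netbios.setdefault(nb, fqdn)
        # Rule 1: a child must continue its tree's namespace.
        for child in children:
            if not is_contiguous_child(child, root):
                problems.append(f"{child} is not a contiguous child of tree root {root}")
    return problems


# Constructed layouts using the thread's placeholder names.
PROPOSED = {"blah.ads": ["ab.blah.edu", "cd.blah.edu"]}        # the original question
SAME_NETBIOS = {"blah.ads": [], "blah.edu": []}                # two trees, same leftmost label
ACCEPTED = {"blah1.ads": ["ab.blah1.ads"], "blah2.edu": ["cd.blah2.edu"]}  # Ace's suggestion

if __name__ == "__main__":
    for label, layout in (("proposed", PROPOSED),
                          ("same-netbios", SAME_NETBIOS),
                          ("accepted", ACCEPTED)):
        print(label, validate_forest(layout) or "OK")
```

The proposed layout fails rule 1 twice (neither ab.blah.edu nor cd.blah.edu continues blah.ads), the blah.ads / blah.edu pair fails rule 2 with a 'BLAH' collision, and the numbered tree names pass both checks.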
 
Thank you for your very informative response. The reason the design looks
like I outlined below is because that is the way a higher up wants to have
it. I am not well versed in the deep issues of DNS at all, thus my posting.
Also, with separate trees in the forest, I'm assuming I may have some
application issues too, if the apps are not aware of that infrastructure.
What we have now is 3 NT4 domains that we are going to upgrade to Win2k3 in
place. The proposed design is an empty root with one name, then child
domains to it with another name. It is being done to keep the DNS that is
publicly available separate from AD. The thing that confuses me is that they
are using split DNS, so nothing is visible anyway. Any other thoughts you
may have would be greatly appreciated, thanks again.

 
Stubby said:
Thank you for your very informative response. The reason the design
looks like I outlined below is because that is the way a higher up
wants to have it. I am not well versed in the deep issues of DNS at
all, thus my posting. Also, with separate trees in the forest, I'm
assuming I may have some application issues too, if the apps are not
aware of that infrastructure. What we have now is 3 NT4 domains that
we are going to upgrade to Win2k3 in place. The proposed design is an
empty root with one name, then child domains to it with another name.
It is being done to keep the DNS that is publicly available separate
from AD. The thing that confuses me is that they are using split DNS,
so nothing is visible anyway. Any other thoughts you may have would
be greatly appreciated, thanks again.

It's called politics by the higher ups. :-)

Well, you can't create a different child domain name that doesn't follow the
hierarchy for that tree. Period. EOS (end of story).

As for keeping them separated, go ahead, let the BIND server handle the
external stuff, and let Windows DNS handle the internal AD domain name. That
gives you separation. In the internal DNS, for www records, etc, that is
being hosted on public IPs, manually create them and provide the public IPs
for those records. That is the easy part. You can then forward to the BIND
servers for them to act as resolvers for the internal DNS server to resolve
names other than the internal zone name.

A split namespace (split zones or split brain, whatever you like to call it)
is common when the internal name is the same as the external name, but one
needs separate DNS servers to host them, for you cannot mix public and
private records. Sure, BIND handles 'views' where you can mix them, but I
don't believe in using that feature. What happens if the BIND server gets
compromised? Then everything gets compromised. Firewall or not, BIND has
vulnerabilities (as anything else) and stores the zone as a text file, but
AD Integration stores it in the AD database, which is secure from anyone
poking around in the file structure.

I think you should take a look at the design docs to get a better
understanding of AD and DNS.

Windows Server 2003 Active Directory Branch Office Guide:
http://www.microsoft.com/downloads/...F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

Best Practice Guide for Securing Windows Server Active Directory
Installations:
http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

Sample Active Directory Visio Chart - TechRepublic:
http://techrepublic.com.com/5138-6240-728948.html

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain (whether it was upgraded or not, this is full of useful information
relating to AD and DNS, among other info):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
http://support.microsoft.com/?id=323380

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/?id=825036

Deploying and Designing Active Directory [DNS Design, Migration, Cert Auth,
Branch Offices, Exchange, ADC, Import-Export, etc]: 2000 or 2003:
http://www.microsoft.com/technet/pr...hnologies/activedirectory/deploy/default.mspx

Split zone or split horizon:
http://www.winnetmag.com/Windows/Article/ArticleID/39771/39771.html
http://www.microsoft.com/serviceproviders/whitepapers/split_dns.asp
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#SeparateContentServers

I hope that helps.

Ace
 