Active Directory DNS structure for parent/child domains

  • Thread starter Thread starter Michael Ting
  • Start date Start date
M

Michael Ting

I'm currently running an NT4 network across multiple domains (two way
trusts all around). I'm looking to upgrade to Active Directory. My
plan is to organize the domains into geographic locations under a
parent domain:

company.com (parent)
westcoast.company.com (child domain)
eastcoast.company.com (child domain)
asia.company.com (child domain)
europe.company.com (child domain)

I'm having trouble understanding how to set up the DNS structure for
this type of network. I originally thought I could use the DCs at each
location as DNS servers and allow AD to replicate the DNS information
back and forth. However, I found out that you can only do DNS
replication through AD within a domain and not out to child domains.

So what I'm left with is setting up delegations for the child domains
along with a web of secondary DNS domains:

company.com (integrated AD DNS for the "company.com" domain, delegate
"westcoast", "eastcoast", "asia" and "europe" to their respective
child domain DNS servers)

westcoast.company.com (integrated AD DNS for the
"westcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "eastcoast", "asia", and "europe"))

eastcoast.company.com (integrated AD DNS for the
"eastcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "westcoast", "asia", and "europe"))

asia.company.com (integrated AD DNS for the "asia.company.com" domain,
secondary DNS for "company.com" (which will in turn bring in DNS for
"westcoast", "eastcoast", and "europe"))

europe.company.com (integrated AD DNS for the "europe.company.com"
domain, secondary DNS for "company.com" (which will in turn bring in
DNS for "westcoast", "eastcoast", and "asia"))

Is this the correct way to set this up? Is there an easier, less
cumbersome solution? Thanks in advance for any help!
 
Yes..

Delegate down to child domains and forward up from child domains to the
parent domain.

Steve Dodson [MSFT]
Directory Services
--------------------
From: (e-mail address removed) (Michael Ting)
Newsgroups: microsoft.public.win2000.active_directory,microsoft.public.win2000.dns,micro
soft.public.win2000.networking
Subject: Active Directory DNS structure for parent/child domains
Date: 30 Oct 2003 12:09:24 -0800
Organization: http://groups.google.com
Lines: 42
Message-ID: <[email protected]>
NNTP-Posting-Host: 12.177.64.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1067544564 22391 127.0.0.1 (30 Oct 2003 20:09:24 GMT)
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Thu, 30 Oct 2003 20:09:24 +0000 (UTC)
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnews1.google.com!no
t-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.dns:29031 microsoft.public.win2000.networking:43062
microsoft.public.win2000.active_directory:54016
X-Tomcat-NG: microsoft.public.win2000.active_directory

I'm currently running an NT4 network across multiple domains (two way
trusts all around). I'm looking to upgrade to Active Directory. My
plan is to organize the domains into geographic locations under a
parent domain:

company.com (parent)
westcoast.company.com (child domain)
eastcoast.company.com (child domain)
asia.company.com (child domain)
europe.company.com (child domain)

I'm having trouble understanding how to set up the DNS structure for
this type of network. I originally thought I could use the DCs at each
location as DNS servers and allow AD to replicate the DNS information
back and forth. However, I found out that you can only do DNS
replication through AD within a domain and not out to child domains.

So what I'm left with is setting up delegations for the child domains
along with a web of secondary DNS domains:

company.com (integrated AD DNS for the "company.com" domain, delegate
"westcoast", "eastcoast", "asia" and "europe" to their respective
child domain DNS servers)

westcoast.company.com (integrated AD DNS for the
"westcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "eastcoast", "asia", and "europe"))

eastcoast.company.com (integrated AD DNS for the
"eastcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "westcoast", "asia", and "europe"))

asia.company.com (integrated AD DNS for the "asia.company.com" domain,
secondary DNS for "company.com" (which will in turn bring in DNS for
"westcoast", "eastcoast", and "europe"))

europe.company.com (integrated AD DNS for the "europe.company.com"
domain, secondary DNS for "company.com" (which will in turn bring in
DNS for "westcoast", "eastcoast", and "asia"))

Is this the correct way to set this up? Is there an easier, less
cumbersome solution? Thanks in advance for any help!
Click to expand...


--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
In
Michael Ting said:
I'm currently running an NT4 network across multiple domains (two way
trusts all around). I'm looking to upgrade to Active Directory. My
plan is to organize the domains into geographic locations under a
parent domain:

company.com (parent)
westcoast.company.com (child domain)
eastcoast.company.com (child domain)
asia.company.com (child domain)
europe.company.com (child domain)

I'm having trouble understanding how to set up the DNS structure for
this type of network. I originally thought I could use the DCs at each
location as DNS servers and allow AD to replicate the DNS information
back and forth. However, I found out that you can only do DNS
replication through AD within a domain and not out to child domains.
True


So what I'm left with is setting up delegations for the child domains
along with a web of secondary DNS domains:

company.com (integrated AD DNS for the "company.com" domain, delegate
"westcoast", "eastcoast", "asia" and "europe" to their respective
child domain DNS servers)

westcoast.company.com (integrated AD DNS for the
"westcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "eastcoast", "asia", and "europe"))

eastcoast.company.com (integrated AD DNS for the
"eastcoast.company.com" domain, secondary DNS for "company.com" (which
will in turn bring in DNS for "westcoast", "asia", and "europe"))

asia.company.com (integrated AD DNS for the "asia.company.com" domain,
secondary DNS for "company.com" (which will in turn bring in DNS for
"westcoast", "eastcoast", and "europe"))

europe.company.com (integrated AD DNS for the "europe.company.com"
domain, secondary DNS for "company.com" (which will in turn bring in
DNS for "westcoast", "eastcoast", and "asia"))

Is this the correct way to set this up? Is there an easier, less
cumbersome solution? Thanks in advance for any help!
Click to expand...

This is the plan, each DNS server would have:

AD integrated zone for child.company.com
and a secondary for company.com AD zone
Each location should also have a Global Catalog, the Global Catalog record
is in the parent zone, this is why you need the secondary of the parent
zone.
In addtion, since the location are all over the world IMO the parent zone
needs to have as many static IP as possible and you should increase the TTL
to a minimum of two days, similar to public zone TTL and expiration values
so if the link is down to the parent all domain services can be found.

Personally I would have at least a minimum hardware requirement parent DC at
each location. Even if its only purpose is to be a DNS server, Global
Catalog server, and Enterprise replication.
I'll explain, each parent DC would have an AD Integrated zone for the parent
zone, but instead of delegations make the child a sub-domain in the parent.
Yes, it will work I do it myself, that way every location has an AD
Integrated Forward Lookup zone containing all records from all locations. No
delegations are needed then. This will completely do away with secondary
zones altogether and it would also be more secure. Then you just forward to
the ISP for Internet.
 
Back
Top