Active Directory Integrated DNS across multiple domains

Alan Coleman

I have a Windows 2000/2003 server forest with three domains: the root
domain, its child, and a second top-level domain.

The root domain has 4 domain controllers and DNS records for all of the
domains, including several other domains that don't have anything to do with
Active directory. The DNS zones for all of the domains are active directory
integrated.

This works for all 4 domain controllers within the root domain, they all
have DNS running and working and synchronized through the active directory.

However, the child domain and the other primary domain do not have the DNS zones
replicated to them; I assume this is because they are in another domain.
Now this doesn't cause any problems network-wise, because I just point all
of the machines to one of the DNS servers in the root domain anyway. However, it
dawned on me that this may not be best practice, and so I wanted some advice
or a second opinion. Especially since the domain controllers from the child
and second primary domain must point to the root domain controllers for
their DNS... I have a feeling that may not be the best scenario.

If more information is needed, please let me know.
 
Alan Coleman said:
I have a Windows 2000/2003 server forest with three
domains: the root domain, its child, and a second top-level
domain.

The root domain has 4 domain controllers and DNS records
for all of the domains, including several other domains
that don't have anything to do with Active directory.
The DNS zones for all of the domains are active directory
integrated.

This works for all 4 domain controllers within the root
domain, they all have DNS running and working and
synchronized through the active directory.

However, the child domain and the other primary domain do not
have the DNS zones replicated to them; I assume this is
because they are in another domain. Now this doesn't
cause any problems network-wise, because I just point all
of the machines to one of the DNS servers in the root domain
anyway. However, it dawned on me that this may not be
best practice, and so I wanted some advice or a second
opinion. Especially since the domain controllers from
the child and second primary domain must point to the
root domain controllers for their DNS... I have a feeling
that may not be the best scenario.

If more information is needed, please let me know.

The best practice will depend on the OS of the DC/DNS servers.
It would be best to go ahead and delegate the child names in the parent zone,
regardless of OS.
255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248&sd=RMVP

But Win2k3 has the added option of conditional forwarders, that is,
forwarding based on the domain name.
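As an added example (not part of the original thread or the KB article), the two options in the reply above written with the DnsServer PowerShell cmdlets that ship with Windows Server 2012 and later; on the 2003-era servers in this thread the equivalent dnscmd commands are given in the comments. Every zone name, host name and address is an assumption, as is the layout: child.corp.example as the child domain under a corp.example root, and other.example as the second tree.

```powershell
# Added example, not from the original thread. Requires the DnsServer module
# (Windows Server 2012+ or RSAT). All names and addresses below are assumptions.
#Requires -Modules DnsServer

$ParentZone = 'corp.example'               # forest root zone, held on the root DCs
$ChildLabel = 'child'                      # child domain is child.corp.example
$ChildDns   = 'dc1.child.corp.example'     # the child's only DC / DNS server
$ChildDnsIP = '10.1.0.10'
$OtherZone  = 'other.example'              # the second tree's domain
$OtherDnsIP = '10.2.0.10'
$RootDns    = 'dc1.corp.example'           # a root-domain DC running DNS

# Option 1 (KB 255248): delegate the child namespace from the parent zone.
# An NS record plus a glue A record in corp.example tell root-domain resolvers
# which server is authoritative for child.corp.example.
# dnscmd equivalent (2000/2003):
#   dnscmd dc1.corp.example /RecordAdd corp.example child NS dc1.child.corp.example.
#   dnscmd dc1.corp.example /RecordAdd corp.example dc1.child A 10.1.0.10
Add-DnsServerZoneDelegation -ComputerName $RootDns -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $ChildDns -IPAddress $ChildDnsIP

# Option 2 (Win2k3 and later): a conditional forwarder for the second tree.
# Its name is not under corp.example, so delegation cannot apply; instead any
# query for *.other.example is forwarded to that tree's DNS server.
# dnscmd equivalent (2003):
#   dnscmd dc1.corp.example /ZoneAdd other.example /Forwarder 10.2.0.10
Add-DnsServerConditionalForwarderZone -ComputerName $RootDns -Name $OtherZone `
    -MasterServers $OtherDnsIP -ReplicationScope 'Forest'

# Check: can a root-domain DNS server now locate the child's and the other
# tree's domain controllers through the SRV records that AD clients query?
function Test-DcLocatorRecord {
    param([string]$Domain, [string]$Server)
    $rr = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                          -Server $Server -ErrorAction Stop
    $rr | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}
Test-DcLocatorRecord -Domain "$ChildLabel.$ParentZone" -Server $RootDns
Test-DcLocatorRecord -Domain $OtherZone -Server $RootDns
```

Two caveats a practitioner would check first. A delegation in the parent zone only takes effect once the root servers stop hosting the child zone themselves; while a root DC is still authoritative for child.corp.example (the poster's current setup) it answers from its own copy and never follows the NS record. And both options point the root servers at a single child DNS server, so if that server is down the child's DC-locator records become unresolvable from the root domain; that is the single-point-of-failure concern raised later in this thread.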
 
My one concern with that is that in both the child domain and the second
top-level domain there is only one domain controller (and therefore one DNS
server). I suppose, though, that this does not matter, considering that if the
domain controller does go down, it will not matter if DNS is available or
unavailable... thank you for your input.
 
Best practices always recommend a minimum of two DCs per AD site. This covers
not just DNS but a host of other functions (e.g. authentication, load
balancing, availability, etc.) - the list goes on.

DNS is integral and crucial to AD operations; without it, it is like driving
a car without wheels.

Hope this info is helpful. Do let us know. Thanks!
 
If you really want DNS in your child domain, I would recommend you put one
(or two) 2003 DCs in the child domain; this will allow you to integrate the
domain zone into forest-wide replication (new in 2003). This will allow
the entire zone to replicate to all DNS servers within the forest, not just
the domain. Beware, however: if you do this and you have a 2000 DNS server, it
will no longer receive a copy of the zone.

Delegation of the child zone would work too, but given limited-size
networks, that might be a lot of overhead for something so simple. Just make
sure you have at least 2 DNS servers for your domain/forest.
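As an added example (not part of the original thread), the forest-wide replication option from the reply above, together with the two checks that reply implies: that the zone really moved to the forest partition, and which DCs in the forest end up holding it afterwards. This uses the DnsServer and ActiveDirectory PowerShell modules from Windows Server 2012 and later; the 2003-era dnscmd equivalent is in a comment. The zone name, host names and forest name are assumptions, and the secure-dynamic-update check is this example's addition, not something the reply states.

```powershell
# Added example, not from the original thread. Requires the DnsServer and
# ActiveDirectory modules (Windows Server 2012+ or RSAT). Names are assumptions.
#Requires -Modules DnsServer, ActiveDirectory

$ChildZone = 'child.corp.example'
$ChildDns  = 'dc1.child.corp.example'   # a 2003-or-later DC in the child domain
$Forest    = 'corp.example'

# Move the child's AD-integrated zone from the domain-wide partition to the
# forest-wide one (ForestDnsZones), so every DNS server in the forest gets a copy.
# dnscmd equivalent (2003):
#   dnscmd dc1.child.corp.example /ZoneChangeDirectoryPartition child.corp.example /forest
Set-DnsServerPrimaryZone -ComputerName $ChildDns -Name $ChildZone -ReplicationScope 'Forest'

# Check 1: the zone is forest-scoped and still accepts only secure dynamic
# updates, so only authenticated computers can register or overwrite records.
function Get-ZoneState {
    param([string]$Zone, [string]$Server)
    Get-DnsServerZone -ComputerName $Server -Name $Zone |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
}
$state = Get-ZoneState -Zone $ChildZone -Server $ChildDns
if ($state.ReplicationScope -ne 'Forest') {
    throw "$ChildZone is still $($state.ReplicationScope)-scoped"
}
if ($state.DynamicUpdate -ne 'Secure') {
    Write-Warning "$ChildZone allows '$($state.DynamicUpdate)' dynamic updates"
}

# Check 2: after AD replication, every DC in the forest that runs DNS should
# hold the zone. A Windows 2000 DC cannot load the forest partition and drops
# the zone (the caveat in the reply above); this loop reports exactly which
# DCs do and do not have it.
$dcs = Get-ADForest -Identity $Forest |
       Select-Object -ExpandProperty Domains |
       ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
foreach ($dc in $dcs) {
    $z = Get-DnsServerZone -ComputerName $dc.HostName -Name $ChildZone -ErrorAction SilentlyContinue
    if ($z) {
        '{0,-35} holds {1} (scope {2})' -f $dc.HostName, $ChildZone, $z.ReplicationScope
    } else {
        '{0,-35} does NOT hold {1} (OS: {2})' -f $dc.HostName, $ChildZone, $dc.OperatingSystem
    }
}
```

Run the second check only after replication has had time to converge; a DC listed as not holding the zone immediately after the scope change may simply not have received the partition yet. A DC that still lacks it hours later, or that reports a pre-2003 operating system, is the case the reply warns about.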




Desmond Lee said:
Best practices always recommend a minimum of two DCs per AD site. This covers
not just DNS but a host of other functions (e.g. authentication, load
balancing, availability, etc.) - the list goes on.

DNS is integral and crucial to AD operations; without it, it is like driving
a car without wheels.

Hope this info is helpful. Do let us know. Thanks!
 