AD and DNS domains & dependencies

Thread starter: Surfer

Hello,
Hoping someone can clarify a basic question regarding my study
of AD and DNS.

My understanding is that MS DNS is RFC standards based and that
none of the RFCs reference or have dependencies on AD technologies.
Similarly, AD is RFC standards based and none of those RFCs reference
DNS. Yet the DNS wizard allows for the creation of Active Directory
Integrated Zones which tends to imply AD and DNS become integrated.

So the question basically is whether creating an AD Integrated
zone changes the security functionality which would exist if a Standard
zone was created. Or is it that "integration" merely creates a
"better DNS" (records stored in AD, zone replication uses AD, etc.)?

Regards,

Surfer
 
Hey Surfer,

When creating a normal primary forward lookup zone in an MS DNS server we
are storing that information in a .dns file on the server itself.

When choosing to create an AD-Integrated forward lookup zone we store this
information within Active Directory. There are many advantages to this.
One is when a DC is also a DNS server we do not have to perform any "zone
transfers" to get the forward lookup zone. Instead we will get this
information with AD replication and will automatically create the fwd
lookup zone.

Also with AD-Integrated zones we only have to deal with AD replication
latency to make sure all DNS servers have the latest information/updates.

Again this is all contingent on DNS being installed on a W2K DC.

blim
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Blim,
Thanks. As a follow-up, the literature encourages AD
domain names which are the same as DNS domain names. Does
creating same names cause technical changes to AD or its
objects, or do same names merely create administrative
convenience?

What does one do when a company's existing DNS structure
is not ideal (i.e., following an acquisition) but also cannot
be changed in the timeframe needed to implement AD? I assume
you would implement an AD structure which reflects current
ideal (as opposed to paralleling the outdated existing DNS
structure) but does this divergence then create technical or
administrative issues?

Regards,

Surfer
 
Surfer,

In regards to AD namespaces it is always recommended that your internal AD
namespace does not conflict with your external DNS namespace.

KB article 254680 may help answer these questions:
http://support.microsoft.com/?id=254680

Let me know if that helps. Tks.
blim
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Blim,
Thanks for pointing me to the KB article (254680). However, this
is entirely consistent with my other readings. However, it does not
resolve my earlier confusion which I am hoping you (or someone)
can clarify.

The KB article in part reads,
"It is critical that the design of the DNS namespace
be created with Active Directory in mind and that the
namespace that exists on the Internet not conflict
with an organization's internal namespace...."

Unfortunately, this still leaves open my earlier question
to you(!), which is: does having AD domain names which differ
from DNS domain names create either technical or administrative
issues? IOW, how does AD itself (as opposed to users) use DNS
names, at a technical or administrative level?

Regards,


 
Blim,
Nope, doesn't help - at least not completely.

 
Surfer,

Apologies for the delay.

AD (and W2K-->W2K communication) is completely reliant on DNS name
resolution as that is its primary method.

In theory you can have an AD name that is different than the DNS name.
This situation is called a disjoint namespace. This cannot be done through
the Dcpromo wizard as both names are automatically made the same. This
situation can occur during an NT4 upgrade though. This is outlined in KB
262376.

The majority of the NT4 disjoint namespace issues result in single label
DNS namespaces. In XP and W2K SP4 we have a problem registering these
single label namespaces. This is outlined in KB article 300684:
http://support.microsoft.com/?id=300684.

The main problem with disjoint namespaces is that it requires you to manage
two separate forward lookup zones within DNS. For instance the AD name is
abc.com while the DNS suffix name is xyz.com. You will be required to have
both fwd lookup zones in DNS as the A and PTR record for a DC will register
in xyz.com while all AD related records (SRV, cname, etc) will register
within abc.com. In turn this can cause unnecessary complications.

Hope that helps.

blim
This posting is provided "AS IS" with no warranties, and confers no rights.
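The check below ties together the two explanations blim gives in this thread: where a zone is stored (a .dns file versus Active Directory, from the first reply) and the two forward lookup zones a disjoint namespace forces you to run (this reply). It is an added example, not code from the thread or from Microsoft; it assumes it runs on a DC that also hosts DNS, with the DnsServer PowerShell module of a current Windows Server (not the Windows 2000 tooling discussed here), and only checks forward zones, not the reverse zone that holds the PTR record.

```powershell
# Added example (not from the thread). Assumes: run on a DNS-hosting DC,
# DnsServer module available (Windows Server 2012 or later).

function Get-NamespaceStatus {
    # AD domain the host is joined to (blim's "AD name", e.g. abc.com).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Primary DNS suffix the host uses when it registers its own A record
    # (blim's "DNS suffix name", e.g. xyz.com); stored under the Tcpip key.
    $tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = [string]$tcpip.Domain

    # Disjoint namespace: the AD name and the primary DNS suffix differ.
    $disjoint = $cs.PartOfDomain -and
        -not [string]::Equals($cs.Domain, $suffix, [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        ADDomain     = $cs.Domain
        DNSSuffix    = $suffix
        PartOfDomain = $cs.PartOfDomain
        Disjoint     = $disjoint
        # Single-label suffix: the NT4-upgrade case KB 300684 describes.
        SingleLabel  = ($suffix.Length -gt 0) -and ($suffix.IndexOf('.') -lt 0)
    }
}

function Get-RequiredZoneReport {
    param([Parameter(Mandatory)] $Status)

    # Forward lookup zones that must exist on this server:
    #  - the AD domain zone, where the DC's SRV and CNAME records register;
    #  - when disjoint, also the suffix zone, where the DC's A record registers.
    $required = @($Status.ADDomain)
    if ($Status.Disjoint) { $required += $Status.DNSSuffix }

    foreach ($name in $required) {
        $zone = Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $zone) {
            [pscustomobject]@{
                Zone = $name; Present = $false; ADIntegrated = $null
                DynamicUpdate = $null; Note = 'zone missing; records for this name cannot register'
            }
            continue
        }

        # Storage: an AD-integrated zone lives in the directory and replicates
        # with AD; a file-backed zone lives in a .dns file and needs zone
        # transfers. Only AD-integrated zones can restrict dynamic updates to
        # authenticated (Secure) clients.
        if (-not $zone.IsDsIntegrated) {
            $note = 'file-backed (.dns) zone; replicated by zone transfer, Secure-only updates unavailable'
        } elseif ($zone.DynamicUpdate -ne 'Secure') {
            $note = "dynamic update mode is $($zone.DynamicUpdate); an AD-integrated zone can be set to Secure"
        } else {
            $note = 'ok'
        }

        [pscustomobject]@{
            Zone = $name; Present = $true; ADIntegrated = $zone.IsDsIntegrated
            DynamicUpdate = $zone.DynamicUpdate; Note = $note
        }
    }
}

$status = Get-NamespaceStatus
$status | Format-List
Get-RequiredZoneReport -Status $status | Format-Table -AutoSize
```

On a host whose AD name and primary DNS suffix match, only the AD domain zone is reported; a disjoint host gets a second row for the suffix zone, and a missing row shows exactly which of blim's two zones the DC cannot register into.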

 
Blim,
To summarise this thread, the vast majority of literature
states AD and DNS can be "integrated". Further, MS from the KB
articles you have referenced in this thread "recommends" keeping
AD and DNS names the same, the one article going so far as to
state:
| > "It is critical that the design of the DNS
| > namespace be created with Active Directory
| > in mind and that the namespace that exists
| > on the Internet not conflict with an organization's
| > internal namespace...."

Now back to reality: in the vast majority of medium and
large corporations (not to mention the even larger number of small
".dot com" companies) DNS structures pre-date the development
and deployment of AD, and DNS deployments cannot be changed to
accommodate AD in the short term. To this, AD cannot be changed
at all at the root level once installed. Yet merger and acquisition
creates a constant need for DNS change at the (company) root level.
Thus MS recommendations fly completely in the face of typical
business need and break the age old axiom that systems should
revolve around business, not business around systems.

The real problem I was trying to address in this thread is
that the constant emphasis on the "integration" which can exist
between the two technologies suggests that technical dependencies
do also. Through this discussion, my initial suspicions have been
confirmed: that no technical dependencies exist other than
those resulting from the optional (and technically unnecessary)
use by DNS of AD as a convenient depository for DNS name space
objects, replication, etc. "Integration" also implies a
technical bilateralism (AD <--> DNS) while at a technical level
implementing the optional integration is more unilateral
(DNS --> AD), with DNS benefitting from AD more than AD benefitting
from DNS. DNS's role in fact remains much as it has always been: a
mechanism for name resolution, with no increase or change
in functionality resulting from "integration" with AD.

It would be a very large job indeed to strike "AD <--> DNS
integration" from the huge number of KB articles and user documentation,
etc. currently available, but this is an issue which should be addressed
to reduce the current level of confusion that the two can and should
be linked through the use of a common root name, and "critical"
things can happen if you don't do this, etc.

Regards,


Surfer,

Apologies for the delay.

AD (and W2K-->W2K communication) is completely reliant on DNS name
resolution as that is its primary method.

In theory you can have an AD name that is different from the DNS name.
This situation is called a disjoint namespace. This cannot be done through
the Dcpromo wizard as both names are automatically made the same. This
situation can occur during an NT4 upgrade though. This is outlined in KB
262376.

The majority of the NT4 disjoint namespace issues result in single label
DNS namespaces. In XP and W2K SP4 we have a problem registering these
single label namespaces. This is outlined in KB article 300684:
http://support.microsoft.com/?id=300684.

The main problem with disjoint namespaces is that it requires you to manage
two separate forward lookup zones within DNS. For instance, the AD name is
abc.com while the DNS suffix name is xyz.com. You will be required to have
both fwd lookup zones in DNS as the A and PTR records for a DC will register
in xyz.com while all AD related records (SRV, CNAME, etc.) will register
within abc.com. In turn this can cause unnecessary complications.

Hope that helps.

blim
This posting is provided "AS IS" with no warranties, and confers no rights.
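A practitioner's check for the disjoint-namespace situation described in the reply above, added here as an example and not part of the thread. It assumes a domain-joined Windows host with the DnsClient module (Windows 8 / Server 2012 or later, rather than the W2K hosts the post discusses) and reads the AD domain and primary DNS suffix from WMI and the registry; the zone and record names it resolves follow the A/PTR-versus-SRV split the reply lays out.

```powershell
# Added example (not from the thread): flag a disjoint namespace on this host and
# confirm the host A record and the DC locator SRV record resolve in the zones
# where the reply says they register. Assumes a domain-joined host with
# Resolve-DnsName available (Windows 8 / Server 2012 or later).
$ErrorActionPreference = 'Stop'

$cs        = Get-CimInstance -ClassName Win32_ComputerSystem
$adDomain  = $cs.Domain
$tcpip     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dnsSuffix = if ($tcpip.'NV Domain') { $tcpip.'NV Domain' } else { $tcpip.Domain }
$hostName  = $env:COMPUTERNAME.ToLower()

if (-not $cs.PartOfDomain) { Write-Warning 'Host is not domain-joined; nothing to check.'; return }

# A single-label AD name ("abc" rather than "abc.com") is the KB 300684 registration case.
if ($adDomain -notmatch '\.') {
    Write-Warning "AD domain '$adDomain' is a single-label name; dynamic registration may fail."
}

if ($adDomain -ieq $dnsSuffix) {
    Write-Host "Namespace is contiguous: AD domain and DNS suffix are both '$adDomain'."
} else {
    Write-Warning "Disjoint namespace: AD domain '$adDomain' but primary DNS suffix '$dnsSuffix'."
    Write-Warning "Host A/PTR records register under '$dnsSuffix'; SRV/CNAME records under '$adDomain'."
    Write-Warning 'Both forward lookup zones must be hosted on the DNS servers the domain uses.'
}

# The host's A record lives in the DNS-suffix zone (xyz.com in the reply's example).
$fqdn = "$hostName.$dnsSuffix"
try {
    $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly
    $addrs = ($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
    Write-Host "A record OK: $fqdn -> $addrs"
} catch {
    Write-Warning "No A record for '$fqdn' in the '$dnsSuffix' zone: $($_.Exception.Message)"
}

# The DC locator SRV record lives in the AD-domain zone (abc.com in the reply's example).
$srvName = "_ldap._tcp.dc._msdcs.$adDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly
    $targets = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
    Write-Host "SRV record OK: $srvName -> $targets"
} catch {
    Write-Warning "No SRV record '$srvName'; clients cannot locate DCs for '$adDomain' via DNS."
}
```

Run it on a DC or member server in each zone: a warning on the SRV lookup but not on the A lookup is the signature of the two-zone split the reply describes, with only the suffix zone present on the resolver.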
