Clarification on integrated DNS situation

[Jim Geith]

Win2k forest with 13 child domains. The root domain has 2 DNS servers, each
child domain has a DNS server, all are AD Integrated connected by at least a
T1, sites configured with mapped private IP subnets and site links. The DNS
servers in the child domains are set to forward the the root domain DNS
servers. I have tried setting the DNS servers to point only to itself, or
to the root DNS servers for resolution in the network control panel.

The problem I need to understand and resolve involves child domain admins
creating a new zone, not part of the Win2k domain space to use for their web
servers, etc. The resolution works fine at their own sites, but another
child domain does resolve the record properly and the request is actually
going to the internet and at time gets the public IP when available. If the
zones are instead put on the root domain DNS servers it works when the child
domains forward to them. I would like for each child domain to manage it's
own DNS needs.

Example: Win2k root domain name 123.com, child domain hosted at the child
domains AD DNS city.123.com resolves across AD just fine. When a new zone
and host records are created zzz.com server.zzz.com that can only be
resolved at the child domain. Shouldn't all DNS servers be getting a copy
of that zone with AD integration?

Thanks.

 

[Ace Fekay [MVP]]

In

Win2k forest with 13 child domains. The root domain has 2 DNS
servers, each child domain has a DNS server, all are AD Integrated
connected by at least a T1, sites configured with mapped private IP
subnets and site links. The DNS servers in the child domains are set
to forward the the root domain DNS servers. I have tried setting the
DNS servers to point only to itself, or to the root DNS servers for
resolution in the network control panel.

The problem I need to understand and resolve involves child domain
admins creating a new zone, not part of the Win2k domain space to use
for their web servers, etc. The resolution works fine at their own
sites, but another child domain does resolve the record properly and
the request is actually going to the internet and at time gets the
public IP when available. If the zones are instead put on the root
domain DNS servers it works when the child domains forward to them.
I would like for each child domain to manage it's own DNS needs.

Example: Win2k root domain name 123.com, child domain hosted at the
child domains AD DNS city.123.com resolves across AD just fine. When
a new zone and host records are created zzz.com server.zzz.com that
can only be resolved at the child domain. Shouldn't all DNS servers
be getting a copy of that zone with AD integration?

Thanks.

Not if they are in different domains. AD Integrated zones exist in the
Domain NC partition. That's one of three partitions (logical divisions) in
the physical AD database. The other two are the Schema Partition and the
Configuration Container. The Schema and COnfig are replicated forest wide.
The Domain NC is just replicated between domain controllers in that specific
domain. Windows 2003 changes that with the ability to replicate the zone in
what's called an "Application Partition" that we can select different domain
App partitions to replicate a zone to.But not W2k.

To get what you need, you'll have to rely on Seconday zones. Give it a shot
and let us know how you make out.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Jim Geith]

I was about to get to arrive at this conclusion, but thanks for the
confirmation. Today we discussed leaving the two root DNS servers AD
integrated and making the child domain DNS servers secondary servers. Not
to lay blame but I think it's safe to say there are a lot of misconceptions
due to MS' own DNS materials. They really need to present examples like
yours. I'm a busy guy and don't have time to get super cozy with the AD
database, but vaguely recalled something when I was explaining that AD
integrated zones use the DC replication topology. Which made me think it
about it a little differently. Which runs smack into the materials that
generalize by saying AD integrated zones are replicated on AD integrated DNS
servers. They forget to specify the scope of the replication so it's off to
the races for some busy head scratching admins. I saw the features of 2003
DNS and it gives the ability to control zone replication among local DC's,
or forest wide replication. Which is cool. I still want the child domain
admins to be able to maintain their specific DNS needs, but also assure the
remaining child domains can resolve those records.

Thanks again.

 

[Ace Fekay [MVP]]

In

I was about to get to arrive at this conclusion, but thanks for the
confirmation. Today we discussed leaving the two root DNS servers AD
integrated and making the child domain DNS servers secondary servers.
Not to lay blame but I think it's safe to say there are a lot of
misconceptions due to MS' own DNS materials. They really need to
present examples like yours. I'm a busy guy and don't have time to
get super cozy with the AD database, but vaguely recalled something
when I was explaining that AD integrated zones use the DC replication
topology. Which made me think it about it a little differently.
Which runs smack into the materials that generalize by saying AD
integrated zones are replicated on AD integrated DNS servers. They
forget to specify the scope of the replication so it's off to the
races for some busy head scratching admins. I saw the features of
2003 DNS and it gives the ability to control zone replication among
local DC's, or forest wide replication. Which is cool. I still want
the child domain admins to be able to maintain their specific DNS
needs, but also assure the remaining child domains can resolve those
records.

Thanks again.

No problem Jim.

Glad to have helped.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory