Clients in Different DNS zone

  • Thread starter Thread starter Rob McShinsky
  • Start date Start date
R

Rob McShinsky

Currently we have our client computers in a different DNS zone than what
their Fully Qualified Domain Name is. Example below:

Machine belongs to domain: dhmcmaster.dh.hitchcock.org
Machines DNS record is in: dhcp.hitchcock.org.

What are some of the implications/limitations of having these client record
in a different zone than what their fully qualified domain says. We
currently have 5000+ clients and 160+ servers in our environment. In
smaller environments that I have worked for I have always had them in the
same zone following the fully qualified name. I am trying to make a case
for moving these records to the fully qualified domain name.

Thanks
Rob McShinsky
 
In
Rob McShinsky said:
Currently we have our client computers in a different DNS zone than
what their Fully Qualified Domain Name is. Example below:

Machine belongs to domain: dhmcmaster.dh.hitchcock.org
Machines DNS record is in: dhcp.hitchcock.org.
Click to expand...

So you are saying the the machine's Primary DNS Suffix is set to
dhcp.hitchcock.org, but joined to dhmcmaster.dh.hitchcock.org?
What are some of the implications/limitations of having these client
record in a different zone than what their fully qualified domain
says. We currently have 5000+ clients and 160+ servers in our
environment. In smaller environments that I have worked for I have
always had them in the same zone following the fully qualified name.
I am trying to make a case for moving these records to the fully
qualified domain name.

Thanks
Rob McShinsky
Click to expand...

It can lead to some confusion,m but I don't think it's critical for a client
machine. I remember one other gentelmen that has this same setup but you
would need to add in the NIC properties toallow to register the machine
under the zone it belongs in. This is not a requirement, since after all
many companies don't want to register their clients since they believe
either that it clutters up DNS with all the client registrations, which are
not really needed in most cases, or it maybe a University or some other
school where laptops, PDA, etc, are constantly signing on and off and to
have their records registered is just overhead and not needed. .

On a DC, the Primary DNS Suffix is what the netlogon service uses and what
the client machines use to register into DNS. If you do need registration,
you would need to provide that (especially on the DCs) the extra suffix to
register into. It's recommended at least on a DC to set the proper Primary
DNS Suffix of the domain that it's a domain controller for, otherwise, it's
your choice and your adminstration overhead to have clients register in the
zone or some other zone that it's not a member of.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In

So you are saying the the machine's Primary DNS Suffix is set to
dhcp.hitchcock.org, but joined to dhmcmaster.dh.hitchcock.org?


It can lead to some confusion,m but I don't think it's critical for a
client machine. I remember one other gentelmen that has this same
setup but you would need to add in the NIC properties toallow to
register the machine under the zone it belongs in. This is not a
requirement, since after all many companies don't want to register
their clients since they believe either that it clutters up DNS with
all the client registrations, which are not really needed in most
cases, or it maybe a University or some other school where laptops,
PDA, etc, are constantly signing on and off and to have their records
registered is just overhead and not needed. .

On a DC, the Primary DNS Suffix is what the netlogon service uses and
what the client machines use to register into DNS. If you do need
registration, you would need to provide that (especially on the DCs)
the extra suffix to register into. It's recommended at least on a DC
to set the proper Primary DNS Suffix of the domain that it's a domain
controller for, otherwise, it's your choice and your adminstration
overhead to have clients register in the zone or some other zone that
it's not a member of.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...

In MS terms, this is known as a 'disjoint namespace' and there are a
couple of issues that *may* occur because of it. In particular, updates
to the 'dnsHostName' and 'servicePrincipalName' attributes of Computer
objects are 'validated writes' and will fail if the client DNS name
doesn't match the AD DNS domain name. The symptoms are usually 5788 and
5789 errors from NETLOGON.

The fix is fairly simple; change the permissions on the above mentioned
attributes to grant 'Self' R/W access. This bypasses the validated write
restriction and allows the clients to udpate their own attrbutes. There
is a potential denial of service with this approach since any computer
could update the SPN and advertise services. Exchange 2000, SQL Server
and many other applications need to update the SPN so it's required in
some circumstances...

Search the MS support site with "disjoint namespace" for further
information.

Wayne
 
In
Rob McShinsky said:
OK so here are the details, since the thread seems to running well
here. We use a Bind DNS structure with a Linux DHCP servicing about
6500 clients throughout the organization. We do not allow the W2K
and above clients to register themselves. The registration and
deregistration requests are all made by the DHCP server.
We are also using DNS suffix search lists and the primary DNS suffix
is the one that matches the domain name (dhmcmaster.dh.hitchcock.org)

Servers however ARE allowed to dynamicly update the domain name space
(dhmcmaster.dh.hitchcock.org) with whatever recoreds they need.

We don't seem to be having any difficulties, but wanted to make sure
we were not overlooking something that may interfere with anything.
i.e. kerberos authentication/reauthentication, computer account
password syncronization, et al..

Thanks for your input.

Rob McShinsky
Click to expand...

Hi Rob

As I said previously, it's really not a big deal to not have clients
register. The important aspect, however, is the DCs, which you've already
allowed to update and making sure their Primary DNS Suffix is set properly
to their domain name. Same goes with member servers with their Primary DNS
Suffixes. I would also let member servers that have static IPs and running
services such as Exchange, SQL, etc, update. As for clients, I don't see a
big thing about them.

Your config seems fine. As long as domain services are accessble by all
clients, logons are fine and don't take a long time, Event Viewer is clean,
etc, you've got a solid system.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top