DNS delegation

  • Thread starter: charliey_2000

charliey_2000

Hi,

We currently have our forest empty root domain and a
child domain DNS hosted on a non-Windows 2000 server.
Here is what we want to do. We are planning to move the
DNS to the Windows 2000 domain controllers for the domain
to take advantage of Active Directory replication. If it
were a single Windows 2000 domain then I think it would
be straightforward: just create secondary DNS zones for
the domain on the Windows 2000 server and then, after it
is populated, change the current DNS server to point to
the Windows 2000 server as the primary and start of
authority.

But in our case we have two DNS domains. The parent
forest root 2k domain and a child domain. We have two
domain controllers for each domain. My thought was since
they are at the same location just have the child domain
controllers take over the dns for both the parent(forest
root) and child domain. But then I was wondering can I
still have active directory integrated dns since we now
have two domains although it will be on DNS servers
(domain controllers) of the child domain.

The other way I suppose I could do this is delegate the
DNS domains to the domain controllers in their
respective 2k domains. Now I would be
installing DNS on four servers instead of two. Sorry this
is so long, but I wanted to give as much detail as
possible.
 
Normally what you would want to do is to have an Active
Directory-integrated zone for the root domain in the root domain
and an Active Directory-integrated zone for the child domain in the
child domain. Then in the root domain delegate the child domain
zone to the child domain DNS, and in the child domain create a
secondary zone for the root domain zone. In this configuration
you can manipulate the zones separately easily and not have
one big zone for all the domains.

I hope it was helpful and not too confusing. :)

Yuriy
 
Yuriy <[email protected]> posted a question, then Kevin replied below:

If all four DCs are at one location and the parent is empty, it would be a
perfect place for all DNS, since all machines must be able to find the
parent zone to find the forest global catalog record. I use the same
scenario, my empty AD parent zone also has a subdomain in it for the child
name. Then all machines would use the parent DCs for DNS.
Since my Child DNS servers do not have to do any internal DNS it made a
perfect place for the public zones I host.
 

To add to the other responses, yes, you can use the child DNS to host both.

Keep in mind that in W2k AD, AD-integrated zones exist in the Domain NC (one of 3
logical partitions in the physical AD database), and this partition only
exists on DCs of a specific domain. I think you were loosely stating that,
but I just want to solidify that. If you host DNS on any DC/DNS, you can have
ANY zones you want on it, but they will only replicate to other DCs of
that domain. So you can use that for your whole infrastructure.

If it were a more complex organization with administratively separate
remote child domains, then the ideal is the delegation method.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question, then Kevin replied below:

There are two problems I can think of with using the child DCs to host the DNS
for the entire forest. If you add another child domain, the zone will not
replicate to the new child domain.
The main advantage of using the empty root for DNS for the forest is that it
simplifies the forest partition, because the Global Catalog records are in
the parent zone only and are required before you can log on or add members
to any domain. I'd use the parent for both DNS and Global Catalog.
By using the parent to host DNS for the entire forest, all records for all
domains are replicated to all DCs in the forest root domain. I think this
simplifies setting up the infrastructure, as long as you have at least one
parent DC at all locations to act as DNS and Global Catalog.
 
I would agree with Yuriy. One other suggestion though... if the empty
parent/root and the child domains are separated by a WAN (i.e. slow) link,
then I would suggest specifying forwarders on the child DNS server to
forward to the parent/root DNS servers (as opposed to creating a secondary
of the parent/root zone). When using a slow link, this will save the
limited bandwidth from being used for zone transfers.
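As an added example (not code from anyone in this thread), the following Python check models the layout Yuriy describes and the forwarder variant just above: the forest-root zone delegates the child zone with NS and glue records, the child zone's own NS set matches that delegation, and the child DNS servers can reach the root zone (where the Global Catalog records live) through either a secondary zone or forwarders. All zone names, host names and addresses are constructed, and a lame or glue-less delegation is reported as a problem.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    records: list = field(default_factory=list)  # (owner, type, rdata) triples

def lookup(zone, owner, rtype):
    return {r for o, t, r in zone.records if o == owner and t == rtype}

def check_delegation(parent, child, child_server_zones, child_forwarders=()):
    """Return a list of problems with the parent->child delegation (empty = OK)."""
    problems = []
    ns_parent = lookup(parent, child.name, "NS")   # delegation NS set in the parent
    ns_child = lookup(child, child.name, "NS")     # apex NS set in the child zone
    if not ns_parent:
        problems.append(f"{parent.name} has no NS delegation for {child.name}")
    for ns in ns_parent - ns_child:
        problems.append(f"lame delegation: {ns} is not an NS of {child.name}")
    for ns in ns_child - ns_parent:
        problems.append(f"{ns} serves {child.name} but is not delegated to")
    for ns in ns_parent:
        # a name server inside the delegated zone needs a glue A record in the parent
        if ns.endswith("." + child.name) and not lookup(parent, ns, "A"):
            problems.append(f"missing glue A record for {ns} in {parent.name}")
    # child DCs must resolve the forest-root zone (GC records): secondary or forwarder
    if parent.name not in child_server_zones and not child_forwarders:
        problems.append(f"child DNS servers cannot resolve {parent.name}")
    return problems

# Constructed sample zones (hypothetical names and addresses).
ROOT = Zone("corp.example", [
    ("child.corp.example", "NS", "dc1.child.corp.example"),
    ("child.corp.example", "NS", "dc2.child.corp.example"),
    ("dc1.child.corp.example", "A", "10.0.1.1"),   # glue
    ("dc2.child.corp.example", "A", "10.0.1.2"),   # glue
])
CHILD = Zone("child.corp.example", [
    ("child.corp.example", "NS", "dc1.child.corp.example"),
    ("child.corp.example", "NS", "dc2.child.corp.example"),
])

def good_config():
    # child DCs host their own zone plus a secondary copy of the root zone
    return check_delegation(ROOT, CHILD, {"child.corp.example", "corp.example"})

def missing_glue_config():
    # root zone lost the glue for dc2; child DCs use forwarders instead of a secondary
    broken = Zone(ROOT.name, [r for r in ROOT.records if r[0] != "dc2.child.corp.example"])
    return check_delegation(broken, CHILD, {"child.corp.example"}, child_forwarders=("10.0.0.1",))
```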
 
: There are two problems I can think of with using the child DCs to host
: the DNS for the entire forest. If you add another child domain, the
: zone will not replicate to the new child domain.

I agree there. That's why I was saying you can only use the DNS servers in
the child domain.

: The main advantage of using the empty root for DNS for the forest is that it
: simplifies the forest partition, because the Global Catalog records
: are in the parent zone only and are required before you can log on or
: add members to any domain. I'd use the parent for both DNS and Global
: Catalog.

That would be the ideal scenario. I was just answering the original question
about whether the child DNS can be used.

: By using the parent to host DNS for the entire forest, all records for
: all domains are replicated to all DCs in the forest root domain. I
: think this simplifies setting up the infrastructure, as long as you
: have at least one parent DC at all locations to act as DNS and Global
: Catalog.

No argument there... sounds good to me, and I would rather design it in this
fashion.



--
Regards,
Ace

 
Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question, then Kevin replied below:
Oh yeah, I know the original question was to use the child for all DNS.
Myself, if I had two parent DCs sitting there as an empty root, I would give
them something to do other than sit there using electricity. I mean, if they
are just there managing the namespace and they are not authenticating users,
DNS replication doesn't use much bandwidth; that's about all they will have
to do. Am I right or Amarillo? :-)

We haven't heard from Charlie since the original post; I may be just talking
into thin air. ROFL
 
Kevin D. Goodknecht said:
: Oh yeah, I know the original question was to use the child for all DNS.
: Myself, if I had two parent DCs sitting there as an empty root, I
: would give them something to do other than sit there using
: electricity. I mean, if they are just there managing the namespace
: and they are not authenticating users, DNS replication doesn't use
: much bandwidth; that's about all they will have to do. Am I right or
: Amarillo? :-)
:
: We haven't heard from Charlie since the original post; I may be just
: talking into thin air. ROFL
:
: --
: Best regards,
: Kevin D4 Dad Goodknecht Sr. [MVP]
: Hope This Helps

Right or Amarillo... never heard of that one! :-) But yes, you're right!

Hopefully Charlie is monitoring the thread so at least he gets something out
of it. :-)


--
Regards,
Ace

 