DNS Design Question--revisited

Thread starter: C Hall
Follow-up question to designing a DNS structure:

I have several locations, but most locations have very few users (6 - 24).
I'm currently using primary/secondary zones, as several locations have
NetWare DNS, which I'll use as secondary DNS servers in those locations. Our
current structure is one forward lookup zone (domain.com), with our first DC
set up as the primary and additional DCs added as secondaries...I can hear the
groans already....Reverse zones are set up, with each location acting as
primary for its zone. If I were to create child zones for each of the
locations, making them primary for their zones, I would set up each of these
remote locations to forward to the 'main' location/DNS server, correct? And
it would have forwarding set up to forward queries to our ISP for external
addresses, correct? We have about 200 users company-wide.

All ideas, comments, suggestions are welcome.
 
C said:
Follow-up question to designing a DNS structure:

I have several locations, but most locations have very few users (6 -
24). I'm currently using primary/secondary zones, as several
locations have NetWare DNS, which I'll use as secondary DNS servers in
those locations. Our current structure is one forward lookup zone
(domain.com), with our first DC set up as the primary and additional
DCs added as secondaries...I can hear the groans already....Reverse
zones are set up, with each location acting as primary for its zone.
If I were to create child zones for each of the locations, making
them primary for their zones, I would set up each of these remote
locations to forward to the 'main' location/DNS server, correct? And
it would have forwarding set up to forward queries to our ISP for
external addresses, correct? We have about 200 users company-wide.

All ideas, comments, suggestions are welcome.

Are these locations different domain names? If not, there is no reason to
create a zone for each location. If they are child domains, you can use
delegations from the parent to the child DNS servers, then set a forwarder
from the child DNS to the parent DNS, then set a forwarder from the parent
to the ISP's servers.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

BTW - NetWare DNS does not support AD's required SRV records. I believe their
latest version does support it, and I am assuming you are not using the
latest version. It's best to stick with MS DNS for AD since you have more
options, and the zone is secured by using AD Integrated zones and allowing
only Secure Updates (which NetWare, even the latest version, does NOT
support).

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
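The delegation-plus-forwarder chain Ace describes (parent delegates the child label, child forwards to the parent, parent forwards to the ISP), as an added example that is not part of the original thread. It uses the Windows DnsServer PowerShell module, which did not exist on Windows 2000; the parent zone domain.com, the hypothetical child branch1.domain.com, the server names and all addresses are assumptions.

```powershell
# Added example, not from the original posts. Assumes the DnsServer module
# (Windows Server 2012 or later). Names and addresses below are hypothetical.
#
# Hypothetical layout:
#   domain.com          parent zone, DC/DNS at 10.0.0.10 (main location)
#   branch1.domain.com  child zone,  DC/DNS at 10.1.1.10 (remote location)
#   203.0.113.53        ISP resolver (RFC 5737 documentation address)

$Parent      = 'domain.com'
$ParentDns   = '10.0.0.10'
$ChildLabel  = 'branch1'
$ChildFqdn   = "$ChildLabel.$Parent"
$ChildDns    = '10.1.1.10'
$IspResolver = '203.0.113.53'

# --- On the parent DNS server ($ParentDns) ---
# 1. Delegate the child label to the child's name server. This writes NS and
#    glue A records into domain.com, so queries for *.branch1.domain.com are
#    referred to 10.1.1.10 instead of being answered NXDOMAIN by the parent.
Add-DnsServerZoneDelegation -Name $Parent -ChildZoneName $ChildLabel `
    -NameServer "dc1.$ChildFqdn" -IPAddress $ChildDns

# 2. The parent forwards everything it is not authoritative for to the ISP.
Add-DnsServerForwarder -IPAddress $IspResolver

# --- On the child DNS server ($ChildDns) ---
# 3. The child holds its own primary zone (AD-integrated because it is a DC,
#    secure dynamic updates only) ...
Add-DnsServerPrimaryZone -Name $ChildFqdn -ReplicationScope 'Domain' `
    -DynamicUpdate 'Secure'
# ... and forwards everything else (the parent zone, the Internet) to the parent.
Add-DnsServerForwarder -IPAddress $ParentDns

# --- Verification, from any domain member ---
# The delegation shows up as NS records for the child label at the parent ...
Resolve-DnsName -Name $ChildFqdn -Type NS -Server $ParentDns
# ... the child can still find the parent domain's DCs through its forwarder ...
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Parent" -Type SRV -Server $ChildDns
# ... and external names resolve through the parent's forwarder to the ISP.
Resolve-DnsName -Name 'www.example.com' -Type A -Server $ChildDns
```

The three Resolve-DnsName calls exercise each link in the chain separately; if the last one fails but the first two succeed, the problem is the parent's forwarder to the ISP, not the delegation.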
 
Ace,

Thanks for the reply. All locations are NOT separate domains. From my
understanding, I think the only reason to create separate forward lookup
zones for these locations would be the number of records--sound about right?

 
What about the reverse zones? Should each server have a copy of all the
reverse zones? Or just its own?
 
Sorry for the hodge-podge replies...I keep getting interrupted...

In reference to your comments about NetWare:
We are using 5.1, so no, we're not running the latest & greatest. I do need
to have DNS on those servers, however, as most of our locations have only
one NetWare server and I'm trying to get rid of IPX! Patui!! I'm not
intending to use them to replicate AD traffic. In cases where I have both
NetWare and Win2k, I will be setting up DNS on both servers just because not
all users in all locations are logging into the Win2k domain. For the most
part, locations that run Win2k DCs are doing so because we have application
servers also in those locations. Do you see any problems here? I wouldn't
set up a NetWare IP address in a W2k DC's TCP/IP settings, I would just have the
server configured for fault tolerance.

Thanks Ace.

 
C said:
Sorry for the hodge-podge replies...I keep getting interrupted...

In reference to your comments about NetWare:
We are using 5.1, so no, we're not running the latest & greatest. I
do need to have DNS on those servers, however, as most of our
locations have only one NetWare server and I'm trying to get rid of
IPX! Patui!! I'm not intending to use them to replicate AD traffic.
In cases where I have both NetWare and Win2k, I will be setting up
DNS on both servers just because not all users in all locations are
logging into the Win2k domain. For the most part, locations that run
Win2k DCs are doing so because we have application servers also in
those locations. Do you see any problems here? I wouldn't set up a
NetWare IP address in a W2k DC's TCP/IP settings, I would just have the
server configured for fault tolerance.

Thanks Ace.

No problem. :-)

One rule of thumb we must all remember is that in an AD environment, ALL
machines in the environment, if they are to authenticate and use AD,
must ONLY point to DNS servers that support AD's requirements, or other
issues WILL occur. Your mix of back-level DNS servers that do not
support AD and W2k servers that do support AD is not a proper design and
will cause problems with your machines' authentication and logging on to the
domain. There are many issues concerning this, besides what I mentioned, from
GPOs not working, to long logon requests, to not being able to use printers, etc.; the list is
long. Any AD activity requires a DNS SRV record lookup to accomplish the
task, and the NetWare machines do not support this.

Also, it is best practice no matter whether some users log on to the
domain or not. You need to simplify your infrastructure. Too many variables.

I cannot see any problems if you just use your W2k DNS servers only and get
rid of the NW servers. You can't mix different DNS servers that do not
contain the same content on each server. The resolver service on a client
uses the DNS entries for fault tolerance. It checks the first; if that one
doesn't have the answer, that is considered an answer and it won't check the
other. The only time it checks the second entry in IP properties is when the
first times out waiting for a response, and once it does, it does not ask the
first one again unless you restart the machine, provide a registry entry to alter this
behavior, or restart the DNS Client service.

Ace
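Ace's point that every DNS server in a client's list must hold the same content, because the resolver treats a negative answer as final rather than trying the next server, can be checked directly. The following is an added example, not part of the original thread: it asks each DNS server configured on the local machine for the SRV record domain members use to locate a domain controller. It uses the Windows DnsClient PowerShell module (Windows 8 / Server 2012 or later), and the domain name domain.com is an assumption.

```powershell
# Added example, not from the original posts. Run on a Windows domain member
# with the DnsClient module. The domain name is an assumption.
$Domain = 'domain.com'
# The SRV record every domain member must resolve to find a domain controller.
$DcSrv  = "_ldap._tcp.dc._msdcs.$Domain"

function Test-AdDnsServers {
    param([string]$SrvName = $DcSrv)

    # Every IPv4 DNS server configured on any adapter of this machine.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique

    foreach ($server in $servers) {
        # Ask each server directly (-DnsOnly bypasses the local cache, hosts
        # file and LLMNR/NetBIOS) instead of letting the stub resolver pick one.
        $answer = Resolve-DnsName -Name $SrvName -Type SRV -Server $server `
            -DnsOnly -ErrorAction SilentlyContinue
        $targets = @($answer |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget })

        [pscustomobject]@{
            DnsServer         = $server
            AnswersAdSrv      = ($targets.Count -gt 0)
            DomainControllers = ($targets -join ', ')
        }
    }
}

# A server that reports AnswersAdSrv = False is one that must not appear in
# any domain member's DNS list: the resolver takes its negative answer as
# final and never tries the next server, so logons and GPO processing fail.
Test-AdDnsServers | Format-Table -AutoSize
```

Run it on a workstation at one of the branches where a NetWare DNS server is listed alongside a W2k DC: the NetWare entry will show no SRV answer, and which server a given logon hits depends only on which one answers first.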
 
C said:
Ace,

Thanks for the reply. All locations are NOT separate domains. From my
understanding, I think the only reason to create separate forward
lookup zones for these locations would be the number of
records--sound about right?

If they are all one domain, then you can use DNS AD Integrated zones. They
are stored in the AD database and replicate along with it. Any W2k or S2k3
DC/DNS supports this feature. Secondaries are not required. Think about it:
the zone info on each needs to be the same exact info, the same exact content,
so no matter what DNS you use, they all have the same content or can
reference that content. I have never heard of creating separate zones for
each location when all the machines are part of the same domain. The domain
is just that, a domain; it is autonomous and needs to be available throughout
the infrastructure.

Ace
 
C said:
What about the reverse zones? Should each server have a copy of all
the reverse zones? Or just it's own?

All servers should have a copy of the reverse zone for each subnet so the
whole infrastructure can resolve itself.

See what I'm getting at? The whole infrastructure must be resolvable by
using DNS servers that have the same content or reference to that content.

Ace
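The two recommendations above (a single AD-integrated forward zone with secure dynamic updates instead of a primary with secondaries, and a copy of every subnet's reverse zone on every server), as an added example that is not part of the original thread. It uses the Windows DnsServer PowerShell module on a domain controller; the zone name domain.com and the three site subnets are assumptions.

```powershell
# Added example, not from the original posts. Assumes the DnsServer module on
# a DC running the DNS Server role. Zone name and subnets are hypothetical.
$Zone    = 'domain.com'
# One reverse zone per site subnet (hypothetical addressing, octet-aligned).
$Subnets = @('10.0.0.0/24', '10.1.1.0/24', '10.2.2.0/24')

# 1. Convert the file-backed primary ("first DC as primary, other DCs as
#    secondaries") into an AD-integrated zone. The zone then lives in the
#    directory and replicates with it, so the secondaries become redundant.
ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -Force

# 2. Accept only secure (Kerberos-authenticated) dynamic updates, so one
#    client cannot overwrite another host's record. This option is only
#    available on AD-integrated zones, which is why a file-backed or
#    third-party secondary cannot offer it.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate 'Secure'

# Helper: the in-addr.arpa zone name for an octet-aligned prefix (/8, /16, /24).
function Get-ReverseZoneName([string]$Cidr) {
    $ip, $len = $Cidr -split '/'
    $octets = $ip -split '\.'
    $keep = [int]$len / 8            # whole octets covered by the prefix
    [array]::Reverse($octets)        # 10.1.1.0 -> 0.1.1.10
    return (($octets[(4 - $keep)..3] -join '.') + '.in-addr.arpa')
}

# 3. Reverse zones for every subnet, also AD-integrated and replicated to all
#    DNS servers in the forest, so every server holds every reverse zone and
#    the whole infrastructure can resolve itself.
foreach ($net in $Subnets) {
    $rz = Get-ReverseZoneName $net
    if (-not (Get-DnsServerZone -Name $rz -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope 'Forest' `
            -DynamicUpdate 'Secure'
    }
}

# 4. Verify: every zone we manage should show IsDsIntegrated = True and
#    DynamicUpdate = Secure; nothing should be left as a Secondary.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                  DynamicUpdate, IsReverseLookupZone |
    Format-Table -AutoSize
```

The forward zone uses Domain replication scope and the reverse zones use Forest scope; in a single-domain forest the two are equivalent, but Forest scope keeps the reverse zones on every DNS server even if child domains are added later.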
 
Ace,

Okay...loud and clear. One thing about something you said earlier....you
mentioned getting rid of NetWare...I can choose not to configure DNS on
NetWare, but removing it from all branches is not an option at this point. I
could configure zones for each location and have all clients point to the
nearest server, but that would mean queries across WAN links. I understand
what you're saying about the incompatibilities with the DNS versions (MS vs.
NetWare), but I'm stuck with NW at the moment.

Comments?

 
C said:
Ace,

Okay...loud and clear. One thing about something you said
earlier....you mentioned getting rid of NetWare...I can choose not to
configure DNS on NetWare, but removing it from all branches is not an
option at this point. I could configure zones for each location and
have all clients point to the nearest server, but that would mean
queries across WAN links. I understand what you're saying about the
incompatibilities with the DNS versions (MS vs. NetWare), but I'm
stuck with NW at the moment.

Comments?

Well, I meant to get rid of or disable the NW DNS services since the version
you are using cannot support AD's requirements. Choosing not to configure
DNS on the NW servers is the same thing that I was saying.

But that leads to this statement confusing me:
"...I can choose not to configure DNS on NetWare, but removing it from all
branches is not an option at this point."

Do you mean you are not choosing to configure DNS on NW, and that means you
won't be using DNS, correct? Then what do you mean by removing it from all
branches? Meaning DNS or the NW servers themselves?

What I'm trying to say is, simplify your DNS infrastructure. Don't mix DNS
services that either do not support your infrastructure (even though AD is
not used throughout your network), or that do not contain the same content
(all your zones). With all due respect, leaving it the way it is, is a
sloppy design that will lead to problems and complicate resolution in your
network (such as what you are trying to get help on now). Simplify it. Do
yourself a favor. Go to the highest possible denominator, and in this case,
based on what the future needs are, and that is to support AD, use what
supports AD. If you don't want to use W2k DNS, then you can use BIND 8.2.3 or
newer, but for your sake, whatever you use, retire the NW DNS servers since
they do not support your requirements.

Ace
 
Well, I meant to get rid of or disable the NW DNS services since the version
you are using cannot support AD's requirements. Choosing not to configure
DNS on the NW servers is the same thing that I was saying.

But that leads to this statement confusing me:

Do you mean you are not choosing to configure DNS on NW, and that means you
won't be using DNS, correct? Then what do you mean by removing it from all
branches? Meaning DNS or the NW servers themselves?

What I meant above is this: I inherited a NetWare network with DNS not
ever fully configured. A couple of branches had DNS, most did not. But
we were running IPX/SPX and the related services. We started adding W2k
servers as applications we needed required W2k. This led to domain
controllers. Which led to this present situation. Before moving forward,
I wanted to get a clear picture of what I needed to do, hence this post.

leaving it the way it is, is a sloppy design that will lead to problems
and complicate resolution in your network (such as what you are trying
to get help on now).

I agree and now understand where problems would come from.

If you dont want to use W2k DNS, then you can use BIND 8.2.3 or
newer, but for your sake, whatever you use, retire the NW DNS servers since
they do not support your requirements.

Thanks again, Ace.
 
C said:
What I meant above is this: I inherited a NetWare network with DNS not
ever fully configured. A couple of branches had DNS, most did not. But
we were running IPX/SPX and the related services. We started adding
W2k servers as applications we needed required W2k. This led to
domain controllers. Which led to this present situation. Before
moving forward, I wanted to get a clear picture of what I needed to
do, hence this post.

I agree and now understand where problems would come from.

Thanks again, Ace.


That's one of the most difficult things to handle, when someone gets a
network handed down that needs work to update it. I wish you well. I hope I
was clear, but not too blunt.

Ace
 
I've done some reading about DNS--"DNS and BIND", O'Reilly--it's a bit
different when you're in the trenches. Thanks for all your input.
Chris
 
C said:
I've done some reading about DNS--"DNS and BIND", O'Reilly--it's a bit
different when you're in the trenches. Thanks for all your input.
Chris

That's a good book. My pleasure for the help. Good luck.

Ace
 