DNS Design question

Thread starter: C Hall

Hi all,

I have multiple sites connected via frame relay and am running both Netware
5.1 and W2k. I'm looking for guidance on re-designing our dns structure.
Here's the layout: we have 12 locations, most of which have about 6 - 12
users. All locations except for one use Netware as their primary f & p
server. One location has a w2k dc and we have another dc in our ops center.
We have two locations where we have w2k member servers running apps (SQL2k,
TS). At one of those locations, we'll convert one of the servers to a w2k
dc. Right now, we're using primary/secondary zones on the 2k servers. Users
that use a mortgage program (on one of the member servers) are located in
several locations. Users that use a trust services program are contained in
one location.

The question: I'm converting our netware network to pure ip and will install
dns on all servers, setting up child zones for each of the locations that
contain a NW box. Our 2k servers are setup to forward queries for internet
resources. My question is what would be the best approach for designing dns
in those locations that have both 2k and nw? Perhaps setup both, using one
for failover and copying any necessary records to the 2k server? And the
clients?
 
In reply to C Hall's post above:

I don't know too much about Netware, but I can tell you: don't use its DNS IP
on the Windows domain members. If the NW DNS has different names in it from
the Windows DNS, use the NW DNS as a forwarder for the Windows DNS, then
check the box "Do not use recursion" (Forwarders tab).
Active Directory domains use DNS to locate domain controllers for
authentication; if there is a DNS server that does not support the AD domain
in the client DNS list, in any position, you can expect very inconsistent
behavior and network errors.
 
Let me make sure I get this correct:

> but I can tell you don't use its DNS IP on the Windows domain members,

On the Windows DNS MMC, don't add the NW DNS IP address as a DNS member
server.

> if the NW DNS has different names in it from the Windows DNS,

Would you be referring to the zone or internal domain names?

> use the NW DNS as a forwarder for the Windows DNS

In the Windows DNS MMC, click the tab where you set a forwarder and enter
the NW IP?

> then check the box "Do not use recursion" (Forwarders tab)

On Windows?
 
C Hall said:

> Let me make sure I get this correct:
>
> On the Windows DNS MMC, don't add the NW DNS IP address
> as a DNS member server.

Not sure what you mean here, I was talking about TCP/IP properties on the
machine's interfaces. All AD domain members must use only the DNS for the AD
domain; if the DNS server does not have a zone for the AD domain, don't use
it for DNS on any interface, in any position.

> Would you be referring to the zone or internal domain
> names?

If the Netware DNS has domains that are not in the Windows DNS, use it as a
forwarder for the Windows DNS.

> In the Windows DNS MMC, click the tab where you set a
> forwarder and enter the NW IP?

Yes.

> On Windows?

Yes, this prevents the Windows DNS from using root hints to find names in
the NW DNS.
 
Kevin D. Goodknecht Sr. said:

> Not sure what you mean here, I was talking about TCP/IP properties on the
> machine's interfaces. All AD domain members must use only the DNS for the AD
> domain; if the DNS server does not have a zone for the AD domain, don't use
> it for DNS on any interface, in any position.

Kevin is correct in a general way here.

Technically all domain members must be able
to RESOLVE the domain's DNS zone entries,
which usually means using the DNS server(s)
that hold that zone directly.

But more generally internally machines must use
internal DNS servers that can resolve all internal
names.

(Even this is slightly askew since again the key is
that whatever server the clients use, it must resolve
all of the names needed by that client, but the
practical truth of the above and the common
practices are what Kevin is referring to.)

If clients do not use the actual DNS server holding
their domain's DNS zone, they must use one that
will resolve it correctly -- that is, one that delegates
to it, (conditionally) forwards to it, holds a secondary
copy of it, or otherwise finds a way to resolve the
names the client needs.
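Kevin's two rules (forward to the NetWare DNS and turn off the fallback to root hints; let domain members use only resolvers that hold the AD zone) and Herb's generalisation (the client's resolver merely has to be able to resolve the AD zone, whether directly, by delegation, by conditional forwarding or from a secondary copy) translate directly onto a current Windows DNS server. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules (the Windows 2000 MMC checkboxes the thread describes map onto these settings), that it is run on a domain controller, and that the server names, zone name and addresses are made up.

```powershell
# Added example (not from the thread). Assumed values: AD DNS servers 10.0.1.10 and 10.0.2.10,
# a NetWare DNS at 10.0.1.20 that is authoritative for the NetWare-only child zone nw.example.com.
$adDns  = @('10.0.1.10', '10.0.2.10')
$nwDns  = '10.0.1.20'
$nwZone = 'nw.example.com'

# Option A, Kevin's literal advice: the Windows DNS forwards what it cannot answer to the NetWare
# DNS and does NOT fall back to root hints. "Do not use recursion" on the W2K Forwarders tab is
# -UseRootHint $false here; a dead forwarder then means a failed lookup, not a query to the roots.
# Caveat: this replaces the whole forwarder list, so Internet names now depend on the NetWare box
# being able to resolve them itself.
Set-DnsServerForwarder -IPAddress $nwDns -UseRootHint $false -Timeout 3

# Option B, Herb's narrower variant: only names under the NetWare child zone go to the NetWare
# server; everything else keeps using the existing forwarders. Stored in AD (Domain scope), so
# every DC running DNS in the domain gets the same conditional forwarder.
Add-DnsServerConditionalForwarderZone -Name $nwZone -MasterServers $nwDns -ReplicationScope 'Domain'

# Audit a domain member: every resolver on every interface must be an AD DNS server
# (Kevin: "any interface, in any position"). Returns the offending entries; nothing if clean.
function Get-NonAdResolver {
    param([Parameter(Mandatory)][string[]]$AdDnsServers)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($ip in $_.ServerAddresses) {
                if ($AdDnsServers -notcontains $ip) {
                    [pscustomobject]@{ Interface = $_.InterfaceAlias; Resolver = $ip }
                }
            }
        }
}

$bad = Get-NonAdResolver -AdDnsServers $adDns
if ($bad) { $bad | Format-Table -AutoSize } else { 'All interfaces use AD DNS only.' }
```

Pick one of the two forwarding options, not both: option A routes every non-local query, Internet included, through the NetWare server, while option B touches only the NetWare zone and leaves the existing Internet forwarders in place. The audit function is the check to run on every member (and on the DCs themselves) after the change.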
 
Thanks Kevin & Herb for your posts.

The more I read, the more questions I have....let me take this a piece at a
time.

First, the two w2k DNS servers:

I have configured one forward lookup zone--domain_name.com. The server
located in our main office is primary for this zone and the other server is
secondary for the zone. I have three reverse lookup zones--1 for the main
location, 1 for the remote location and another where I will be locating
another dc. We have no more than 200 nodes at this point. Is this an
efficient design? Or do you have recommendations? Would it be better to
create child forward lookup zones for EACH location and leave the root
empty? I guess I have envisioned using the netware server in our main
location as a secondary dns server to the primary w2k dns server in the main
location.

On the netware side, I'll be creating a child zone for each of the
locations, making the server at that location primary for its forward and
reverse lookup zones.
 
In reply to C Hall's post above:

One problem you have, I forgot to mention, is the underscore in your domain
name. An underscore is only a legal character if it is the first character
in a subdomain. You have to set the Windows DNS to Name Checking "All
names" on the Advanced tab of the DNS server property sheet. I'm not sure
what you have to do to BIND to accept the underscore. If you run netdiag /v
you will get a warning message for the invalid character and that not all
DNS servers support the underscore.

Also, I recommend using AD-integrated DNS zones instead of a
primary/secondary scenario. To change this, delete the secondary zone and
change the primary to AD-integrated and wait for the zone to replicate. Do
not create or convert the secondary to AD-integrated; this will create a
conflicting zone in AD and possibly overwrite the first zone you convert to
AD.
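The conversion order Kevin gives (remove the secondary, convert the primary, wait for replication, never convert the secondary as well) can be scripted so the order cannot be got wrong. This is an added example for this page, not code from the thread; it assumes Windows Server 2012 or later with the DnsServer module, that it is run from a domain controller, and that the server names DC1/DC2 and the zone corp.example.com are made up. It also adds the one setting that only AD-integrated zones offer and that a practitioner would want turned on straight after converting: secure-only dynamic updates, so that unauthenticated hosts cannot overwrite records.

```powershell
# Added example (not from the thread). Assumed names: DC1 holds corp.example.com as a
# file-backed primary, DC2 holds a standard secondary copy of it.
$zone      = 'corp.example.com'
$primary   = 'DC1'
$secondary = 'DC2'

# Step 1 (Kevin's order): remove the SECONDARY first. Converting it too would create a second
# copy of the zone in the directory that can overwrite the one converted from the primary.
$sec = Get-DnsServerZone -Name $zone -ComputerName $secondary -ErrorAction SilentlyContinue
if ($sec -and $sec.ZoneType -eq 'Secondary') {
    Remove-DnsServerZone -Name $zone -ComputerName $secondary -Force
}

# Step 2: convert the file-backed primary into an AD-integrated primary. Domain scope replicates
# it to every domain controller in this domain that runs DNS, so DC2 gets the zone through AD.
ConvertTo-DnsServerPrimaryZone -Name $zone -ComputerName $primary -ReplicationScope 'Domain' -Force

# Step 3: wait for AD replication rather than recreating anything on DC2 by hand.
function Wait-DsIntegratedZone {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server,
        [int]$TimeoutSeconds = 900
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $z = Get-DnsServerZone -Name $Name -ComputerName $Server -ErrorAction SilentlyContinue
        if ($z -and $z.IsDsIntegrated) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Wait-DsIntegratedZone -Name $zone -Server $secondary) {
    # Only AD-integrated zones support secure-only dynamic update (Kerberos-authenticated
    # clients may update their own records; anonymous updates are refused).
    Set-DnsServerPrimaryZone -Name $zone -ComputerName $primary -DynamicUpdate 'Secure'
    "$zone is AD-integrated on $secondary and accepts secure dynamic updates only."
} else {
    Write-Warning "$zone has not appeared on $secondary yet; check AD replication (repadmin /showrepl)."
}
```

Because an AD-integrated zone is multi-master, the dynamic-update setting applied on DC1 shows up on DC2 with the next replication cycle; there is nothing to configure on the former secondary.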
 
> One problem you have, I forgot to mention, is the underscore in your domain
> name. An underscore is only a legal character if it is the first character
> in a subdomain. You have to set the Windows DNS to Name Checking "All
> names" on the Advanced tab of the DNS server property sheet. I'm not sure
> what you have to do to BIND to accept the underscore. If you run netdiag /v
> you will get a warning message for the invalid character and that not all
> DNS servers support the underscore.

I was just using that as an example, but thanks for the info. I do have some
servers named server_name. Would that cause a problem? It doesn't seem to.

> Also, I recommend using AD-integrated DNS zones instead of a
> primary/secondary scenario. To change this, delete the secondary zone and
> change the primary to AD-integrated and wait for the zone to replicate. Do
> not create or convert the secondary to AD-integrated; this will create a
> conflicting zone in AD and possibly overwrite the first zone you convert to
> AD.

I would use integrated zones except that a couple of our locations will have
both NW & 2k DNS. In the back of my mind, I'll be making the NW server a
secondary server to the w2k.
 
Even if the rules are more forgiving, I
strongly recommend that all names follow
these rules (NetBIOS and each Label of the
DNS names):

Only Alphabetic as the first character,
only Alphanumeric for the subsequent characters,
no more than 14 characters TOTAL.

(15 is the enforced limit for "NetBIOS machine
names" but there are strange compatibility reasons
for going one less.)
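Kevin's warning about the underscore (legal only as the first character of a label, which is what AD's own `_ldap`, `_tcp` service-record labels rely on) and Herb's stricter naming rules above are both easy to check mechanically before a rename or a zone import. The following is an added example for this page, not code from the thread: a small validator with the two rule sets side by side, run over constructed sample names. It assumes only PowerShell; the server-side relaxation Kevin describes is mentioned in a comment as the equivalent `dnscmd` setting.

```powershell
# Added example (not from the thread). Two rule sets for one host-name label:
#  'Rfc'    : RFC 952/1123 host-name labels: letters, digits and hyphen, no leading or trailing
#             hyphen, no underscore, at most 63 characters. This is what W2K DNS "Strict RFC"
#             name checking enforces and what netdiag /v warns about.
#  'Strict' : Herb's recommendation: alphabetic first character, alphanumeric afterwards,
#             no more than 14 characters in total.
function Test-HostLabel {
    param(
        [Parameter(Mandatory)][string]$Label,
        [ValidateSet('Rfc', 'Strict')][string]$RuleSet = 'Rfc'
    )
    switch ($RuleSet) {
        'Rfc'    { return ($Label.Length -ge 1 -and $Label.Length -le 63 -and
                           $Label -match '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') }
        'Strict' { return ($Label -match '^[A-Za-z][A-Za-z0-9]{0,13}$') }
    }
}

# Check every label of a DNS name. Under the RFC rule set a label may begin with an underscore
# (Kevin's exception, used by AD service records such as _ldap._tcp); Herb's rules never allow it.
function Test-DnsName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Rfc', 'Strict')][string]$RuleSet = 'Rfc'
    )
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        if ($RuleSet -eq 'Rfc' -and $label.StartsWith('_')) {
            if ($label.Substring(1) -notmatch '^[A-Za-z0-9-]+$') { return $false }
            continue
        }
        if (-not (Test-HostLabel -Label $label -RuleSet $RuleSet)) { return $false }
    }
    return $true
}

# Constructed sample names (not taken from the thread):
$samples = 'server_name.domain_name.com',
           'ops-dc1.corp.example.com',
           '_ldap._tcp.corp.example.com',
           'verylonghostname01.corp.example.com'
foreach ($n in $samples) {
    [pscustomobject]@{
        Name   = $n
        Rfc    = Test-DnsName -Name $n -RuleSet 'Rfc'
        Strict = Test-DnsName -Name $n -RuleSet 'Strict'
    }
}

# If underscore names must be kept anyway, Kevin's "All names" setting is, on the command line,
# the server's NameCheckFlag (0 strict RFC, 1 non-RFC, 2 multibyte UTF-8, 3 all names):
#   dnscmd <server> /Config /NameCheckFlag 3
# Loosening the check on the Windows server does nothing for other resolvers (BIND included).
```

With these samples, `server_name.domain_name.com` fails both rule sets, `ops-dc1.corp.example.com` is fine under the RFC rules but fails Herb's because of the hyphen, `_ldap._tcp.corp.example.com` passes only the RFC rules thanks to the leading-underscore exception, and `verylonghostname01.corp.example.com` passes the RFC rules but exceeds Herb's 14-character limit.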
 