dns on multiple domains

okon3

I have 2 domains and 3 domain controllers.
One domain is for our voice network (Cisco Windows 2000 Server Unity server with
Exchange) with one of the DCs and integrated DNS; it also has an
integrated reverse lookup zone for our data network.
Our data domain has the other two DCs (Windows 2000 Server, soon to be
upgraded to 2k3 Server) and integrated DNS; one of these DCs has a primary
DNS zone for our voice domain, the other DC has no reference to the voice
domain (I would like it to).

Can I integrate the voice domain's DNS into our data domain DNS servers, or
what would be the recommended path?
Is there a limit to the number of AD-integrated zones on 2000 or 2003
Server? We are about to add some subnets for separate wireless access and
other projects that we would like to keep separate from our internal data
subnet; can I integrate these subnets as well if there is no real
authentication taking place?
Thanks
 
Yes, you can set up a zone stored in AD for another domain, but before you
could use secure updates you'll need to create a trust, and make sure the
server in the external domain has update rights in the zone. There is no
replication between external domains, but you can have authentication in the
zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
OK thanks, is there a benefit other than redundancy without replication?
also:
Is there a limit to the number of AD integrated zones on 2000 or 2003
server? We are about to add some subnets for separate wireless access and
other projects that we would like to keep separate from our internal data
subnet, can I integrate these subnets as well if there is no real
authentication taking place? AD network authentication that is.
Thanks again,
Tom
 
Read inline please.

okon3 said:
OK thanks, is there a benefit other than redundancy without
replication?
SECURITY

also:
Is there a limit to the number of AD integrated zones on 2000 or 2003
server?

I have over 1000 zones on two servers and haven't found the wall yet.

We are about to add some subnets for separate wireless
access and other projects that we would like to keep separate from
our internal data subnet, can I integrate these subnets as well if
there is no real authentication taking place? AD network
authentication that is.

Any zone on a Domain Controller can be stored in Active Directory (ADI). If
your DCs are in different Forests, or different Domains under Win2k, there
will be no replication between the servers, but you can still have a trust
and authenticate between them. Just reading DNS requires no authentication,
and it is probably the only service on Win2k or Win2k3 that doesn't require
some sort of authentication to read. However, setting the zone to Only
Secure updates will require AD authentication with a privileged account to
update.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
 
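Kevin's answer above is that a zone for the voice domain can be stored in the data domain's AD and restricted to secure updates, and that the voice DC then needs a trust and update rights in that zone. The script below is an added example, not the posters' own commands, showing how that would be done with dnscmd.exe (from the Windows 2000/2003 Support Tools). The server name DATADC1, the zone names voice.example.local and 0.1.10.in-addr.arpa, and the subnet 10.1.0.0/24 are assumptions.

```powershell
# Added example (not from the thread). Assumed names: DATADC1 is one of the
# data-domain DCs, voice.example.local is the voice domain, and
# 0.1.10.in-addr.arpa is the reverse zone for the data subnet 10.1.0.0/24.
# dnscmd.exe ships in the Windows 2000/2003 Support Tools; run this as a
# Domain Admin of the data domain, on DATADC1.

$Server      = 'DATADC1'
$VoiceZone   = 'voice.example.local'
$ReverseZone = '0.1.10.in-addr.arpa'

# 1. Convert the existing standard primary copy of the voice zone on this DC
#    into an AD-integrated (DsPrimary) zone. Once it is stored in the data
#    domain's AD, the second data DC receives it through normal AD
#    replication, which is what the original poster asked for.
#    (If the zone does not exist on this server yet, use
#    dnscmd $Server /ZoneAdd $VoiceZone /DsPrimary instead.)
dnscmd $Server /ZoneResetType $VoiceZone /DsPrimary

# 2. Create the reverse lookup zone for the data subnet as AD-integrated too.
dnscmd $Server /ZoneAdd $ReverseZone /DsPrimary

# 3. Restrict both zones to secure dynamic updates only.
#    AllowUpdate values: 0 = no dynamic updates, 1 = nonsecure and secure,
#    2 = secure only. With 2, a client must authenticate to AD and hold
#    update rights on the zone before it can change a record.
foreach ($zone in $VoiceZone, $ReverseZone) {
    dnscmd $Server /Config $zone /AllowUpdate 2
}

# 4. Check: /ZoneInfo dumps the zone's settings. The update setting should
#    read 2 and the zone should show as DS-integrated.
foreach ($zone in $VoiceZone, $ReverseZone) {
    dnscmd $Server /ZoneInfo $zone | Select-String 'type|update|integrat'
}

# As Kevin notes, the voice DC sits in another domain: for it to register into
# this zone under secure-only updates there must be a trust between the two
# domains and the voice server must be granted update rights on the zone's
# ACL (DNS console, zone Properties, Security tab). Those steps are manual
# and are not scripted here.
```

The point of step 3 is the one Kevin calls SECURITY: anyone can read the zone, but only an authenticated, authorised principal can write to it, so a machine on an untrusted subnet cannot overwrite a record for a DC or the Exchange server.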
Kevin,
Thanks for your reply and I apologize for the delay in my response.

I think I'm confusing myself; we are about to attempt public internet access.
I've not configured DHCP or DNS for non-AD devices or users. I think that is
where I'm making it more difficult than it needs to be.

Should I just set up a DHCP scope and point the DNS settings to my ISP's or to
my DNS servers (an AD-integrated reverse lookup zone, so it replicates between
my two DCs)?
Thanks again,
 
With AD, you should always only use the internal DNS addresses for DHCP
Option 006. Your DNS will resolve the external queries for your clients. You
can specify both of your DCs as the first and second DNS entries.

You can also configure a forwarder in your DNS to send external queries to
the ISP's. If you are not sure how to do that, read this article:

How to configure DNS for Internet access in Windows Server 2003 (a step-by-step
guide to configuring DNS for Internet access in the Windows Server 2003 products):
http://support.microsoft.com/kb/323380


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield
 
Thanks Ace,
What I mean is for computers that we don't want on our internal network,
like a Starbucks or a Barnes and Noble bookstore.
We have our internal network on one subnet, then offer wireless as well as a
few public access hardwired PCs on a different subnet.
Do I set this scope up with our internal DNS IPs or our ISP's DNS?
Same question about a website in a DMZ: point to internal DNS or ISP DNS?

I may be all wrong and not have a valid concern, but if a public wireless user
runs ipconfig /all, then they have the IP of our DC. Again, maybe I'm
concerned for nothing, but I would think having the specific IP would give
them a good target. And yes, we do have all traffic other than outbound
internet traffic blocked by our router. Hopefully my concern is all for naught.

I've seen and read a few documents, including the one you pointed out, but
nothing that really discusses AD network traffic versus non-AD traffic (I'll
call it that), meaning users and machines that are not authenticated.
Thanks again for your time and responses to all the posts.
Tom
 
Ok, I see. I would probably set up one or possibly two internal DNS servers
that are not part of the AD infrastructure to handle this and have them
forward out. This will reduce resolution traffic on your line. I would also
harden the installation to disable NetBIOS and File & Print services,
possibly even use a Security Template, if I remember the name of the
template, such as the HiSecureServer template. This will reduce the
machine's exposure surface, but of course you want to make sure only TCP and
UDP 53 are accessible.

Yes, they will see the DNS server if they are technical folks, but then
again, what are they going to do with it, especially if it's tightened down?
You can also choose to use the ISP's to reduce your own resources and
security headaches. :-)

Ace
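Ace's two replies above give the split: the internal scope hands out only the DCs as DNS servers (DHCP option 006) and the DCs forward Internet queries to the ISP, while the public wireless/kiosk subnet gets a separate resolver that is not a DC, hosts no zones and only forwards. The script below is an added example, not the posters' own commands, using netsh dhcp and dnscmd.exe (Support Tools). The subnets 10.1.0.0/24 (internal) and 10.2.0.0/24 (guest), the DCs 10.1.0.10 and 10.1.0.11, the guest resolver 10.2.0.5, the ISP resolvers 203.0.113.53 and 203.0.113.54, and the domain name data.example.local are assumptions. The last section is the check Tom's concern calls for, run from a machine on the guest subnet.

```powershell
# Added example (not from the thread). All addresses and names are assumed:
#   10.1.0.0/24   internal data subnet, DCs at 10.1.0.10 and 10.1.0.11
#   10.2.0.0/24   public wireless / kiosk subnet, standalone resolver 10.2.0.5
#   203.0.113.53, 203.0.113.54   the ISP's resolvers
#   data.example.local   the AD data domain
# Run the DHCP and DC parts as a Domain Admin on the internal subnet.

$DhcpServer  = 'DATADC1'
$InternalDns = '10.1.0.10', '10.1.0.11'
$GuestDns    = '10.2.0.5'
$IspDns      = '203.0.113.53', '203.0.113.54'

# --- Internal scope: option 006 lists only the internal (AD) DNS servers, as
#     Ace's first reply says. Internal clients must never get the ISP's
#     resolvers, or AD lookups (SRV records for DCs) break.
netsh dhcp server "\\$DhcpServer" scope 10.1.0.0 set optionvalue 006 IPADDRESS $InternalDns

# --- The DCs resolve Internet names for those clients through a forwarder to
#     the ISP (the KB 323380 setup). Applied to each DC's DNS service.
foreach ($dc in $InternalDns) {
    dnscmd $dc /ResetForwarders $IspDns
}

# --- Guest scope: its own address range and router, and a DNS server that is
#     NOT a DC, so ipconfig /all on a guest machine never reveals a DC address.
netsh dhcp server "\\$DhcpServer" add scope 10.2.0.0 255.255.255.0 "Public wireless" "Guest and kiosk PCs"
netsh dhcp server "\\$DhcpServer" scope 10.2.0.0 add iprange 10.2.0.50 10.2.0.200
netsh dhcp server "\\$DhcpServer" scope 10.2.0.0 set optionvalue 003 IPADDRESS 10.2.0.1
netsh dhcp server "\\$DhcpServer" scope 10.2.0.0 set optionvalue 006 IPADDRESS $GuestDns

# --- The guest resolver hosts no zones and only forwards to the ISP, so there
#     is nothing internal to learn from it even when a guest queries it
#     directly. (Restricting the box to TCP/UDP 53 and disabling NetBIOS and
#     File & Print, as Ace recommends, is done on that host and not shown.)
dnscmd $GuestDns /ResetForwarders $IspDns

# --- Check, run from a machine on the guest subnet. Expected results:
#     1. the guest resolver has no DC locator (SRV) records for the domain,
#        so the query returns a non-existent-domain answer from the ISP;
#     2. a query sent straight to a DC times out, because the router blocks
#        everything except outbound Internet traffic from the guest subnet.
$Dc1 = $InternalDns[0]
nslookup -type=SRV _ldap._tcp.dc._msdcs.data.example.local $GuestDns
nslookup -timeout=3 www.example.com $Dc1
```

If the second nslookup returns an answer, the guest subnet can reach a DC on port 53 and the router rule Tom describes is not doing what he expects; that is the first thing to fix before worrying about what a guest can do with the address.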
 