HELP/heterogenous/multiple domains/split dns

  • Thread starter Thread starter Matt
  • Start date Start date
M

Matt

This post, if anyone is willing to participate may go on for a while. I am
hoping to create a dialog for my sake as well as the sake of others. If you
wish to participate and have useful input, please by all means I'd
appreciate your help.

I recently took a job at a company where I am tasked with "cleaning up the
dns." It was presented as an easy task and I think it may be harder and
will encompass more than just a flick of a switch. Without further ado,
here is the environment:

One forest.
One domain tree we'll call domain.com.
Eight child domains of domain.com e.g. abc.domain.com.
Six physical multi-continental sites - no logical sites used in active
directory.
Two domain controllers in the root domain domain.com we'll call the
controllers AD01.domain.com and AD02.domain.com.
Each of the eight domains has one domain controller and every one is a
global catalog.
AD01 (win2k3) runs a third party DNS package called Meta IP from
www.metainfo.com.
AD02 (win2k) runs win2k DNS as secondary's for all the zones on AD01.
Nothing is active directory integrated.
No remote sites have dns servers. The remote sites all point backwards
across the world to AD01 thru WAN links.
AD01 is set to forward to unix servers in our DMZ that host our public zones
(stupid).

My goal is to get rid of Meta IP and make every physical site have its own
active directory integrated DNS server.

Where is a good place to start. I feel overwhelmed!!!

I know this is a hodge podge of info and may not be enough. that is why i
am trying to start a dialog.

Please respond back with questions if you have them.

Thank you
Matt
 
In
Matt said:
This post, if anyone is willing to participate may go on for a while.
I am hoping to create a dialog for my sake as well as the sake of
others. If you wish to participate and have useful input, please by
all means I'd appreciate your help.

I recently took a job at a company where I am tasked with "cleaning
up the dns." It was presented as an easy task and I think it may be
harder and will encompass more than just a flick of a switch.
Without further ado, here is the environment:

One forest.
One domain tree we'll call domain.com.
Eight child domains of domain.com e.g. abc.domain.com.
Six physical multi-continental sites - no logical sites used in active
directory.
Two domain controllers in the root domain domain.com we'll call the
controllers AD01.domain.com and AD02.domain.com.
Each of the eight domains has one domain controller and every one is a
global catalog.
AD01 (win2k3) runs a third party DNS package called Meta IP from
www.metainfo.com.
AD02 (win2k) runs win2k DNS as secondary's for all the zones on AD01.
Nothing is active directory integrated.
No remote sites have dns servers. The remote sites all point
backwards across the world to AD01 thru WAN links.
AD01 is set to forward to unix servers in our DMZ that host our
public zones (stupid).

My goal is to get rid of Meta IP and make every physical site have
its own active directory integrated DNS server.

Where is a good place to start. I feel overwhelmed!!!

I know this is a hodge podge of info and may not be enough. that is
why i am trying to start a dialog.

Please respond back with questions if you have them.

Thank you
Matt

Easiest method (do this on a weekend), in a nutshell:

- Eliminate MetaIP.
- Install DNS on each DC in domain.com
- Point all machines in domain.com to the DNS servers you just installed (no
others, no ISP's)
- Create the zone on one of those servers, and make it AD Integrated. Create
the zone on the other DC(s) and also make them AD Integrated.
- Install DNS on each DC in all 8 child domains.
- Point all machines in each child domain to their respective DNS servers
only (no others, no ISP's).
- Create only the child zones respective to each child domain. Do not create
any other zone, just the child zones. Make them AD Integrated.
- Create delegations for each child domain from domain'com's DNS servers. In
the domain.com's DNS server, under the domain.com zone, rt-click, new
delegation, type in the first part of the name of a child domain. Specifiy
the respective DNS server(s) in teh child domains by FQDN and IP. Repeat for
all child domains.
- In each child domain's DNS server(s) individually create a forwarder back
to one of the DNS servers in domain.com
- In the domain.com's DNS server(s), configure a forwarder to the ISP's DNS
server.

You should be good to go...

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
question 1: what is the need for multiple domains in your opinion and how do
those needs weigh against the administrative somplexity added?

"Create only the child zones respective to each child domain. Do not create
any other zone, just the child zones. Make them AD Integrated. "

am i creating these on the child domain dns server?
 
In
Matt said:
question 1: what is the need for multiple domains in your opinion
and how do those needs weigh against the administrative somplexity
added?

Mutliple domains usually indicate separate functions or divisions in an
entity that have their own administrators at their respective location. Keep
in mind, a domain is a logical boundary as well as a security boundary. Each
domain has their own 'domain admins", just as each house on a block has
their own owner, but yet, the whole block has a significant common theme.

This is soley based on your company's requirements and business needs. Take
for example the US Armed Forces. Each division has their own single domain.
Each base is an OU. WIth this there is centralized administration and
control and administrators are kept to a MINIMUM. It depends on YOUR needs
and requirements.
"Create only the child zones respective to each child domain. Do not
create any other zone, just the child zones. Make them AD Integrated.
"

am i creating these on the child domain dns server?

Yes you are. :-)

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

Use the above guidelines for EACH domain. Add to this, the forwarding
configuration I previously mentioned.

Cheers!

Ace
 
In each child domain's DNS server(s) individually create a forwarder back to one of the DNS servers in domain.com .... if you don't mind all DNS traffic that deals with other people's domain names to flow through a single point of failure.  If you do mind, use a stub "zone" instead, thus permitting each of the "child" DNS servers to perform query resolution locally themselves.
In the domain.com's DNS server(s), configure a forwarder to the ISP's DNS server.
.... if that is in fact the appropriate thing to do (which it may or may not be, according to exact circumstance).
 
Back
Top