heterogeneous


Matt

This post, if anyone is willing to participate may go on for a while. I am
hoping to create a dialog for my sake as well as the sake of others. If you
wish to participate and have useful input, please by all means I'd
appreciate your help.

I recently took a job at a company where I am tasked with "cleaning up the
dns." It was presented as an easy task and I think it may be harder and
will encompass more than just a flick of a switch. Without further ado,
here is the environment:

One forest.
One domain tree we'll call domain.com.
Eight child domains of domain.com e.g. abc.domain.com.
Six physical multi-continental sites - no logical sites used in active
directory.
Two domain controllers in the root domain domain.com we'll call the
controllers AD01.domain.com and AD02.domain.com.
Each of the eight domains has one domain controller and every one is a
global catalog.
AD01 (win2k3) runs a third party DNS package called Meta IP from
www.metainfo.com.
AD02 (win2k) runs win2k DNS as secondaries for all the zones on AD01.
Nothing is active directory integrated.
No remote sites have DNS servers. The remote sites all point backwards
across the world to AD01 through WAN links.
AD01 is set to forward to Unix servers in our DMZ that host our public zones.

My goal is to get rid of Meta IP and make every physical site have its own
active directory integrated DNS server.

Where is a good place to start? I feel overwhelmed!!!

I know this is a hodgepodge of info and may not be enough. That is why I
am trying to start a dialog.

Please respond back with questions if you have them.

Thank you
Matt
 
Matt said:
This post, if anyone is willing to participate may go on
for a while. I am hoping to create a dialog for my sake
as well as the sake of others. If you wish to
participate and have useful input, please by all means
I'd appreciate your help.
<snip>
Does the Win2k3 have a zone '_msdcs.domain.com'? If not, you will need to
create that zone and have a copy on all DNS servers. This zone holds the
Global Catalog records and is needed on all DNS servers unless you forward
all child DNS servers to the root domain DNS.
Then in the domain.com zone you will need a delegation for all the child
domains, and each child DNS will need a zone for 'child.domain.com'. If the
children are Win2k DNS servers they will have to forward to the root DNS server,
which will hold delegations for the other child domains. This makes sure all
DNS servers can resolve all sites. You can alternately have a copy of the
root domain zone on all DNS servers.

If the child DNS is Win2k3 then you can set conditional forwarders for all
the remote domains, pointing to the proper DNS server for each domain.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248
817470 - HOW TO Reconfigure an _msdcs Subdomain to a Forest-wide DNS
Application Directory Partition When You Upgrade from Win:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817470
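The steps in the reply above (a forest-wide _msdcs zone, delegations from domain.com to each child, conditional forwarders on the child servers, forwarding to the DMZ resolvers) expressed as a script. This is an added example, not code from the thread or from Microsoft: it uses the DnsServer PowerShell module that shipped with Windows Server 2012 and later, whereas the Win2k/2k3 servers in the thread were configured through the DNS console or dnscmd. The zone, host and address values are placeholders. One point the thread does not spell out: "secure only" dynamic updates (Kerberos-authenticated, so only the owning machine account can overwrite a record) are only available on AD-integrated zones, which is a concrete reason to convert the file-backed Meta IP / secondary zones rather than merely replace the product.

```powershell
# Added example (not from the thread). Assumes the DnsServer module on
# Windows Server 2012+; zone, DC and IP values are placeholders.
# Run on the root-domain DC/DNS server (AD01) as an administrator.
Import-Module DnsServer

$RootZone     = 'domain.com'
$ChildDomains = @(
    @{ Name = 'abc'; Dc = 'dc01.abc.domain.com'; Ip = '10.1.0.10' }
    @{ Name = 'def'; Dc = 'dc01.def.domain.com'; Ip = '10.2.0.10' }
)
$DmzForwarders = @('192.0.2.10', '192.0.2.11')   # placeholder DMZ resolvers

# 1. Turn the file-backed primary for domain.com into an AD-integrated zone.
#    -ReplicationScope Domain puts it on every DNS server that is a DC in domain.com.
ConvertTo-DnsServerPrimaryZone -Name $RootZone -ReplicationScope Domain -Force

# Secure-only dynamic update: a record can only be changed by the account that
# registered it. NonsecureAndSecure lets any host on the network overwrite it.
Set-DnsServerPrimaryZone -Name $RootZone -DynamicUpdate Secure

# 2. Forest-wide _msdcs zone for the DC/GC locator records, replicated to every
#    DNS server in the forest so no child has to go back to the root for it.
if (-not (Get-DnsServerZone -Name "_msdcs.$RootZone" -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name "_msdcs.$RootZone" -ReplicationScope Forest -DynamicUpdate Secure
}

# 3. Delegate each child from domain.com to the child's DC, and add a
#    forest-replicated conditional forwarder so every DNS server resolves the
#    child directly instead of walking the delegation through the root.
foreach ($c in $ChildDomains) {
    $fqdn = "$($c.Name).$RootZone"
    Add-DnsServerZoneDelegation -Name $RootZone -ChildZoneName $c.Name `
        -NameServer $c.Dc -IPAddress $c.Ip
    Add-DnsServerConditionalForwarderZone -Name $fqdn -MasterServers $c.Ip `
        -ReplicationScope Forest
}

# 4. Everything else goes to the DMZ resolvers; do not fall back to root hints,
#    so internal DCs never talk to the Internet directly.
Set-DnsServerForwarder -IPAddress $DmzForwarders -UseRootHint $false

# 5. Checks: the SRV records clients use to find a DC and a GC must answer,
#    and every AD-integrated zone must be secure-update only.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootZone" -Type SRV
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$RootZone" -Type SRV
nltest /dsgetdc:$RootZone /gc
Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate   # should return nothing
```

Run the conversion during a change window: ConvertTo-DnsServerPrimaryZone takes the zone out of file storage, so AD02's secondary copy stops being meaningful and should be deleted and replaced by making AD02 a DC-hosted AD-integrated copy. The final query is the one to keep as a recurring check; a zone that shows NonsecureAndSecure is one any domain member (or anything spoofing one) can poison.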
 
I don't think your task is that daunting.. and once you start into it,
I think you will feel the same. Just take your time.

I did see one item of concern in your notes. You say that you have 8
physical sites (not AD sites). So, I am assuming you mean that in AD
they are all in the same site. If so, you may want to set up sites for each
domain, mostly for replication. If they are all in the same site you
are looking at additional replication traffic that may not be necessary.
Inter-site replication is 3 hours versus 15 seconds for intra-site (which
is what it sounds like you have set up). If your physical
connections are all high speed, then that may be acceptable. Just a
thought.

Also, why not use the DNS provided by Microsoft? It works great.

regards
doug
 
What is your opinion on the need for multiple domains? Is it necessary, and
if so, under what circumstances? How does that weigh against the
administrative complexity?

I appreciate your time and the answer you gave was very detailed and helpful.
 
Matt said:
What is your opinion on the need for multiple domains?
Is it necessary, and if so, under what circumstances? How
does that weigh against the administrative complexity?

I guess this depends on the size of your organization. Multiple domains
mean you'll have multiple administrators, because each domain has its own
security. IMO, it is better under most circumstances to have one domain
divided into organizational units and delegate certain administrative tasks.
 
Matt said:
This post, if anyone is willing to participate may go on for a while.
I am hoping to create a dialog for my sake as well as the sake of
others. If you wish to participate and have useful input, please by
all means I'd appreciate your help.
<snip>

So Matt, after the multiple threads and responses, which scenario do you
think is best suited for your company?

Maybe if you can tell us a little about your company requirements,
divisions, and if they have administrators at the international locations,
we can focus on a more meaningful suggestion for your scenario.

Don't forget to add to your list, creating the physical sites and subnet
objects in AD. That will help control logon and replication traffic.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
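Both doug's point about replication and Ace's reminder to create site and subnet objects come down to the same change: one AD site per physical location, a subnet object that maps each location's address range to its site, and site links between them. This is an added example, not code from the thread; it uses the ActiveDirectory module's replication cmdlets (Windows Server 2012 and later, so not what the Win2k/2k3 servers in the thread would have used), and the site names, subnets, DC names and link schedule are placeholders. It assumes, as the thread describes, that every DC currently sits in Default-First-Site-Name.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module on
# Windows Server 2012+; site names, subnets and DC names are placeholders.
Import-Module ActiveDirectory

$Hub   = 'HQ'
$Sites = @(
    @{ Name = 'HQ';     Subnets = @('10.0.0.0/16'); Dcs = @('AD01', 'AD02') }
    @{ Name = 'London'; Subnets = @('10.1.0.0/16'); Dcs = @('DC01-ABC') }
    @{ Name = 'Tokyo';  Subnets = @('10.2.0.0/16'); Dcs = @('DC01-DEF') }
)

# Every DC is in the default site today; rename it to the hub rather than
# create a second site and leave the default one empty.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName $Hub }

# Sites and subnets first. The subnet object is what ties a client's IP to a
# site, so logons and GC lookups go to the local DC instead of over the WAN.
foreach ($s in $Sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    foreach ($net in $s.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$net'")) {
            New-ADReplicationSubnet -Name $net -Site $s.Name
        }
    }
}

# Hub-and-spoke site links before any DC is moved, so a relocated DC always has
# a replication path. 180 minutes is the default inter-site interval; 60 is a
# common compromise for WAN links that can carry it.
foreach ($s in $Sites | Where-Object { $_.Name -ne $Hub }) {
    $link = "$Hub-$($s.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $Hub, $s.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
    }
}

# Now move each DC into the site that matches its subnet.
foreach ($s in $Sites) {
    foreach ($dc in $s.Dcs) { Move-ADDirectoryServer -Identity $dc -Site $s.Name }
}

# The default link now only duplicates the explicit ones; remove it so the
# topology is exactly what was declared above.
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false -ErrorAction SilentlyContinue

# Checks: which site this host lands in, that a DC is located for a remote
# site, and that no subnet is left unassigned.
nltest /dsgetsite
nltest /dsgetdc:domain.com /site:London
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
```

After the move, watch `repadmin /replsummary` for a full interval: a DC that shows no inbound partners has been put in a site with no link to it, which is the failure mode the ordering above (links before moves) is meant to avoid.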
 
Thanks for your response and sorry for the delay. The organization has
inherited garbage in its network because it used to be two physically
separate networks in one building run by two separate departments...one
engineering and one data processing. The multiple domains were set up in the
original NT networks. When the two separate networks were connected they
established trusts to allow the users to share info. When the migration was
made to win2k/2k3 they kept the multiple domain model. They also had no
sites in AD, yet they have six physical sites around the world.

I personally think the administrative overhead and complexity make it
unnecessary. In this environment it makes more sense to have one forest root
and one domain tree and then multiple OUs containing servers and users, with
delegation if necessary.

I am hoping to gain more information to present to the director as to why we
should move away from this model and to the one root, one tree model. All I
have now, it seems, is just "because your way sucks" and I know that isn't
enough to sell my idea.
 
Matt said:
Thanks for your response and sorry for the delay. The organization has
inherited garbage in its network because it used to be two physically
separate networks in one building run by two separate
departments...one engineering and one data processing.
<snip>

Good point. You'll have to make a good case to sell your idea in a logical
fashion. The way I see it, and as I explained about reasons to have/not have
multiple domains, it comes down to administration and security. If your office
is in control of all locations, then the idea is to have just the one domain
(the forest root domain only, no others), create OUs for each location,
then delegate full control of each OU to its respective remote location.
That gives you complete control and minimizes issues with the security of
your infrastructure. Multiple domains, unless absolutely necessary (that is,
if each location needs full control of the whole domain and is a separate
administrative entity), are administrative overhead and a security risk if
you need centralized control. So far, from what you've posted, it appears the
central admin model with only one domain may be better suited to your
company's needs.

Wish you luck!


Ace
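Ace's model above (one domain, one OU per location, full control of that OU delegated to the local admins) as a script. This is an added example, not code from the thread: it uses the ActiveDirectory module plus the built-in dsacls.exe, and the domain name, NetBIOS name, location and group names are placeholders. The security caveat a practitioner would add to Ace's argument: full control of an OU means the local group can reset passwords and modify every object under it, so the Domain Controllers OU and any domain-wide privileged accounts must never live inside a delegated OU, and the ACE must be granted on the location OU only, never on the domain root.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# dsacls.exe; 'domain.com' / 'DOMAIN' and the location names are placeholders.
Import-Module ActiveDirectory

$DomainDn  = 'DC=domain,DC=com'
$NetBios   = 'DOMAIN'
$Locations = @('London', 'Tokyo')

foreach ($loc in $Locations) {
    $ouDn = "OU=$loc,$DomainDn"

    # One top-level OU per location; protected so a delegated admin cannot
    # delete the whole subtree by accident.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$loc'" -SearchBase $DomainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $loc -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }

    # Separate containers so GPOs for users, workstations and servers can be
    # linked independently.
    foreach ($sub in 'Users', 'Computers', 'Servers') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$sub'" -SearchBase $ouDn -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $ouDn
        }
    }

    # A per-location admin group, itself stored inside the OU it administers.
    $grp = "$loc-Admins"
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -Path $ouDn
    }

    # Full control (GA = generic all) on this OU and everything below it
    # (/I:T). Nothing is granted above the OU.
    dsacls $ouDn /I:T /G "${NetBios}\${grp}:GA"
}

# Checks: the ACE must appear on the location OU and must NOT appear on the
# domain root or on the Domain Controllers OU.
foreach ($loc in $Locations) {
    $grp = "$loc-Admins"
    "== $grp on OU=$loc (expected):"
    dsacls "OU=$loc,$DomainDn" | Select-String $grp
    "== $grp on domain root (expected empty):"
    dsacls $DomainDn | Select-String $grp
    "== $grp on Domain Controllers (expected empty):"
    dsacls "OU=Domain Controllers,$DomainDn" | Select-String $grp
}
```

If a location later needs less than full control (say, password resets only), replace the `:GA` grant with the specific rights dsacls supports on the relevant object classes; the OU layout above does not change.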
 
M> This post, if anyone is willing to participate may go on for a while.

Indeed. This is, after all, the fourth time that you've posted it,
starting a new thread. How many repeats are you planning to have?
 