new namespace structure versus DNS structure


Chris

Hi, I'm planning an AD design for my company that has the current structure:
NT4 domain in Europe -- approx. 50 users, Exchange 5.5 server
NT4 domain in USA -- approx. 50 users, Exchange 5.5 server
Site-Site VPN exists as the WAN connection
internal DNS on PDC's in each location
external DNS located offsite for company.com and delegated
us.company.com

Both domains are administered separately as they arose from different
companies. Now through acquisitions, we are a single company (let's call it
"company.com"). I manage the USA domain and am initiating the AD plan. I
am proposing the following scenario for scalability:
Create empty dedicated forest root domain: forestroot.corp
Create new domain tree in above forest: us.company.com
*created with an upgrade to my NT4 PDC to Win2003
(Europe will eventually create new domain tree: eur.company.com)
*again as an upgrade to their NT4 PDC

Here are my concerns:
(1) Can I locate internal DNS on the forestroot.corp DC for itself and the
us.company.com domains or should I leave DNS on the us.company.com DC as it
is now (on the NT4 PDC)?
(2) Should there be a 2nd forestroot.corp DC in Europe for redundancy?
(3) if #2 is yes, what traffic can I expect between these DC's?
(4) I know about extra DNS admin work for external lookups, but in this case
would anyone consider using a private internal namespace such as "us.corp"?

Thanks in advance!

Chris
 
Chris said:
Hi, I'm planning an AD design for my company that has the current
structure: NT4 domain in Europe -- approx. 50 users, Exchange 5.5
server NT4 domain in USA -- approx. 50 users, Exchange 5.5 server
Site-Site VPN exists as the WAN connection
internal DNS on PDC's in each location
external DNS located offsite for company.com and delegated
us.company.com

Both domains are administered separately as they arose from different
companies. Now through acquisitions, we are a single company (let's
call it "company.com"). I manage the USA domain and am initiating
the AD plan. I am proposing the following scenario for scalability:
Create empty dedicated forest root domain: forestroot.corp
Create new domain tree in above forest: us.company.com
*created with an upgrade to my NT4 PDC to Win2003
(Europe will eventually create new domain tree: eur.company.com)
*again as an upgrade to their NT4 PDC

Here are my concerns:
(1) Can I locate internal DNS on the forestroot.corp DC for itself
and the us.company.com domains or should I leave DNS on the
us.company.com DC as it is now (on the NT4 PDC)?

Yes you can, so long as you set up a trust between the two
domains (forestroot.corp and us.company.com). Setting the namespace up this
way does not give you the same parent-child DNS hierarchy as it would if the
parent was company.com and us.company.com.
(2) Should there be a 2nd forestroot.corp DC in Europe for redundancy?
Yes, and it would be highly recommended. In fact, if you do not run DNS on
the eu.company.com and us.company.com DCs and only use the forestroot.corp DC
for DNS, and you make the zones AD integrated, you will have DNS resolution for
both the us and eu domains without having to create secondary zones for the
other locally.
IMO, if you really want clean resolution in the forest you should start
with a parent named company.com, then create them as children like
us.company.com and eu.company.com. Let the parent DC host all DNS for all
three domains in one forward lookup zone named company.com. That zone would
be replicated throughout the enterprise so you can easily resolve Europe
from the US and vice versa, plus it will allow you to keep the same hierarchy
throughout the forest.

(3) if #2 is yes, what traffic can I expect between these DC's?

The initial replication could be rather large, but after the
setup is done it will only replicate the changed AD data.
(4) I know about extra DNS admin work for external lookups, but in
this case would anyone consider using a private internal namespace
such as "us.corp"?

This is basically a political decision, but corp is a legal TLD: not in the
ICANN root, but it does exist in the ORSC Root.

 
Yes you can, so long as you set up a trust between the two
domains (forestroot.corp and us.company.com). Setting the namespace up this
way does not give you the same parent-child DNS hierarchy as it would if the
parent was company.com and us.company.com.
Chris, you can't have a Win2000 Domain DNS on NT4, so when you create
the new forestroot, that will *have* to have a new DNS server.
Alternatively, you could move the DNS to a Win2000 standalone server
in the us.company.com domain before installing the forestroot.

Kevin, my ignorance I guess, but I don't see why trusts have to be set
up for so far as DNS is concerned. For interim access to resources,
yes, but not for DNS. I must be missing something?
Yes, and it would be highly recommended. In fact, if you do not run DNS on
the eu.company.com and us.company.com DCs and only use the forestroot.corp DC
for DNS, and you make the zones AD integrated, you will have DNS resolution for
both the us and eu domains without having to create secondary zones for the
other locally.

Kevin, I thought that AD Integrated DNS is only replicated *within* a
Domain. Am I wrong in this? Surely the treeroots (to coin a phrase),
being a separate Domain, will not replicate DNS information with the
forestroot?
IMO, if you really want clean resolution in the forest you should start
with a parent named company.com, then create them as children like
us.company.com and eu.company.com. Let the parent DC host all DNS for all
three domains in one forward lookup zone named company.com. That zone would
be replicated throughout the enterprise so you can easily resolve Europe
from the US and vice versa, plus it will allow you to keep the same hierarchy
throughout the forest.
Having a "generic" forest root could protect somewhat against company
name changes, though.

Cheers,

Cliff
 
Enkidu said:
Chris, you can't have a Win2000 Domain DNS on NT4, so when you create
the new forestroot, that will *have* to have a new DNS server.
Alternatively, you could move the DNS to a Win2000 standalone server
in the us.company.com domain before installing the forestroot.

Kevin, my ignorance I guess, but I don't see why trusts have to be set
up for so far as DNS is concerned. For interim access to resources,
yes, but not for DNS. I must be missing something?

Kevin, I thought that AD Integrated DNS is only replicated *within* a
Domain. Am I wrong in this? Surely the treeroots (to coin a phrase),
being a separate Domain, will not replicate DNS information with the
forestroot?

Having a "generic" forest root could protect somewhat against company
name changes, though.

Cheers,

Cliff
You are correct, it would only replicate within the same domain. That is why
I said use the forestroot domain for DNS for all domains. Then the DNS
records for all domains are in one domain; just have a forestroot DC at all
locations to handle DNS for you.
It would be much easier to have interconnectivity between the domains. Even
if nobody authenticates to the forestroot domain, it would be responsible
for DNS replication and could act as the global catalog for each location.
It could also host forest-wide shares.

Am I making more sense now?
 
Kevin D. Goodknecht said:
You are correct, it would only replicate within the same domain. That is why
I said use the forestroot domain for DNS for all domains. Then the DNS
records for all domains are in one domain; just have a forestroot DC at all
locations to handle DNS for you.
It would be much easier to have interconnectivity between the domains. Even
if nobody authenticates to the forestroot domain, it would be responsible
for DNS replication and could act as the global catalog for each location.
It could also host forest-wide shares.

Am I making more sense now?

Thanks for the info guys. First, Kevin, I don't see why I have to have a
trust between the 2 domains either...I thought this was implicitly
transitive. And, the reason I didn't want the top level company.com as the
forestroot domain is for company name changes or acquisitions/mergers...this
has happened 3 times since I started with the company. I understand
breaking off one of the trees into a separate entity would be easy with the
generic forestroot domain.

Second, Cliff, I wasn't referring to running DNS on NT4. I meant my NT4 PDC
currently runs the internal DNS services and when I upgrade the machine, I
would reinstall DNS to maintain continuity.

Now, if I use my forestroot DC for all DNS, do I have to precreate the DNS
zones there for the new trees (us.company.com and eur.company.com) or will
they be automatically created during the promotion? Also, I read a while
back about changing the DNS suffix to the new domain prior to upgrading NT4
so that DNS properly registers the records...is this still proper
procedure/recommendation? (In my test lab, it seemed to help because
without doing this, all my DDNS records reflected the FQDN of the server
with its previous NT4 domain name.)

Thanks again!

Chris
 
Chris said:
Thanks for the info guys. First, Kevin, I don't see why I have to
have a trust between the 2 domains either...I thought this was
implicitly transitive.
Well, yes it is, if at DCPROMO you select new domain in an existing forest.

And, the reason I didn't want the top level
company.com as the forestroot domain is for company name changes or
acquisitions/mergers...this has happened 3 times since I started with
the company. I understand breaking off one of the trees into a
separate entity would be easy with the generic forestroot domain.

Second, Cliff, I wasn't referring to running DNS on NT4. I meant my
NT4 PDC currently runs the internal DNS services and when I upgrade
the machine, I would reinstall DNS to maintain continuity.

Now, if I use my forestroot DC for all DNS, do I have to precreate
the DNS zones there for the new trees (us.company.com and
eur.company.com) or will they be automatically created during the
promotion?
You would only need to create the zone; DDNS will create the records for
you if you have dynamic updates allowed. But the nice thing about doing it
this way is that the zones are replicated throughout all DCs in the domain. If
all domains are using the DCs in this domain, you won't have to come back and
ask how to get the European domain to resolve the US domain.

Also, I read a while back about changing the DNS suffix to
the new domain prior to upgrading NT4 so that DNS properly registers
the records...is this still proper procedure/recommendation?
You will need to change the suffix on the NT4 machines before you upgrade,
change it to the DNS name of the planned Win2k Domain. This will make sure
the machine has the proper Primary DNS suffix after the upgrade and prevents
a disjointed name space after DCPROMO.

(In my
test lab, it seemed to help because without doing this, all my DDNS
records reflected the FQDN of the server with its previous NT4
domain name.)

Yes, this will cause problems: whatever the domain suffix is in TCP/IP on NT4
before the upgrade, Win2k "adopts" it as its Primary DNS suffix.
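The hosting rule Kevin and Cliff go back and forth on (an AD-integrated zone replicates only to DCs of the domain that hosts it, so a site answers that zone locally only if it has a DC of that domain) and the pre-upgrade suffix mismatch Chris saw in his lab, modelled as an added example that is not from any of the posts; the site and DC names are constructed:

```python
"""Added example (not from the thread): Win2000-era AD-integrated zones replicate only
within the hosting domain, so a site resolves a zone locally only when a DC of that
domain sits there. Also checks the NT4 DNS-suffix issue raised above. Names are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str        # DNS zone, e.g. us.company.com
    hosted_in: str   # AD domain whose DCs carry this AD-integrated zone

@dataclass
class Site:
    name: str
    dcs: dict        # DC host name -> AD domain that DC belongs to

def local_dns_coverage(sites, zones):
    """Map site -> zone -> True if a DC at that site can answer the zone without the WAN."""
    coverage = {}
    for site in sites:
        local_domains = set(site.dcs.values())
        coverage[site.name] = {z.name: z.hosted_in in local_domains for z in zones}
    return coverage

def wan_dependent_zones(sites, zones):
    """(site, zone) pairs whose resolution must cross the site-to-site VPN, sorted."""
    return sorted((site, zone)
                  for site, cov in local_dns_coverage(sites, zones).items()
                  for zone, ok in cov.items() if not ok)

def disjoint_namespace(primary_dns_suffix, ad_domain):
    """True when the suffix a machine carries into the upgrade differs from its AD
    domain name, which is what left the lab's DDNS records with the old NT4 name."""
    norm = lambda s: s.lower().rstrip(".")
    return norm(primary_dns_suffix) != norm(ad_domain)

# Constructed plan from the thread: forestroot.corp DCs host all three zones.
ZONES = [Zone("forestroot.corp", "forestroot.corp"),
         Zone("us.company.com", "forestroot.corp"),
         Zone("eur.company.com", "forestroot.corp")]
US_ONLY_ROOT = [Site("US", {"usdc1": "us.company.com", "fr1": "forestroot.corp"}),
                Site("Europe", {"eudc1": "eur.company.com"})]
ROOT_AT_BOTH = [Site("US", {"usdc1": "us.company.com", "fr1": "forestroot.corp"}),
                Site("Europe", {"eudc1": "eur.company.com", "fr2": "forestroot.corp"})]

if __name__ == "__main__":
    print("Europe over the WAN for:", wan_dependent_zones(US_ONLY_ROOT, ZONES))
    print("with a forestroot DC in Europe:", wan_dependent_zones(ROOT_AT_BOTH, ZONES))
    print("NT4 suffix 'usdomain' vs us.company.com disjoint?", disjoint_namespace("usdomain", "us.company.com"))
```

With only a US forestroot DC, every zone for the Europe site depends on the VPN; adding a second forestroot DC there (Chris's question 2) clears the list.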
 
You are correct, it would only replicate within the same domain. That is why
I said use the forestroot domain for DNS for all domains. Then the DNS
records for all domains are in one domain; just have a forestroot DC at all
locations to handle DNS for you.
It would be much easier to have interconnectivity between the domains. Even
if nobody authenticates to the forestroot domain, it would be responsible
for DNS replication and could act as the global catalog for each location.
It could also host forest-wide shares.
Yeah, I was thinking of the "Branch Office" scenario, where the BO
would be unlikely to have more than one or maybe two DCs. In such a
scenario having a forestroot DC for DNS as well would probably not be
optimal. A standard secondary (on the DC at the location) would
probably work.

Now I come to think of it, the original scenario seems to imply a
bigger setup than a simple BO at each location.

Cheers,

Cliff
 