Stub Zone

  • Thread starter: Guest

Hello.

I have two sites, one in Detroit and one in Chicago. Each site is running
Windows 2000 Server, SP4. Both servers provide DNS services for the
respective site, forwarding requests to third party DNS servers for all other
requests. The two sites are connected via a VPN, established using a
Smoothwall firewall deployed at each site.

I would like to establish a two-way trust between the sites, however due to
the network setup, neither site is capable of seeing the other via browsing.
You can, of course, map to specific resources as long as you know the IP
address of the box in question. It is my understanding that I could
facilitate site to site name resolution by utilizing stub zones on each site's
DNS server. However, it does not appear that Windows 2000 DNS supports stub
zones, though Windows 2003 DNS does.

Is it possible to configure Windows 2000 DNS to utilize stub zones? If not
is there another way to accomplish my goal? I will willingly admit to not
being a DNS guru, and would greatly appreciate any help.

Thanks!
 
Stub zones are for specific scenarios that warrant such a configuration.
Stubs, although not supported in Win2000, which you have, is a preferred
alternate to using delegation for child domains.

If your two Sites are of the same domain, meaning both DCs in both sites
belong to the same domain, then I don't understand why you want to establish
a trust, since that is already created by default.

Maybe you can elaborate specifically on your infrastructure's configuration,
such as are they in the same domain, different domains in different forests,
or is one a child of the other, or if the same domain, are the zones AD
integrated, etc.

As for "browsing", such as in Network Neighborhood, that is based on the
Browser services, which relies on NetBIOS. However, NetBIOS does not traverse
routers. To achieve the ability for NetBIOS resolution to traverse, you will
need WINS. And yes, if the two sites are completely different domains in
different forests, then NTLM authentication (totally based on NetBIOS), will
be needed to construct a trust, therefore will *require* WINS.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Windows 2000 does not support stub zones, you will have to use secondary
zones.

For Network Places browsing that is not done through AD, you need a WINS
server at each site replicating with each other.

If you publish all your shared resources in Active Directory, you can get
away without using WINS. But, the shared resources must use FQDN, which is
pretty easy if you publish your shared resources in AD. Both Win2k and XP
allow easy searching of Active Directory for shared resources.

HOW TO Create a Container to List Printers in Active Directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;303161

HOW TO Publish Printers in Active Directory in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;321837

How to View Printer Objects in Active Directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;235925

Publishing a Printer in Windows Active Directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;234619

Publishing a Shared Folder in Windows 2000 Active Directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;234582
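
As an added example (not part of the original thread), the secondary-zone approach suggested in the reply above could be set up with dnscmd from the Windows 2000 Support Tools, with zone transfers limited to the partner site's DNS server. The script name, zone names and IP addresses are placeholders constructed for illustration.

```batch
@echo off
rem xsite-dns.cmd (hypothetical name): added example, not from the thread.
rem Run once on EACH site's DNS server with that site's view of the arguments:
rem   xsite-dns.cmd <local-zone> <remote-zone> <remote-dns-ip>
rem Constructed sample values:
rem   Detroit:  xsite-dns.cmd detroit.example.local chicago.example.local 10.2.0.10
rem   Chicago:  xsite-dns.cmd chicago.example.local detroit.example.local 10.1.0.10
rem Requires dnscmd.exe (Windows 2000 Support Tools) and TCP/UDP 53 allowed
rem between the two DNS servers across the VPN (zone transfers use TCP 53).

if "%~3"=="" (
    echo Usage: %~nx0 local-zone remote-zone remote-dns-ip
    goto :eof
)
set LOCAL_ZONE=%~1
set REMOTE_ZONE=%~2
set REMOTE_DNS=%~3

rem 1. Permit transfers of the local zone ONLY to the partner server and
rem    notify it on changes. Avoid /NonSecure, which lets any host pull
rem    the full zone contents.
dnscmd . /ZoneResetSecondaries %LOCAL_ZONE% /SecureList %REMOTE_DNS% /NotifyList %REMOTE_DNS%

rem 2. Create a secondary (read-only) copy of the partner's zone, using the
rem    partner's DNS server as master.
dnscmd . /ZoneAdd %REMOTE_ZONE% /Secondary %REMOTE_DNS% /file %REMOTE_ZONE%.dns

rem 3. Request a transfer now. This fails until step 1 has also been run on
rem    the partner server; re-run this line afterwards if needed.
dnscmd . /ZoneRefresh %REMOTE_ZONE%

rem 4. Check: the local server should now answer for the partner zone.
nslookup -type=SOA %REMOTE_ZONE% 127.0.0.1
```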
 
Hi Ace,

I guess I should have elaborated more regarding site configuration. The two
sites are running separate domains. This is not how I would have preferred
things as both sites are for the same company and should in fact be the same
domain. But, this is what I have in place. Both sites' DNS servers are
integrated with Active Directory.

I was suspecting that I'd need to deploy WINS in order to get browsing to
work the way I'd like. No big deal there, though it would be nice if there
were a way to get Active Directory to do this without the need for WINS,
mainly because I believe the fewer services you need to run, the better off
you are. :-)

After reading your reply, I suspect that my best course of action is simply
to deploy WINS and leave DNS alone.

Thanks for your help.
 
Hi Kevin,


Thanks for replying. I'll give the linked Kbase articles a look.
 
WINS is the answer to cross subnet browsing. Browsing has nothing to do with
DNS.

As far as AD, Kevin mentioned publishing. This won't show up in the
neighborhood, but one can search AD for anything published.

But publishing, printers on a Win2000 or newer machine will auto-publish
when you share the printer. For other objects, such as shares, they would
need to be done manually or scripted.

Ace
 