Windows 2003 DNS & QIP DNS (Reverse Lookup)

[Guest]

Hello, I amlooking for any suggestions with using Windows DNS and QIP. I am
set with forward lookup zones and having my enterprise QIP DNS as a secondary
to the Windows DNS. My question is that my reverse lookup zones are broken.
I cannot use Windows Reverse to query a Unix machine and I cannot use QIP to
query a windows machine. All my windows boxes are running DHCP. My goal is
to use dynamic updates to update the reverse lookup record in QIP and
hopefully windows DNS. Not sure if this is even doable. I simply want to
get reverse DNS lookup's workgroups across platforms. We use QIP as the
enterprise DNS because we have alot of UNIX servers and workstations. Any
ideas would be great.

 

[Steve Duff [MVP]]

Your configuration kind of spells trouble. You need to decide
which DNS you want to use, and take out the secondary. QIP/BIND
cannot participate in AD multi-master replication, so there is
no 'two-way' street you can setup that will insure that DDNS updates
made to either server get propagated reliably to the other.

If your Windows machines are on their own subnet, I'd suggest
you consider using your Windows DNS as the primary (and only)
DNS for those machines, and then place a delegation on the QIP
farm for that reverse subnet and the zone. (A classless reverse
is a little more work, but can be done.) Alternatively you can
setup QIP as a secondary and perform zone pulls from the
Windows DNS.

As long as you configure the QIP servers to accept extended
syntax on the names, you are free to use that server for all DNS
and turn off Windows Server DNS entirely. You lose AD-integration/
replication and secure updates, but otherwise it will work fine.
If you want a simple topology to manage, that is a good way to go.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

 

[Guest]

Steve

What else would i loose if I went to QIP DNS. Would I have any issues with
AD replication or anything like that.

 

[Steve Duff [MVP]]

With any non-Windows DNS Server, you have no
participation in AD replication at all. AD will (and
must) still update the QIP server through DDNS.

The QIP servers must be configured to accept
dynamic updates from your network, and must be
configured to accept extended name syntax. Other
than that, no real issues.

The lack of AD replication for DNS is not usually
much of a problem unless your site is very large or
you have a complex domain topology. With one
DNS server and DC, it becomes almost a non-issue.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

 

[Guest]

My domain structure consist of 15 sites and about 29 domain controllers.
This is a nationwide domain. We use QIP for enterprise DNS because of all
the UNIX hardware. My Enterpise DNS admin wants to integrate the Windows DNS
with QIP but I was not sure of the issues with that. Do you recommend I do
that to resolve the Reverse Lookup problem I am having between os platform
and dns....

 

[Herb Martin]

My domain structure consist of 15 sites and about 29 domain controllers.
This is a nationwide domain. We use QIP for enterprise DNS because of all
the UNIX hardware. My Enterpise DNS admin wants to integrate the Windows DNS
with QIP but I was not sure of the issues with that.

Don't do it. Even though it is technically doable, you will
be very unhappy over time if you don't use a Windows DNS
server (set) for your AD DNS support zone(s.)

If you Unix admins are adamant and you share a zone then
you should ask them to DELEGATE you a child zone for
Windows -- if you already have your Windows 2000+ domains
it is too late to do this.

Do you recommend I do
that to resolve the Reverse Lookup problem I am having between os platform
and dns....

No. If you can get the admins to make the QIP dynamic
then you should be fine, as long as you DHCP (and other
clients) can resolve the QIP-held reverse zones (mostly
a recursion or fowarding issue).

My bet is you don't have resolution working for all possible
forward and reverse zones.

Also note: There is NO technical relationship between a
forward and a reverse zone. (All such relationships are
by human convention.)

 

[Guest]

Can you possibly tell me why you would recommend using QIP for DNS. I am
siding with you here but our "Standards" group will sure ask me why I comment
that I want to keep windows.

 

[Herb Martin]

I am in no way recommending QIP for Windows.

I mean MICROSOFT DNS.

 

[Ace Fekay [MVP]]

In

Can you possibly tell me why you would recommend using QIP for DNS.
I am siding with you here but our "Standards" group will sure ask me
why I comment that I want to keep windows.

I'm not sure but in many cases, DNS can be a political thing when it comes
to the "DNS" admins on the network. AD works ALOT easier with using MS DNS.
It needs no fancy config files or settings, it just works. If you can
delegate the zone from them, and forward back to the BIND servers for the
parent and all other zones, that seems to be your best bet. QIP is ok for
some solution, but I've heard quite a few nasty stories about getting it
config'ed to work seamlessly with AD.

A friend of mine works for a major uiversity in my area. They use BIND. FOr
their departments that use AD, they asked to have the system32\config folder
accessible to them so they can take the netlogon.dns file to use to populate
the required zones manually since they do not want 35,000 transient machines
registering into DNS. For those AD users, they need to get to resources on
the university's network, and they wanted the AD DNS domain name to be a
child of the network, but they don't allow anyone forwarding to it otherwise
imagine all the students abusing the DNS infrastructure (among other things
they attempt to abuse within the network). Their solution worked out fine,
but it requires a bit of manual work, but not that bad.


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Steve Duff [MVP]]

QIP is just BIND+ with some nice features added. It works
OK with AD if properly configured. They pay attention
to Windows domains (unlike the benign hostility of BIND).
If you can live without AD-integrated zones and secure updates
(either of which may even be in the newest cut - I haven't looked), then
it is hard to justify anything much on technical grounds.

However, regardless of platform, it is ALWAYS better to have local
admin control over the DNS server handling your AD domain.

The big reason is that sooner or later, things break in AD and AD
replication. And when they do, being able to drill down in DNS is
really a requirement to isolating what is going on.

So either your handle your own domain. Or you become an admin and
expert in QIP and/or your DNS admins become expert in solving AD problems.
Or sooner AD will break at the worst possible moment and you'll be
participating in an ugly, protracted, 'finger-pointing' exercise. We've all
been there.

From a technical standpoint, the main issue in down-delegating from
a parent server is to avoid forwarding loops. This is usually a solvable
design problem, but it requires co-ordination between your group
and your QIP group and likely some extra 'hair' on the QIP side.

It is a cleaner design and will be simpler for everyone if you just handle
your local zone and ship everything else upstream to the Vital box. In
this latter scenario I cannot see that a reverse delegation (classful or
classless) would be any kind of real problem, thought the DHCP
topology might be.This hierarchical configuration/ delegation is the
way DNS is designed to be used.

But if it is a matter of 'feifdoms,' when you find a solution to that problem,
please let me know

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.