Windows Vista Tips

DC-Based DNS Not Hosting Main Zone

SB
07-09-2009

Greetings all,

Going over MS' documents, it's recommended that for sites that have 150
people or less to not use a Global Catalog and use Universal Group Caching
with a caching-only DNS server. Whenever I install DNS on a DC, it
automatically assumes management of the AD-integrated zone. Is it possible
to have DNS installed on a DC but have it caching-only, or do I have to have
an additional member server at the site to run caching-only DNS?

Just wondering what's possible - TIA!

- SB
Meinolf Weber [MVP-DS]
07-09-2009

Hello SB,

Depending on your connection speed between the sites I would make it always
GC, doesn't matter how many users are there. If you have installed AD integrated
zones on DNS this will replicate automatically to all DCs when they are also DNS
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Greetings all,
>
> Going over MS' documents, it's recommended that for sites that have
> 150 people or less to not use a Global Catalog and use Universal Group
> Caching with a caching-only DNS server. Whenever I install DNS on a
> DC, it automatically assumes management of the AD-integrated zone. Is
> it possible to have DNS installed on a DC but have it caching-only, or
> do I have to have an additional member server at the site to run
> caching-only DNS?
>
> Just wondering what's possible - TIA!
>
> - SB
>
SB
07-09-2009

Hello Meinolf,

Thanks for your reply!

So, what about breaking the sites into their own DNS zones? At the moment
we have just one big AD-integrated zone and our topology is a star with all
major services at the hub. Would it lessen replication traffic to break out
each site into its own zone?

Cheers,

- SB

"Meinolf Weber [MVP-DS]" wrote:

> Hello SB,
>
> Depending on your connection speed between the sites I would make it always
> GC, doesn't matter how many users are there. If you have installed AD integrated
> zones on DNS this will replicate automatically to all DCs when they are also DNS
> servers.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Danny Sanders
07-09-2009

You are lessening the replication traffic by using AD Integrated DNS.

Your sites should be defined by subnet, not DNS zones.

hth
DDS

"SB" <> wrote in message
news:3BE5B4DF-AB87-4517-BE4F-...
> Hello Meinolf,
>
> Thanks for your reply!
>
> So, what about breaking the sites into their own DNS zones? At the moment
> we have just one big AD-integrated zone and our topology is a star with
> all
> major services at the hub. Would it lessen replication traffic to break
> out
> each site into its own zone?
>
> Cheers,
>
> - SB
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello SB,
>>
>> Depending on your connection speed between the sites I would make it
>> always
>> GC, doesn't matter how many users are there. If you have installed AD
>> integrated
>> zones on DNS this will replicate automatically to all DCs when they are also
>> DNS
>> servers.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ace Fekay [Microsoft Certified Trainer]
07-09-2009

"SB" <> wrote in message news:F55E3DA7-36EF-4036-A0FD-...
> Greetings all,
>
> Going over MS' documents, it's recommended that for sites that have 150
> people or less to not use a Global Catalog and use Universal Group Caching
> with a caching-only DNS server. Whenever I install DNS on a DC, it
> automatically assumes management of the AD-integrated zone. Is it possible
> to have DNS installed on a DC but have it caching-only, or do I have to have
> an additional member server at the site to run caching-only DNS?
>
> Just wondering what's possible - TIA!
>
> - SB



In addition to Meinolf's suggestions: if DNS is installed on a DC and the zone is AD integrated, then the zone automatically appears due to AD replication. So you would need to make it a member server if all you want is caching-only. To make it caching only, you simply install DNS, do not create any zones, and configure a forwarder to a DC/DNS in another site.

Also, if there is only one domain, all DCs should be a GC.

Global Catalog vs. Infrastructure Master
"If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs"
http://msmvps.com/blogs/ulfbsimonwei.../08/37975.aspx

Infrastructure Master Education:
"Global catalog and infrastructure master role conflicts only when there are more than one Domain in the Forest. We don't need to worry about single Domain situation." - Mervyn Zhang, MSFT
http://social.answers.microsoft.com/...1-8416bd1d4591

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
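As an added example (not code from any poster in this thread), here is the member-server caching-only setup Ace describes, scripted and then verified in PowerShell. It assumes the Windows Server 2012 or later DnsServer and ActiveDirectory modules, an elevated session on a member server, and constructed placeholder addresses in $HubDns for the hub-site DC/DNS servers.

```powershell
# Added example, not from the thread: make a member server a caching-only DNS
# server (install DNS, create no zones, forward to a DC/DNS in another site)
# and verify the outcome. Assumes Windows Server 2012+ DnsServer/ActiveDirectory
# modules and an elevated session. $HubDns holds constructed placeholder addresses.
$HubDns = @('10.0.0.10', '10.0.0.11')
$cs     = Get-CimInstance Win32_ComputerSystem

# 1. Refuse to run on a DC. DomainRole 4/5 = backup/primary domain controller;
#    a DC with DNS installed loads the AD-integrated zone automatically,
#    so it can never be caching-only.
if ($cs.DomainRole -ge 4) {
    throw "This host is a domain controller (DomainRole=$($cs.DomainRole)); use a member server."
}

# 2. Install the DNS Server role. No zones are created here on purpose.
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# 3. Forward all queries to the hub DC/DNS servers and do not fall back to
#    root hints, so the AD zone is always answered by its authoritative servers.
Set-DnsServerForwarder -IPAddress $HubDns -UseRootHint $false -Timeout 3

# 4. Verify the server hosts no zones besides the auto-created reverse zones
#    and TrustAnchors; anything else means it is not caching-only.
$hosted = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
if ($hosted) {
    throw "Not caching-only; hosted zones: $($hosted.ZoneName -join ', ')"
}

# 5. Verify clients using this server can still locate DCs: the SRV records
#    Ace mentions must resolve through the forwarder.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV `
    -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not $srv) { throw "DC locator SRV records did not resolve via the forwarder" }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 6. Single-domain forest: every DC should also be a GC (Ace's and Meinolf's advice).
Import-Module ActiveDirectory
if ((Get-ADForest).Domains.Count -eq 1) {
    $nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
    if ($nonGc) { Write-Warning "DCs that are not GCs: $($nonGc.HostName -join ', ')" }
}
```

Step 4 is the check that matters for the original question: on a DC the same filter would return the AD-integrated zone, which is exactly why the thread steers a caching-only role to a member server.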
Meinolf Weber [MVP-DS]
07-09-2009

Hello SB,

No, you don't have to create additional zones for the site. They still belong
to the same domain as the main site. As Danny said, AD Sites and Services
has to reflect the site topology.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello Meinolf,
>
> Thanks for your reply!
>
> So, what about breaking the sites into their own DNS zones? At the
> moment we have just one big AD-integrated zone and our topology is a
> star with all major services at the hub. Would it lessen replication
> traffic to break out each site into its own zone?
>
> Cheers,
>
> - SB
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello SB,
>>
>> Depending on your connection speed between the sites I would make it
>> always GC, doesn't matter how many users are there. If you have
>> installed AD integrated zones on DNS this will replicate automatically to
>> all DCs when they are also DNS servers.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ace Fekay [Microsoft Certified Trainer]
07-09-2009

"SB" <> wrote in message news:3BE5B4DF-AB87-4517-BE4F-...
> Hello Meinolf,
>
> Thanks for your reply!
>
> So, what about breaking the sites into their own DNS zones? At the moment
> we have just one big AD-integrated zone and our topology is a star with all
> major services at the hub. Would it lessen replication traffic to break out
> each site into its own zone?
>


Hello SB,

If you break down your sites based on DNS zones, you will be adding a complication with extreme administrative overhead to get the machines, especially the DCs, to properly register in the zone they belong in. AD requires DNS to work, specifically SRV and other records that get registered into its own zone. This data is for other DCs and clients to 'find' the domain controllers for certain services required for logon, authentication, replication, etc. If you alter this default functionality with what you are proposing, it requires additional work to make sure the DCs register into their own default zone, as well as the clients, despite the fact there will be an additional zone you've created for the site, besides a full understanding of the client side resolver algorithm (DCs have client side resolvers, too), zone suffixes, what to register, what not to register, etc. So it's not as easy as it appears.

I do not recommend this design. I suggest using AD OUs to organize your AD objects by the Location/Function design method, and not using DNS zones for this purpose.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
SB
07-09-2009

Thanks to everyone for your replies!

I thought that if I created a separate zone for each site that would limit
DNS replication to all other sites; clients would look up computers in the
other zones through that particular zone's own DNS server. I imagine that in
order for that to work I would have to use Primary and Secondary-style zones
instead of AD-Integrated, which would greatly increase the management overhead
due to the complexity, not to mention dropping a degree of security.

I always find it interesting what people with real work experience say vs
the MS documents. Thanks again to everyone - stopping me from creating an
administrative nightmare.

Cheers!

- SB

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> Hello SB,
>
> If you break down your sites based on DNS zones, you will be adding a complication with extreme administrative overhead to get the machines, especially the DCs, to properly register in the zone they belong in. AD requires DNS to work, specifically SRV and other records that get registered into its own zone. This data is for other DCs and clients to 'find' the domain controllers for certain services required for logon, authentication, replication, etc. If you alter this default functionality with what you are proposing, it requires additional work to make sure the DCs register into their own default zone, as well as the clients, despite the fact there will be an additional zone you've created for the site, besides a full understanding of the client side resolver algorithm (DCs have client side resolvers, too), zone suffixes, what to register, what not to register, etc. So it's not as easy as it appears.
>
> I do not recommend this design. I suggest using AD OUs to organize your AD objects by the Location/Function design method, and not using DNS zones for this purpose.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
>

Ace Fekay [Microsoft Certified Trainer]
07-09-2009

"SB" <> wrote in message news:66F1DE41-E87F-4AB0-B362-...
> Thanks to everyone for your replies!
>
> I thought that if I created a separate zone for each site that would limit
> DNS replication to all other sites; clients would look up computers in the
> other zones through that particular zone's own DNS server. I imagine that in
> order for that to work I would have to use Primary and Secondary-style zones
> instead of AD-Integrated, which would greatly increase the management overhead
> due to the complexity, not to mention dropping a degree of security.
>
> I always find it interesting what people with real work experience say vs
> the MS documents. Thanks again to everyone - stopping me from creating an
> administrative nightmare.
>
> Cheers!
>
> - SB


Yep, well put. That's what it will wind up being! I remember one student stated his infrastructure was like that, and they had nothing but problems. I helped them straighten things out, removing this solution, after a lengthy talk with their IT staff.

Cheers!!

Ace
