DNS for 2000 AD, 2003 AD and NT servers.. setup q??

Discussion in 'DNS Server' started by Rob, Mar 24, 2005.

  1. Rob

    Rob Guest

    I am trying to set up a DNS server for all of my testing domains to use..
    both 2000 and 2003 are Active Directory native.. I want to have the DHCP give
    out only one DNS IP (server a).. I currently am using a 2000 AD domain with
    DNS (server a).. the DNS is listening on a secondary NIC.. I want that IP for
    all DNS requests... How do I set up or change my current AD DNS (servers
    b, c, d) servers to use that one?? Do I still need to have each DC see itself
    first and then use that address in the forwarder?? Since my users switch DCs many
    times in a day I want to get away from them having to enter the new DNS IP
    for each individual domain.. I want one and only one to handle all requests.

    On the other DCs (servers b, c, d) do I need to have the server a IP in the
    network settings as the only DNS?? Do I set up the other servers (b, c, d) as forwarders
    to server a?? Will each AD domain react and authenticate properly not being
    pointed to from member servers on each respective domain??

    What is the best way to approach this..

    server a... 2000 AD native (w/ DNS on second NIC)
    server b... 2003 AD native
    server c... NT DC..
    server d... 2000 AD native

    workstations... d, e, f, etc....


    thanks in advance..

    r
     
    Rob, Mar 24, 2005
    #1

  2. See inline below...
    It's usually problematic to have a multihomed DNS server (or domain
    controller for that matter) due to the additional administrative overhead
    you have to deal with. I believe that is one of the reasons you haven't got
    any responses yet to this post.
    I'm not sure what you are asking here. Changing it in the server's IP
    properties is the immediate answer, if I understand your question.
    What's recommended best practice is to actually have a partner DC/DNS
    (that's in the same site) be the first in the list, and itself as second to
    eliminate possible errors during bootup and the "DNS Becomes an Island"
    issue.
    I don't understand this part. Are you saying different DNS servers have
    different content (zone names) in each one? If so, that is not best practice
    for an internal DNS infrastructure. Depending on what you are trying to do,
    and if the zones are internal zones, it is best practice (and ensures
    everything is resolvable in the infrastructure) to have each DNS server have
    the same exact content on them. If it is a child zone, use of delegation or
    stubs would be appropriate. Since I don't know your infrastructure, that is
    the best I can tell you.
    No, best to have at least two.
    Forwarding only forwards queries for zones it is not authoritative for. Like I
    said, copies of the zone on each is prudent to ensure AD functionality and
    that the whole infrastructure is resolvable by using any one of your DNS servers.
    Otherwise, there's a design issue one needs to address to ensure this fact.
    I have no idea. This depends on whether these domains are in the same forest
    or different forests. Ideally, if child domains, delegate the child domain
    name from the parent zone to the child DNS servers, then set a forwarder
    from the child back to the parent, then set a forwarder from the parent to
    the ISP's.

    If they are in different forests, and you are using Win2003 DNS, you can set
    a conditional forwarder just for that zone.

    In closing, if these servers or domains are part of the same forest, make
    sure they all have the same content, or use delegations.

    255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
    DNS Namespace to the Child Domain:
    http://support.microsoft.com/?id=255248

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Paramount: What's up with taking Enterprise off the air??
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Mar 28, 2005
    #2

  3. Rob

    Rob Guest

    Ace.. let me clarify a bit.. I know that I sent you on a goose chase..

    I have a testing env. that has a DC for each OS.. each one is its own
    forest.. the testers change their testing machines between, say, a native 2000
    and a native 2003 domain regularly.. and NT to those 2 as well... With AD
    domains the members need to see the specific DC as the first DNS, correct??
    What's happening right now is as they change to each domain they need to add
    the DC's IP address in the network DNS properties.. I am trying to have this
    'dumbed down' enough to where they do not have to do this step.. In turn I
    will have DHCP send one common DNS server and have all the DCs look for that
    one.. With AD, DNS needs to be running on each DC, so what I need to know is
    how to best accomplish this.. I see what you mean with the forwarders.. I
    have the main DNS as a forwarder to the ISP.. How do I interconnect the DCs'
    DNS servers to each other so that they replicate and authenticate as one..

    thanks
    r
     
    Rob, Mar 28, 2005
    #3
  4. Rob

    Rob Guest

    My setup...

    Server A... Win2000 AD DC Forest.. IP 10.x.x.1 (open IP address)
    *2nd NIC as 10.x.x.100 (DNS listening on this one.. register in DNS
    unchecked, DNS forwarder to ISP)

    Server B... Win2003 AD DC (forest).. 10.x.x.5
    Server C... WinNT DC (NT bush)... 10.x.x.10

    Workstation A... any OS.. multiple domains..

    When workstations are added to AD domains the workstation DNS setting has
    to be (currently) changed to the DC IP.. i.e.: workstation added to Server A, the DNS
    is 10.x.x.1.. when added to Server B the DNS setting has to be changed to
    10.x.x.5.. I want to have any DC change and the ONLY DNS setting I want to
    see is Server A..

    Hope that clears it up a bit..

    r
     
    Rob, Mar 28, 2005
    #4
  5. I must say it is difficult to read your reply because it is all one BIG
    paragraph using grammatical shortcuts.

    Nonetheless, from what I can gather you are just concerned with getting all
    the DCs (each in their own separate forests) to be able to resolve each
    other. I believe I mentioned that to get this to work is to either point ALL of them
    to one DNS server that will remain as a constant for all the machines. The
    other way to do it is on each DNS server, create a Secondary zone of all the
    zones on each server, and allow zone transfers.

    In your situation, I think using one server as a constant will be the better
    bet, since it is always changing.

    Ace
     
    Ace Fekay [MVP], Mar 29, 2005
    #5

  6. Yes, I think it clears it up a bit. Maybe my suggestion to use ONE DNS
    server for everything will be the better solution.

    Ace
     
    Ace Fekay [MVP], Mar 29, 2005
    #6
  7. Rob

    Rob Guest

    Ace..

    That's exactly what I am trying to accomplish.. my post was a 'how do I do it?'...
    What do I have to do to the other AD domain servers' DNS to point to or use
    one DNS.

    Now that I have cleared up the current view, what should I do to move this to
    one DNS?? What do I have to watch for.. I know that I will have the base
    DNS (the one that I want to point the others to) forwarding out to the internet... How
    do I set up the other DNS servers so that they use that one..

    thanks

    r
     
    Rob, Mar 29, 2005
    #7
  8. Rob

    Rob Guest

    Looking back on your first post..

    """I have no idea. This depends on whether these domains are in the same
    forest or different forests. Ideally, if child domains, delegate the child domain
    name from the parent zone to the child DNS servers, then set a forwarder
    from the child back to the parent, then set a forwarder from the parent to
    the ISP's."""

    Are these considered to be child DNS servers even if they are in their own
    forest??
     
    Rob, Mar 29, 2005
    #8
  9. If the domains are child domains, such as:

    parent: domain.com
    child: miami.domain.com
    child: philly.domain.com
    etc

    Then the city names I depicted are child domains if they were promoted as a
    new domain controller in a new domain in an existing tree in an existing
    forest.

    If they are in different forests, no they are not.

    Ace
     
    Ace Fekay [MVP], Mar 30, 2005
    #9
  10. 1. Pick a DNS server.
    2. On this server, create secondary zones of ALL the zones that exist on the
    other servers.
    3. Allow them to transfer.
    4. Confirm they've transferred.
    5. Make the zones either Primary or AD Integrated.
    6. Allow Dynamic Updates on each zone.
    7. Go to ALL of your servers and use ONLY this server's IP for their DNS
    settings (no others).
    8. Done.

    Ace
     
    Ace Fekay [MVP], Mar 30, 2005
    #10
  11. Rob

    Rob Guest

    Ace.. first, thanks for working on this with me... but that's just what I have
    been saying from the beginning.. they are their own forests... How do I link
    them to 1 DNS server if in separate forests.. not children...

    r
     
    Rob, Mar 30, 2005
    #11
  12. Rob

    ptwilliams Guest

    Ace answered this further up. You have one DNS server hold multiple zones.
    So let's say server01 is authoritative for abc.com; you also configure server01
    to hold def.com, xyz.net, etc. as secondary zones. All you need then is
    the correct suffixes configured at the client end, which can now be
    accomplished via GPO, if you update the .adm files with the XP ones...


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
     
    ptwilliams, Mar 30, 2005
    #12
  13. Rob

    Rob Guest

    OK, got it.. I guess it got lost up there.. so many changes going on..

    On the secondary zone DNS servers do I point 'server01' as the primary?? Or is it
    still itself in each AD domain forest with 'server01' as the secondary...??

    r
     
    Rob, Mar 30, 2005
    #13
  14. Rob

    ptwilliams Guest

    Yes, the latter.

    The 'primary' (they're all AD-I, remember ;-) stays the same, and server01
    simply holds a secondary copy.

    Note: depending on the version of Windows you might have to tweak the zone
    transfers. Personally, I'd set it so that zone transfers are only allowed
    to: and then add the IP address of this server. Remember that AD-I doesn't
    require zone transfers, and it is recommended not to notify AD-I servers of
    changes. Zone transfers are *only* for secondary DNS servers.

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
     
    ptwilliams, Mar 30, 2005
    #14
  15. Thanks PT!
    :)
     
    Ace Fekay [MVP], Mar 30, 2005
    #15
  16. Rob

    ptwilliams Guest

    ptwilliams, Mar 31, 2005
    #16
  17. Boy, if I tried to keep up with your time zone, I'll get jet lag.

    :)
     
    Ace Fekay [MVP], Apr 1, 2005
    #17
  18. Rob

    Rob Guest

    ace... or pt..

    I am looking at the following again and am lost at #5... I take it the
    zones that are mentioned being changed to primary or AD integrated are on the
    secondary DNS servers.. correct.. not on my primary server.. I just created
    secondaries.. Here's where I am lost.. on the other forest DNS servers..
    aren't they already either primary or AD integrated??

    r

    1. Pick a DNS server.
    2. On this server, create secondary zones of ALL the zones that exist on the
    other servers.
    3. Allow them to transfer.
    4. Confirm they've transferred.
    5. Make the zones either Primary or AD Integrated.
    6. Allow Dynamic Updates on each zone.
    7. Go to ALL of your servers and use ONLY this server's IP for their DNS
    settings (no others).
    8. Done.

    Ace
     
    Rob, Apr 5, 2005
    #18
  19. I believe we were trying to help you to ensure all your zones are resolvable
    by pointing to any DNS server in your infrastructure.

    When I said to make the zone AD Integrated or a Primary, I meant that this
    server and ONLY this server is going to be the ONLY one ALL your machines
    are going to be using for DNS in their IP properties. This was to your
    question of :
    Maybe a little background on what AD Integration means may help, unless I
    totally misunderstood your setup, which I am assuming your domains are
    different domains in different forests.

    All a DNS server does is store zone information available for query lookups.
    DNS servers store the zone database in various locations. Some use a simple
    text file, I believe one of them uses a database engine, such as Oracle (can't
    remember the name of it), and Windows 2000 and 2003 have the ability to store
    it in the actual AD database. The advantage is the zone being stored in the
    database replicates along with the AD replication cycle, and can be
    available anywhere in the forest or the domain, depending on how you choose
    its replication scope, which you have control over. But an AD Integrated
    zone "acts" and works exactly like a Primary zone. You can allow transfers
    from it to any secondaries. The only exception is on any DC/DNS server that
    has a copy of this zone, each DC/DNS server acts as its own primary, hence
    the multi-master advantage.

    If I remember correctly, you have different domains in different forests.
    Keep in mind, when you store a DNS zone as AD Integrated, it is stored in
    the Domain NC ('name container'), which is one of the three logical
    partitions in the AD database. This partition stores user accounts, computer
    accounts, etc, that belong to this specific domain. This portion of the
    database will ONLY replicate to other DCs of the same domain. Hence, why a
    username is only available in that specific domain. The other two
    partitions, the Schema partition and the Config container, are replicated to
    ALL DCs in that specific forest that the domain is part of, and the domain
    controller is part of that domain. So that predicates what exactly is
    replicated between DCs. DCs of a different forest do not replicate anything
    between them. You choose how to control the replication scope by choosing
    what partition it will be stored in.

    But if one of your zones is AD Integrated that is sitting on some other DNS
    server in some other domain that is in a different forest, that will have
    nothing to do with the DNS server you are choosing to use for everyone. If
    the zone is a secondary or primary zone, then it is stored as a text file in
    the system32\dns folder.

    There are two other ways Win2003 will allow you to store zone data. These two
    are also AD Integrated, but they are stored in a different type of
    partition. The two additional partitions are the DomainDnsZones and the
    ForestDnsZones. Their names indicate what sort of replication scope they
    have.

    So based on what you said earlier, I am assuming all of these domains are
    actually different domains that are part of different forests. Therefore,
    what I said about allowing transfer from one of the other servers to the server you
    chose to use: you need to allow that transfer, and it doesn't matter what
    the zone type is as long as it does not belong to that domain or forest.

    I hope that clears it up a bit.

    Ace
     
    Ace Fekay [MVP], Apr 6, 2005
    #19
  20. Rob

    Rob Guest

    Ace.. this is great... thanks for all the help with this.. I got myself more
    confused than I needed to.. I have this structure up and running.. I believe
    that I have it set up.. I just don't know if I put some overkill in
    somewhere.. I wanted to keep it as basic as I can so that I can add more
    domains and forests as I go.. If I have it correct, all I have to do going
    forward is add a secondary zone on my main DNS for the new forests and allow
    transfers... If that's all there is, I was obviously going way out of my way to
    accomplish this..

    r
     
    Rob, Apr 6, 2005
    #20