2003 AD DNS with BIND as enterprise DNS

Discussion in 'Server Migration' started by B, Sep 9, 2004.

  1. B

    B Guest

    I'm about at my wits' end trying to find a white paper or something that tells
    me how to handle Reverse Lookup zones with 2003 AD integrated DNS using BIND
    9.x as enterprise DNS.

    Enterprise DNS (BIND 9.x) = company.com
    Empty root (AD integrated) = ad.company.com
    Corporate (AD integrated) = subdom.ad.company.com

    I have the forward lookups working as I conditionally forward on
    subdom.ad.company.com 'All other DNS domains' to the enterprise DNS servers.
    But how can I handle the reverse lookups? I want to hand out the subdom DNS
    servers to all the Windows servers and clients so that they query the subdom
    DNS servers first. Then anything that they don't know about hand up to the
    Enterprise DNS servers. We wanted to segregate all the DDNS entries and
    caching down at the subdom.ad.company.com level and not mess up the
    enterprise DNS servers. We also don't want the enterprise DNS admins to have
    to make manual entries all the time for all the stuff going on down in the AD.

    Has anyone crossed this bridge before? I would really like to hear how you
    handled this, as our configuration seems like what I would think most
    corporations would have in place. Thanks.
    B, Sep 9, 2004

  2. Never tried this myself. Would delegating the RDNS to your AD DCs be a big
    deal? What about making the AD DCs secondaries for your reverse zones?

    Brian Desmond
    Windows Server MVP

    Brian Desmond [MVP], Sep 11, 2004

  3. B

    Thanks for the responses.

    If we handled all PTR records on AD DNS in subdom.ad.company.com it would
    'break' our non-Windows based backup server. Our backup server needs all the
    PTR records to look up the backup clients (servers). There might be other
    apps that use the PTR records as well, so we are leery to move it all to the
    AD DNS. It seems a little safer security-wise to have BIND as the eDNS too.

    Making the AD DNS secondary for the Reverse zone is great for all the stuff
    that is currently listed in BIND. However I'll lose any dynamic updates for
    the workstations that would register with the AD DNS in
    subdom.ad.company.com. We need to be able to update it. What I need is a
    secondary zone that supports dynamic updates :)

    If you have any other ideas please post them. I'm getting desperate. I'm
    thinking about scheduling exports and imports.

    B, Sep 13, 2004
  4. What about delegating the reverse zone from BIND to AD DNS? Your backup
    software will go to BIND and just be referred to AD DNS for the lookup.

    You might be able to get your DHCP to do a DDNS registration in BIND.

    Brian Desmond
    Windows Server MVP

    Brian Desmond [MVP], Sep 14, 2004
  5. B

    Thanks for the response. See my comments inserted below:

    I'm not sure I understand where you are going with what you wrote above. As
    of right now, my forward lookup zone for subdom.ad.company.com conditionally
    forwards 'All other DNS domains' to the DNS servers (BIND) at company.com.
    This works just fine. Currently I do not have any reverse zones defined at
    subdom.ad.company.com, and if I do an NSLOOKUP from subdom.ad.company.com of a
    box on company.com it locates it on the BIND servers. So my latest idea is
    to get the DHCP servers to dynamically update the Reverse zone on the BIND
    servers. Since there is no reverse zone when clients look at DNS in
    subdom.ad.company.com, it should go to the BIND servers that have the current
    info. So we'll see if that works.
    I want the clients to point to subdom.ad.company.com.
    I'm not sure if we are on the same page here, but forward lookups work just
    fine from the subdom.ad.company.com domain (AD integrated) to the company.com
    domain (BIND 9.x).
    I guess the goal would be to not muddy the enterprise DNS if possible. In
    other words, keep all the dynamic stuff that goes on with AD down in
    subdom.ad.company.com. Redundancy is not the issue; I have plenty of servers.
    I don't see anywhere to get the attachments so I guess I'm just too dumb.
    If it is not too much trouble send the attachments to this address. I'll
    delete this address after I get the files as it is a disposable address.


    B, Sep 14, 2004
  6. Hello,

    Sorry, I'll try to explain more clearly.

    I mean the forward lookup zone can forward the request to the parent domain
    because the parent domain and the child domain have different domain names.
    Forward lookup zones depend on the domain name.

    The reverse lookup zone will not forward the request from the child domain to
    the parent domain, because the reverse lookup zone uses the subnet to judge it.
    If the parent domain and the child domain are in the same subnet, "Forwards
    'All other DNS domains'" will not forward the reverse request to the
    parent domain.

    Therefore, your original goal cannot be achieved if parent and child are in
    the same subnet.
    However, the idea that you retain a copy on the parent DC seems good. If
    the child DNS is down, the client can still get a response from the parent DC.

    Attached jpg files.

    Further questions, let us get in touch!

    Best regards,

    Rebecca Chen


    Microsoft Online Partner Support
    Rebecca Chen [MSFT], Sep 15, 2004
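The two options raised above (delegating a reverse zone from BIND to the AD DNS servers, and letting DHCP update a reverse zone that stays on BIND) are easier to reason about once you remember that a PTR query is an ordinary query for a name under in-addr.arpa: the server the client asks answers from the zone with the longest matching suffix, follows a delegation if the parent zone has one, and otherwise hands the query to its forwarders exactly as it would for any other name. The model below is an added example (not code from the thread or from either product); the server names, addresses, zone contents and the TSIG key name `dhcp-key` are invented for illustration. It models a constructed layout: BIND holds `company.com` and `168.192.in-addr.arpa`, delegates `1.168.192.in-addr.arpa` to the AD DNS servers, and accepts dynamic updates for the rest of that reverse space only when they are signed with the DHCP server's key; the AD DNS server holds `subdom.ad.company.com` plus the delegated reverse zone and forwards everything else to BIND.

```python
"""Toy model of PTR resolution across the BIND / AD DNS layout from the thread.
Added example with invented names and addresses; not from the original posts."""

import ipaddress
from dataclasses import dataclass, field


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. '20.1.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


@dataclass
class Zone:
    records: dict = field(default_factory=dict)          # owner -> (rrtype, rdata)
    delegations: dict = field(default_factory=dict)      # child zone -> server name
    allow_update_keys: set = field(default_factory=set)  # TSIG key names allowed to update


@dataclass
class Server:
    name: str
    zones: dict                                          # zone name -> Zone
    forwarders: list = field(default_factory=list)       # where non-hosted names go


def closest_zone(server: Server, qname: str):
    """Longest-suffix match: the zone a real server would answer from, if any."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in server.zones:
            return candidate
    return None


def resolve(servers: dict, server_name: str, qname: str, rrtype: str = "PTR", hops: int = 0):
    """Ask server_name for qname/rrtype. Returns (server that answered, rdata or None)."""
    if hops > 8:
        raise RuntimeError("referral/forwarding loop")
    qname = qname.lower().rstrip(".")
    srv = servers[server_name]
    zname = closest_zone(srv, qname)
    if zname is None:
        # No hosted zone covers the name: forward it, like 'All other DNS domains'.
        if not srv.forwarders:
            return server_name, None
        return resolve(servers, srv.forwarders[0], qname, rrtype, hops + 1)
    zone = srv.zones[zname]
    # The parent zone carries NS records for a delegated child: follow the referral.
    for child, child_server in zone.delegations.items():
        if qname == child or qname.endswith("." + child):
            return resolve(servers, child_server, qname, rrtype, hops + 1)
    rr = zone.records.get(qname)
    return server_name, (rr[1] if rr and rr[0] == rrtype else None)


def dynamic_update(servers: dict, server_name: str, zname: str, owner: str,
                   rrtype: str, rdata: str, key_name: str = None) -> bool:
    """Add a record by dynamic update; refused unless signed with an allowed TSIG key
    (the behaviour of BIND's 'allow-update { key ...; }'). Returns True if applied."""
    zone = servers[server_name].zones[zname]
    if key_name is None or key_name not in zone.allow_update_keys:
        return False
    zone.records[owner.lower().rstrip(".")] = (rrtype, rdata)
    return True


def build_lab() -> dict:
    """Constructed layout (invented data): 192.168.1.0/24 delegated to AD DNS,
    192.168.2.0/24 left on BIND and maintained by DHCP via TSIG key 'dhcp-key'."""
    bind = Server("bind", {
        "company.com": Zone(records={"backup.company.com": ("A", "192.168.0.5")}),
        "168.192.in-addr.arpa": Zone(
            records={reverse_name("192.168.0.5"): ("PTR", "backup.company.com.")},
            delegations={"1.168.192.in-addr.arpa": "ad"},
            allow_update_keys={"dhcp-key"},
        ),
    })
    ad = Server("ad", {
        "subdom.ad.company.com": Zone(
            records={"pc1.subdom.ad.company.com": ("A", "192.168.1.20")}),
        "1.168.192.in-addr.arpa": Zone(
            records={reverse_name("192.168.1.20"): ("PTR", "pc1.subdom.ad.company.com.")}),
    }, forwarders=["bind"])
    return {"bind": bind, "ad": ad}


if __name__ == "__main__":
    lab = build_lab()
    print(resolve(lab, "ad", reverse_name("192.168.0.5")))     # forwarded to BIND
    print(resolve(lab, "bind", reverse_name("192.168.1.20")))  # referred to AD DNS
```

Two points a practitioner would check against this. First, the delegation only works if the parent reverse zone on BIND actually carries NS records for the child (`1.168.192.in-addr.arpa. NS <AD DNS server>`), and the AD server must host that child zone as a primary so workstations can register PTRs there. Second, if you instead let DHCP update a BIND zone, do not use `allow-update { any; };`: any host on the network could then overwrite the backup server's PTR records. Restrict updates to the DHCP server's TSIG key with `allow-update { key dhcp-key; };` (or a finer `update-policy`), and keep the AD-integrated zones on "secure only" dynamic updates.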
