2003 AD DNS with BIND as enterprise DNS

I'm about at my wits end trying to find a white paper or something that tells
me how to handle Reverse Lookup zones with 2003 AD intergrated DNS using BIND
9.x as enterprise DNS.

Enterprise DNS (BIND 9.x) = company.com
Empty root (AD integrated) = ad.company.com
Corporate (AD integrated) = subdom.ad.company.com

I have the forward lookups working as I conditionally forward on
subdom.ad.company.com 'All other DNS domains' to the enterprise DNS servers.
But how can I handle the reverse lookups? I want to hand out the subdom DNS
servers to all the Windows servers and clients so that they query the subdom
DNS servers first. Then anything that they don't know about hand up to the
Enterprise DNS servers. We wanted to segregate all the DDNS entries and
cacheing down at the subdom.ad.company.com level and not mess up the
enterprise DNS servers. We also don't want the enterprise DNS admins to have
to make manual entries all the time for all the stuff going on down in the AD
world.

Has anyone crossed this bridge before? I would really like to hear how you
handled this as our cofiguration seems what I would think most corporations
would have in place. Thanks.

 

Never tried this, msyelf. Would delegating the RDNS to your AD DCs be a big
deal? What about making the AD DCs secondaries for your reverse zones?

--
--
Brian Desmond
Windows Server MVP
12.il.us

Http://www.briandesmond.com

 

Brian,

Thanks for the responses.

If we handled all PTR records on AD DNS in subdom.ad.company.com it would
'break' our non-Windows based backup server. Our backup server needs all the
PTR records to lookup the backup clients (servers). There might be other
apps that use the PTR records as well so we are leary to move it all to the
AD DNS. It seems a little safer security-wise to have BIND as the eDNS too.

Making the AD DNS secondary for the Reverse zone is great for all the stuff
that is currently listed in BIND. However I'll loose any dynamic updates for
the workstations that would register with the AD DNS in
subdom.ad.company.com. We need to be able to update it. What I need is a
secondary zone that supports dyamic updates

If you have any other ideas please post them. I'm getting desperate. I'm
thinking about scheduling exports and imports.

B

 

What about delegating the reverse zone from BIND to AD DNS? Your backup
software will goto BIND and just be referred to AD DNS for the lookup.

You might be able to get your DHCP to do a DDNS registration in BIND
otherwise.

--
--
Brian Desmond
Windows Server MVP
12.il.us

Http://www.briandesmond.com

 

Rebecca,

Thanks for the response. See my comments inserted below:

I'm not sure I understand where you are going with what you wrote above. As
of right now, my forward lookup zone for subdom.ad.company.com conditionally
forwards 'All other DNS domains' to the DNS servers (BIND) at company.com.
This works just fine. Currently I do not have any reverse zones defined at
subdom.ad.compay.com and if I do an NSLOOKUP from subdom.ad.company.com of a
box on company.com it locates it on the BIND servers. So my latest idea is
to get the DHCP servers to dynamically update the Reverse zone on the BIND
servers. Since there is no reverse zone when clients look at DNS in
subdom.ad.company.com it should go to the BIND servers that have the current
info. So we'll see if that works.

I want the clients to point to subdom.ad.company.com

I'm not sure if we are on the same page here but forward lookups work just
fine from the subdom.ad.company.com domain (AD integrated) to the compay.com
domain (BIND 9.x).

I guess the goal would be to not muddy the enterprise DNS if possible. In
other words, keep all the dynamic stuff that goes on with AD down in
subdom.ad.compay.com. Redundancy is not the issue I have plenty of servers.

I don't see anywhere to get the attachments so I guess I'm just too dumb.
If it is not too much trouble send the attachments to this address. I'll
delete this address after I get the files as it is a disposable address.



Thanks.

B

 

Hello,

Sorry, I try to explain more clearly.

I mean the Forward lookup zone can forward the request to the parent domain
is because parent domain and child domain has different domain name.
Forward lookup zone depends on the domain name.

Reverse Lookup zone will not forward the request from child domain to
parent domain, which is because Reverse Lookup zone use subnet to judge it.
If the parent domain and the child domain are in the same subnet, "Forwards
'All other DNS domains' " will not forward the reverse request to the
parent domain.

Therefore, your original goal cannot be achieved if parent and child are in
the same subnet.
However, the idea that you retain the copy on parent DC seems good. Once
the child DNS is down, the client still can get response from parent DC.

Attached jpg files.

Further questions, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.