DNS 2003 challenge question!

Discussion in 'DNS Server' started by DMI, Aug 31, 2004.

  1. DMI

    DMI Guest

    Our company has three NT 4.0 domains (d1.com, d2.com, d3.com)
    and we are converting them into a single 2003 AD
    (AD1.com). I added a new server with 2003 and I installed
    AD with DNS on it. The AD1 and d1 domains are located in
    the same network, 192.168.20.x.
    d2 is located in 192.168.10.x and
    d3 is in 192.168.30.x.
    To complicate matters, our public domain name is dminc.com
    and this is also used as the name for our mail server.

    Question: How do I set up my DNS? AD1 is the first
    server in my forest. How do I define the other 3 zones
    (d1.com, d2.com, d3.com) and the public domain name
    (dminc.com) in my DNS server?

    If you are a genius or have any comments on how to do
    this, please advise.

    Thank you very much for your help!
     
    DMI, Aug 31, 2004
    #1

  2. Sharad Naik

    Sharad Naik Guest

    You say you are converting all three into a single AD, then you ask how
    d1.com, d2.com etc. should be added in DNS.
    So it seems that you will not remove those 3 NT DCs, and also not upgrade
    them to 2003. Is this correct?
    Can you elaborate how exactly you are creating the forest? You gave
    examples d1.com, d2.com ... AD1.com.
    If you can give the actual FQDNs then it will be clearer (like whether they
    will be child domains or not, etc.).
    If it is just like d1.com and d2.com etc., then with 1 Win2003 and 3 NT
    servers you mostly should do a trust relationship between domains.
    (For which you should either add another 2 NICs for the other 2 subnets or
    change the subnet of the AD to 192.168.x.x.)

    You should explain what exactly you want to achieve, a diagram showing the
    tree with respective subnets etc. will be helpful.

    Further, having a different public domain dminc.com does not at all
    complicate the matter; on the contrary, it makes the matter less
    complicated.
    If you are not running the web server / public server in house, you don't
    have to add any zones/records in your DNS for your web site / mail server.
    If you are running them locally, then just add the FQDN of the respective
    hosts, pointing to the private IP of the respective hosts.

    Sharad
     
    Sharad Naik, Aug 31, 2004
    #2

  3. Kevin D. Goodknecht Sr. [MVP]

    Create the missing records in your local DNS server, i.e. www, mail, or
    whatever, and give them the IP of the public sites. You cannot access by
    domain name; that record must point to the DC for group policies and DFS
    shares. The SYSVOL share is a DFS share at \\dnsdomain\sysvol; group policies
    are deeper into the share at \\dnsdomain\sysvol\dnsdomain\policies. Do not
    use your ISP's DNS in any position.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ================================================
    --
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ================================================
    http://www.lonestaramerica.com/
    ================================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ================================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ================================================
     
    Kevin D. Goodknecht Sr. [MVP], Aug 31, 2004
    #3
  4. Sharad Naik

    Sharad Naik Guest

    The best solution is, if it is still possible, to uninstall AD and then
    install it again, giving a different unique domain name which will not match
    yours or any other registered public domain.
    Please see the link below:

    http://support.microsoft.com/default.aspx?kbid=254680

    The AD server itself and all the clients of the AD MUST always point to the
    private IP of the AD server itself
    for DNS (TCP/IP properties). Do not even add the ISP's DNS as an alternative
    DNS server.

    If you cannot rename the AD, then you will have to create delegations for
    all public records that exist
    for your public domain (www.domain.com, mail.domain.com, ftp.domain.com
    etc.).
    In your DNS, right-click on the zone domain.com and select New Delegation.
    Enter the delegated child as 'www' and
    click Next. On the next page add the name servers of your ISP who is
    hosting your public DNS records.
    Enter the FQDN of those name servers and their respective IP addresses.
    Follow the same procedure for other records, mail, ftp etc. if any.

    Sharad
     
    Sharad Naik, Sep 1, 2004
    #4
  5. Roger Abell

    Roger Abell Guest

    I agree Kevin, given where the OP is at now, this is the best
    solution for him to move forward.
    I would like to emphasize that, after the records are added for the
    public resources to the internal zone, the temporary addition of the
    external DNS server made to the DNS TCP/IP settings _must_
    be removed. The only place where use of external DNS servers is
    acceptable, when the AD-supporting DNS zone is private, is
    as a Forwarder.
    I do know you stated this, but it was as a quick phrase that may
    not have fully sunk in with the OP preoccupied with the other
    aspects.
     
    Roger Abell, Sep 1, 2004
    #5
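The three pieces of advice in posts #3, #4 and #5 (mirror or delegate the public names inside the internal zone, keep the zone apex on the DC, and use the ISP's resolvers only as forwarders) as one script. This is an added example, not code from the thread; it assumes a current Windows Server with the DnsServer and DnsClient PowerShell modules rather than the 2003-era GUI, an internal AD zone named dminc.com that is also the public name, and the IP addresses and ISP names below are constructed placeholders.

```powershell
# Added example (not from the thread). Run on the DC that hosts the AD zone.
# Placeholders: private DC address, documentation-range public IPs, ISP resolvers.
$Zone        = 'dminc.com'
$DcIPv4      = '192.168.20.10'                       # AD DC / internal DNS server
$PublicHosts = @{ 'www' = '203.0.113.10'; 'mail' = '203.0.113.25' }
$IspDns      = @('198.51.100.53', '198.51.100.54')   # ISP resolvers: forwarders only

# Kevin's approach (#3): mirror the public hosts in the internal zone, so internal
# clients, which can only see this copy of dminc.com, still reach the public sites.
foreach ($h in $PublicHosts.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $h.Key -RRType A `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h.Key -IPv4Address $h.Value
    }
}

# Sharad's alternative (#4): delegate a public name to the ISP's name servers so
# the record is maintained there. Use either the A record or the delegation for a
# given name, never both. Shown for 'ftp' with a placeholder ISP name server.
# Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName 'ftp' `
#     -NameServer 'ns1.isp.example' -IPAddress '198.51.100.53'

# The zone apex must keep resolving to the DC: clients locate SYSVOL (a DFS share)
# and Group Policy through it, so it can never point at the public web server.
$apex = Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A
if (-not ($apex.RecordData.IPv4Address.IPAddressToString -contains $DcIPv4)) {
    throw "Apex A record for $Zone no longer points at the DC $DcIPv4"
}

# Roger's point (#5): external resolvers belong only in the server's forwarder
# list, which the DNS server uses for names it is not authoritative for ...
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# ... and never in the TCP/IP DNS settings of the DC or its clients. Remove any
# ISP resolver left there during setup and point the adapter back at the DC.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $bad = $nic.ServerAddresses | Where-Object { $_ -in $IspDns }
    if ($bad) {
        Write-Warning "Removing ISP DNS $($bad -join ',') from $($nic.InterfaceAlias)"
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex `
                                   -ServerAddresses $DcIPv4
    }
}
```

The last loop is the check Roger wanted to see enforced: a client whose resolver list contains an external server will intermittently fail to find the DC's SRV records, and those failures look like random logon or Group Policy problems rather than a DNS misconfiguration.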
  6. DMI

    DMI Guest

    Try creating a WWW record in your internal DNS that points
    to the public IP address where the www.D1.com is located.

    Thanks!
     
    DMI, Sep 1, 2004
    #6
  7. Sharad Naik

    Sharad Naik Guest

    I too fully agree with Kevin & you both.
    However, the OP asked for a permanent solution
    and I thought delegation would be better than adding the host records.

    Sharad
     
    Sharad Naik, Sep 1, 2004
    #7
  8. DMI

    DMI Guest

    Sharad - Thank you for your help.
    How do I upload a file into?
    The process is to add a new ADC (AD1.com) and have a two-
    way relationship with all of the NT DCs. Once this is
    working I should be able to get rid of each domain
    controller one at a time. In the meantime I would like
    to create in my DNS server (ADC) a primary zone for
    D1.com, D2.com and D3.com. In this way every computer in
    all of the domains will be able to find any other computer
    in any other domain.

    My domain ADC.com is found in the same network as one of
    the NT PDC domains (network 192.168.20.x). Can we do this?
    Can we have two domains sharing the same network? Right
    now my ADC is composed of one computer, the server itself,
    SR1. As we add computers to this domain the list will
    grow. But until I add all of the computers to the new
    domain we must have the other NT PDC active.

    I have a diagram in GIF format and I would like to
    attach it to this e-mail.

    Thank you once again for your help
     
    DMI, Sep 1, 2004
    #8
  9. Kevin D. Goodknecht Sr. [MVP]

    I agree delegations usually are more permanent; I was pointing out the
    problem with resolving his domain name. There are many users that try to
    access the public web site by only using the domain name, http://example.com,
    which is _not_ possible in AD. Your only choice is to set up a redirect so
    the DCs can redirect to http://www.example.com.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 1, 2004
    #9
  10. Sharad Naik

    Sharad Naik Guest

    Well, at present, how are the computers in one domain able to find one in the
    other domain? Domain trust relationship, I believe.

    Well, you can have the NT domain and the new 2003 AD in the same subnet.

    IMO (which is one of the possible suggestions), what you should do is as
    follows.

    Install Win 2003 AD, with Domain Function Level - Win2000 mixed.

    Your NT domains must already have trust relationships with each other.

    In Win 2003 you add an External Two-Way relationship between Win 2003 and each
    of the NT domains.

    Subsequently, go on moving each client to Win 2003 AD directly.

    After all clients are moved to AD, remove the NTs, and if required raise the
    domain function level.

    Sharad
     
    Sharad Naik, Sep 1, 2004
    #10
  11. Guest

    Guest

    Thank you once again for your help.

    I am doing what you are describing. The question I have
    is: how do I set up the three NT domains in the ADC
    DNS? In one of the NT domains I have an Exchange server
    and I am not able to detect the MX automatically.
    If you have any suggestions on how to do this please
    advise. Thank you!
     
    Guest, Sep 1, 2004
    #11
  12. Ace Fekay [MVP]
    Just to add, which has to be done on each DC.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Sep 4, 2004
    #12
  13. Ace Fekay [MVP]
    I think the challenge here is trying to understand exactly what you have,
    and what you're trying to do, and with all due respect, the terminology
    being used and hiding the domain names is not helping.

    You stated "setup 3 NT domains"? You already have the 3 NT domains, correct?

    Easiest way is, if you haven't already created the new AD domain, or if you
    have and have not started using it yet, demote it and promote it with a
    different DNS name, such as domain.local or domain.corp, instead of using
    the same as your external name. But keep in mind that whatever NetBIOS
    domain you choose, that needs to be different from any of the domains
    currently in existence or conflicts will occur.

    Now that's out of the way, if you want to migrate the users from your 3 NT4
    domains, let's call them Domain1, Domain2, Domain3, create an OU for each of
    them in AD using those names. Then create two-way trusts between each NT
    domain and the W2k3 domain. Then use ADMT to migrate each domain one by one
    into the new domain. When migrating Domain1, migrate the accounts into the
    Domain1 OU. This is called 'collapsing' an NT4 domain into an OU. Do this
    for all 3 domains to migrate them into the new single W2k3 AD domain.

    As for the MX record (assuming you are running Exchange 2003), internally
    MX records are not required. MX records are used by mail servers to find
    other mail servers. Internally, your mail server is not communicating with
    any other mail server, but just with your own clients, presumably using
    Outlook, so internally an MX is not needed. When your internal user is
    sending mail to someotherdomain.com, your mail server will query an
    external DNS through the use of the forwarder configured in your DNS to find
    the MX record of that someotherdomain.com domain. Once it finds the record,
    it then resolves the IP, then it establishes an SMTP connection to that
    server and sends the mail. So you see, internally, it is NOT needed.

    For your mail server to receive and be authoritative for the external domain
    name, configure the Recipient Policy with that name suffix and point your
    EXTERNAL DNS server (assuming it is being hosted by your ISP) to YOUR
    Exchange server. If you are using NAT, point it to the external (WAN) IP of
    the NAT and configure a port forwarding rule for port 25 to be sent to the
    internal IP of your Exchange server.

    If this doesn't help, I apologize; please do elaborate on where we need to
    focus.

    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Sep 4, 2004
    #13
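The migration preparation that Sharad (#10) and Ace (#13) describe, as an added example and not code from the thread: confirm the new domain's NetBIOS name does not collide with the NT4 domains, create one OU per NT4 domain to collapse into, create the two-way external trusts ADMT needs, and confirm outbound MX lookups reach the forwarder so no internal MX record is required. It assumes the new forest has already been promoted as corp.local (a placeholder that clashes with no public name, per Ace's advice), that the ActiveDirectory module and netdom.exe are available on the DC, and that the NT4 domain names, DC address and remote domain below are constructed placeholders.

```powershell
# Added example (not from the thread). Run as a domain admin on a corp.local DC.
$NewDomain = 'corp.local'                            # placeholder new AD domain
$NtDomains = @('DOMAIN1', 'DOMAIN2', 'DOMAIN3')      # placeholder NT4 NetBIOS names
$DomainDN  = 'DC=corp,DC=local'
$DcIPv4    = '192.168.20.10'                         # placeholder internal DNS server

# Ace's caveat: the new domain's NetBIOS name must differ from every NT4 domain.
$newNetbios = (Get-ADDomain -Identity $NewDomain).NetBIOSName
if ($NtDomains -contains $newNetbios) {
    throw "NetBIOS name $newNetbios collides with an existing NT4 domain"
}

# One OU per NT4 domain; ADMT later 'collapses' each domain into its OU.
foreach ($d in $NtDomains) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$d'" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $d -Path $DomainDN `
                                 -ProtectedFromAccidentalDeletion $true
    }
}

# Two-way external trusts between the new domain and each NT4 domain (Sharad's
# step, and what ADMT needs before any account can be migrated). netdom takes the
# trusted-domain password on its command line, so run this from an interactive
# session rather than a saved script.
$cred = Get-Credential -Message 'NT4 domain administrator'
$pwd  = $cred.GetNetworkCredential().Password
foreach ($d in $NtDomains) {
    & netdom trust $NewDomain /d:$d /add /twoway /UserD:$($cred.UserName) /PasswordD:$pwd
    if ($LASTEXITCODE -ne 0) { throw "netdom failed creating the trust with $d" }
}

# Ace's MX point: no internal MX record is needed. Outbound mail finds the remote
# domain's MX through the forwarder, so verify that path via the internal server.
$mx = Resolve-DnsName -Name 'someotherdomain.com' -Type MX -Server $DcIPv4 `
          -ErrorAction SilentlyContinue | Where-Object Type -eq 'MX'
if (-not $mx) {
    Write-Warning 'MX lookup through the internal DNS failed; check Get-DnsServerForwarder'
} else {
    $mx | Sort-Object Preference | Select-Object NameExchange, Preference
}
```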
  14. Kevin D. Goodknecht Sr. [MVP]

    Ace Fekay [MVP] wrote their comments; then Kevin replied below:
    Oh yes, Exactly!

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 4, 2004
    #14
  15. Ace Fekay [MVP]
    :)

    Ace
     
    Ace Fekay [MVP], Sep 5, 2004
    #15
  16. Sharad Naik

    Sharad Naik Guest

    I got your point. And yes, there are many users who want to access the site
    without 'www'.
    Sharad
     
    Sharad Naik, Sep 10, 2004
    #16