DNS Redesign Issue

Discussion in 'DNS Server' started by Jason1320, Aug 17, 2006.

  1. Jason1320

    Jason1320 Guest

    I am trying to redesign DNS for a company I just joined but I have come across
    an issue that I'm not sure how to get around.

    Currently we have one root domain in a single AD forest. Under that root we
    have 9 child domains, all one layer below the root. All DCs are 2003.

    DNS is setup as follows. The root domain contains one DNS server with a
    single primary zone of company.com. Each child domain has a secondary "copy"
    of this zone on at least one server in the domain. Within the primary zone
    there are folders for each domains subdomain. (Example: dallas.company.com)
    Each domain controller is configured to write back to the primary zone to
    make updates.

    What I would like to do is create AD integrated zones for each domain and
    delegate authority from the primary zone, company.com. The problem that I am
    running in to is how to get the data from the subdomains out of the primary
    zone, company.com, and in to the newly created AD integrated zone. I only
    want the information that is critical to each domain. (i.e. for
    dallas.company.com I only want the information below the dallas folder in
    company.com.)

    Any suggestions?

    Thank you,

    Jason
     
    Jason1320, Aug 17, 2006
    #1

  2. Jason1320

    Jorge Silva Guest

    Hi
    Hoooo my GOD so many domains, did you have any special reason to make 10
    domains?
    Basically you need to create a tld DNS domain, make it AD Integrated, and
    delegate the child zones to the other DCs in the sub domains. By delegating the
    zones the tld domain knows where to find the NS for these domains. The
    problem should be how the child domains resolve the tld domain, and there are
    several methods for this, but you're replicating the tld to the child
    domains so you need not worry about that.

    Check:

    Best practices for DNS client settings in Windows 2000 Server and in Windows
    Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&sd=RMVP

    HOW TO Create a Child Domain in Active Directory and Delegate the DNS
    Namespace to the Child Domain
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255248&sd=RMVP
    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Aug 17, 2006
    #2

  3. Jason1320

    Jason1320 Guest

    I plan to use stub zones in the top level domains. The issue I am having is
    getting the DNS data from dallas.company.com in the tld domain to the newly
    created AD integrated zone. I would like to do this without manually
    recreating each record.

    Thanks,

    Jason
     
    Jason1320, Aug 17, 2006
    #3
  4. Jason1320

    Jorge Silva Guest

    dallas.company.com is a child domain, right?
    You can have the newly created AD integrated zone pointing to the tld, or create a
    stub zone on the domain and replicate it across that new domain.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Aug 18, 2006
    #4
  5. Jason1320

    Jason McKee Guest

    The stub zone idea would work but it is not ideal for my situation. If I
    create stub zones for each domain then I have no fault tolerance in the case
    that a link between the sites goes down.

    Your other idea wasn't clear but I think you are suggesting that I
    integrate company.com in to the AD and replicate it across the forest. I
    have thought of this as well and plan to use it as a worst case scenario.
    Ideally what I want to do though is extract the DNS information for
    city.company.com from the company.com zone and import it in to a new
    city.company.com zone.

    This is a tough problem and I appreciate all the help!

    Thank you,

    Jason
     
    Jason McKee, Aug 18, 2006
    #5
  6. Jason1320

    Jorge Silva Guest

    As I already told you there are many possible configurations, for this to
    work, the most common is to delegate the child zones on tld to each child
    domain.

    In each child domain you can choose between different types of possible
    configurations:

    -If you configure Forwarding ("All other Domains" option - pointing to tld)
    all queries will go to tld DNS server (including Internet resolution
    queries), if the link with tld is down then queries will fail for domains
    but the DNS server will attempt to use its root hints to resolve the queries
    (unless you select the option don't use recursion for this domain).

    -If you configure Conditional Forwarding, you can have better control where
    queries will go, and if the link is down for any particular domain, that
    doesn't mean that other queries will fail as long as you have a link up with
    these domains.

    -For secondary and stub zones: the big advantage of stub zones is that
    they'll automatically refresh the NS records for that domain, and you don't
    need to allow zone transfer for stub zones to work, but all queries will be
    sent to the NS for these domains. As for Secondary Zones, all queries can be
    resolved locally, but you need to allow zone transfer on each zone.

    -For Active Directory Integrated Zones (require that the DNS is also a DC),
    you can always choose to replicate them across the domain or the forest. This
    can have a significant impact on your replication traffic.
    --
    I hope that the information above helps you


    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Aug 18, 2006
    #6
  7. Jason1320

    Jason McKee Guest

    I agree. The question is how to get the domains for the child zones out of
    the single existing zone for company.com. You can't simply copy and paste
    it, and recreating all the records would take hours. And I don't want the
    whole company.com domain replicated to all the child domains.

    Thanks
    Jason McKee
    MCSE/MCSA (Messaging) 2003
     
    Jason McKee, Aug 19, 2006
    #7
  8. Jason1320

    Jorge Silva Guest

    Hi again
    Looks like you're out of sync so:
    I'm going to try to provide you a solution (but remember you can have
    different implemented solutions to achieve the same thing), if you disagree
    with something please let me know.

    You've 1 top Root Domain and several child domains.

    You want to design a DNS infrastructure for all domains.



    -Objectives are: availability of the name resolution for all domains in the
    forest, reduce administrative work configuring them, reduce the Replication
    traffic.

    -Ok, assuming that you've all DNS servers in DCs (Why on DCs, because you
    can benefit in terms of security, you can integrate it with AD, provide you
    less admin work and you can use replication to replicate the zones for
    existent DNS server in your network):

    -Generally the Root Domain is used only for administration; I don't know if
    this is your case, but generally the top root domain has little information in
    it, and is rarely changed. Let's begin:

    1-Using Stub zones in the root or child domains isn't generally a good idea.
    Why? Well, Stub zones do not remove the requirement for delegations. Stub
    zone data doesn't transfer during zone transfers like delegation information
    does, so if the parent zone is transferred without delegation information,
    how will the server find the child zones? So configuring Stub zones isn't an
    option here.


    -In the Top Root Domain you make the domain.tld and _msdcs.domain.tld AD
    Integrated. Because you only have Windows 2003 in your forest make sure that
    you have your FFL at Windows 2003. Why? - Because among other things you can
    benefit with replication (only changes are replicated). Next configure
    delegation: delegate each child domain to the correct server(s). Configure
    the replication scope of the Top Root Domain "domain.tld" and the
    "_msdcs.domain.tld" available across the forest. Why? - Well, First we have
    availability: even if the link is down the name resolution works because all
    servers have a copy of that zone, including other CHILD domains' NS records,
    so the servers can resolve the other child domains even if the link with the
    Top Root is down. Second we have less Admin work, because the zones will be
    transferred without any additional configuration. Third the
    _msdcs.domain.tld contains information about the Global Catalog and other
    important domain/forest records and they only exist in the parent (root) DNS
    server (this zone contains information that IS ONLY AVAILABLE IN THE ROOT),
    so it is always a good practice to replicate the root _msdcs.domain.tld across
    the forest.

    - So why not Primary Zone? - Too much configuration to be done, it is insecure,
    you can't benefit from AD replication, and to use it in child domains you would
    need to allow zone transfer each time that you add a new DNS server (which
    represents more admin work).

    - So why not Secondary Zone? - Well, to have a secondary zone you must have a
    Primary Zone, then you must configure that primary zone to allow zone
    transfers (more admin work each time that you add a new DNS server) and BTW
    Primary Zones are not as secure as AD Integrated Zones. But Wait a minute. We
    can have an AD Integrated Zone, and configure other DNS Servers with Secondary
    Zones. Sure, but you still need to allow Zone transfer each time that you
    Add a new DNS server (More Admin Work), so why not use Replication and leave
    all the Admin work to Windows, and we never have to worry about configurations
    and stuff like that.

    What About Internet Resolution? Well we have Forwarding for that, you can
    benefit from Forwarding to allow Internet resolution in each domain.

    Top Root is done.

    Time to Child Domains:

    -Child Domains: well because we already have the domain.tld,
    _msdcs.domain.tld and all forest delegations in the DNS server(s) across the
    forest, this means that the child domains can resolve all existent domains,
    GCs, Existent Sites configuration, etc. So now we only need to configure the
    child zone itself, nothing more. Make it AD Integrated, configure the
    replication scope to All DCs in the DOMAIN, and you're up and running.


    Related Links:

    How to Create a Child Domain in Active Directory and Delegate the DNS
    Namespace to the Child Domain

    http://support.microsoft.com/kb/255248/

    Conditional Forwarding in Windows Server 2003

    http://support.microsoft.com/default.aspx?scid=kb;en-us;304491

    How to configure DNS for Internet access in Windows Server 2003

    http://support.microsoft.com/kb/323380/

    --
    I hope that the information above helps you


    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Aug 20, 2006
    #8
  9. Jason1320

    Jason McKee Guest

    This is great information and I understand all these concepts but I think you
    are missing the point of what I am trying to do. In my top level domain I
    have one primary zone for company.com. That zone contains 9 sub domains
    (dallas.company.com, detroit.company.com, la.company.com, etc.) I want to
    delegate these domains but first I need to get the information out of the tld
    zone and into the primary zones that will be created in the child domains.
    If it were possible I would want to "cut" the Dallas folder from the
    company.com domain and paste it as the root of the child primary domain. I
    want to do this for all 9 sub domains. However this is not possible so I
    want to find the easiest way to do it without recreating all of the DNS
    records.

    Thank you,
    Jason McKee
    MCSE/MCSA (Messaging) 2003
     
    Jason McKee, Aug 21, 2006
    #9
  10. Jason1320

    Jason McKee Guest

    From another news group:

    From your description, my understanding on this issue is that you would
    like to change the current DNS design and create AD integrated zone for
    each subdomain.

    Unfortunately there's no efficient way to extract the domain information
    for dallas.company.com from the company.com zone. However, if you are using
    DHCP, clients should be able to dynamically and automatically
    register/update records with the configured DNS server, and you don't need
    to manually re-input everything.

    Considering the current situation, we suggest you follow the guideline
    below:

    1. Delete the current dallas(.company.com) and other subdomains on DNS
    server in the root domain
    2. On DNS server in the root domain, delegate dallas to DNS server in the
    child domain
    3. Create a child zone dallas on the DNS server in the child domain
    4. Configure all clients in the child domain to use DNS server in the child
    domain as Primary DNS server
    5. Add the parent (root) DNS server as a forwarder on the child DNS server.

    For more information, please refer to the following documents:

    255248 How To Create a Child Domain in Active Directory and Delegate the
    DNS Namespace to the Child Domain
    http://support.microsoft.com/kb/255248

    323418 How To Integrate DNS with an Existing DNS Infrastructure If Active
    Directory Is Enabled in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;323418

    How DNS Support for Active Directory Works
    http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true
     
    Jason McKee, Aug 21, 2006
    #10
  11. Jason1320

    Jorge Silva Guest

    -Why do you want to export the Zone? The records are automatically created as
    long as you allow Dynamic updates.

    -Using DNS console you can right-click the zone and export to a File,
    however with this exported file you can't create a zone.

    -To export a Zone and import that Zone in another DNS Server you need to use
    Dnscmd.

    -C:\>Dnscmd ServerName /ZoneExport child.domain.com Filename.dns (this file
    will be automatically created in the DNS folder under System32; the File must
    have a .dns EXTENSION. The other problem with this is that you might need to
    change some information in that file, like for example the SOA owner and/or
    the NS records. Then you copy that file to the other DNS server; you can
    start by creating a new Primary zone, then you have the option to give the
    name of the file that contains the records.)

    http://technet2.microsoft.com/Windo...34a5-420e-aa6a-961ae5fa0f291033.mspx?mfr=true

    Attention: you can only export and import a zone if that zone will be equal
    on the other DNS server. Although you can export information for ONLY PART
    of it (like a delegation), with that exported file you can't create a
    zone.

    *Using the Dns console:

    Right click the zone that you want to export and choose the option export
    list, save the file "Test01.txt".

    (Open the file and check the format)

    *Using Dnscmd

    Dnscmd ServerName /ZoneExport child.domain.com Test01.dns

    (Open the file and check the format)

    -Compare both...

    Now the real question here is why do you want to do that??? There's no need
    to have all this work, DNS can dynamically register these records if you
    allow it to do so. If you're concerned about some manually created records you
    can export the zone using any of the above commands, and then just create a
    script with Dnscmd to create them automatically.

    Dnscmd [ServerName] /RecordAdd ZoneName NodeName RRType RRData

    Check:

    http://technet2.microsoft.com/Windo...34a5-420e-aa6a-961ae5fa0f291033.mspx?mfr=true



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Aug 21, 2006
    #11
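To show the "export the zone, then script Dnscmd /RecordAdd" approach from the post above end to end, here is an added example; it is not code from the thread or from Microsoft. It parses a dnscmd /ZoneExport file, keeps only the records under one subdomain (the "dallas folder" from the question), re-qualifies relative names so CNAME, MX, NS and SRV targets still point at the right hosts after the move, skips the SOA and apex NS records that the server creates itself when the child zone is made, and prints the dnscmd /RecordAdd commands for the rest. The zone text, the zone names and the server name dc1.dallas.company.com are constructed for the example.

```python
"""Carve the records under one subdomain out of a "dnscmd /ZoneExport" file
and emit the "dnscmd /RecordAdd" commands that recreate them in a new child
zone.  Added example, not code from the thread; all data below is constructed."""
from typing import Iterator, List, Tuple

Record = Tuple[str, str, str]                      # (owner FQDN, RR type, rdata)
HOST_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}   # last rdata token is a host name

# Constructed sample in the BIND-style layout dnscmd /ZoneExport writes
# (comments after ';', multi-line SOA in parentheses, [AGE:...] tags on
# dynamically registered records, owner names relative to the zone).
SAMPLE_EXPORT = """\
;  Database file company.com.dns for company.com zone.
$TTL 3600
@                 IN  SOA  dns1.company.com. hostmaster.company.com. (
                           42 ; serial
                           900 600 86400 3600 )
@                 IN  NS   dns1.company.com.
dns1              IN  A    10.0.0.10
@                 IN  MX   10 mail.company.com.
dallas            IN  NS   dc1.dallas.company.com.
dc1.dallas        IN  A    10.10.0.5
printer1.dallas   IN  A    10.10.0.40
intranet.dallas   IN  CNAME dc1.dallas.company.com.
www.dallas [AGE:3612345] 600 IN CNAME printer1.dallas
_ldap._tcp.dallas IN  SRV  0 100 389 dc1.dallas.company.com.
dc2.detroit       IN  A    10.20.0.5
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Strip ';' comments and join lines inside ( ) into one logical line.
    Assumption: no ';' inside quoted TXT data (not handled here)."""
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf) if len(buf) > 1 else buf[0]
            buf = []


def _absolute(name: str, origin: str) -> str:
    """Turn '@', a relative name or a dotted FQDN into an FQDN without the dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone_export(text: str, zone: str) -> List[Record]:
    """Parse an exported zone into (owner FQDN, type, rdata) tuples."""
    origin = zone.lower().rstrip(".")
    last_owner = origin
    records: List[Record] = []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):              # $ORIGIN / $TTL directives
            if tokens[0].upper() == "$ORIGIN":
                origin = _absolute(tokens[1].lower(), origin)
            continue
        if line[0].isspace():                      # blank owner = previous owner
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0).lower(), origin)
            last_owner = owner
        # optional [AGE:...] tag, TTL and class before the RR type
        while tokens and (tokens[0].startswith("[") or tokens[0].isdigit()
                          or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        rdata = tokens
        if rtype in HOST_TYPES and rdata:          # make relative targets absolute
            rdata[-1] = _absolute(rdata[-1].lower(), origin) + "."
        records.append((owner, rtype, " ".join(rdata)))
    return records


def carve_to_dnscmd(text: str, parent_zone: str, child_zone: str,
                    server: str) -> Tuple[List[str], List[Record]]:
    """Return (dnscmd /RecordAdd commands for the child zone, records skipped).
    Skipped: the SOA and apex NS, which the DNS server creates when the new
    zone is added; the parent-side NS for the child stays as the delegation."""
    parent = parent_zone.lower().rstrip(".")
    child = child_zone.lower().rstrip(".")
    if not child.endswith("." + parent):
        raise ValueError(f"{child} is not under {parent}")
    commands: List[str] = []
    skipped: List[Record] = []
    for owner, rtype, rdata in parse_zone_export(text, parent):
        if owner != child and not owner.endswith("." + child):
            continue                                # record belongs elsewhere
        node = "@" if owner == child else owner[:-(len(child) + 1)]
        if rtype == "SOA" or (rtype == "NS" and node == "@"):
            skipped.append((owner, rtype, rdata))
            continue
        commands.append(f"dnscmd {server} /RecordAdd {child} {node} {rtype} {rdata}")
    return commands, skipped


if __name__ == "__main__":
    cmds, left = carve_to_dnscmd(SAMPLE_EXPORT, "company.com",
                                 "dallas.company.com", "dc1.dallas.company.com")
    print("\n".join(cmds))
    print("; skipped (created by zone creation / kept as delegation):", left)
```

Run it against a real export after creating the empty AD-integrated child zone, review the generated lines, then execute them on the child DC; the skipped dallas NS record is the one that stays in company.com as the delegation. Host names in the output keep their trailing dot so dnscmd treats them as absolute.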
  12. Jason1320

    Jorge Silva Guest

    Of course the above statement was with Primary zones in mind, because
    as I already told you, with AD Integrated Zones this process is Auto.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

     
    Jorge Silva, Aug 21, 2006
    #12
  14. Jason1320

    Jason1320 Guest

    We have hundreds of records for non-Windows servers and appliances. Most of
    these are unable to create their own records. There are also MX records,
    aliases, and SRV records that will not be automatically recreated. I need to
    do this as seamlessly as possible and missing any one of these records would
    cause an outage.

    Thanks,

    Jason

     
    Jason1320, Aug 21, 2006
    #14
  15. Jason1320

    Jason1320 Guest

    I think I have my question answered in that I will have to manually create at
    least some of the records, not a problem. I just want to clear up one more
    thing before we close this thread.

    Currently all domain controllers point back to the TLD for either their
    primary or secondary DNS. This is because the TLD DNS server is the only
    writable DNS server right now. After I create the new AD primary zone in the
    child domain, delegate authority, and create the static records, do I want to
    set the new child domain DNS server as primary for the domain controllers?
    What about all the AD created records in the company.com domain? Should I
    run netdiag /fix and restart the netlogon service to recreate the records?
    (You had mentioned forwarders previously, but if the network connection fails
    there will be issues.)

    Thanks,

    Jason

     
    Jason1320, Aug 21, 2006
    #15
  16. Jason1320

    Jorge Silva Guest

    Inline
    -If you are going to create a new AD Integrated Zone in each child domain,
    then Yes, make sure that each DNS DC points to itself under the NIC Preferred
    DNS settings. Also make sure that each child domain can resolve the TLD
    domain and the _msdcs.domain.tld at the Root domain. This can be done by
    several types of configuration; I already gave you what I think would
    be the best, in my opinion.
    You can do that, or stop and start the netlogon service; you can run dcdiag
    /test:dns to check if DNS is OK.
    There are many people that like forwarding (myself incl.), however if the link
    drops, then you're not able to resolve anything at the root because you
    can't connect to the servers.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

     
    Jorge Silva, Aug 21, 2006
    #16