  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2311

Proper DNS configuration for single forest with multiple domains.

Hello, I have inherited a network with some DNS issues. I need some insight on how the DNS servers should be configured. Here is what I have:

A root domain we will call root.local, it has 2 sub domains, sub1.root.local and sub2.root.local

Root.local and sub1.root.local are here in the data center; sub2.root.local is a remote location connected to the data center via VPN through a 10 Mb bonded PRI.

There is one ADC (Active Directory controller) for root.local
There are 2 ADCs for sub1.root.local
There are 2 ADCs for sub2.root.local

Of the ADCs for sub2.root.local, one is at the remote location and one is in the local data center. (Mind you, I did not set them up.)

Currently, the remote location ADC's DNS in the TCP/IP config on the NIC is pointed to the DNS server on the ADC for root.local in the data center. The DNS server at the remote location seems to be set up as a standalone server, no forwarding, just set up to use the root server for lookup. At this time, I do not know if its DNS is set up as AD integrated.

Here is the problem, when the WAN link went down, the remote users could not authenticate.  After doing my initial survey, it does appear that DNS is the culprit.  I have not setup DNS for multiple domains before, but it seems that the remote server should be looking to itself for dns.

What I need to know is how to properly set up the DNS servers for root.local, sub1.root.local and sub2.root.local so they communicate and replicate their information for the forest properly.

This is a pure server 2003 environment.

What I think: (Please tell me where I am wrong)
I think that the ADCs for root.local should be the primary DNS server, setting up the DNS servers for sub1.root.local and sub2.root.local as secondary DNS servers, forwarding to the DNS server for root.local. Or possibly a conditional forward for local domain name lookups.

I guess what I don't understand is how the DNS servers replicate information to each other, rather than just forwarding requests. I have scoured the net and experts-exchange with no specific answer.

A crash course in how this works would be great, if I need to break this down into other questions just let me know.

Thanks,

chris
Asked by chris_nt
2 Solutions
 
Jay_Jay70Commented:
Your root DCs should be looking at themselves for DNS. In the case that you only have one, you should have it looking at itself only. You need to also ensure that the DNS zones are AD integrated.

At the root level, you have two options for name resolution for the child
1) Host a stub zone for each child domain (this will require AD integrated zones) http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
2) Create Delegation in the root Domain to the child domains
http://technet2.microsoft.com/windowsserver/en/library/c5a89307-803d-4af4-af6a-0754b82c49121033.mspx?mfr=true

I personally prefer a stub zone scenario as it's not tied to any name servers in the child domain.

For your Child domains, Again, they should be AD integrated Zones. Each DC should look at itself first, and the second DC as a secondary. These are the only entries that should be in the local TCP/IP configuration.

I would also include some conditional forwarding in the child domains, IF you need to have name resolution between the child domains. So dc.child1.local would forward all requests for child2.local through to the servers in the second child domain,
and dc1.child2.local would forward all requests for child1.local through to the servers in the first child domain.

You can configure forwarding for all other requests either out through your root domain OR you can forward externally. If you forward requests externally, make sure you configure conditional forwarding for the root.local domain to the root domain's DNS servers.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Make sure you also configure Sites and Services for the domains to control localised traffic.
http://www.block.net.au/help/AD-Sites/

James
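The layout James describes (AD-integrated zones, stub zones at root, conditional forwarders between the children, each DC pointing at itself first), written out as an added example for this thread rather than anything the posters provided. It uses the Windows Server 2003 command-line tools dnscmd.exe, netsh.exe and nslookup.exe from a PowerShell prompt. Every host name, address and adapter name in it is an assumption chosen for illustration, not taken from the question.

```powershell
# Added example, not code from the original thread. Applies James's layout with
# the Windows Server 2003 tools dnscmd.exe, netsh.exe and nslookup.exe.
# Every host name and address below is an assumption chosen for illustration:
#   DC-ROOT    10.0.0.10                                root.local (single DC)
#   DC-SUB1-A  10.0.1.10    DC-SUB1-B  10.0.1.11         sub1.root.local (data centre)
#   DC-SUB2-A  10.0.2.10 (remote site)  DC-SUB2-B  10.0.0.20 (data centre)   sub2.root.local
$ErrorActionPreference = 'Stop'

function Invoke-Dnscmd {
    # Run one dnscmd command against a named DNS server; stop on a non-zero exit
    # code so a failed step is not silently followed by the next one.
    param([string]$Server, [string[]]$DnsArgs)
    $out = & dnscmd.exe $Server $DnsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Server $DnsArgs failed:`n$out" }
    $out
}

# 1. Root: the zone must be Active Directory-integrated. This converts a
#    file-backed primary zone in place.
Invoke-Dnscmd 'DC-ROOT' @('/ZoneResetType', 'root.local', '/DsPrimary')

# 2. Root hosts a stub zone per child (James's option 1). A stub zone carries
#    only the child's SOA, NS and glue records, refreshed from the child's DCs.
Invoke-Dnscmd 'DC-ROOT' @('/ZoneAdd', 'sub1.root.local', '/DsStub', '10.0.1.10', '10.0.1.11')
Invoke-Dnscmd 'DC-ROOT' @('/ZoneAdd', 'sub2.root.local', '/DsStub', '10.0.2.10', '10.0.0.20')

# 3. Children: AD-integrated zone, a conditional forwarder for the sibling child
#    domain, and a general forwarder that sends everything else up to root.
$children = @(
    @{ Zone = 'sub1.root.local'; Dcs = @('DC-SUB1-A', 'DC-SUB1-B')
       Sibling = 'sub2.root.local'; SiblingDns = @('10.0.2.10', '10.0.0.20') },
    @{ Zone = 'sub2.root.local'; Dcs = @('DC-SUB2-A', 'DC-SUB2-B')
       Sibling = 'sub1.root.local'; SiblingDns = @('10.0.1.10', '10.0.1.11') }
)
foreach ($c in $children) {
    # Convert the zone on the first DC only; the domain's other DC loads the
    # zone from the directory once it is stored there.
    Invoke-Dnscmd $c.Dcs[0] @('/ZoneResetType', $c.Zone, '/DsPrimary')
    foreach ($dc in $c.Dcs) {
        Invoke-Dnscmd $dc (@('/ZoneAdd', $c.Sibling, '/Forwarder') + $c.SiblingDns)
        Invoke-Dnscmd $dc @('/ResetForwarders', '10.0.0.10')
    }
}

# 4. TCP/IP DNS order on each DC: itself first, the other DC of the same domain
#    second, nothing else. netsh only configures the machine it runs on, so run
#    this function locally on each DC with that DC's own address as $Self.
function Set-DcDnsClientOrder {
    param([string]$Adapter, [string]$Self, [string]$Partner)
    & netsh.exe interface ip set dns "name=$Adapter" source=static "addr=$Self" register=primary
    & netsh.exe interface ip add dns "name=$Adapter" "addr=$Partner" index=2
}
# On DC-SUB2-A (remote site), for example:
# Set-DcDnsClientOrder -Adapter 'Local Area Connection' -Self '10.0.2.10' -Partner '10.0.0.20'

# 5. Check from the remote site that the SRV records logon depends on are
#    answered by the local DC alone. This is the lookup that failed while the
#    WAN link was down, so it must succeed without any help from the data centre.
$srv = (& nslookup.exe -type=SRV _ldap._tcp.dc._msdcs.sub2.root.local 10.0.2.10 2>&1) | Out-String
if ($srv -notmatch 'dc-sub2-a') { throw "DC-SUB2-A does not answer for its own domain's SRV records:`n$srv" }
```

The conditional forwarder zone created with /ZoneAdd /Forwarder takes precedence over the server-wide forwarder set with /ResetForwarders, so sibling-domain queries go straight to the sibling's DCs and only the remainder travels to root. The stub zones, conditional forwarders and the client DNS order are all static lists of addresses, so a DC replacement in either child means revisiting each of them.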
 
Chris DentPowerShell DeveloperCommented:

Hey Chris (and James :)),

Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local.

2. Configure Delegation

I prefer Delegation, I find it neater for multi-domain topologies; centralised vs de-centralised configuration.

The advantage of a centralised configuration such as Delegation is that you can add these to the root.local zone and you're done with it. Because of item 1 above child domains will receive correct paths to the other DNS Servers.

Stub Zones are marginally less configuration in some circumstances, but you'd need to add zones for each child domain (for each remote child domain). You also have the problem that you cannot just do that once at Root and set it to Forest-wide replication because of the existing zones on the child domain DNS Servers. The same applies for Conditional Forwarders in this scenario.

The disadvantage of Delegation is that you need to remember to modify the NS records for the delegation should a Child Domain DNS server change.

It's up to you which you go with in the end, the above is only my opinion on the subject.

3. Child Zones

Child Zones should be configured to replicate to all DNS Servers within their Domain. That loads the Zone Data into:

DC=DomainDNSZones,DC=childdomain,DC=root,DC=local

4. Configure Clients

Clients (including Servers) for each network should refer to DNS Servers for their local domain. This removes reliance on any indirect name resolution source and places it on the DCs they use for Authentication.

I assume you have more than one DC in each Domain (root and children)?

5. Configure Internet Name Resolution

You get quite a few choices about how this works. This is my preferred approach.

If a client site / child domain has a local connection to the internet, the DNS requests should be handled by the local DNS Server. That means that the DNS Server on the site should either Forward to an external DNS Server, or use Root Hints to resolve requests.

Conversely, if clients on a child domain must go through a hub site to get to the Internet then it would be beneficial for the Child Domain DNS Servers to Forward internet (all other domain) queries to the Root Domain DNS Servers.

This stands apart from the configuration of the domain itself.

HTH

Chris
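Chris Dent's five steps, as an added example for this thread rather than code from either poster, written for the Windows Server 2003 tools dnscmd.exe, nslookup.exe and dsacls.exe (the last is from the Support Tools) from a PowerShell prompt. Every host name, address and resolver in it is an assumption chosen for illustration; the directory partition names are the standard ForestDNSZones and DomainDNSZones paths from the answer. It also includes the check a practitioner wants after step 1: the zone object's location and DACL, which now decide who in the forest can write to root.local.

```powershell
# Added example, not code from the original thread. Applies Chris Dent's steps
# with the Windows Server 2003 tools dnscmd.exe, nslookup.exe and dsacls.exe.
# Every host name and address below is an assumption chosen for illustration:
#   DC-ROOT    10.0.0.10                                root.local
#   DC-SUB1-A  10.0.1.10    DC-SUB1-B  10.0.1.11         sub1.root.local (data centre)
#   DC-SUB2-A  10.0.2.10 (remote site)  DC-SUB2-B  10.0.0.20 (data centre)   sub2.root.local
#   203.0.113.53 stands in for the ISP resolver reachable from the data centre.
$ErrorActionPreference = 'Stop'

function Invoke-Dnscmd {
    param([string]$Server, [string[]]$DnsArgs)
    $out = & dnscmd.exe $Server $DnsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Server $DnsArgs failed:`n$out" }
    $out
}

# 1. root.local replicates to every DNS server in the forest. The zone must
#    already be AD-integrated; this moves it into DC=ForestDNSZones,DC=root,DC=local.
Invoke-Dnscmd 'DC-ROOT' @('/ZoneChangeDirectoryPartition', 'root.local', '/forest')

# 2. Delegation: an NS record per child DC under root.local plus a glue A record
#    for each name server. Because of step 1 every DC in the forest gets these.
$delegations = @(
    @{ Child = 'sub1'; Ns = @{ 'dc-sub1-a' = '10.0.1.10'; 'dc-sub1-b' = '10.0.1.11' } },
    @{ Child = 'sub2'; Ns = @{ 'dc-sub2-a' = '10.0.2.10'; 'dc-sub2-b' = '10.0.0.20' } }
)
foreach ($d in $delegations) {
    foreach ($name in $d.Ns.Keys) {
        $fqdn = "$name.$($d.Child).root.local."
        Invoke-Dnscmd 'DC-ROOT' @('/RecordAdd', 'root.local', $d.Child, 'NS', $fqdn)
        Invoke-Dnscmd 'DC-ROOT' @('/RecordAdd', 'root.local', "$name.$($d.Child)", 'A', $d.Ns[$name])
    }
}

# 3. Child zones replicate to the DNS servers of their own domain only
#    (DC=DomainDNSZones,DC=<child>,DC=root,DC=local). One DC per domain suffices.
Invoke-Dnscmd 'DC-SUB1-A' @('/ZoneChangeDirectoryPartition', 'sub1.root.local', '/domain')
Invoke-Dnscmd 'DC-SUB2-A' @('/ZoneChangeDirectoryPartition', 'sub2.root.local', '/domain')

# 4. Clients and DCs point only at the DNS servers of their own domain; that is
#    a per-machine netsh change on each NIC and is not repeated here.

# 5. Internet resolution. The remote site has no local internet path, so its
#    DCs forward what they are not authoritative for to root; the data centre
#    DCs forward to the ISP resolver. Passing no address to /ResetForwarders
#    clears the list so the server falls back on root hints instead.
foreach ($dc in 'DC-SUB2-A', 'DC-SUB2-B') { Invoke-Dnscmd $dc @('/ResetForwarders', '10.0.0.10') }
foreach ($dc in 'DC-ROOT', 'DC-SUB1-A', 'DC-SUB1-B') { Invoke-Dnscmd $dc @('/ResetForwarders', '203.0.113.53') }

# Checks. A sub2 DC must now find sub1's name servers through the delegation it
# holds in its own replicated copy of root.local, with no forwarder involved.
$ns = (& nslookup.exe -type=NS sub1.root.local 10.0.2.10 2>&1) | Out-String
if ($ns -notmatch 'dc-sub1-a') { throw "Delegation for sub1.root.local not visible from DC-SUB2-A:`n$ns" }

# After step 1 the zone is an object in the forest partition, so every DC in
# the forest holds a writable replica and the object's DACL is the only thing
# standing between a child-domain administrator and the root zone. Read it.
Invoke-Dnscmd 'DC-ROOT' @('/ZoneInfo', 'root.local')
& dsacls.exe 'DC=root.local,CN=MicrosoftDNS,DC=ForestDNSZones,DC=root,DC=local'
```

The delegation NS and glue records are the one piece of static configuration left in this design; when a child DC is replaced, the /RecordAdd lines in step 2 are what need updating (and the stale records removing with dnscmd /RecordDelete). Everything else is carried by directory replication.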
 
chris_ntAuthor Commented:
Thanks guys, I find each post equally informative, so I am splitting the points evenly.  

Thanks for your help and quick response.
 
Chris DentPowerShell DeveloperCommented:

Glad I / we could help out :)

Chris
 
Jay_Jay70Commented:
Hey Chris & Chris :)

Nice work old son - Chris Dent is probably our topmost DNS guru on the site - so heed his advice - taught me DNS for years :)
 
dkaiserltCommented:
Chris,

Per your advice, won't this allow the child domain admins full read/write access to the root DNS zones, since it's now replicated to their DNS servers? Is forwarding a better option to configure on the child DNS servers than replicating the root zone to all domain controllers forest wide?

"Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local"

 
Chris DentPowerShell DeveloperCommented:

Yes it will. Your domain admins cannot be trusted? :)

You can maintain forwarders or even Stub Zones if you feel that more appropriate, I certainly appreciate that the method I use above may not be suitable in all cases.

Chris
 
dkaiserltCommented:
Thanks Chris for the speedy reply.  Are there any pros/cons with using either forwarders or stub zones?

I trust them all but you just never know.

All of our child domain admins have full rights to their domain controllers and dns servers but since they don't have access to the root ADUC then they shouldn't have access to manage the root dns zone either.  
 
Chris DentPowerShell DeveloperCommented:

Stub zones need a bit more on the network, TCP 53 and Zone Transfers available if I remember correctly. On the plus side they maintain themselves (or should). With conditional forwards you must remember to keep them up to date.

Chris