Solved

Proper DNS configuration for single forest with multiple domains.

Posted on 2008-06-15
Last Modified: 2010-09-13
Hello, I have inherited a network with some dns issues. I need some insight on how the dns servers should be configured. Here is what I have:

A root domain we will call root.local, it has 2 sub domains, sub1.root.local and sub2.root.local

Root.local and sub1.root.local are here in the data center, sub2.root.local is a remote location connected to the data center via VPN through a 10 Mb bonded pri.

There is one ADC (active directory controller) for root.local
There are 2 ADCs for sub1.root.local
There are 2 ADCs for sub2.root.local

Of the ADCs for sub2.root.local, one is at the remote location, one is in the local data center. (Mind you, I did not set them up.)

Currently, the remote location ADC's DNS in the TCP/IP config on the NIC is pointed to the DNS server on the ADC DNS server for root.local in the data center. The DNS server at the remote location seems to be set up as a standalone server, no forwarding. Just set up to use the root server for lookup. At this time, I do not know if its DNS is set up as AD integrated.

Here is the problem, when the WAN link went down, the remote users could not authenticate.  After doing my initial survey, it does appear that DNS is the culprit.  I have not setup DNS for multiple domains before, but it seems that the remote server should be looking to itself for dns.

What I need to know is how to properly setup the dns servers for root.local sub1.root.local and sub2.root.local so they communicate and replicate their information for the forest properly.

This is a pure server 2003 environment.

What I think: (Please tell me where I am wrong)
I think that the ADCs for root.local should be the primary DNS server, setting up the DNS servers for sub1.root.local and sub2.root.local as secondary DNS servers, forwarding to the DNS server for root.local. Or possibly a conditional forward for local domain name lookups.

I guess what I don't understand is how the DNS servers replicate information to each other, rather than just forwarding requests. I have scoured the net and experts-exchange with no specific answer.

A crash course in how this works would be great, if I need to break this down into other questions just let me know.

Thanks,

chris
Question by:chris_nt
Accepted Solution

by: Jay_Jay70 earned 250 total points
ID: 21790720
Your root DCs should be looking at themselves for DNS - in the case that you only have one, you should have it looking at itself only. You need to also ensure that the DNS Zones are AD integrated.

At the root level, you have two options for name resolution for the child
1) Host a Stub zone for each child domain (this will require AD integrated Zones) http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
2) Create Delegation in the root Domain to the child domains
http://technet2.microsoft.com/windowsserver/en/library/c5a89307-803d-4af4-af6a-0754b82c49121033.mspx?mfr=true

I personally prefer a stub zone scenario as it's not tied to any Name Servers in the child domain.

For your Child domains, Again, they should be AD integrated Zones. Each DC should look at itself first, and the second DC as a secondary. These are the only entries that should be in the local TCP/IP configuration.

I would also include some conditional forwarding in the child domains, IF you need to have name resolution between the child domains. So dc.child1.local would forward all requests for child2.local through to the servers in the Second Child domain
And Dc1.Child2.local would forward all requests for child1.local through to the servers in the first child domain.

You can configure forwarding for all other requests either out through your Root Domain OR you can forward externally. If you forward requests externally, make sure you configure conditional forwarding for the root.local domain to the root Domain's DNS Servers.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Make sure you also configure Sites and Services for the domains to control localised traffic:
http://www.block.net.au/help/AD-Sites/

James
Assisted Solution

by: Chris Dent earned 250 total points
ID: 21791893
Hey Chris (and James :)),

Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local.

2. Configure Delegation

I prefer Delegation, I find it neater for multi-domain topologies; centralised vs de-centralised configuration.

The advantage of a centralised configuration such as Delegation is that you can add these to the root.local zone and you're done with it. Because of item 1 above child domains will receive correct paths to the other DNS Servers.

Stub Zones are marginally less configuration in some circumstances, but you'd need to add zones for each child domain (for each remote child domain). You also have the problem that you cannot just do that once at Root and set it to Forest-wide replication because of the existing zones on the child domain DNS Servers. The same applies for Conditional Forwarders in this scenario.

The disadvantage of Delegation is that you need to remember to modify the NS records for the delegation should a Child Domain DNS server change.

It's up to you which you go with in the end, the above is only my opinion on the subject.

3. Child Zones

Child Zones should be configured to replicate to all DNS Servers within their Domain. That loads the Zone Data into:

DC=DomainDNSZones,DC=childdomain,DC=root,DC=local

4. Configure Clients

Clients (including Servers) for each network should refer to DNS Servers for their local domain. This removes reliance on any indirect name resolution source and places it on the DCs they use for Authentication.

I assume you have more than one DC in each Domain (root and children)?

5. Configure Internet Name Resolution

You get quite a few choices about how this works. This is my preferred approach.

If a client site / child domain has a local connection to the internet, the DNS requests should be handled by the local DNS Server. That means that the DNS Server on the site should either Forward to an external DNS Server, or use Root Hints to resolve requests.

Conversely, if clients on a child domain must go through a hub site to get to the Internet then it would be beneficial for the Child Domain DNS Servers to Forward internet (all other domain) queries to the Root Domain DNS Servers.

This stands aside from the configuration from the domain.

HTH

Chris
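The two answers above describe one procedure in slightly different variants: an AD-integrated root zone replicated forest-wide, delegation (or stub zones) from root to the children, AD-integrated child zones replicated within their own domain, conditional forwarders between children, and clients and DCs pointing only at DNS servers of their own domain. The batch script below is an added example, not code from either answer, from the original thread or from Microsoft, showing how each step translates into dnscmd and netsh commands on Server 2003. Every host name, IP address and the NIC name are assumptions; adapt them and run each section on the server named in its heading.

```batch
@echo off
REM Added example (not from the thread): dnscmd / netsh commands that build the layout the
REM two answers above describe. All host names, IP addresses and the NIC name are assumptions.
REM
REM   dc1.root.local            10.0.0.10                (forest root DC, data centre)
REM   dc1/dc2.sub1.root.local   10.0.1.10 / 10.0.1.11    (data centre)
REM   dc1/dc2.sub2.root.local   10.0.2.10 / 10.0.2.11    (dc1 at the remote site, dc2 in the data centre)
REM
REM Run each section on the server named in its heading with the matching admin rights.
REM dnscmd ships with the Server 2003 Support Tools; its first argument is the DNS server to manage.

REM ===== On dc1.root.local ==========================================================
REM (1) AD-integrated root zone, replicated to every DNS server in the forest (Chris Dent's item 1).
REM     Caveat raised later in the thread: child-domain DNS admins then hold a writable copy of root.local.
dnscmd dc1.root.local /ZoneResetType root.local /DsPrimary
dnscmd dc1.root.local /ZoneChangeDirectoryPartition root.local /forest

REM (2a) Delegation to each child (Chris Dent's item 2): NS records plus glue A records.
REM      These must be updated by hand whenever a child-domain DNS server is replaced.
dnscmd dc1.root.local /RecordAdd root.local sub1 NS dc1.sub1.root.local.
dnscmd dc1.root.local /RecordAdd root.local sub1 NS dc2.sub1.root.local.
dnscmd dc1.root.local /RecordAdd root.local dc1.sub1 A 10.0.1.10
dnscmd dc1.root.local /RecordAdd root.local dc2.sub1 A 10.0.1.11
dnscmd dc1.root.local /RecordAdd root.local sub2 NS dc1.sub2.root.local.
dnscmd dc1.root.local /RecordAdd root.local sub2 NS dc2.sub2.root.local.
dnscmd dc1.root.local /RecordAdd root.local dc1.sub2 A 10.0.2.10
dnscmd dc1.root.local /RecordAdd root.local dc2.sub2 A 10.0.2.11

REM (2b) Alternative, James's option 1: AD-integrated stub zones instead of delegation.
REM      A stub zone refreshes its NS list from the child's own servers via zone transfer (TCP 53),
REM      so that traffic must be allowed across the VPN, but the zone then keeps itself current.
REM dnscmd dc1.root.local /ZoneAdd sub1.root.local /DsStub 10.0.1.10,10.0.1.11
REM dnscmd dc1.root.local /ZoneAdd sub2.root.local /DsStub 10.0.2.10,10.0.2.11

REM ===== On dc1.sub2.root.local (remote site); repeat on the other child DCs =========
REM (3) Child zone AD-integrated and replicated to all DNS servers in its own domain.
dnscmd dc1.sub2.root.local /ZoneResetType sub2.root.local /DsPrimary
dnscmd dc1.sub2.root.local /ZoneChangeDirectoryPartition sub2.root.local /domain

REM     Optional conditional forwarder so sub2 resolves sub1 directly rather than via root (James).
REM     Unlike a stub zone, this list is static and must be maintained by hand.
dnscmd dc1.sub2.root.local /ZoneAdd sub1.root.local /Forwarder 10.0.1.10,10.0.1.11

REM (5) Everything-else / Internet resolution: this site reaches the Internet through the hub,
REM     so forward unresolved queries to the root DNS server. A site with its own Internet link
REM     would instead forward to its ISP resolver or rely on root hints.
dnscmd dc1.sub2.root.local /ResetForwarders 10.0.0.10

REM (4) The DC's own NIC: itself first, the other DC of the same domain second, nothing else.
REM     With the zone held locally and AD-integrated, logon SRV lookups no longer depend on the WAN.
netsh interface ip set dns "Local Area Connection" static 10.0.2.10
netsh interface ip add dns "Local Area Connection" 10.0.2.11 index=2

REM ===== Checks at the remote site (the SRV lookup is what failed when the WAN was down) =====
dnscmd dc1.sub2.root.local /ZoneInfo sub2.root.local
nslookup -type=SRV _ldap._tcp.dc._msdcs.sub2.root.local 10.0.2.10
nslookup dc1.root.local 10.0.2.10
```

To confirm the fix for the original symptom, disconnect the VPN in a maintenance window and repeat the two nslookup checks against 10.0.2.10: the SRV query for the child domain must still answer locally, and only the root.local lookup may depend on the link if you chose not to replicate root.local forest-wide.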
 

Author Closing Comment

by:chris_nt
ID: 31467443
Thanks guys, I find each post equally informative, so I am splitting the points evenly.  

Thanks for your help and quick response.
Expert Comment

by: Chris Dent
ID: 21793990

Glad I / we could help out :)

Chris
Expert Comment

by: Jay_Jay70
ID: 21797934
Hey Chris & Chris :)

Nice work old son - Chris Dent is probably our topmost DNS guru on the site - so heed his advice - taught me DNS for years :)
Expert Comment

by: dkaiserlt
ID: 33662600
Chris,

Per your advice, won't this allow the child domain admins full read/write access to the root DNS zones, since it's now replicated to their DNS servers? Is forwarding a better option to configure on the child DNS servers than replicating the root zone to all domain controllers forest wide?

"Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local"

Expert Comment

by: Chris Dent
ID: 33662890

Yes it will. Your domain admins cannot be trusted? :)

You can maintain forwarders or even Stub Zones if you feel that is more appropriate; I certainly appreciate that the method I use above may not be suitable in all cases.

Chris
Expert Comment

by: dkaiserlt
ID: 33663066
Thanks Chris for the speedy reply.  Are there any pros/cons with using either forwarders or stub zones?

I trust them all but you just never know.

All of our child domain admins have full rights to their domain controllers and dns servers but since they don't have access to the root ADUC then they shouldn't have access to manage the root dns zone either.  
Expert Comment

by: Chris Dent
ID: 33663242

Stub zones need a bit more on the network, TCP 53 and Zone Transfers available if I remember correctly. On the plus side they maintain themselves (or should). With conditional forwards you must remember to keep them up to date.

Chris