vaworx
DNS root domain, child domain and Correct IP settings

Hi Experts,

I wanted to make sure that I got the following setup right.

I have 1 root domain and 1 child domain, both are split in 2 sites, Internal and DMZ as follows:

rootdomain.com
DMZ
root-dc1
root-dc2
Internal
root-dc3
root-dc4

child.rootdomain.com
DMZ
child-dc1
child-dc2
Internal
child-dc3
child-dc4

I have AD integrated DNS service configured on all 8 servers, DNS delegation has been assigned to child and my DNS looks like so:
Forward Lookup Zone
_msdcs.root.com - replicates forest wide
root.com - replicates to all root.com DCs (in the root domain only)
_msdcs
_sites
_tcp
_udp
DomainDNSZones
Reverse Lookup Zone
1.1.10.in-addr.arpa - replicates forest wide
1.2.10.in-addr.arpa - replicates forest wide
etc

On child.root.com
Forward Lookup Zone
_msdcs.root.com - replicates forest wide (same as root.com)
child.root.com - replicates to all child DCs (in the child domain only)
_msdcs
_sites
_tcp
_udp
DomainDNSZones
Reverse Lookup Zone
same as root.com

My questions are 2:
1. What is the correct TCP/IP Primary/Secondary DNS configuration for each DC?
In root.com :
I have each root.com DC pointed to itself as primary then pointed to a DC in the same site as secondary, ex: root-dc1 primary DNS is its own IP, secondary is the IP of root-dc2, root-dc2 is pointed to itself as Primary DNS IP, secondary is root-dc1. The forwarding on all root DCs is set to our external DNS server IP.

In child.root.com
I have each child.root.com DC pointed to itself as primary DNS IP and secondary is the DC IP in the same site. Basically the same setup as root.com, only the forwarding is set up to point to my DMZ root.com DCs on all of my child.root.com DCs.

Is this the correct setup, or do I need to have all of my DCs pointed to 2 sets of root domain DNS servers? (It is the TCP/IP settings on each DC that I am talking about.)

2. Does the above _msdcs setup look right? Does each domain, root and child, need to have the _msdcs subdomain, given the fact that I have _msdcs.root.com replicated forest wide?

Let me know your input on that. It would be greatly appreciated. Thanks.
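An added example, not code from the thread or from any of the posters: a PowerShell audit that checks every DC in the forest against the layout described in the question (each DC's NIC lists itself plus a DC of the same domain and AD site), reports the forwarders, and lists the replication scope of the AD-integrated zones so the _msdcs/domain-zone split can be confirmed. It assumes the RSAT modules ActiveDirectory, DnsClient and DnsServer and admin rights on the DCs; the zone names are the placeholders used in the question.

```powershell
# Added example (not from the thread). Audits DC DNS client settings, forwarders and zone
# replication scopes. Assumes RSAT modules ActiveDirectory, DnsClient, DnsServer.
Import-Module ActiveDirectory, DnsClient, DnsServer -ErrorAction Stop

$forest = Get-ADForest
# Every DC in every domain of the forest, with the attributes the checks need
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, IPv4Address, Site, Domain
}

function Get-DcDnsClientReport {
    foreach ($dc in $dcs) {
        # First IPv4 interface on the DC that has DNS servers configured, in lookup order
        $nic = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } | Select-Object -First 1
        $servers = @($nic.ServerAddresses)

        # DCs that qualify as a same-site partner: same domain, same AD site, not itself
        $partners = $dcs | Where-Object {
            $_.Domain -eq $dc.Domain -and $_.Site -eq $dc.Site -and $_.HostName -ne $dc.HostName
        }

        [pscustomobject]@{
            DC              = $dc.HostName
            Domain          = $dc.Domain
            Site            = $dc.Site
            Interface       = $nic.InterfaceAlias
            DnsServers      = $servers -join ','
            SelfListed      = $servers -contains $dc.IPv4Address
            SelfIsFirst     = ($servers.Count -gt 0 -and $servers[0] -eq $dc.IPv4Address)
            SameSitePartner = [bool]($servers | Where-Object { $partners.IPv4Address -contains $_ })
            Forwarders      = (Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress -join ','
        }
    }
}

function Get-ZoneScopeReport {
    # One DC per domain is enough: _msdcs.<forest root> is expected Forest-wide,
    # each domain's own zone Domain-wide, reverse zones as chosen (Forest-wide here).
    foreach ($domain in $forest.Domains) {
        $dc = ($dcs | Where-Object { $_.Domain -eq $domain } | Select-Object -First 1).HostName
        Get-DnsServerZone -ComputerName $dc |
            Where-Object { $_.IsDsIntegrated } |
            Select-Object @{n = 'QueriedOn'; e = { $dc } }, ZoneName, ReplicationScope, IsReverseLookupZone
    }
}

Get-DcDnsClientReport | Format-Table -AutoSize
Get-ZoneScopeReport   | Format-Table -AutoSize
```

A DC whose SelfListed or SameSitePartner column is False, or whose Forwarders column is empty, deviates from the setup the question describes and is worth a second look; the zone report makes a mistakenly Domain-scoped _msdcs zone or a Forest-scoped domain zone visible at a glance.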
ASKER CERTIFIED SOLUTION
Chris Dent
vaworx

ASKER

Correct, under root.com I have devicenames.root.com or servernames.root.com that are not Windows boxes, or I have CNAMEs to web servers in child.root.com so they can resolve as server.root.com CNAME server.child.root.com where the A record is.

So I guess I did the right thing?

Kind of proud about it because this was an actual move from BIND to Windows DNS where in the previous setup there was only one zone for root.com and no child.root.com. Oh was that fun fun :D
Let me give you a more generic answer, just to understand the mechanism.

Child domains (from the DNS side) are handled like subdomains. They can be handled (in general) on root level as well as on subdomain level. What is important for a correct setting is that you can resolve all names of the forest on all clients (if needed including external names).

The point of delegation is that you make another DNS (= admin) responsible for local DNS setup and name resolving. If the subdomain should be responsible for itself (not handled by the root), you can add a delegation which points from your root domain to a subdomain DNS server. Requests to the root domain DNS are then forwarded to the delegated server and not directly resolved by the root DNS. In the other direction, your subdomain must be able to resolve the root domain.

If you want to delegate the responsibility for DNS to the subdomain, this domain is responsible for itself. That means that the clients and servers in this subdomain are all pointing to their associated DNS (of the subdomain). By using recursion / forwarders, you allow your subdomain to resolve up the hierarchy and to resolve names which do not belong to the own domain.

From the MS DNS perspective, DNS is also used to provide and distribute additional settings, which are used only by Windows. These settings start with an underscore and are usually set automatically if you join the domain. Also MS DNS supports the automatic registration of clients with their corresponding DNS. If the clients (and servers) are pointing to the subdomain DNS, they will also register with this DNS.

Make sure that the reverse zones are also registered correctly and hosted on the correct DNS. As long as they are resolvable, this should work. As I can see, you host your reverse DNS on root level. But the correct setting depends a little bit on your IP subnetting of the root and child domains. Reverse DNS settings can also be delegated if needed. So you can set up the root as a B-net and delegate subnets to a C-net IP space.

The second DNS server is only touched if the first is not available. That means the first and the second DNS server are within the same subdomain.

1.) Usually, the DNS of a DC points (and only) to itself. This causes longer boot times, as the DNS service is not available in the first boot sequence. If you set up two DNS servers at the DC NIC, the first DNS will fail and the server will switch over to the second DNS. This will result in the fact that the second DNS will be used for further DNS lookups, as the own server has timed out before. This can be a trick to speed up DC booting, but has the drawback that DNS traffic of the DC will pass the network rather than using the local DNS. The same effect would take place if you set the DNS servers across each other, so DC1 points to DNS2 and DC2 points to DC1. In that case, I would always put the own DNS as second DNS to have a fallback to the own server, otherwise you run into issues under heavy network load, as DNS requests may time out.

2.) As I said, these settings are usually set automatically. From the logical side, they look correct, as these settings provide the MS services (like DC, roles) for the subdomain. Replication of the root values to the children makes the root services available to the children, and in the other direction, the delegation settings should forward requests to the child domain. In this constellation, a request should be resolvable in any direction.
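An added example, not code from the thread or from Bembi: a PowerShell script that checks the mechanisms described in the answer above. It verifies that child.root.com is delegated from the root.com zone, that names resolve in both directions (a root DC reaches child names via the delegation, a child DC reaches root names via its forwarders), that the forest-wide and child _msdcs SRV records and reverse lookups answer from both sides, and it includes a helper that applies the "partner DC first, own server second" NIC order recommended in point 1. It assumes the RSAT modules DnsServer and DnsClient; the host names and IP addresses are placeholders constructed for the example.

```powershell
# Added example (not from the thread). Delegation and bidirectional resolution checks plus
# a DNS-order helper. Host names and IPs below are placeholders, not real values.
Import-Module DnsServer, DnsClient -ErrorAction Stop

$rootZone  = 'root.com'
$childZone = 'child.root.com'
$rootDc    = 'root-dc1.root.com'          # placeholder: a DC hosting root.com
$childDc   = 'child-dc1.child.root.com'   # placeholder: a DC hosting child.root.com
$sampleIp  = '10.1.1.11'                  # constructed address inside 1.1.10.in-addr.arpa

# 1. Delegation: NS records (and glue) for child.root.com must exist inside the root.com zone
$delegation = Get-DnsServerZoneDelegation -Name $rootZone -ComputerName $rootDc |
    Where-Object { $_.ChildZoneName -eq $childZone }
if (-not $delegation) { Write-Warning "No delegation for $childZone found in $rootZone on $rootDc" }
$delegation | Format-List ChildZoneName, NameServer, IPAddress

# 2. Resolution in both directions; -DnsOnly bypasses the local cache and hosts file
function Test-Lookup {
    param([string]$Name, [string]$Server, [string]$Type = 'A')
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
             Select-Object -First 1
        # A records expose IPAddress, SRV records NameTarget, PTR records NameHost
        $answer = @($r.IPAddress, $r.NameTarget, $r.NameHost) | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{ Query = $Name; Type = $Type; Server = $Server; OK = $true;  Answer = $answer }
    } catch {
        [pscustomobject]@{ Query = $Name; Type = $Type; Server = $Server; OK = $false; Answer = $_.Exception.Message }
    }
}

@(
    Test-Lookup $childDc $rootDc                                 # root -> child via the delegation
    Test-Lookup $rootDc  $childDc                                # child -> root via forwarders
    Test-Lookup "_ldap._tcp.dc._msdcs.$rootZone"  $childDc SRV   # forest-wide _msdcs seen from child
    Test-Lookup "_ldap._tcp.dc._msdcs.$childZone" $rootDc  SRV   # child's own _msdcs seen from root
    Test-Lookup $sampleIp $rootDc  PTR                           # reverse lookup from both sides
    Test-Lookup $sampleIp $childDc PTR
) | Format-Table -AutoSize

# 3. The order recommended in point 1: partner DC first, the DC's own address second as fallback
function Set-DcDnsOrder {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DcHostName, [string]$PartnerIp, [string]$SelfIp)
    $nic = Get-DnsClientServerAddress -CimSession $DcHostName -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } | Select-Object -First 1
    if ($PSCmdlet.ShouldProcess($DcHostName, "set DNS servers to $PartnerIp, $SelfIp")) {
        Set-DnsClientServerAddress -CimSession $DcHostName -InterfaceIndex $nic.InterfaceIndex `
            -ServerAddresses @($PartnerIp, $SelfIp)
    }
}

# Preview only; remove -WhatIf to apply (placeholder IPs)
Set-DcDnsOrder -DcHostName $rootDc -PartnerIp '10.1.1.12' -SelfIp $sampleIp -WhatIf
```

A failed root-to-child lookup with a present delegation usually means the glue A records point at addresses the root DC cannot reach (for example a DMZ firewall between the sites); a failed child-to-root lookup points at the child DCs' forwarders. The reorder helper is kept behind ShouldProcess so the change can be previewed per DC before it touches a NIC.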
vaworx

ASKER

Hi Bembi,

I actually have all my reverse lookup zones replicate across the entire forest, hence they are available at all times to root.com and child.root.com.

> So i guess i did the right thing?

I would say so, yes :)

Chris
> I actually have all...
Yes, if you can resolve them reverse from anywhere, it is o.k. so far. As I said, reverse zones depend a little bit on the IP address spaces. But both methods are valid in general.