
DNS root domain, child domain and Correct IP settings

Posted on 2009-05-11
Last Modified: 2012-05-06
Hi Experts,

I wanted to make sure that I got the following setup right.

I have 1 root domain and 1 child domain, both are split in 2 sites, Internal and DMZ as follows:

rootdomain.com
DMZ
root-dc1
root-dc2
Internal
root-dc3
root-dc4

child.rootdomain.com
DMZ
child-dc1
child-dc2
Internal
child-dc3
child-dc4

I have AD integrated DNS service configured on all 8 servers, DNS delegation has been assigned to child and my DNS looks like so:
Forward Lookup Zone
_msdcs.root.com - replicates forest wide
root.com - replicates to all root.com DCs (in the root domain only)
_msdcs
_sites
_tcp
_udp
DomainDNSZones
Reverse Lookup Zone
1.1.10.in-addr.arpa - replicates forest wide
1.2.10.in-addr.arpa - replicates forest wide
etc

On child.root.com
Forward Lookup Zone
_msdcs.root.com - replicates forest wide (same as root.com)
child.root.com - replicates to all child DCs (in the child domain only)
_msdcs
_sites
_tcp
_udp
DomainDNSZones
Reverse Lookup Zone
same as root.com

My questions are 2:
1. What is the correct TCP/IP Primary/Secondary DNS configuration for each DC
In root.com :
I have each root.com DC pointed to itself as primary then pointed to a DC in the same site as secondary, ex: root-dc1 primary DNS is its own IP, secondary is the IP of root-dc2, root-dc2 is pointed to itself as Primary DNS IP, secondary is root-dc1. The forwarding on all root DCs is set to our external DNS server IP.

In child.root.com
I have each child.root.com DC pointed to itself as primary DNS IP, and the secondary is the IP of the DC in the same site. Basically the same setup as root.com, only the forwarding is set up to point to my DMZ root.com DCs on all of my child.root.com DCs.

Is this the correct setup, or do I need to have all of my DCs pointed to 2 sets of root domain DNS servers? It is the TCP/IP settings on each DC I am talking about.

2. Does the above _msdcs setup look right? Does each domain, root and child, need to have the sub domain _msdcs, given the fact that I have _msdcs.root.com replicated forest wide?

Let me know your input on that. It would be greatly appreciated. Thanks.
Question by:vaworx

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 24359445

1. Any operating DNS server within the current domain. What you have sounds great.

2. Yes, it looks good. The child will have its own version of _msdcs, that will contain information about DCs and services in the current domain.

The forwarding sounds good. You've provided resolution down the tree through the delegation, and up the tree through forwarding.

If root.com was empty except for DCs I would make root.com forest integrated. Doesn't sound like that is the case here though?

Chris

Author Comment

by:vaworx
ID: 24359560
Correct, under root.com I have devicenames.root.com or servernames.root.com that are not Windows boxes, or I have CNAMEs to web servers in child.root.com so they can resolve as server.root.com CNAME server.child.root.com where the A record is.

So I guess I did the right thing?

Kind of proud about it because this was an actual move from BIND to Windows DNS where in the previous setup there was only one zone for root.com and no child.root.com. Oh was that fun fun :D

Expert Comment

by:Bembi
ID: 24359802
Let me give you a more generic answer, just to understand the mechanism.

Child domains (from the DNS side) are handled like subdomains. They can be handled (in general) on root level as well as on subdomain level. Important for a correct setting is that you can resolve all names of the forest on all clients (if needed including external names).

The sense of delegation is that you make another DNS (= admin) responsible for local DNS setup and name resolving. If the subdomain should be responsible for itself (not handled by the root), you can add a delegation which points from your root domain to a subdomain DNS server. Requests to the root domain DNS are then forwarded to the delegated server and not directly resolved by the root DNS. In the other direction, your subdomain must be able to resolve the root domain.

If you want to delegate the responsibility for DNS to the subdomain, this domain is responsible for itself. That means that the clients and servers in that subdomain are all pointing to their associated DNS (of the subdomain). By using recursion / forwarders, you allow your subdomain to resolve up the hierarchy and to resolve names that do not belong to its own domain.

From the MS DNS perspective, DNS is also used to provide and distribute additional settings which are used only by Windows. These settings start with an underscore and are usually set automatically if you join the domain. Also MS DNS supports the automatic registration of clients with their corresponding DNS. If the clients (and servers) are pointing to the subdomain DNS, they will also register with this DNS.

Make sure that the reverse zones are also registered correctly and hosted on the correct DNS. As long as they are resolvable, this should work. As I can see, you host your reverse DNS on root level. But the correct setting depends a little bit on your IP subnetting of the root and child domains. Reverse DNS settings can also be delegated if needed. So you can set up the root as a B-net and delegate subnets to a C-net IP space.

The second DNS server is only touched, if the first is not available. That means, the first and the second DNS server are within the same subdomain.

1.) Usually, the DNS of a DC is pointing (and only) to itself. This causes longer boot times, as the DNS service is not available in the first boot sequence. If you set up two DNS servers at the DC NIC, the first DNS will fail and the server will switch over to the second DNS. This will result in the fact that the second DNS will be used for further DNS lookups, as the own server timed out before. This can be a trick to speed up DC booting, but has the drawback that DNS traffic of the DC will pass the network rather than using the local DNS. The same effect would take place if you set the DNS servers across each other, so DC1 points to DC2 and DC2 points to DC1. In that case, I would always put the own DNS as second DNS to have a fallback to the own server, otherwise you run into issues under heavy network load, as DNS requests may time out.

2.) As I said, these settings are usually set automatically. From the logical side, they look correct, as these settings provide the MS services (like DC, roles) for the subdomain. Replication of the root values to the children makes the root services available to the children, and in the other direction, the delegation settings should forward requests to the child domain. In this constellation, a request should be resolvable in any direction.
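An audit script for question 1 and for Bembi's point about primary/secondary order, added here and not posted by anyone in the thread: it walks every DC in the forest and flags any DC whose primary DNS is not itself, whose secondary is not a same-site DC of its own domain, or (for child DCs) whose forwarders do not include the root DMZ DCs. It assumes the ActiveDirectory, DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, so newer than the 2009 setup), uses the question's root.com naming, and the IPs in $RootDmzForwarders are placeholders to replace with your own.

```powershell
# Added audit script, not from the thread. Assumes RSAT/ActiveDirectory, DnsClient and DnsServer
# modules and WinRM access to each DC. Replace the placeholder forwarder IPs with your root DMZ DCs.
Import-Module ActiveDirectory

$RootDomain        = 'root.com'                     # forest root, named as in the question
$RootDmzForwarders = @('10.0.0.1', '10.0.0.2')      # PLACEHOLDER: IPs of root-dc1 / root-dc2 (DMZ)

# Collect every DC in the forest with its domain, site and IPv4 address
$forest = Get-ADForest
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

foreach ($dc in $dcs) {
    $self = $dc.IPv4Address
    # Acceptable secondaries: other DCs in the same domain AND the same site (question's layout)
    $peers = @($dcs | Where-Object { $_.Domain -eq $dc.Domain -and $_.Site -eq $dc.Site -and
                                     $_.IPv4Address -ne $self } | ForEach-Object IPv4Address)

    # Read the NIC's DNS client list and the DNS server's forwarders on the DC itself
    $cfg = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        [pscustomobject]@{
            Servers    = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                           Where-Object ServerAddresses | Select-Object -First 1).ServerAddresses)
            Forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object IPAddressToString)
        }
    }
    $servers    = @($cfg.Servers)      # re-wrap: a single value deserialises as a scalar
    $forwarders = @($cfg.Forwarders)

    $problems = @()
    if ($servers.Count -lt 1 -or $servers[0] -ne $self) {
        $problems += "primary DNS is '$($servers[0])', not itself ($self)"
    }
    if ($servers.Count -lt 2 -or $servers[1] -notin $peers) {
        $problems += "secondary DNS is not a same-site DC of $($dc.Domain) (expected: $($peers -join ', '))"
    }
    if ($dc.Domain -ne $RootDomain) {
        # Child DCs forward up the tree to the root DMZ DCs; root DCs forward externally instead
        $missing = @($RootDmzForwarders | Where-Object { $_ -notin $forwarders })
        if ($missing.Count -gt 0) { $problems += "forwarders missing root DMZ DCs: $($missing -join ', ')" }
    }

    [pscustomobject]@{
        DC      = $dc.HostName
        Domain  = $dc.Domain
        Site    = $dc.Site
        Status  = if ($problems.Count -gt 0) { 'CHECK' } else { 'OK' }
        Details = $problems -join '; '
    }
}
```

Pipe the output to Format-Table or Export-Csv; a DC marked CHECK with "primary DNS is not itself" is the cross-pointing case Bembi describes, where lookups cross the network instead of staying local.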

Author Comment

by:vaworx
ID: 24360648
Hi Bembi,

I actually have all my reverse lookup zones replicate across the entire forest, hence they are available at all times to root.com and child.root.com.

Expert Comment

by:Chris Dent
ID: 24362198

> So i guess i did the right thing?

I would say so, yes :)

Chris

Expert Comment

by:Bembi
ID: 24362299
> I actually have all...
Yes, if you can resolve them in reverse from anywhere, it is OK so far. As I said, reverse zones depend a little bit on the IP address spaces. But both methods are valid in general.