AD and DNS Question

Posted on 2009-07-09
Medium Priority
Last Modified: 2012-05-07

This is probably going to sound like a stupid question but I'm trying to get some opinions.  We have one AD Forest with one Child domain and DNS zones provided from a thirdparty solution.  The zones look like:


Clients are in the Child domain AD.  We've had a suggestion from one of our teams that we should take the DNS records for all servers and clients in the AD domain and place them into the Parent DNS Zone...  so all server/client entries would go from AD.PARENT.COM to PARENT.COM DNS Zone (they would still be in the "AD" Child Domain for authentication).  They would then disable DDNS on the "AD" Zone.

I have no idea why someone would want to do this (I think they're trying to simplify it by supporting only the parent zone and just leaving the AD servers and service records in the child), but I'm looking for technical reasons why you wouldn't want to.  

I'm wondering if this would cause any issues with Kerberos tickets etc, and does the domain use FQDN to contact clients (assuming the child domain would naturally think it's domain members would be in the same DNS zone)?

Is it best practice to use FQDN where possible or allow your search suffix to do the work?  Is it a stipulation that clients DNS records should exist in the same Zone as the AD they logon to?

Appreciate the help
Question by:Sinder255248
LVL 14

Accepted Solution

Wonko_the_Sane earned 1000 total points
ID: 24812986
I wouldn't do it... I also fail to see real advantages as opposed to a lot of headaches this can cause.

Read this:
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 24815185

I would consider dumping the entire forest down into the parent domain a more productive use of resources.

Running a disjointed name space is fine if you're completely happy with DNS / AD, which tends to make it pretty inadvisable for most places. I'd have trouble advising anyone actually do it intentionally unless they have very good cause.


Author Comment

ID: 24822747
Thanks for the replies on this, from what I take it's probably not a good idea.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This installment of Make It Better gives Media Temple customers the latest news, plugins, and tutorials to make their VPS hosting experience that much smoother.
The Windows Firewall provides an important layer of protection and a rich interface to configure it. Unfortunately, it lacks item level filtering. This article details my process of implementing firewall-as-code to reduce GPO bloat.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question