Solved

AD and DNS Question

Posted on 2009-07-09
270 Views
Last Modified: 2012-05-07
Hi,

This is probably going to sound like a stupid question but I'm trying to get some opinions. We have one AD Forest with one Child domain and DNS zones provided from a third-party solution. The zones look like:

AD.PARENT.COM

Clients are in the Child domain AD.  We've had a suggestion from one of our teams that we should take the DNS records for all servers and clients in the AD domain and place them into the Parent DNS Zone...  so all server/client entries would go from AD.PARENT.COM to PARENT.COM DNS Zone (they would still be in the "AD" Child Domain for authentication).  They would then disable DDNS on the "AD" Zone.

I have no idea why someone would want to do this (I think they're trying to simplify it by supporting only the parent zone and just leaving the AD servers and service records in the child), but I'm looking for technical reasons why you wouldn't want to.

I'm wondering if this would cause any issues with Kerberos tickets etc., and does the domain use the FQDN to contact clients (assuming the child domain would naturally think its domain members would be in the same DNS zone)?

Is it best practice to use the FQDN where possible or allow your search suffix to do the work? Is it a stipulation that clients' DNS records should exist in the same zone as the AD domain they log on to?

Appreciate the help
Question by:Sinder255248
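One way to inspect a member for the configuration described in the question, as an added PowerShell example that is not part of the thread (it assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host): it compares the host's primary DNS suffix with its AD domain's DNS name, checks whether the domain's msDS-AllowedDNSSuffixes attribute permits that suffix, and verifies that the computer object's dNSHostName, HOST SPN and DNS A record all agree on the FQDN, which is what Kerberos mutual authentication to the machine relies on.

```powershell
# Added diagnostic (not from the thread): report whether this member sits in a
# disjoint namespace (primary DNS suffix differs from the AD domain's DNS name)
# and whether the pieces Kerberos and DNS depend on still line up.
# Assumes the ActiveDirectory and DnsClient modules are installed (RSAT).
Import-Module ActiveDirectory

function Test-DisjointNamespace {
    [CmdletBinding()]
    param()

    # AD domain the computer account lives in, e.g. ad.parent.com
    $domain    = Get-ADDomain
    $adDomain  = $domain.DNSRoot

    # Primary DNS suffix actually configured on this host, e.g. parent.com
    $dnsSuffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    $hostName  = [System.Net.Dns]::GetHostName()
    $fqdn      = "$hostName.$dnsSuffix"

    # Suffixes the domain explicitly allows disjoint members to register
    $allowed = (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'

    $disjoint = $dnsSuffix -ne $adDomain

    # The computer object's dNSHostName and its HOST/<fqdn> SPN are derived from
    # the primary DNS suffix; a mismatch breaks Kerberos to this machine.
    $computer = Get-ADComputer -Filter "Name -eq '$hostName'" `
        -Properties dNSHostName, servicePrincipalName

    # Does the FQDN resolve in DNS at all (DDNS or static record present)?
    $resolves = $null -ne (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Host                  = $hostName
        ADDomain              = $adDomain
        PrimaryDnsSuffix      = $dnsSuffix
        DisjointNamespace     = $disjoint
        SuffixAllowedByDomain = (-not $disjoint) -or ($allowed -contains $dnsSuffix)
        DnsHostNameMatches    = $computer.dNSHostName -eq $fqdn
        HostSpnPresent        = $computer.servicePrincipalName -contains "HOST/$fqdn"
        FqdnResolves          = $resolves
    }
}

Test-DisjointNamespace | Format-List
```

A member where DisjointNamespace is True but SuffixAllowedByDomain is False will fail to register its dNSHostName and SPNs, which is the kind of silent breakage the suggested zone move would introduce.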
3 Comments
Accepted Solution by Wonko_the_Sane (LVL 14, earned 250 total points), ID: 24812986
I wouldn't do it... I also fail to see real advantages as opposed to a lot of headaches this can cause.

Read this:
http://technet.microsoft.com/en-us/library/cc773264(WS.10).aspx

Assisted Solution by Chris Dent (LVL 70, earned 250 total points), ID: 24815185

I would consider dumping the entire forest down into the parent domain a more productive use of resources.

Running a disjointed name space is fine if you're completely happy with DNS / AD, which tends to make it pretty inadvisable for most places. I'd have trouble advising anyone actually do it intentionally unless they have very good cause.

Chris

Author Comment by Sinder255248 (LVL 8), ID: 24822747
Thanks for the replies on this; from what I take it, it's probably not a good idea.