
Solved

Active Directory forest trust DNS recommendation

Posted on 2013-01-08
1,525 Views
Last Modified: 2013-01-10
EE,

I'm labbing a forest trust before implementing it in the real world. I have a 2k3-R2 to 2k8-R2 two-way trust and am trying to pick the best DNS method between stub zones, a secondary zone using the other domain's DNS server, or a forwarder.

We currently use forwarders to resolve internet names, so is it a bad idea to use an additional forwarder (of the destination forest) to resolve cross-forest DNS names and authentication requests?

I want to use an integrated stub zone but this seems messy as well being that we'd have to replicate that across hundreds of DCs and domains in the forest.

Is there a feature within these that I'm missing to make this easier or less intrusive of a design change?

Thanks again
Question by:snyderkv
6 Comments
 
LVL 5

Assisted Solution

by:msallam
msallam earned 664 total points
ID: 38757850
I do not have much experience with trusts, but I think the main issue you are running into is the DNS name resolution. I mean, the segregation between internet and internal name resolution.

If my assumption is right, then you can use "Conditional Forwarding" - provided you are not using a namespace intersecting with any names on the internet.

You can read about configuring conditional forwarding here:

Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Windows Server 2003
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/5112303
http://support.microsoft.com/kb/304491

Let us know how it goes.
 

Author Comment

by:snyderkv
ID: 38757911
Msallam,

Good info, I'll test in my lab. But wanted to ask, it seems like the difference is simply that I can integrate these forwarders into AD instead of just a single DC like standard forwarders, but if I try to reach google, wouldn't it still try and ask across the forest?
 
LVL 23

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 668 total points
ID: 38759093
Hi,

If it is a single DC then you can use it without adding forwarders, but when you access the internet from a client machine this doesn't work. So, it is always good to add DNS forwarders which can forward your external DNS queries.

Author Comment

by:snyderkv
ID: 38759808
Rad, I'm confused. We have hundreds of DCs that use standard forwarders for internet queries, so I didn't think it was a great idea to add a cross-forest DNS entry into the mix. Will a conditional forwarder act any differently, or is it the same?
 
LVL 27

Accepted Solution

by:DrDave242
DrDave242 earned 668 total points
ID: 38764306
Whereas normal forwarders (the ones you typically use for Internet name resolution) will forward any query that the server is not authoritative for, conditional forwarders are domain-specific: they only forward queries for certain domains.

For example, assume your two domains are named domain1.local and domain2.local.  You create a conditional forwarder on domain1.local's DNS servers.  The first thing you have to specify is the domain to which this conditional forwarder applies.  In this case, you'd specify domain2.local.  Then you'd specify the list of DNS servers that are authoritative for domain2.local.  Once that's done, any query for a record in domain2.local that comes into domain1.local's DNS server will be forwarded to one of domain2.local's DNS servers.  You would then want to do the opposite: configure another conditional forwarder for domain1.local on domain2.local's DNS servers so that folks in domain2.local can resolve names in domain1.local.

These conditional forwarders won't interfere with your other (Internet) forwarders in any way, since they're only used for the domains you specify.  Also note that you can store conditional forwarders in AD and configure a replication scheme (i.e., assign them to a directory partition) just like you would with an AD-integrated zone, so you don't have to configure them manually on every DNS server you have.
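As an added example (not posted by anyone in this thread), here is what msallam's suggestion and DrDave242's accepted answer look like when typed into a DNS server in domain1.local: one AD-replicated conditional forwarder for domain2.local, a look at the untouched Internet forwarders, and a check that the trusted forest's LDAP SRV records (the ones the trust's authentication traffic depends on) now resolve. The domain names come from the accepted answer; the IP addresses and the test hostname are constructed placeholders, and the cmdlets assume the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT).

```powershell
# Added example, not from the thread. Run on a DNS server in domain1.local.
# Assumptions: domain1.local / domain2.local are the two forests (names from the
# accepted answer); the addresses below are placeholders for domain2.local's DCs.

$TrustedForest   = 'domain2.local'
$TrustedDnsHosts = @('10.2.0.10', '10.2.0.11')   # placeholder DC addresses in domain2.local

# ReplicationScope 'Forest' stores the forwarder in the ForestDnsZones application
# partition, so every DNS server in domain1.local's forest receives it through AD
# replication instead of being configured by hand on hundreds of DCs.
# Only queries for names under domain2.local go to these servers; everything else
# keeps following the server-level (Internet) forwarders.
if (-not (Get-DnsServerZone -Name $TrustedForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $TrustedForest `
        -MasterServers $TrustedDnsHosts `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5
}

# The ordinary Internet forwarders are a separate, server-level setting that the
# command above does not change; list them so the two can be compared.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress

# Check 1: the trusted forest's domain-controller SRV records must now resolve,
# because Kerberos and LDAP traffic across the trust locates DCs through them.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedForest" -Type SRV -ErrorAction Stop
$srv | Select-Object Name, NameTarget, Port, Priority

# Check 2: a public name (placeholder) still resolves via the regular forwarders,
# proving the conditional forwarder did not hijack Internet resolution.
Resolve-DnsName -Name 'www.example.com' -Type A -ErrorAction Stop | Select-Object Name, IPAddress

# Check 3: confirm how the forwarder is stored and replicated.
Get-DnsServerZone -Name $TrustedForest |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers
```

For the two-way trust, repeat the Add-DnsServerConditionalForwarderZone step on domain2.local's DNS servers with -Name 'domain1.local' and domain1.local's DC addresses. On the 2008 R2 side, where the DnsServer module is not available, the same forest-replicated forwarder can be created with dnscmd /ZoneAdd domain2.local /Forwarder 10.2.0.10 10.2.0.11 /DP /forest (placeholder addresses again); the 2003 R2 side has no AD-stored conditional forwarders, so there it is a per-server setting that must be applied to each DNS server.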
 

Author Closing Comment

by:snyderkv
ID: 38765655
Great, thanks Dave for the clarification, and everyone else. I'll test it out now.