Solved

Active Directory forest trust DNS recommendation

Posted on 2013-01-08
Last Modified: 2013-01-10
EE,

I'm labbing a forest trust before implementing it in the real world. I have a 2k3-R2 to 2k8-R2 two-way trust and am trying to pick the best DNS method between stub zones, a secondary zone using the other domain's DNS server, or a forwarder.

We currently use forwarders to resolve internet names, so is it a bad idea to use an additional forwarder (of the destination forest) to resolve cross-forest DNS names and authentication requests?

I want to use an integrated stub zone, but this seems messy as well, being that we'd have to replicate that across hundreds of DCs and domains in the forest.

Is there a feature within these that I'm missing to make this easier or less intrusive of a design change?

Thanks again
Question by: snyderkv

Assisted Solution by: msallam (LVL 5, earned 166 total points), ID: 38757850
I do not have much experience with trusts, but I think the main issue you are running into is DNS name resolution. I mean, the segregation between internet and internal name resolution.

If my assumption is right, then you can use "Conditional Forwarding" - provided you are not using a namespace intersecting with any names on the internet.

You can read about configuring conditional forwarding here:

Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Windows Server 2003
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/5112303
http://support.microsoft.com/kb/304491

Let us know how it goes.
Author Comment by: snyderkv, ID: 38757911
Msallam,

Good info, I'll test in my lab. But wanted to ask, it seems like the difference is simply that I can integrate these forwarders into AD instead of just a single DC like standard forwarders, but if I try to reach google, wouldn't it still try and ask across the forest?
Assisted Solution by: RK (LVL 21, earned 167 total points), ID: 38759093
Hi,

If it is a single DC then you can use it without adding forwarders, but when you access the internet from a client machine this doesn't work. So it is always good to add DNS forwarders, which can forward your external DNS queries.
Author Comment by: snyderkv, ID: 38759808
Rad, I'm confused, we have hundreds of DCs that use standard forwarders for internet queries, so I didn't think it was a great idea to add a cross forest DNS entry into the mix. Will a conditional forwarder act any different or is it the same?
Accepted Solution by: DrDave242 (LVL 26, earned 167 total points), ID: 38764306
Whereas normal forwarders (the ones you typically use for Internet name resolution) will forward any query that the server is not authoritative for, conditional forwarders are domain-specific: they only forward queries for certain domains.

For example, assume your two domains are named domain1.local and domain2.local.  You create a conditional forwarder on domain1.local's DNS servers.  The first thing you have to specify is the domain to which this conditional forwarder applies.  In this case, you'd specify domain2.local.  Then you'd specify the list of DNS servers that are authoritative for domain2.local.  Once that's done, any query for a record in domain2.local that comes into domain1.local's DNS server will be forwarded to one of domain2.local's DNS servers.  You would then want to do the opposite: configure another conditional forwarder for domain1.local on domain2.local's DNS servers so that folks in domain2.local can resolve names in domain1.local.

These conditional forwarders won't interfere with your other (Internet) forwarders in any way, since they're only used for the domains you specify.  Also note that you can store conditional forwarders in AD and configure a replication scheme (i.e., assign them to a directory partition) just like you would with an AD-integrated zone, so you don't have to configure them manually on every DNS server you have.
Author Closing Comment by: snyderkv, ID: 38765655
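The forest-wide, AD-stored conditional forwarder described in the accepted answer, as an added example that is not from the thread or any of its posters. It assumes Windows Server 2012 or later for the DnsServer PowerShell module; the domain names and the 192.0.2.x addresses are placeholders for the partner forest's DNS servers.

```powershell
# Added example (not from the original thread). Run on a DNS server / DC in domain1.local.
# Assumptions: DnsServer module (Server 2012+); domain2.local and the IPs below are placeholders.
$partnerDomain = 'domain2.local'
$partnerDnsIPs = @('192.0.2.10', '192.0.2.11')   # constructed: DNS servers authoritative for domain2.local

# Create the conditional forwarder once, stored in AD and replicated to every DNS server
# in the forest, instead of configuring it by hand on each DC.
Add-DnsServerConditionalForwarderZone -Name $partnerDomain `
    -MasterServers $partnerDnsIPs `
    -ReplicationScope 'Forest'

# On Server 2003/2008 DNS servers the equivalent (assumed) dnscmd form is:
#   dnscmd /ZoneAdd domain2.local /Forwarder 192.0.2.10 192.0.2.11 /DP /forest

# Check 1: the forwarder is scoped to the partner domain only and is AD-stored.
Get-DnsServerZone -Name $partnerDomain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers

# Check 2: a domain2.local name (the DC locator SRV record the trust relies on)
# now resolves via the conditional forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerDomain" -Type SRV -Server localhost

# Check 3: the ordinary Internet forwarders are untouched and still answer
# queries for names outside domain2.local.
Get-DnsServerForwarder
Resolve-DnsName -Name 'www.google.com' -Server localhost
```

Repeat the same steps on domain2.local's DNS servers with domain1.local as the name and domain1.local's DNS servers as the masters, so resolution works in both directions.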
Great, thanks Dave for the clarification, and everyone else. I'll test it out now.