Solved

Active Directory forest trust DNS recomendation

Posted on 2013-01-08
6
1,289 Views
Last Modified: 2013-01-10
EE,

I'm labing a forest trust before implementing in real world. I have 2k3-R2 to 2k8-R2 two way trust and am trying to pick the best DNS method between stub zones, a secondary zone using the other domains DNS server or a forwarder

We currently use forwarders to resolve internet names so is it a bad idea to use an additional forwarder (of the destination forest) to resolve cross forest DNS names and authentication requests ?

I want to use an integrated stub zone but this seems messy as well being that we'd have to replicate that across hundreds of DCs and domains in the forest.

Is there a feataure within these that I'm missing to make this easier or less intrusive of a design change?

Thanks again
0
Comment
Question by:snyderkv
6 Comments
 
LVL 5

Assisted Solution

by:msallam
msallam earned 166 total points
ID: 38757850
I do not have much experience with trusts, but I think the main issue you are running is the DNS name resolution. I mean, the segregation between internet and internal name resolution.

If my assumption is right, then you can you can use "Conditional Forwarding" - provided you are not using a namespace intersecting with the any names on the internet.

You can read about configuring conditional forwarding here:

Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Windows Server 2003
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/5112303
http://support.microsoft.com/kb/304491

Let us know how it goes.
0
 

Author Comment

by:snyderkv
ID: 38757911
Msallam,

Good info, I'll test in my lab. But wanted to ask, it seems like the difference is simply that I can integrate these forwarders into AD instead of just a single DC like standard forwarders, but if I try to reach google, wouldn't it still try and ask across the forest?
0
 
LVL 20

Assisted Solution

by:Radhakrishnan Rajayyan
Radhakrishnan Rajayyan earned 167 total points
ID: 38759093
Hi,

If it is a single DC then you can use without adding a forwarders but when you access internet from a client machine this doesn't work. So, it always good to add DNS forwarders which can be forward your external DNS queries.
0
Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

 

Author Comment

by:snyderkv
ID: 38759808
Rad, I'm confused, we have hundreds of DCs that use standard forwarders for internet queries, so I didn't think it was a great idea to add a cross forest DNS entry into the mix. Will a conditional forwarder act any different or is it the same?
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 167 total points
ID: 38764306
Whereas normal forwarders (the ones you typically use for Internet name resolution) will forward any query that the server is not authoritative for, conditional forwarders are domain-specific: they only forward queries for certain domains.

For example, assume your two domains are named domain1.local and domain2.local.  You create a conditional forwarder on domain1.local's DNS servers.  The first thing you have to specify is the domain to which this conditional forwarder applies.  In this case, you'd specify domain2.local.  Then you'd specify the list of DNS servers that are authoritative for domain2.local.  Once that's done, any query for a record in domain2.local that comes into domain1.local's DNS server will be forwarded to one of domain2.local's DNS servers.  You would then want to do the opposite: configure another conditional forwarder for domain1.local on domain2.local's DNS servers so that folks in domain2.local can resolve names in domain1.local.

These conditional forwarders won't interfere with your other (Internet) forwarders in any way, since they're only used for the domains you specify.  Also note that you can store conditional forwarders in AD and configure a replication scheme (i.e., assign them to a directory partition) just like you would with an AD-integrated zone, so you don't have to configure them manually on every DNS server you have.
0
 

Author Closing Comment

by:snyderkv
ID: 38765655
Great thanks Dave for the clarification and everyone else. I'll test it out now
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now