Solved

Active Directory forest trust DNS recommendation

Posted on 2013-01-08
6
1,440 Views
Last Modified: 2013-01-10
EE,

I'm labbing a forest trust before implementing it in the real world. I have a 2k3-R2 to 2k8-R2 two-way trust and am trying to pick the best DNS method between stub zones, a secondary zone using the other domain's DNS server, or a forwarder.

We currently use forwarders to resolve Internet names, so is it a bad idea to use an additional forwarder (of the destination forest) to resolve cross-forest DNS names and authentication requests?

I want to use an integrated stub zone, but this seems messy as well, being that we'd have to replicate that across hundreds of DCs and domains in the forest.

Is there a feature within these that I'm missing to make this easier or a less intrusive design change?

Thanks again
0
Question by:snyderkv
6 Comments
 
LVL 5

Assisted Solution

by:msallam
msallam earned 166 total points
ID: 38757850
I do not have much experience with trusts, but I think the main issue you are running into is DNS name resolution. I mean, the segregation between Internet and internal name resolution.

If my assumption is right, then you can use "Conditional Forwarding", provided you are not using a namespace intersecting with any names on the Internet.

You can read about configuring conditional forwarding here:

Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Windows Server 2003
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/5112303
http://support.microsoft.com/kb/304491

Let us know how it goes.
0
 

Author Comment

by:snyderkv
ID: 38757911
Msallam,

Good info, I'll test in my lab. But I wanted to ask: it seems like the difference is simply that I can integrate these forwarders into AD instead of just a single DC like standard forwarders, but if I try to reach Google, wouldn't it still try and ask across the forest?
0
 
LVL 21

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 167 total points
ID: 38759093
Hi,

If it is a single DC then you can use it without adding forwarders, but when you access the Internet from a client machine this doesn't work. So it is always good to add DNS forwarders, which can forward your external DNS queries.
0
 

Author Comment

by:snyderkv
ID: 38759808
Rad, I'm confused. We have hundreds of DCs that use standard forwarders for Internet queries, so I didn't think it was a great idea to add a cross-forest DNS entry into the mix. Will a conditional forwarder act any differently, or is it the same?
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 167 total points
ID: 38764306
Whereas normal forwarders (the ones you typically use for Internet name resolution) will forward any query that the server is not authoritative for, conditional forwarders are domain-specific: they only forward queries for certain domains.

For example, assume your two domains are named domain1.local and domain2.local.  You create a conditional forwarder on domain1.local's DNS servers.  The first thing you have to specify is the domain to which this conditional forwarder applies.  In this case, you'd specify domain2.local.  Then you'd specify the list of DNS servers that are authoritative for domain2.local.  Once that's done, any query for a record in domain2.local that comes into domain1.local's DNS server will be forwarded to one of domain2.local's DNS servers.  You would then want to do the opposite: configure another conditional forwarder for domain1.local on domain2.local's DNS servers so that folks in domain2.local can resolve names in domain1.local.

These conditional forwarders won't interfere with your other (Internet) forwarders in any way, since they're only used for the domains you specify.  Also note that you can store conditional forwarders in AD and configure a replication scheme (i.e., assign them to a directory partition) just like you would with an AD-integrated zone, so you don't have to configure them manually on every DNS server you have.
0
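Worked example, added here and not part of the original thread or any poster's own code: a PowerShell script that creates the AD-stored conditional forwarder Dave describes, replicates it forest-wide so it does not have to be configured on each DC by hand, and then checks that a lookup for the partner forest's DC-locator SRV record goes to the partner's DNS servers while an ordinary Internet name still leaves through the server's regular forwarders. It uses the DnsServer module cmdlets (Windows Server 2012 and later, or RSAT). The forest names domain1.local/domain2.local and the addresses 10.0.2.10/10.0.2.11 are assumed values, and www.example.com is just a stand-in Internet name.

```powershell
# Added example (not from the original thread): create and verify a
# cross-forest conditional forwarder with the DnsServer PowerShell module.
# Assumed values: this server is a DNS server in domain1.local; the partner
# forest is domain2.local, whose DNS servers are 10.0.2.10 and 10.0.2.11.
# Run as a DNS admin on one domain1.local DNS server; the forest-wide
# replication scope carries the forwarder to every DNS-hosting DC in the
# forest. Repeat the mirror image (Name domain1.local, MasterServers =
# domain1's DNS) on the domain2.local side.

$PartnerZone   = 'domain2.local'
$PartnerDnsIPs = @('10.0.2.10', '10.0.2.11')

# 1. Create the conditional forwarder, stored in AD and replicated to all DNS
#    servers in the forest (the ForestDnsZones partition). Only queries whose
#    name falls under $PartnerZone are sent to $PartnerDnsIPs.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone `
        -MasterServers $PartnerDnsIPs `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5 `
        -PassThru
}

# 2. Confirm the scope: the conditional forwarder shows up as a zone of type
#    'Forwarder' covering only $PartnerZone ...
Get-DnsServerZone -Name $PartnerZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers

#    ... while the server-wide (Internet) forwarders are unchanged.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 3. Resolve through this server (127.0.0.1) on both paths. The SRV record is
#    what the trust wizard and Kerberos need to locate the partner forest's
#    DCs; the Internet name must still resolve via the ordinary forwarders.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$PartnerZone"; Type = 'SRV' },
    @{ Name = $PartnerZone;                        Type = 'A'   },
    @{ Name = 'www.example.com';                   Type = 'A'   }
)

foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type `
                             -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
        $targets = ($r | Select-Object -First 3 | ForEach-Object {
            if ($_.NameTarget) { $_.NameTarget } else { $_.IPAddress }
        }) -join ', '
        '{0,-45} {1,-4} OK   -> {2}' -f $c.Name, $c.Type, $targets
    }
    catch {
        '{0,-45} {1,-4} FAIL -> {2}' -f $c.Name, $c.Type, $_.Exception.Message
    }
}
```

Two notes for the setup in the question. First, the check in step 3 is worth running from a DC in each forest before creating the trust, since a failing `_ldap._tcp.dc._msdcs` lookup is the usual reason the trust wizard cannot find the other forest. Second, to my knowledge storing a conditional forwarder in AD (and the `DsForwarder` zone type) arrived with Windows Server 2008 DNS; on the 2003 R2 side the forwarder for domain1.local is per-server configuration (DNS Manager or `dnscmd /ZoneAdd domain1.local /Forwarder <ip> ...`), whereas on 2008 R2, which has no DnsServer module, the equivalent of the cmdlet above is `dnscmd /ZoneAdd domain2.local /DsForwarder 10.0.2.10 10.0.2.11 /dp /enterprise` (syntax from memory; confirm with `dnscmd /ZoneAdd /?`). Keep the master server list to the partner forest's authoritative DNS servers only, since whatever answers for that zone is trusted for every name under it.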
 

Author Closing Comment

by:snyderkv
ID: 38765655
Great, thanks Dave for the clarification, and everyone else. I'll test it out now.
0
