Solved

Active Directory forest trust DNS recommendation

Posted on 2013-01-08
6
1,388 Views
Last Modified: 2013-01-10
EE,

I'm labbing a forest trust before implementing it in the real world. I have a 2k3-R2 to 2k8-R2 two-way trust and am trying to pick the best DNS method between stub zones, a secondary zone using the other domain's DNS server, or a forwarder.

We currently use forwarders to resolve internet names, so is it a bad idea to use an additional forwarder (of the destination forest) to resolve cross-forest DNS names and authentication requests?

I want to use an integrated stub zone, but this seems messy as well, being that we'd have to replicate that across hundreds of DCs and domains in the forest.

Is there a feature within these that I'm missing to make this easier or less intrusive of a design change?

Thanks again
Question by:snyderkv
6 Comments
 
LVL 5

Assisted Solution

by:msallam
msallam earned 166 total points
ID: 38757850
I do not have much experience with trusts, but I think the main issue you are running into is DNS name resolution. I mean, the segregation between internet and internal name resolution.

If my assumption is right, then you can use "Conditional Forwarding", provided you are not using a namespace intersecting with any names on the internet.

You can read about configuring conditional forwarding here:

Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Windows Server 2003
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/5112303
http://support.microsoft.com/kb/304491

Let us know how it goes.
0
 

Author Comment

by:snyderkv
ID: 38757911
Msallam,

Good info, I'll test in my lab. But I wanted to ask: it seems like the difference is simply that I can integrate these forwarders into AD instead of just a single DC like standard forwarders, but if I try to reach Google, wouldn't it still try and ask across the forest?
0
 
LVL 21

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 167 total points
ID: 38759093
Hi,

If it is a single DC then you can use it without adding forwarders, but when you access the internet from a client machine this doesn't work. So, it is always good to add DNS forwarders which can forward your external DNS queries.
0

Author Comment

by:snyderkv
ID: 38759808
Rad, I'm confused. We have hundreds of DCs that use standard forwarders for internet queries, so I didn't think it was a great idea to add a cross-forest DNS entry into the mix. Will a conditional forwarder act any differently, or is it the same?
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 167 total points
ID: 38764306
Whereas normal forwarders (the ones you typically use for Internet name resolution) will forward any query that the server is not authoritative for, conditional forwarders are domain-specific: they only forward queries for certain domains.

For example, assume your two domains are named domain1.local and domain2.local. You create a conditional forwarder on domain1.local's DNS servers. The first thing you have to specify is the domain to which this conditional forwarder applies. In this case, you'd specify domain2.local. Then you'd specify the list of DNS servers that are authoritative for domain2.local. Once that's done, any query for a record in domain2.local that comes into domain1.local's DNS server will be forwarded to one of domain2.local's DNS servers. You would then want to do the opposite: configure another conditional forwarder for domain1.local on domain2.local's DNS servers so that folks in domain2.local can resolve names in domain1.local.

These conditional forwarders won't interfere with your other (Internet) forwarders in any way, since they're only used for the domains you specify. Also note that you can store conditional forwarders in AD and configure a replication scheme (i.e., assign them to a directory partition) just like you would with an AD-integrated zone, so you don't have to configure them manually on every DNS server you have.
0
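The setup DrDave242 describes, as an added example that is not part of the thread: an AD-stored, forest-replicated conditional forwarder created with dnscmd (the DnsServer PowerShell module only exists on Server 2012 and later, so dnscmd is what fits 2003/2008 R2), followed by the checks a practitioner would want before trusting it. The domain names are the ones from the answer; the DNS server addresses, the one-DC-per-side check, and the Internet test name are assumptions.

```powershell
# Added example (not from the thread). Run on a domain1.local DNS server (a DC)
# as a DNS/Enterprise admin. Assumed: domain2.local's authoritative DNS servers
# are 10.0.2.10 and 10.0.2.11 (constructed values).
$remoteForest = 'domain2.local'
$remoteDns    = @('10.0.2.10', '10.0.2.11')

# /Forwarder turns the "zone" into a conditional forwarder for $remoteForest.
# /DP /forest stores it in the ForestDnsZones application partition, so every
# DNS server in the forest receives it through AD replication instead of each
# DC being configured by hand. PowerShell expands $remoteDns into one argument
# per address, which is the form dnscmd expects.
& dnscmd.exe /ZoneAdd $remoteForest /Forwarder $remoteDns /DP /forest

# Check 1: the forwarder exists and shows the expected master servers / scope.
& dnscmd.exe /ZoneInfo $remoteForest

# Check 2: the trust depends on DC locator records in the other forest, so
# resolve the SRV record a domain controller would look up, not just the apex.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$remoteForest"

# Check 3: the asker's concern from the thread. An Internet name must still go
# out through the ordinary forwarders, untouched by the conditional one.
nslookup www.google.com

# The mirror image is configured on a domain2.local DNS server so that side
# can resolve domain1.local (assumed addresses for domain1.local's DNS):
#   dnscmd.exe /ZoneAdd domain1.local /Forwarder 10.0.1.10 10.0.1.11 /DP /forest
```

If the forwarder must be replicated only within one domain rather than the whole forest, use `/DP /domain` instead; either way, removing it later is `dnscmd /ZoneDelete domain2.local /DsDel`.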
 

Author Closing Comment

by:snyderkv
ID: 38765655
Great, thanks Dave for the clarification, and everyone else. I'll test it out now.
0
