DNS Config

[caddo65590]

Hi All,
I have 3 domains, 2 win2k domains and 1 NT4 domain.
The win2k domains all have its own dns servers. The NT4 domain uses our
external dns (ISP).
All 3 domains have their own internal clients
What would be the best dns setup for the internal clients in all three
domains so each client can communicate and map drives irrespective of the
domains?
Bidirectional trust exist among all 3 domains

 

[SaltPeter]

Hi All,
I have 3 domains, 2 win2k domains and 1 NT4 domain.
The win2k domains all have its own dns servers. The NT4 domain uses our
external dns (ISP).
All 3 domains have their own internal clients
What would be the best dns setup for the internal clients in all three
domains so each client can communicate and map drives irrespective of the
domains?
Bidirectional trust exist among all 3 domains

A bi-directional trust between 3 domains is an example of a Mesh trust
configuration. It's a network configuration type that is documented in the
older NT4 domain models (others included Single-Master Domain model,
Multi-Master Domain model, etc). The formula to calculate the total number
of trusts required in a mesh is n(n-1) (example: 10 domains in a mesh need
90 trusts). The reason for the situation is due to NT4's flat, 2
dimensional, non-transitive Netbios architecture. Imagine going through 180
manual trusted+trusting steps just to create a simple 10 domain mesh.

This situation is exactly why W2K was created with DNS as the method of name
resolution. DNS supports hierarchy and DNS delegation.

Since W2K supports hierarchy and transitive trusts, a much better solution
is to create a parent /child domain tree and create a manual trust between
parent root and the NT4 domain. The advantages in such a structure include
the ability to delegate dns partitions (dns zones) and operate a domain
based on fully qualified domain names.

You can configure a root DNS in parent domain (with DNS forwarders) and
delegate a secondary zone in both the child W2K domain and the NT4 trusted
domain. You could even choose to have one DNS server serve the whole forest
without ever having a client using an external ISP DNS server directly. It
just doesn't make sense to be using a DNS server that can't resolve
internally in a private namespace.

 

[caddo65590]

Thanks Salt for your ideth explanation.
The domains we are are talking about here are entirely separate and putting
them together in the same forest or so is not an option.
All we need is to create an external trust between these domains in each
direction so users irrespective of which domains they belong to can
authenticate and use resources from other domains.
At the moment the trusts are setup but users cannot authenticate and use
resources in other domains unless they connect to the resource as a user in
that domain containing the resource.
Any ideas why that is so??

 

[SaltPeter]

Thanks Salt for your ideth explanation.
The domains we are are talking about here are entirely separate and putting
them together in the same forest or so is not an option.
All we need is to create an external trust between these domains in each
direction so users irrespective of which domains they belong to can
authenticate and use resources from other domains.
At the moment the trusts are setup but users cannot authenticate and use
resources in other domains unless they connect to the resource as a user in
that domain containing the resource.
Any ideas why that is so??

This might be caused by GPO settings, inconsistent encryption levels (128
bit/56bit), or a problem with how users from one domain are given rights and
permissions on the trusting resource domain.

The rule for giving trusted users access to local resources is UGLP. Users
go in Global groups, Global groups go in Local groups, Local groups are
assigned Permissions to a resource. The same applies for a trusted-trusting
relationship (never give a global group permissions to a resource). In
trusted domain, place users in a global group (this group will be crossing
the trust), place the trusted global group in a trusting local group. Share
the trusting domain's resource and give permissions to local group (external
global member inherits permissions). Not to mention that both share
permissions and ntfs permissions apply in the case the latter is used.

On a W2K domain, the following sections in one of your GPOs might force
encryption or NTLMv2 authentication when those aren't supported in trusting
domain.
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
LAN Manager authentication level, etc...

There are a few more issues that will prevent crossing the trust.
Unfortunately, not enough info was offered to pin it down. example:
Trusted Domains Do Not Appear in the Available List for Domain Logon
http://support.microsoft.com/?kbid=310611