DNS in 2003 Domain


bassaddict

All,
I'm fairly new to DNS in a 2003 domain. I've been tasked with making
the DNS more efficient and seeing what can be done to improve it. The
domain was migrated from a Win 2000 domain. I've been looking at the
DNS structure we currently have, and been reading up on MS's site
regarding the _msdcs bits.

At the moment, we have a structure in DNS as such:

Under the Forward Lookup Zone, we have DOMAIN.com, under DOMAIN.com
there are 4 folders/containers called _msdcs, _sites, _tcp, _udp,
DomainDnsZones, ForestDnsZones.

What I can't get my head around is whether this layout is correct. On
MS's site (http://tinyurl.com/ap2ym) it states the _msdcs part as
_msdcs.forestname and talks about going into its properties etc, but
there is no properties tab for _msdcs.

There is no Application Directory partition set up as yet. Our root
domain controller is 2003, but we have a mixture of 2000 and 2003
DCs.

Can anyone inform me about what the DNS layout structure should look
like now we're on a 2003 domain, and how it can be optimised. At
present our DNS works, but it hasn't been touched since we upgraded to
2003.

Any help greatly appreciated.
 

Ace Fekay [MVP]

bassaddict said: (opening post, quoted in full above)

In addition to Jorge's reply, the _msdcs zone under your domain.com zone is
delegated to your own server, which is why it should show up as a completely
separate name space. If it doesn't, then there's an issue. That zone needs
to be available everywhere in the forest and its replication scope is set
to the ForestDnsZones app partition to be available as such. But if you are
in a mixed environment, that zone is not available on a Win2000 DC.

It would be easier to move your DNS services to only the Win2003 server and
uninstall DNS off the Win2000 servers, to handle this function. If you are
looking at the DNS zones on a Win2000 DNS console, those Win2003 properties
will not be available, hence a possible part of the confusion.

Look at it under Win2003 and let us know if that zone exists. If it does
not, follow that article you posted to fix it.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 

bassaddict

Hey

Thanks to both of you for your replies. Let me just clarify the
existing set up. Our Forest Root is 2003, and we have a mixture of Win
2000 and Win 2003 DCs and DNS Servers. All of our 15 branch offices
have 2 DNS servers / DCs, one being Win 2000 and one being Win 2003.
Each server points to itself for lookups and then to the Forest Root
which is located at head office. Is this good practice?

On our 2003 DNS servers, the option to create a default application
directory partition is available (but not on the 2000 DNS boxes). Am I
correct in thinking to set this up though, all DNS servers should be
running on 2003? In my proposal, I am recommending upgrading all 2000
to 2003 DNS and using Application Directory Partition to improve
replication, but does the Forest Functional level need to be raised to
2003?

Underneath our ForwardLookupZone, we have our domain (let's call it
domain.com). Underneath here, we have the default _msdcs, _sites, _tcp,
_udp, DomainDnsZones and ForestDnsZones. The DNS is active directory
integrated and uses forwarders to the forest root without recursion for
the domain, and then the Forest Root forwards WITH recursion to the ISP
DNS servers.

From one of our Win 2000 boxes, the same subdomains as above exist and
all replicate to each other.

So are you saying the Application Directory replication is not
available on 2000 DOMAINS or DCs/DNS servers? Because the option is
there to create one from one of our 2003 DNS servers.

Sorry if I sound like a beginner with DNS.... its because I am ! But I
appreciate how helpful you are.

Cheers
 

bassaddict

Oh and by the way, we have no Forest Root Domain, just a Domain
Controller that is the forest root for the whole domain. I am confusing
myself as I've been told that _msdcs.forestname should sit above the
DOMAIN.COM zone in DNS. But ours sits below.

Still, anything else you can add?


-
bassaddict
 

Ace Fekay [MVP]

bassaddict said:
> Hey
>
> Thanks to both of you for your replies. Let me just clarify the
> existing set up. Our Forest Root is 2003, and we have a mixture of Win
> 2000 and Win 2003 DCs and DNS Servers. All of our 15 branch offices
> have 2 DNS servers / DCs, one being Win 2000 and one being Win 2003.
> Each server points to itself for lookups and then to the Forest Root
> which is located at head office. Is this good practice?
>
> On our 2003 DNS servers, the option to create a default application
> directory partition is available (but not on the 2000 DNS boxes). Am I
> correct in thinking to set this up though, all DNS servers should be
> running on 2003? In my proposal, I am recommending upgrading all 2000
> to 2003 DNS and using Application Directory Partition to improve
> replication, but does the Forest Functional level need to be raised to
> 2003?
>
> Underneath our ForwardLookupZone, we have our domain (let's call it
> domain.com). Underneath here, we have the default _msdcs, _sites, _tcp,
> _udp, DomainDnsZones and ForestDnsZones. The DNS is active directory
> integrated and uses forwarders to the forest root without recursion
> for the domain, and then the Forest Root forwards WITH recursion to
> the ISP DNS servers.

If you have a child domain, and are delegating the child namespace to the
child domain's DNS servers, then yes, you would forward from the child
domain's DNS to the parent domain's DNS.

OTHERWISE, if you only have ONE domain, DO NOT FORWARD TO EACH OTHER or to
any others in the same domain. This will cause a forwarding loop and you
will be bound with issues. Configuring as such is only for a delegation or
stub scenario with child domains. If you have only one domain, as indicated
in your more recent post, forward from each INDIVIDUAL DNS to the ISP. Allow
recursion.

> From one of our Win 2000 boxes, the same subdomains as above exist and
> all replicate to each other.

The folders underneath with the underscores in them (e.g. _msdcs, _tcp,
_udp, and _sites), which you call "subdomains", are actually the SRV records,
and not necessarily subdomains. These are the service location records that
a DC registers into DNS and that are used to locate domain controller services.

So I'm not entirely sure what you mean by they "...all replicate with each
other". Zone data in any AD Integrated zone type, since it is stored in
the actual physical AD database, will replicate to other DC/DNS servers
along with the default AD replication cycle, since it is part of the AD
database. If the understanding is skewed, meaning you thought they replicate
"with each other", then in a way they do, but all the data is replicated
based on AD's replication process just because it is part of the
database.

> So are you saying the Application Directory replication is not
> available on 2000 DOMAINS or DCs/DNS servers? Because the option is
> there to create one from one of our 2003 DNS servers.

The Application Partitions are not available for use by a Windows 2000
DC/DNS; the partitions exist on such a machine, but it's just that
you can't take advantage of the feature. The ability to use that feature is
only available by using Windows 2003 DC/DNS servers.

> Sorry if I sound like a beginner with DNS.... its because I am ! But I
> appreciate how helpful you are.
>
> Cheers

No problem. The only way you'll find out is if you ask!

Ace
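An added example, not part of the thread and not code from Ace or bassaddict, that checks the two points made in the reply above from one admin workstation: that no DNS server in a single-domain forest forwards to another internal server (the forwarding loop), that recursion is still on, and that what sits under _msdcs, _sites and _tcp is the set of DC locator SRV records each DC should have registered. It assumes the RSAT ActiveDirectory and DnsServer PowerShell modules, which manage DNS servers on Windows Server 2012 or later; on the 2003-era servers in the thread the equivalent checks are `dnscmd <server> /Info` and `nslookup -type=SRV`. The ISP resolver addresses are placeholders, and domain.com is the thread's own placeholder name.

```powershell
# Added example (not from the thread): audit forwarders, recursion and DC
# locator SRV records on every DC/DNS server in a single-domain forest.
# Assumptions (none come from the thread): RSAT ActiveDirectory + DnsServer
# modules, DNS servers on Windows Server 2012 or later, and placeholder
# ISP resolver addresses taken from the RFC 5737 documentation range.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain       = (Get-ADDomain).DNSRoot          # e.g. domain.com
$forest       = (Get-ADForest).RootDomain       # equals $domain in a single-domain forest
$ispResolvers = @('203.0.113.1', '203.0.113.2') # placeholder external resolvers

$dcs         = Get-ADDomainController -Filter * | Sort-Object HostName
$dcAddresses = @($dcs | ForEach-Object { $_.IPv4Address })

foreach ($dc in $dcs) {
    $server = $dc.HostName
    Write-Host "== $server ($($dc.OperatingSystem))"

    # 1. Forwarders. In a one-domain forest a DNS server that forwards to
    #    another internal DC creates the forwarding loop described above;
    #    the only forwarders should be the external (ISP) resolvers.
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
        foreach ($ip in @($fwd.IPAddress)) {
            $addr = $ip.IPAddressToString
            if ($dcAddresses -contains $addr) {
                Write-Warning "$server forwards to internal DC $addr (forwarding loop)"
            } elseif ($ispResolvers -notcontains $addr) {
                Write-Warning "$server forwards to unexpected resolver $addr"
            }
        }
        if (-not $fwd.IPAddress -and -not $fwd.UseRootHint) {
            Write-Warning "$server has no forwarders and root hints disabled"
        }
    } catch {
        Write-Warning "Cannot read forwarders on ${server}: $_"
    }

    # 2. Recursion must stay enabled, or the server can never resolve
    #    external names on behalf of its clients.
    try {
        if (-not (Get-DnsServerRecursion -ComputerName $server -ErrorAction Stop).Enable) {
            Write-Warning "$server has recursion disabled"
        }
    } catch {
        Write-Warning "Cannot read recursion setting on ${server}: $_"
    }

    # 3. SRV records. The _msdcs/_tcp/_sites folders hold DC locator records,
    #    not child domains; each DC registers itself there. Confirm this DC
    #    appears as a target in the records it should have registered.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$domain",   # any DC of the domain
        "_ldap._tcp.$domain",             # LDAP on any DC
        "_kerberos._tcp.$domain"          # KDC on any DC
    )
    if ($dc.IsGlobalCatalog) {
        $srvNames += "_ldap._tcp.gc._msdcs.$forest"   # global catalogs, forest-wide
    }
    foreach ($name in $srvNames) {
        try {
            $targets = Resolve-DnsName -Name $name -Type SRV -Server $server -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { $_.NameTarget.TrimEnd('.') }
            if ($targets -notcontains $server) {
                Write-Warning "$name as served by $server does not list $server"
            }
        } catch {
            Write-Warning "$name could not be resolved via ${server}: $_"
        }
    }
}
```

Run it from a workstation that can reach every DC; each warning names the server and the setting that contradicts the advice above, so a branch office whose DNS server still forwards to head office shows up as "forwards to internal DC", and a DC that has lost its locator records shows up under the SRV name that no longer lists it.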
 

Ace Fekay [MVP]

bassaddict said:
> Oh and by the way, we have no Forest Root Domain, just a Domain
> Controller that is the forest root for the whole domain. I am
> confusing myself as I've been told that _msdcs.forestname should sit
> above the DOMAIN.COM zone in DNS. But ours sits below.
>
> Still, anything else you can add??

My take is to move DNS services to only Windows 2003 servers. Once that is
done, then all the features will be of benefit.

Keep in mind, when choosing replication scope, the bottom radio button is
the DomainNC partition, which is one of the three logical partitions in a
Win2000 domain database. That is the one you need to choose if you are in a
mixed environment. If you choose to set the scope to one of the above radio
buttons, then that zone will only be available on a Win2003 DC/DNS server.

Once you have moved all DNS services to your Win2003 DC/DNS servers, then
the _msdcs zone should appear as a separate namespace that is delegated from
itself under the domain.com zone, which in that case, the _msdcs zone will
now appear as a grayed out folder. If you look at the _msdcs.domain.com
zone, you will now find it's replication scope set to the Forest app
partition.

Ace
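An added example, not part of the thread and not code from Ace or bassaddict, that reads the state Ace describes above off one 2003-or-later DC/DNS server: which AD-integrated zones exist and which replication scope each uses, whether _msdcs.domain.com is its own forest-wide zone with a delegation from domain.com, and whether any zone placed in an application partition coexists with Windows 2000 DCs that cannot load it. It assumes the RSAT DnsServer and ActiveDirectory modules against a DNS server on Windows Server 2012 or later; dc1.domain.com and domain.com are placeholders.

```powershell
# Added example (not from the thread): on one 2003-or-later DC/DNS server,
# list the AD-integrated zones with their replication scope, confirm that
# _msdcs.domain.com is a separate forest-wide zone delegated from domain.com,
# and warn if application-partition zones coexist with Windows 2000 DCs.
# Assumptions (not from the thread): RSAT DnsServer + ActiveDirectory modules
# against a DNS server on Windows Server 2012 or later; 'dc1.domain.com' and
# 'domain.com' are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$server = 'dc1.domain.com'   # placeholder: a 2003-or-later DC/DNS server
$domain = 'domain.com'       # placeholder: the thread's example domain
$msdcs  = "_msdcs.$domain"

# 1. AD-integrated forward zones and where each one replicates.
#    Domain / Forest  = DomainDnsZones / ForestDnsZones application partitions
#                       (only 2003-or-later DC/DNS servers can load these)
#    Legacy           = the domain partition (the bottom radio button above),
#                       also readable by Windows 2000 DC/DNS servers
$zones = Get-DnsServerZone -ComputerName $server |
         Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone }
$zones | Select-Object ZoneName, ZoneType, ReplicationScope | Format-Table -AutoSize

# 2. If any DC still runs Windows 2000, a zone stored in an application
#    partition will simply be missing from that DC's DNS service.
$win2000 = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like '*2000*' }
if ($win2000) {
    foreach ($z in ($zones | Where-Object { $_.ReplicationScope -in 'Domain', 'Forest' })) {
        Write-Warning ("Zone {0} uses scope '{1}' but these Windows 2000 DCs will not hold it: {2}" -f
                       $z.ZoneName, $z.ReplicationScope, ($win2000.HostName -join ', '))
    }
}

# 3. _msdcs.domain.com must exist as a separate zone with forest-wide scope.
#    When it does, the _msdcs folder under domain.com is only a delegation,
#    which the DNS console shows greyed out.
$msdcsZone = $zones | Where-Object { $_.ZoneName -eq $msdcs }
if (-not $msdcsZone) {
    Write-Warning "$msdcs is not a separate zone on $server; the _msdcs records still live inside $domain"
} elseif ($msdcsZone.ReplicationScope -ne 'Forest') {
    Write-Warning "$msdcs replicates with scope '$($msdcsZone.ReplicationScope)'; expected 'Forest'"
} else {
    Write-Host "$msdcs is a separate zone replicated forest-wide"
}

# 4. The delegation itself: NS records named _msdcs inside domain.com that
#    point at your own DNS servers.
$ns = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $domain `
        -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
if (-not $ns) {
    Write-Warning "No NS records delegating _msdcs found in $domain"
} else {
    foreach ($r in $ns) { Write-Host "_msdcs delegated to $($r.RecordData.NameServer)" }
}
```

The same information is available from the 2003-era tools the thread is using: `dnscmd <server> /EnumZones` lists the zones and `dnscmd <server> /ZoneInfo _msdcs.domain.com` reports whether the zone is DS-integrated and which directory partition it lives in.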
 