DNS multiple domains

eddy

Hi
I'm looking for the best way to implement DNS on the
scenario below:-

I will have 3 domains set up running Win2000, 9 servers in
each domain and 3 DCs that will be providing a service to
an external client who will access this through our
switches and firewalls.
I am considering setting up a root domain with 3 child
domains. How would I implement DNS so that there's name
resolution within all domains?
What would be the best approach?

Please advise if you can
 

Herb Martin

eddy said:
Hi
I'm looking for the best way to implement DNS on the
scenario below:-

I will have 3 domains set up running Win2000, 9 servers in
each domain and 3 DCs that will be providing a service to
an external client who will access this through our
switches and firewalls.
I am considering setting up a root domain with 3 child
domains. How would I implement DNS so that there's name
resolution within all domains?
What would be the best approach?

First, that's a lot of domains for most folks, but you didn't ask for
suggestions on your domain design.

It sounds like 4 domains are planned rather than three. You will
need DNS for each domain -- dynamic DNS and it will serve
you best if it is on Windows, on the DCs in fact.

More importantly, it will be much easier to configure if you use
Win2003 (the current and mature version) than Win2000 since
you are just starting.

Win2003 DNS has some of the most important improvements,
targeted at some of the problems you will face.

You also didn't mention if you will be resolving public Internet
names -- my guess is yes, and this will cause you problems in
setting up both a true internal hierarchy and also resolving the public
hierarchy.

Your DNS servers must be able to resolve from the highest level
down to service client requests AND they must be able to resolve
from the root of the Internet down to resolve those names.

Two hierarchies can be searched but it causes some problems,
irritating at best, difficult at worst.

Make sure each DNS server can find the "top of your DNS tree"
and search downwards, delegate from each level to each child
DNS server.

Configure all internal clients to use the internal DNS server (set)
ONLY which can do the above and find the right dynamic servers
within that hierarchy.
 
eddy

Herb,..

yes,..

I'll have a parent domain and 2 child domains on Win2000,
no option for Win2003, company politics.
Internet users and an external company will access the
resources on these domains/servers.

We will not have any outbound requests to the internet.
Should I configure 2 DNS AD integrated servers on the
parent domain and one DNS AD integrated on each child
domain?
I'm OK with DNS on a single domain but have not worked
with it on multiple domains.

Please advise best strategy,
much appreciated
 
Ace Fekay [MVP]

eddy said:
Herb,..

yes,..

I'll have a parent domain and 2 child domains on Win2000,
no option for Win2003, company politics.
Internet users and an external company will access the
resources on these domains/servers.

We will not have any outbound requests to the internet.
Should I configure 2 DNS AD integrated servers on the
parent domain and one DNS AD integrated on each child
domain?
I'm OK with DNS on a single domain but have not worked
with it on multiple domains.

Please advise best strategy,
much appreciated

In addition to Herb's post, delegation is your key here:

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

Basically says from the Root domain DNS server, under the root zone, such as
domain.com, you delegate the child zone to the DNS server in the child
domains, by right-clicking the zone name, New Delegation, type in the child
domain name, then type in the IP addresses of the DNS servers in the child.

Then from each child DNS server, configure a forwarder back to the Root
domain's DNS server. If you want internet resolution, configure a forwarder
from the Root DNS to the ISP.

You can make the zones at the child DNS servers, provided they're on DCs, AD
Integrated for their own domains.

Delegation ensures resolution throughout your internal infrastructure.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

eddy said:
I'll have a parent domain and 2 child domains on Win2000,
no option for Win2003, company politics.

You really should work the politics here -- Win2003 is basically
Win2000 with a lot of bug fixes and some small but very important
features.

Win2000 is NT 5.0, Win2003 is NT 5.5; which is really pretty
accurate when thinking about them.

eddy said:
Internet users and an external company will access the
resources on these domains/servers.

We will not have any outbound requests to the internet.

That makes this easy then. You can set up (at worst) an actual
internal "root" (Dot ".") zone -- on the existing parent domain
DNS servers probably -- and point the "root hints" of all the other
DNS servers here.

For resolution, all DNS servers need to find the common parent or
root. Each zone delegates the children downwards so that every zone
is findable from that root.

(The issue with also needing Internet resolution is that you must
effectively work through two hierarchies when you have a "bushy
tree" or "wide forest" internally. With only one internal domain this
is an issue. There are a variety of more or less satisfying ways to
deal with this issue of course.)

eddy said:
Should I configure 2 DNS AD integrated servers on the
parent domain and one DNS AD integrated on each child
domain?

Generally, I would configure at least 2 per domain -- especially
if I had 2+ DCs per domain. AD integrated is best.

If you only have a small number of DCs, then just make them ALL
DNS servers -- with AD integrated they are holding the records
anyway. (They just aren't useful if you don't create the AD integrated
DNS zone.)

Note: If I had dozens of DCs then I would not follow this recommendation,
certainly not automatically.

eddy said:
I'm OK with DNS on a single domain but have not worked
with it on multiple domains.

Understood, that is what I meant by "more research" -- you're doing it and
that was not a criticism, just a likely fact of life for you, as it was or
will be for most of us.

eddy said:
Please advise best strategy, much appreciated

Simple delegation with each DNS server pointing to the TOP of the hierarchy,
nominally a "root" zone, will work for you. Change the root hints of each
DNS to point to the top of your hierarchy ("."-Root zone or top level common
parent.)

And put the Primary (actually you're going to use AD integrated in place of
a primary) on the DNS servers of the respective domains (not on the parent.)

Point the clients -- including the DCs -- NICs to the INTERNAL DNS only.
(you can point all of the clients to the top parent/root, or to the
respective DNS
for the domain if you set it up correctly as described above.)

Call me if you aren't straight on this. My phone is on my web site -
LearnQuick.Com
(I am used to helping people.)
 
Herb Martin

Ace Fekay said:
In addition to Herb's post, delegation is your key here:

Good info but there are (at least) TWO KEYS:

Delegation AND a common ROOT with all the DNS servers
able to find that root (root hints) instead of the default
Internet root or some other choice.
 
eddy

Many thanks Ace and Herb,...

Making more sense, I'll put some designs together based on
what you have said.

Thanks

eddy
 
Herb Martin

eddy said:
Herb, tried calling but couldn't get through.

I hope you were dialing the wrong number because both my lines
are working fine -- send me an email with the number you used
(I don't really want to broadcast it even though it's on the web site.)

eddy said:
Anyway, next question is.... If those domains were separate instead of
Parent/child... how would you implement DNS?

Same principle. You would have separate trees (I presume this is what you
mean.)
So you would have to find a common parent -- worst case you can always make
the "." (root) domain like the Internet does.

eddy said:
I'm thinking along the lines of Primary/secondary per domain on 2 DNS
servers. How would I get name resolution for the other domains.... for
example:- 3 separate domains.....
1) live production
2) testing
3) support

First, never make a Windows 2000+ domain without at least "two labels"
or "two tags", e.g., domain.com NOT just domain.

Assuming they were all .com , you could find a common root at Com or
at the more typical "." (root is called DOT)

eddy said:
If I had these domains and set up DNS AD integrated on them,... then there
would be name resolution within each domain for that domain. If on the
testing domain I wanted name resolution of all the servers and desktops in
the support domain and live production domain,.. would I have to set up
forwarders and add support domain and live Prod domain IPs in the
forwarder list? (note disabling recursion).

Forwarders won't work for this. You need to use the "root hints" pointing
to the servers that hold the "Common Parent" domain (root.)

eddy said:
I would of course set up trust relationships between the domains.

Trusts are irrelevant to this. DNS doesn't require or use trusts.
DNS is about FINDING the top of the hierarchy and working
your way down through the trees.

Another choice: With only three domains, every DNS server could
hold a secondary for the OTHER TWO zones (in addition to its own
zones.) Then ANY DC would be authoritative for all zones.

This is only practical for a "small" number of zones -- 3 or 4, it gets
very messy by about 10.

Win2003 has some alternatives here, including conditional forwarding.

--
Herb Martin
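Herb's point above, that forwarders from one tree cannot find names in a sibling tree while root hints aimed at a common internal root plus downward delegation (the delegation Ace's KB post describes) can, is easy to see in a small model of iterative resolution. This is an added example, not code from the thread or from Microsoft DNS; the server IPs, zone and host names are constructed lab values, and the model ignores caching, TTLs and recursion flags.

```python
# Model of iterative DNS resolution over delegations and root hints, using constructed lab data
# (not from the thread): an internal "." root and "com" zone on the parent DNS server delegate
# three separate trees (live/testing/support .com) to each domain's own DNS server.
SERVERS = {
    "10.0.0.1": {  # internal root server: knows only the delegations, no hosts
        ".": {"A": {}, "delegations": {"com": ["10.0.0.1"]}},
        "com": {"A": {}, "delegations": {"live.com": ["10.0.1.1"],
                                         "testing.com": ["10.0.2.1"],
                                         "support.com": ["10.0.3.1"]}},
    },
    "10.0.1.1": {"live.com": {"A": {"web1.live.com": "10.0.1.50"}, "delegations": {}}},
    "10.0.2.1": {"testing.com": {"A": {"dc1.testing.com": "10.0.2.1"}, "delegations": {}}},
    "10.0.3.1": {"support.com": {"A": {"helpdesk.support.com": "10.0.3.20"}, "delegations": {}}},
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def closest_zone(zones, name):
    """Deepest zone held by this server that encloses name, or None if it holds no such zone."""
    matches = [z for z in zones if in_zone(name, z)]
    return max(matches, key=lambda z: 0 if z == "." else z.count(".") + 1, default=None)

def ask(ip, name):
    """One non-recursive query: ('answer', ip) | ('referral', [ns ips]) | ('nxdomain'|'refused', None)."""
    zones = SERVERS.get(ip, {})
    zone = closest_zone(zones, name)
    if zone is None:
        return "refused", None  # not authoritative for anything enclosing this name
    if name in zones[zone]["A"]:
        return "answer", zones[zone]["A"][name]
    for child, ns_ips in zones[zone]["delegations"].items():
        if in_zone(name, child):
            return "referral", ns_ips  # hand off to the child zone's DNS servers
    return "nxdomain", None

def resolve(name, root_hints, max_hops=8):
    """Start at the root hints and follow referrals downwards, as a server with internal root hints does."""
    targets = list(root_hints)
    for _ in range(max_hops):
        for ip in targets:
            kind, data = ask(ip, name)
            if kind == "answer":
                return data
            if kind == "referral":
                targets = data
                break
        else:
            return None  # every server at this level refused or returned NXDOMAIN
    return None
```

With root hints at the internal root (10.0.0.1) a query from the testing tree for helpdesk.support.com walks "." to "com" to support.com and answers; pointed only at the testing domain's own server, which holds no enclosing zone, the same query is refused, which is why a path to the common parent rather than a forwarder is what makes sibling resolution work.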
 
