How to configure DNS in a forest

Thomas Olsen

Hi

We have a Windows 2000 installation configured as a forest with a root
domain (ROOT.INT) and two sub-domains (A.ROOT.INT & B.ROOT.INT).
In one site, we have two DCs for the ROOT.INT domain, two DCs for A.ROOT.INT
and one DC for B.ROOT.INT.

In that site, all client computers are members of the A.ROOT.INT domain.

How should DNS be configured for the clients to be able to resolve IP
addresses for DNS name records in ROOT.INT AND B.ROOT.INT?
On my A.ROOT.INT servers, do I have to add the ROOT.INT DCs and the
B.ROOT.INT DCs as DNS root hints or should the A.ROOT.INT DCs automatically
forward any unknown requests to ROOT.INT or B.ROOT.INT DCs?

I assume that I should publish the A.ROOT.INT servers as DNS servers for
clients?

Are there any best practice documents from Microsoft that describe this
scenario?

Some help is appreciated.

Thanks.

/Thomas O

Kevin D. Goodknecht Sr. [MVP]

Thomas said:
Hi

We have a Windows 2000 installation configured as a forest with a root
domain (ROOT.INT) and two sub-domains (A.ROOT.INT & B.ROOT.INT).
In one site, we have two DCs for the ROOT.INT domain, two DCs for
A.ROOT.INT and one DC for B.ROOT.INT.

In that site, all client computers are members of the A.ROOT.INT domain.

How should DNS be configured for the clients to be able to resolve IP
addresses for DNS name records in ROOT.INT AND B.ROOT.INT?
On my A.ROOT.INT servers, do I have to add the ROOT.INT DCs and the
B.ROOT.INT DCs as DNS root hints or should the A.ROOT.INT DCs
automatically forward any unknown requests to ROOT.INT or B.ROOT.INT
DCs?

I assume that I should publish the A.ROOT.INT servers as DNS servers
for clients?

Are there any best practice documents from Microsoft that describe
this scenario?

Under Win2k the way to resolve this is to use Secondary zones on the DNS
servers for the other domain. (A on B and B on A)

Thomas Olsen

Hi Kevin

Thanks for your reply.

We do as you suggest today, but we think it is kind of messy and not as
streamlined as we would like it to be.
Since we already have 2 DCs for domain A, 1 DC for domain B and 2 DCs for
domain ROOT in one site, we hoped that it was possible to utilize each of
the DCs' DNS better without using zone transfer.

So setting up root hints on domain A for domains B and ROOT is not possible?

Thanks.

/Thomas O

Kevin D. Goodknecht Sr. [MVP]

Thomas said:
Hi Kevin

Thanks for your reply.

We do as you suggest today, but we think it is kind of messy and
not as streamlined as we would like it to be.
Since we already have 2 DCs for domain A, 1 DC for domain B and 2 DCs
for domain ROOT in one site, we hoped that it was possible to utilize
each of the DCs' DNS better without using zone transfer.

So setting up root hints on domain A for domains B and ROOT is not
possible?

No, it is not possible, since DNS will only ask for referrals from the Root
servers, which are authoritative over the "." root domain.
Win2k3 makes it easier through the use of conditional forwarders or stub
zones, neither of which is supported by Win2k.
If you add these DNS servers to the Root hints, it just messes up all
resolution since they aren't root servers.

Thomas Olsen

Hi Kevin

I got another tip as well.

On DCs in A.ROOT.INT, set up forwarding to ROOT.INT DCs. By doing this, you
will be able to resolve DNS records in both ROOT.INT and B.ROOT.INT
(B.ROOT.INT DNS is delegated from ROOT.INT) as well as B.ROOT.INT.

The only issue we see is that if we have non-AD-integrated zones in
B.ROOT.INT, they have to be transferred to ROOT.INT, since the delegation is
only for the B.ROOT.INT AD-integrated zone.

Any comments to this setup?

Thanks.

/Thomas O

Kevin D. Goodknecht Sr. [MVP]

Thomas said:
Hi Kevin

I got another tip as well.

On DCs in A.ROOT.INT, set up forwarding to ROOT.INT DCs. By doing
this, you will be able to resolve DNS records in both ROOT.INT and
B.ROOT.INT (B.ROOT.INT DNS is delegated from ROOT.INT) as well as
B.ROOT.INT.

I see, I missed the Root.int domain in the original post. This does make a
difference. What you do is forward both the A.ROOT.INT and the B.ROOT.INT DNS to
the ROOT.INT DNS. Then delegate both A and B in the ROOT.INT zone. You will
also need to check the box "Do not use recursion" on the A and B.ROOT.INT
DNS servers to prevent them from using root hints. In this case, only the
ROOT.INT DNS servers should forward to the ISP and be able to use Root
Hints.

The only issue we see is that if we have non-AD-integrated zones in
B.ROOT.INT, they have to be transferred to ROOT.INT, since the
delegation is only for the B.ROOT.INT AD-integrated zone.

Whether B.ROOT.INT is AD integrated or not has no relevance for the
delegation.

Thomas Olsen

Could or will it be a problem if I don't check the "Do not use recursion"
box on the child domain DCs and make them also use root hints?

Regarding non-AD-integrated zones, I may not have been clear enough.
What I meant was as follows:

We have a couple of standard secondary zones from a completely different
domain on our B.ROOT.INT DCs. Even if I configure forwarders from A.ROOT.INT
to either ROOT.INT or B.ROOT.INT, I am not able to resolve any names in
those standard secondary zones from a computer in A.ROOT.INT domain.
ROOT.INT has delegated B.ROOT.INT but not the other standard secondary
zones.

I did a test, and it works if I also transfer those standard secondary zones
to ROOT.INT DCs.

/Thomas O

Kevin D. Goodknecht Sr. [MVP]

Thomas Olsen said:
Could or will it be a problem if I don't check the "Do not use
recursion" box on the child domain DCs and make them also use root
hints?

Regarding non-AD-integrated zones, I may not have been clear enough.
What I meant was as follows:

We have a couple of standard secondary zones from a completely
different domain on our B.ROOT.INT DCs. Even if I configure
forwarders from A.ROOT.INT to either ROOT.INT or B.ROOT.INT, I am not
able to resolve any names in those standard secondary zones from a
computer in A.ROOT.INT domain. ROOT.INT has delegated B.ROOT.INT but
not the other standard secondary zones.

Yes, you were not clear about this. The only cure is to put the secondary
zones on at least the Root.int DNS so they can be found from all DNS servers.
(Or upgrade to Win2k3)

I did a test, and it works if I also transfer those standard
secondary zones to ROOT.INT DCs.

This makes perfect sense to me. There is no other way to do it but put a
secondary copy on the root DNS. (You could also put a secondary copy on all
DNS servers.)
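To make the two resolution paths in this thread concrete, here is an added example (not code from any of the posts): a small Python model of the forest's DNS servers as plain data, walking a query the way the servers hand it around. It covers Kevin's earlier setup (child DCs forward to ROOT.INT, ROOT.INT delegates A and B, "Do not use recursion" on the children, modelled here as a `forward_only` flag) and the point just above (a standard secondary zone held only on the B DCs is unreachable from A until a copy also sits on the ROOT.INT DNS). Server names, addresses and the `other.example` zone are constructed sample data; `INTERNET_ROOT` stands in for real root hints and the ISP.

```python
"""Toy model of the DNS resolution paths discussed in this thread.

Added example, not from the original posts. Each server is plain data:
authoritative zones (primary or secondary copies), delegations, forwarders,
root hints, and the Win2k "Do not use recursion" checkbox as forward_only.
All names, addresses and zone contents are constructed sample data.
"""
from dataclasses import dataclass, field

INTERNET_ROOT = "internet-root"  # stands in for real root hints / the ISP


@dataclass
class DnsServer:
    name: str
    zones: dict                                      # zone -> {fqdn: address}
    delegations: dict = field(default_factory=dict)  # child zone -> server name
    forwarders: list = field(default_factory=list)
    forward_only: bool = False                       # "Do not use recursion"
    root_hints: list = field(default_factory=list)


def _longest_match(qname, names):
    """Most specific zone or delegation name that qname falls under, or None."""
    hits = [n for n in names if qname == n or qname.endswith("." + n)]
    return max(hits, key=len) if hits else None


def resolve(servers, server_name, qname, trace=None, depth=0):
    """Ask server_name for qname; return its address or None. Hops go in trace."""
    if depth > 8:                 # guard against a forwarding loop (A -> B -> A)
        return None
    if trace is None:
        trace = []
    srv = servers[server_name]
    trace.append(server_name)

    zone = _longest_match(qname, srv.zones)
    child = _longest_match(qname, srv.delegations)
    # A delegation deeper than our own zone wins; otherwise local data answers
    # authoritatively, including NXDOMAIN (None) for a missing record.
    if child and (zone is None or len(child) > len(zone)):
        return resolve(servers, srv.delegations[child], qname, trace, depth + 1)
    if zone:
        return srv.zones[zone].get(qname)

    # Not authoritative: forwarders are tried before root hints.
    for fwd in srv.forwarders:
        answer = resolve(servers, fwd, qname, trace, depth + 1)
        if answer is not None:
            return answer
    # "Do not use recursion" set: stop here rather than going to root hints.
    if srv.forward_only:
        return None
    for hint in srv.root_hints:
        answer = resolve(servers, hint, qname, trace, depth + 1)
        if answer is not None:
            return answer
    return None


def build_forest(secondary_on_root=False, child_forward_only=True):
    """One DC per domain, wired as in the thread; optional secondary on ROOT."""
    other_zone = {"fileserver.other.example": "10.9.9.10"}  # constructed
    servers = {
        INTERNET_ROOT: DnsServer(INTERNET_ROOT, zones={}),
        "dc1.root.int": DnsServer(
            "dc1.root.int",
            zones={"root.int": {"dc1.root.int": "10.0.0.1"}},
            delegations={"a.root.int": "dc1.a.root.int",
                         "b.root.int": "dc1.b.root.int"},
            root_hints=[INTERNET_ROOT]),
        "dc1.a.root.int": DnsServer(
            "dc1.a.root.int",
            zones={"a.root.int": {"dc1.a.root.int": "10.0.1.1"}},
            forwarders=["dc1.root.int"],
            forward_only=child_forward_only,
            root_hints=[INTERNET_ROOT]),
        "dc1.b.root.int": DnsServer(
            "dc1.b.root.int",
            zones={"b.root.int": {"dc1.b.root.int": "10.0.2.1"},
                   "other.example": other_zone},   # foreign secondary on B only
            forwarders=["dc1.root.int"],
            forward_only=child_forward_only,
            root_hints=[INTERNET_ROOT]),
    }
    if secondary_on_root:   # the fix: a secondary copy on the ROOT.INT DNS too
        servers["dc1.root.int"].zones["other.example"] = dict(other_zone)
    return servers


def client_lookup(qname, **forest_opts):
    """A client in A.ROOT.INT asks its own DC; returns (address, hop list)."""
    trace = []
    addr = resolve(build_forest(**forest_opts), "dc1.a.root.int", qname, trace)
    return addr, trace


if __name__ == "__main__":
    for q, opts in [("dc1.root.int", {}), ("dc1.b.root.int", {}),
                    ("fileserver.other.example", {}),
                    ("fileserver.other.example", {"secondary_on_root": True}),
                    ("nowhere.example", {"child_forward_only": False})]:
        print(q, opts, "->", client_lookup(q, **opts))
```

The hop lists are the useful part: a B.ROOT.INT name goes A -> ROOT -> B via the delegation, the foreign secondary zone dead-ends at the internet root until `secondary_on_root=True`, and with `child_forward_only=False` the A server makes its own trip to the root hints after the forwarder fails, which is exactly the extra traffic the "Do not use recursion" box suppresses.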