non-microsoft DNS windows2003 (incognito)


eric romero

Hi all,

I have an AD forest: 1 forest, 1 tree, child domains. Running on Windows 2003
(some child domains still on Windows 2000) using Microsoft DNS. I anticipate more
child domains are going to join this forest.

Please, do you have any comments on replacing the current DNS & DHCP servers
(root and child domains) with third-party software such as Incognito IP/DNS
Commander?
Taking into account that my forest is already running root + several child
domains, how can I deploy the new non-Microsoft DNS?

Do you have any comments in general on replacing the Microsoft DNS with a
"compatible" DNS? I am worried about future implications such as adding new
child domains, removing/adding global catalogs on the root or child domains,
deploying Exchange 2003, monitoring replication; all these tasks rely on
Microsoft DNS, and it is hard for me to predict the future behavior of all these
tasks (and some others I am not aware of) when a non-Microsoft DNS is in
place.

So far the advantage of going to the non-Microsoft DNS is that one of the
features of this third-party product is that it will block the assignment of
DHCP IPs to non-company PCs (i.e. if a vendor comes in, the new DHCP will
not assign an IP unless an admin authorizes it).

thx
 

Ace Fekay [MVP]

eric romero said:
> Hi all,
>
> I have an AD forest: 1 forest, 1 tree, child domains. Running on
> Windows 2003 (some child domains still on Windows 2000) using Microsoft DNS. I
> anticipate more child domains are going to join this forest.
>
> Please, do you have any comments on replacing the current DNS & DHCP
> servers (root and child domains) with third-party software such as
> Incognito IP/DNS Commander?
> Taking into account that my forest is already running root + several
> child domains, how can I deploy the new non-Microsoft DNS?
>
> Do you have any comments in general on replacing the Microsoft DNS with
> a "compatible" DNS? I am worried about future implications such as
> adding new child domains, removing/adding global catalogs on the root
> or child domains, deploying Exchange 2003, monitoring replication; all
> these tasks rely on Microsoft DNS, and it is hard for me to predict the
> future behavior of all these tasks (and some others I am not aware of)
> when a non-Microsoft DNS is in place.
>
> So far the advantage of going to the non-Microsoft DNS is that one
> of the features of this third-party product is that it will block the
> assignment of DHCP IPs to non-company PCs (i.e. if a vendor comes in,
> the new DHCP will not assign an IP unless an admin authorizes it).
>
> thx

If truly compatible with AD + AD's DNS requirements (SRV records), and DHCP
dynamic updates (not a requirement, but recommended), then there's no reason
not to go to it. What does the vendor say? Do they offer complete support
and a refund if anything goes wrong? I have never heard of that one you
mentioned, but have heard of success with MetaIP and QIP.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 

eric romero

So far the vendor does not offer documentation on how to deploy their
solution over an existing forest like mine (1 tree, multiple children).
So do you think it is OK to just replace the core of AD (the DNS) with another
DNS? I.e. how can someone ensure that a future exchange2004 deployment will
work with a non-Microsoft DNS?
I.e. Windows 2003 has a feature called replication settings to be "To all DNS
servers in the Active Directory". If we replace it with a non-Microsoft DNS, what
are we losing in respect to that feature?

Could you please share with me any article saying what non-Microsoft DNS is OK
to replace the native MS DNS?

thx again for your reply
 

Ace Fekay [MVP]

eric romero said:
> So far the vendor does not offer documentation on how to deploy their
> solution over an existing forest like mine (1 tree, multiple children).
> So do you think it is OK to just replace the core of AD (the DNS) with
> another DNS? I.e. how can someone ensure that a future exchange2004
> deployment will work with a non-Microsoft DNS?
> I.e. Windows 2003 has a feature called replication settings to be "To
> all DNS servers in the Active Directory". If we replace it with a
> non-Microsoft DNS, what are we losing in respect to that feature?
>
> Could you please share with me any article saying what non-Microsoft DNS
> is OK to replace the native MS DNS?
>
> thx again for your reply

As for a 3rd party product integrating into the AD database, you really,
really have to ask that company. If their product is AD (directory) aware,
then it will create its necessary Schema attributes and classes upon
installation.

There are no articles I can share other than digging up AD's requirements
which are:

1. MUST support SRV records
2. Recommended to support Dynamic Updates
3. Recommended to support IXFR (incremental zone transfers).

BIND 4.9.7 supports SRV records, so therefore it will support AD. BUT it
doesn't support Dynamic Updates, so you MUST create the records manually.

Does that make sense? So getting back to the product you want to use, just
make sure it supports at least #1 above. If it doesn't support #2 or #3,
well, at least for #2, you'll be manually creating stuff. It's also nice,
since you're using W2k3, if it supports Conditional Forwarding and Stub
Zones.

I checked their site for the product you mentioned and it does not say if it
supports it or not. It seems like it's more for an ISP, such as cable or
other broadband, because it supports DOCSIS:
http://www.incognito.com/products/IPCommander/overview.asp


I was not aware of their product and hadn't heard of it until now. If you're
not sure what you're buying or the vendor won't help, why don't you look
into something that's been industry proven for AD, such as MetaIP or QIP.
But as far as AD Integration for zone replication, you would really have to
discuss this with a tech pre-sales rep.

MetaIP:
http://www.metainfo.com/index.cfm/page/metaipenterprise

VitaQIP:
http://www.lucent.com/knowledge/doc...ntentId+0900940380017f5a-inLocaleId+1,00.html


--
Regards,
Ace

 

eric romero

Thank you; clearly your DNS knowledge is very good, mine is not.

What do I need to create manually if support for dynamic updates is not a
feature?
And how does this apply to an existing AD forest with 15 child domains (in
different countries) and some more to join? Do I need to manually
re-enter the whole DNS structure?

thx
 

Ace Fekay [MVP]

eric romero said:
> Thank you; clearly your DNS knowledge is very good, mine is not.
>
> What do I need to create manually if support for dynamic updates is not
> a feature?
> And how does this apply to an existing AD forest with 15 child domains
> (in different countries) and some more to join? Do I need to
> manually re-enter the whole DNS structure?
>
> thx

Hi Eric,

If the product does not offer dynamic updates (which I'm sure it does, but
you really have to check with them) then you need to go to each DC, get a
copy of the netlogon.dns file from system32\config and manually create the
entries. But for an infrastructure as large as yours, that would be nuts.

Honestly, call them up. I'm sure they will be glad to set up a
conference call and you can ask them anything about the product and your
needs and whether it will work or not.

--
Regards,
Ace

 

eric romero

Hi Ace,

Thanks for your reply. Is that the only manual modification needed? I have several
child domains and a root. If a child domain creates a new DC+GC, then is this
the netlogon.dns I need to copy to all the DCs which are also GCs, or to all
the DCs in general?

thx
-eric
 

Ace Fekay [MVP]

eric romero said:
> Hi Ace,
>
> Thanks for your reply. Is that the only manual modification needed? I have
> several child domains and a root. If a child domain creates a new DC+GC,
> then is this the netlogon.dns I need to copy to all the DCs which are
> also GCs, or to all the DCs in general?
>
> thx
> -eric

Actually, NO. The netlogon.dns file is unique to each DC, whether a GC or
not. The netlogon service takes the data that it finds in its own AD
database on that specific server and the data about itself (such as whether
it is a GC itself or not) and registers that data into the zone name
specified in the Primary DNS Suffix. That is why the suffix, the zone and
the AD name must match. To do it manually you need to go to each individual
server, get this file, manually take the data out of each file and put
it into the zone. Some of it overlaps, some of it does not. Each domain also
has its own GUID. So you just cannot copy from one to all.

See what I mean?


--
Regards,
Ace

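The manual registration Ace describes above (one netlogon.dns per DC, with overlapping and DC-specific records) and the requirement list from his earlier reply (SRV records first, dynamic updates recommended) can both be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from any vendor discussed in it. It assumes that each DC's netlogon.dns has been collected by hand and that the replacement server's zone can be dumped in the same one-record-per-line presentation format; every name, GUID and address in it is constructed for the example.

```python
# Added example (not from the thread): audit which Active Directory DNS
# registrations a replacement DNS server is missing when it cannot accept
# dynamic updates from the DCs. Each DC's netlogon.dns
# (%SystemRoot%\System32\config\netlogon.dns) is the source of truth for
# what that DC would have registered. All names, GUIDs and addresses below
# are constructed for the example.

# Constructed netlogon.dns for dc1, a DC in the forest root domain corp.example.
DC1_NETLOGON = """\
corp.example. 600 IN A 10.0.0.1
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
11111111-2222-3333-4444-555555555555._msdcs.corp.example. 600 IN CNAME dc1.corp.example.
gc._msdcs.corp.example. 600 IN A 10.0.0.1
"""

# Constructed netlogon.dns for dc2, a DC + GC in the child domain
# emea.corp.example. Its GC and DSA-GUID records land in the forest root's
# _msdcs subtree: this is the "overlap" between DCs that Ace mentions.
DC2_NETLOGON = """\
emea.corp.example. 600 IN A 10.1.0.1
_ldap._tcp.emea.corp.example. 600 IN SRV 0 100 389 dc2.emea.corp.example.
_ldap._tcp.dc._msdcs.emea.corp.example. 600 IN SRV 0 100 389 dc2.emea.corp.example.
_ldap._tcp.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc2.emea.corp.example.
_kerberos._tcp.emea.corp.example. 600 IN SRV 0 100 88 dc2.emea.corp.example.
_kpasswd._tcp.emea.corp.example. 600 IN SRV 0 100 464 dc2.emea.corp.example.
66666666-7777-8888-9999-000000000000._msdcs.corp.example. 600 IN CNAME dc2.emea.corp.example.
gc._msdcs.corp.example. 600 IN A 10.1.0.1
"""

# Constructed dump of what the hypothetical third-party server currently
# answers, in the same format. dc2's Kerberos, kpasswd and DSA-GUID records
# were never entered by hand, which is exactly the class of gap to catch.
ZONE_DUMP = DC1_NETLOGON + """\
emea.corp.example. 600 IN A 10.1.0.1
_ldap._tcp.emea.corp.example. 600 IN SRV 0 100 389 dc2.emea.corp.example.
_ldap._tcp.dc._msdcs.emea.corp.example. 600 IN SRV 0 100 389 dc2.emea.corp.example.
_ldap._tcp.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc2.emea.corp.example.
gc._msdcs.corp.example. 600 IN A 10.1.0.1
"""


def parse_netlogon(text):
    """Parse 'owner TTL class type rdata...' lines into a set of
    (owner, type, rdata) tuples. TTL and class are dropped so that a
    zone served with a different TTL still compares equal."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.add((owner.lower(), rtype.upper(), " ".join(rdata).lower()))
    return records


def missing_records(netlogon_files, zone_text):
    """Every record some DC would have registered that the served zone lacks."""
    required = set()
    for text in netlogon_files:
        required |= parse_netlogon(text)
    return sorted(required - parse_netlogon(zone_text))


# SRV owner names every AD domain must have resolvable (requirement #1 in
# the thread: the server must support SRV records, and these must exist).
CORE_SRV_PREFIXES = (
    "_ldap._tcp.dc._msdcs.",  # DC locator
    "_ldap._tcp.",            # LDAP
    "_kerberos._tcp.",        # KDC
    "_kpasswd._tcp.",         # password change
)


def core_srv_gaps(served, domain):
    """Core SRV owner names for `domain` that have no SRV record at all."""
    srv_owners = {owner for owner, rtype, _ in served if rtype == "SRV"}
    wanted = [p + domain.lower().rstrip(".") + "." for p in CORE_SRV_PREFIXES]
    return [owner for owner in wanted if owner not in srv_owners]


if __name__ == "__main__":
    for rec in missing_records([DC1_NETLOGON, DC2_NETLOGON], ZONE_DUMP):
        print("missing:", *rec)
    served = parse_netlogon(ZONE_DUMP)
    for domain in ("corp.example", "emea.corp.example"):
        print(domain, "core SRV gaps:", core_srv_gaps(served, domain) or "none")
```

Run against real data, the two checks answer two different questions: `missing_records` tells you which hand-entered records are still absent (re-run it after every DC promotion or GC change, since that is when the per-DC file changes), while `core_srv_gaps` tells you whether a domain is missing a record class that the DC locator and Kerberos cannot work without, which is the first thing to look at when logons or replication start failing after the cutover.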
 

eric romero

Hi Ace,

Yes, I understand that is out of my scope. I think I will vote for not
replacing the DNS (even if it accepts dynamic updates).

thx
-eric
 

Ace Fekay [MVP]

eric romero said:
> Hi Ace,
>
> Yes, I understand that is out of my scope. I think I will vote for not
> replacing the DNS (even if it accepts dynamic updates).
>
> thx
> -eric

I wouldn't say out of your scope, but just complicates things if you had to
do it manually.

Good luck with whatever you decide! :)

--
Regards,
Ace

 

Jonathan de Boyne Pollard

er> Please, do you have any comments on replacing the current DNS & DHCP
er> servers (root and child domains) with third-party software such as
er> Incognito IP/DNS Commander?

Having looked at DNS Commander's foolish and misleadingly documented
"DNS Lying" "feature", I would be very reluctant to believe outright
that DNS Commander provided correct DNS service. If the manufacturer
didn't understand that "DNS Lying" won't actually work as the
documentation implies it to work, one wonders what else it doesn't
understand about the DNS.

er> So far the advantage of going to the non-Microsoft DNS is that one of
er> the features of this third-party product is that it will block the
er> assignment of DHCP IPs to non-company PCs (i.e. if a vendor comes in,
er> the new DHCP will not assign an IP unless an admin authorizes it).

That would be a feature of the DHCP server, not of the DNS server.
 
