Windows 2000 Active Directory DNS problem?

Merlin

I am looking for some advice about AD DNS. Here's a quick outline of my
setup.

Root domain (dns name xyz.com)
Domain controller and DNS server is on IP 192.168.7.1
DNS server has forward lookups for 3 child domains site1.xyz.com,
site2.xyz.com, site3.xyz.com
Each lookup zone has the appropriate 4 _xxx ad sub folders
There are also a number of reverse lookup zones

Domain: site1.xyz.com
Has a DNS server/dc on 192.168.8.1
DNS server has a forward lookup zone for site1.xyz.com and the appropriate
_xxx ad folders

Domain: site2.xyz.com
Has a DNS server/dc on 192.168.9.1
DNS server has a forward lookup zone for site2.xyz.com and the appropriate
_xxx ad folders

Domain: site3.xyz.com
Has a DNS server/dc on 192.168.10.1
DNS server has a forward lookup zone for site2.xyz.com and the appropriate
_xxx ad folders

Here's what I need. The three sites/child domains are in physically different
locations miles apart, but there are a number of users who are based at one
site but need to connect to the domains at the other sites.
i.e. A client who is based at site1, needs to connect to the domain site2. At
the moment his DNS points to 192.168.9.1 (secondary of 192.168.7.1). I
would like this user to be able to register in a forward lookup zone of
site2.xyz.com on the DNS server on site2. This should keep the network
traffic lower and if there is a problem with the link they can still
register in DNS.

The problem is, when I create a forward lookup zone for site2 or site3 on
the site1 dns server, the _xxx ad sub folders don't appear and they can't
see people who are registered in the site2 zone on the site2 dns server.
Also, I have set up a load of reverse lookup zones on the root dns, is it
possible to replicate those down to the 3 child domains?

I am sure it should be possible to have each dns server with a
site1.xyz.com, site2.xyz.com and site3.xyz.com forward lookup zone that is
replicated between all servers but I can't seem to work out how to make it
work...

If I haven't totally lost everyone with my descriptions above, I would
really appreciate some help/advice.

Cheers
Joe
 
Roger Abell [MVP]

How best to do what you are after depends on whether you
are running a W2k or W2k3 AD.
In W2k, with each of the 4 domains being primary of the forward
zone for their own domain, you must use secondary zone transfers
to get copies of their zone on the DNS servers of the other domains.
You need to get the forestroot zone to all others (at least parts of
it, but let us just say you need it at them, assuming there are times
when the sites are not well-connected). In the root DNS you need
to properly delegate the 3 child zones to the child domain DNS
services. This assumes you want to stay close to what you
have in place now. With W2k DNS you cannot have copies of a
zone shared into a different domain except by use of secondary
zone transfers.

A machine will always register where the primary for its zone
exists. Maybe that answers your part about trying to control
where that travelling machine registers.

If you are using W2k3 AD you should look into using the DNSzones
application partitions and then selectively enlisting the DNS servers
into the ForestDNSzones and the different DomainDNSzones.
 
Kevin D. Goodknecht [MVP]

In Merlin <[email protected]> posted a question
Then Kevin replied below:
: I am looking for some advice about AD DNS. Here's a quick outline of my
: setup.
:
: Root domain (dns name xyz.com)
: Domain controller and DNS server is on IP 192.168.7.1
: DNS server has forward lookups for 3 child domains site1.xyz.com,
: site2.xyz.com, site3.xyz.com
: Each lookup zone has the appropriate 4 _xxx ad sub folders
: There are also a number of reverse lookup zones
:
: Domain: site1.xyz.com
: Has a DNS server/dc on 192.168.8.1
: DNS server has a forward lookup zone for site1.xyz.com and the
: appropriate _xxx ad folders
:
: Domain: site2.xyz.com
: Has a DNS server/dc on 192.168.9.1
: DNS server has a forward lookup zone for site2.xyz.com and the
: appropriate _xxx ad folders
:
: Domain: site3.xyz.com
: Has a DNS server/dc on 192.168.10.1
: DNS server has a forward lookup zone for site2.xyz.com and the
: appropriate _xxx ad folders
:
: Here's what I need. The three sites/child domains are in physically
: different locations miles apart, but there are a number of users who
: are based at one site but need to connect to the domains at the other
: sites.
: i.e. A client who is based at site1, needs to connect to the domain
: site2. At the moment his DNS points to 192.168.9.1 (secondary of
: 192.168.7.1). I would like this user to be able to register in a
: forward lookup zone of site2.xyz.com on the DNS server on site2. This
: should keep the network traffic lower and if there is a problem with
: the link they can still register in DNS.
:
: The problem is, when I create a forward lookup zone for site2 or
: site3 on the site1 dns server, the _xxx ad sub folders don't appear
: and they can't see people who are registered in the site2 zone on the
: site2 dns server. Also, I have set up a load of reverse lookup zones
: on the root dns, is it possible to replicate those down to the 3
: child domains?
:
: I am sure it should be possible to have each dns server with a
: site1.xyz.com, site2.xyz.com and site3.xyz.com forward lookup zone
: that is replicated between all servers but I can't seem to work out
: how to make it work...
:
: If I haven't totally lost everyone with my descriptions above, I would
: really appreciate some help/advice.
:
: Cheers
: Joe

In the parent zone "xyz.com" create three delegations "site1", "site2" and
"site3" and point these delegations to the appropriate DNS server for these
domains. Then the DNS servers in each of these sites should forward to the
DNS servers for the parent.
255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248&FR=1

You can alternately put a secondary of the parent zone on each of the child
DNS servers, but you may get runtime errors logged in the event log of the
child DNS servers, due to the continuous zone transfers. IMO, if you can
afford the extra hardware I would place a parent DC at each location for the
best results.
In fact if you can place a parent DC at each location, you can keep all DNS
zones on the parent DC and not even have DNS on the child DCs because the
zones for all domains will be replicated to all sites through the parent
DCs. You also need to take into consideration your Global Catalog server,
especially if you have Exchange 2000. If the Global Catalog is not available
Exchange will not start; if the Global Catalog is not available users will
be unable to log on the first time to each machine or after their cached
credentials have expired. DCPROMO only makes the first DC in the forest a
Global Catalog, so IMO you should have a GC at each site. Parent DCs are a
natural for this, since the GC DNS "A" record is only created in the parent
zone at gc._msdcs.<dnsdomainname>
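
The delegation, forwarder and secondary-zone steps from the two replies above, as an added batch example that is not part of the thread or written by its posters. It assumes dnscmd.exe from the Windows Support Tools, that each child zone stays primary on its own DC, and hypothetical name-server host names ns.site1/2/3.xyz.com; it also restricts zone transfers to the listed secondaries.

```bat
@echo off
rem Added example, not taken from the thread. Assumes dnscmd.exe (Windows
rem Support Tools) is installed and that each child zone stays primary on its
rem own DC. Host names ns.site1/2/3.xyz.com are hypothetical placeholders.
setlocal
set ROOT=192.168.7.1
set SITE1=192.168.8.1
set SITE2=192.168.9.1
set SITE3=192.168.10.1

rem 1. Delegate each child zone from the parent zone: NS record plus glue A.
call :delegate site1 %SITE1%
call :delegate site2 %SITE2%
call :delegate site3 %SITE3%

rem 2. Child DNS servers forward unresolved queries to the parent.
for %%S in (%SITE1% %SITE2% %SITE3%) do dnscmd %%S /ResetForwarders %ROOT%

rem 3. W2k route to a local copy of site2.xyz.com on the site1 server.
rem    /SecureList replaces the transfer list, so name every secondary here;
rem    only the listed addresses may pull the zone.
dnscmd %SITE2% /ZoneResetSecondaries site2.xyz.com /SecureList %SITE1%
dnscmd %SITE1% /ZoneAdd site2.xyz.com /Secondary %SITE2%

rem 4. Same pattern for the forest root zone, shown for the site1 server.
dnscmd %ROOT% /ZoneResetSecondaries xyz.com /SecureList %SITE1% %SITE2% %SITE3%
dnscmd %SITE1% /ZoneAdd xyz.com /Secondary %ROOT%

rem 5. Verify from the site1 server: the DC locator SRV records (the _msdcs,
rem    _sites, _tcp, _udp folders) must resolve for the remote domain and the GC.
nslookup -type=SRV _ldap._tcp.dc._msdcs.site2.xyz.com %SITE1%
nslookup -type=SRV _ldap._tcp.gc._msdcs.xyz.com %SITE1%
goto :eof

:delegate
rem %1 = child label (site1), %2 = address of that child's DNS server
dnscmd %ROOT% /RecordAdd xyz.com %1 NS ns.%1.xyz.com.
dnscmd %ROOT% /RecordAdd xyz.com ns.%1 A %2
goto :eof
```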
 
