DNS Design Question--revisited

Guest
Archived from groups: microsoft.public.win2000.dns

Follow-up question to designing a dns structure:

I have several locations, but most locations have very few users (6 - 24).
I'm currently using primary/secondary zones, as several locations have
NetWare DNS that I'll use as secondary DNS servers in those locations. Our
current structure is one forward lookup zone (domain.com), with our first DC
set up as the primary and additional DCs added as secondary...I can hear the
groans already....Reverse zones are set up, with each location acting as
primary for its zone. If I were to create child zones for each of the
locations, making them primary for their zones, I would set up each of these
remote locations to forward to the 'main' location/DNS server, correct? And
it would have forwarding set up to forward queries to our ISP for external
addresses, correct? We have about 200 users company wide.

All ideas, comments, suggestions are welcome.
 
Guest

C Hall wrote:
> Follow-up question to designing a dns structure:
>
> I have several locations, but most locations have very few users (6 -
> 24). I'm currently using primary/secondary zones, as several
> locations have netware dns, that I'll use as secondary dns servers in
> those locations. Our current structure is one forward lookup zone
> (domain.com), with our first dc setup as the primary and additional
> dc's added as secondary...I can hear the groans already....Reverse
> zones are setup, with each location acting as primary for it's zone.
> If I were to create child zones for each of the locations, making
> them primary for their zones, I would setup each of these remote
> locations to forward to the 'main' location/dns server, correct? And
> it would have forwarding setup to forward queries to our isp for
> external addresses, correct? We have about 200 users company wide.
>
> All ideas, comments, suggestions are welcome.

Are these locations different domain names? If not, there is no reason to
create a zone for each location. If they are child domains, you can use
delegations from the parent to the child DNS servers, then set a forwarder
from the child DNS to the parent DNS, then set a forwarder from the parent
to the ISP's DNS servers.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

btw- Netware DNS does not support AD's required SRV records. I believe their
latest version does support it, and I am assuming you are not using the
latest version. It's best to stick with MS DNS for AD since you have more
options, and the zone is secured by using AD Integrated zones and allowing
only Secure Updates (which Netware, even the latest version, does NOT
support).

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
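As an added illustration of the delegation-plus-forwarder chain Ace describes (child DNS delegated from the parent, child forwarding to the parent, parent forwarding to the ISP), here is a small Python model of the decision each server makes when it receives a query. It is not code from the thread or from any Microsoft product; the server names (branch1-dc1, hq-dc1, isp-resolver), the zone contents and the addresses are all constructed for the example.

```python
"""Added example (not from the thread): a model of the delegation-plus-forwarder
chain Ace describes. Three constructed servers: a child DNS server authoritative
for a delegated child zone, the parent DNS server authoritative for the parent
zone with a delegation to the child, and the ISP's resolver. Server names,
zone contents and addresses are all made up for the illustration."""
from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN = "NXDOMAIN"


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone name -> {fqdn: address}
    delegations: dict = field(default_factory=dict)  # child zone -> DnsServer hosting it
    forwarder: Optional["DnsServer"] = None           # where non-authoritative queries go

    def authoritative_zone(self, fqdn: str) -> Optional[str]:
        """Longest-suffix match of fqdn against the zones this server hosts."""
        best = None
        for zone in self.zones:
            if fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, fqdn: str, path: list) -> str:
        path.append(self.name)
        # 1. A delegation covering the name takes precedence over parent zone data:
        #    the parent hands the query to the child's server.
        for child_zone, child_server in self.delegations.items():
            if fqdn == child_zone or fqdn.endswith("." + child_zone):
                return child_server.resolve(fqdn, path)
        # 2. Our own zone data gives a final answer, positive or NXDOMAIN.
        #    An authoritative NXDOMAIN is NOT forwarded anywhere else.
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            return self.zones[zone].get(fqdn, NXDOMAIN)
        # 3. Anything else goes to the configured forwarder.
        if self.forwarder is not None:
            return self.forwarder.resolve(fqdn, path)
        return NXDOMAIN  # no forwarder: nobody left to ask


def build_lab():
    """Constructed topology: branch -> HQ -> ISP, with HQ delegating the branch zone."""
    isp = DnsServer("isp-resolver",
                    zones={"example.net": {"www.example.net": "203.0.113.10"}})
    hq = DnsServer("hq-dc1",
                   zones={"domain.com": {"hq-dc1.domain.com": "10.0.0.10",
                                         "mail.domain.com": "10.0.0.25"}},
                   forwarder=isp)
    branch = DnsServer("branch1-dc1",
                       zones={"branch1.domain.com":
                              {"branch1-dc1.branch1.domain.com": "10.1.0.10"}},
                       forwarder=hq)
    hq.delegations["branch1.domain.com"] = branch   # parent -> child delegation
    return branch, hq, isp


def lookup(server: DnsServer, fqdn: str):
    """Return (answer, list of servers consulted in order)."""
    path = []
    return server.resolve(fqdn, path), path


if __name__ == "__main__":
    branch, hq, _ = build_lab()
    for start, name in [(branch, "mail.domain.com"), (branch, "www.example.net"),
                        (hq, "branch1-dc1.branch1.domain.com"),
                        (branch, "nosuch.domain.com")]:
        print(name, "->", lookup(start, name))
```

The `path` returned by `lookup` shows who actually answered: a branch client asking for a parent-zone name travels branch -> HQ, an external name travels branch -> HQ -> ISP, and an HQ query for a branch host follows the delegation down to the branch server. A name that does not exist in a zone the parent is authoritative for stops at the parent as NXDOMAIN and is never sent to the ISP, which is the behaviour the delegation/forwarder design relies on.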
 
Guest

Ace,

Thanks for the reply. All locations are NOT separate domains. From my
understanding, I think the only reason to create separate forward lookup
zones for these locations would be the number of records--sound about right?

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:esRyfJ1MFHA.2252@TK2MSFTNGP15.phx.gbl...
> C Hall wrote:
> > Follow-up question to designing a dns structure:
> >
> > I have several locations, but most locations have very few users (6 -
> > 24). I'm currently using primary/secondary zones, as several
> > locations have netware dns, that I'll use as secondary dns servers in
> > those locations. Our current structure is one forward lookup zone
> > (domain.com), with our first dc setup as the primary and additional
> > dc's added as secondary...I can hear the groans already....Reverse
> > zones are setup, with each location acting as primary for it's zone.
> > If I were to create child zones for each of the locations, making
> > them primary for their zones, I would setup each of these remote
> > locations to forward to the 'main' location/dns server, correct? And
> > it would have forwarding setup to forward queries to our isp for
> > external addresses, correct? We have about 200 users company wide.
> >
> > All ideas, comments, suggestions are welcome.
>
> Are these locations different domain names? If not, there is not reason to
> create a zone for each location. If they are child domains, you can use
> delegations from the parent to the child DNS servers, then set a forwarder
> from the child DNS to the parent DNS, then set a forwarder from the parent
> to the ISP's.
>
> 255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
> DNS Namespace to the Child Domain:
> http://support.microsoft.com/?id=255248
>
> btw- Netware DNS does not support AD's required SRV records. I believe their
> latest version does support it, and I am assuming you are not using the
> latest version. It's best to stick with MS DNS for AD since you have more
> options, and the zone is secured by using AD Integrated zones and allowing
> only Secure Updates (which Netware, even the latest version), does NOT
> support.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Paramount: What's up with taking Enterprise off the air??
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
 
Guest

What about the reverse zones? Should each server have a copy of all the
reverse zones? Or just its own?

"C Hall" <someone@microsoft.com> wrote in message
news:ujNH%23$5MFHA.1476@TK2MSFTNGP09.phx.gbl...
> Ace,
>
> Thanks for the reply. All locations are NOT seperate domains. From my
> understanding, I think the only reason to create seperate forward lookkup
> zones for these locations would be the number of records--sound about right?
>
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> message news:esRyfJ1MFHA.2252@TK2MSFTNGP15.phx.gbl...
> > C Hall wrote:
> > > Follow-up question to designing a dns structure:
> > >
> > > I have several locations, but most locations have very few users (6 -
> > > 24). I'm currently using primary/secondary zones, as several
> > > locations have netware dns, that I'll use as secondary dns servers in
> > > those locations. Our current structure is one forward lookup zone
> > > (domain.com), with our first dc setup as the primary and additional
> > > dc's added as secondary...I can hear the groans already....Reverse
> > > zones are setup, with each location acting as primary for it's zone.
> > > If I were to create child zones for each of the locations, making
> > > them primary for their zones, I would setup each of these remote
> > > locations to forward to the 'main' location/dns server, correct? And
> > > it would have forwarding setup to forward queries to our isp for
> > > external addresses, correct? We have about 200 users company wide.
> > >
> > > All ideas, comments, suggestions are welcome.
> >
> > Are these locations different domain names? If not, there is not reason to
> > create a zone for each location. If they are child domains, you can use
> > delegations from the parent to the child DNS servers, then set a forwarder
> > from the child DNS to the parent DNS, then set a forwarder from the parent
> > to the ISP's.
> >
> > 255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
> > DNS Namespace to the Child Domain:
> > http://support.microsoft.com/?id=255248
> >
> > btw- Netware DNS does not support AD's required SRV records. I believe their
> > latest version does support it, and I am assuming you are not using the
> > latest version. It's best to stick with MS DNS for AD since you have more
> > options, and the zone is secured by using AD Integrated zones and allowing
> > only Secure Updates (which Netware, even the latest version), does NOT
> > support.
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroups
> > so all can benefit.
> >
> > This posting is provided "AS-IS" with no warranties or guarantees
> > and confers no rights.
> >
> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> > Microsoft Windows MVP - Windows Server - Directory Services
> >
> > Paramount: What's up with taking Enterprise off the air??
> > Infinite Diversities in Infinite Combinations.
> > =================================
> >
> >
>
>
 
Guest

Sorry for the hodge-podge replies...I keep getting interrupted...

In reference to your comments about NetWare:
We are using 5.1, so no, we're not running the latest & greatest. I do need
to have DNS on those servers, however, as most of our locations have only
one NetWare server and I'm trying to get rid of IPX! Patui!! I'm not
intending to use them to replicate AD traffic. In cases where I have both
NetWare and Win2k, I will be setting up DNS on both servers just because not
all users in all locations are logging into the Win2k domain. For the most
part, locations that run Win2k DCs are doing so because we have application
servers also in those locations. Do you see any problems here? I wouldn't
set up a NetWare IP address in a W2k DC TCP/IP setting, just would have the
server configured for fault tolerance.

Thanks Ace.

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:esRyfJ1MFHA.2252@TK2MSFTNGP15.phx.gbl...
> C Hall wrote:
> > Follow-up question to designing a dns structure:
> >
> > I have several locations, but most locations have very few users (6 -
> > 24). I'm currently using primary/secondary zones, as several
> > locations have netware dns, that I'll use as secondary dns servers in
> > those locations. Our current structure is one forward lookup zone
> > (domain.com), with our first dc setup as the primary and additional
> > dc's added as secondary...I can hear the groans already....Reverse
> > zones are setup, with each location acting as primary for it's zone.
> > If I were to create child zones for each of the locations, making
> > them primary for their zones, I would setup each of these remote
> > locations to forward to the 'main' location/dns server, correct? And
> > it would have forwarding setup to forward queries to our isp for
> > external addresses, correct? We have about 200 users company wide.
> >
> > All ideas, comments, suggestions are welcome.
>
> Are these locations different domain names? If not, there is not reason to
> create a zone for each location. If they are child domains, you can use
> delegations from the parent to the child DNS servers, then set a forwarder
> from the child DNS to the parent DNS, then set a forwarder from the parent
> to the ISP's.
>
> 255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
> DNS Namespace to the Child Domain:
> http://support.microsoft.com/?id=255248
>
> btw- Netware DNS does not support AD's required SRV records. I believe their
> latest version does support it, and I am assuming you are not using the
> latest version. It's best to stick with MS DNS for AD since you have more
> options, and the zone is secured by using AD Integrated zones and allowing
> only Secure Updates (which Netware, even the latest version), does NOT
> support.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Paramount: What's up with taking Enterprise off the air??
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
 
Guest

C Hall wrote:
> Sorry for the hodge-podge replies...I keep getting interrupted...
>
> In reference to your comments about netware:
> We are using 5.1, so no, we're not running the latest & greatest. I
> do need to have dns on those servers, however, as most of our
> locations have only one netware server and I'm trying to get rid of
> IPX! Patui!! I'm not intending to use them to replicate AD traffic.
> In cases where I have both netware and win2k, I will be setting up
> dns on both servers just because not all users in all locations are
> logging into the win2k domain. For the most part, locations that run
> win2k dc's are doing so because we have application servers also in
> those locations. Do you see any problems here? I wouldn't set up a
> netware ip address in a w2k dc tcp/ip setting, just would have the
> server configured for fault tolerance.
>
> Thanks Ace.

No problem. :)

One rule of thumb we must all remember is that in an AD environment, ALL
machines in the environment, if they are to authenticate and use AD,
must ONLY point to DNS servers that support AD's requirements, or other
issues WILL occur. Your mix of backward-level DNS servers that do not
support AD and W2k servers that do support AD is not a proper design and
will cause problems with your machines' authentication and logging on to the
domain. There are many issues concerning this, besides what I mentioned, from
GPOs not working, to long logon requests, to not being able to use printers, etc; the list is
long. Any AD activity requires a DNS SRV record lookup to accomplish this
task, and the Netware machines do not support this.

Also, it is best practice no matter whether some users log on to the
domain or not. You need to simplify your infrastructure. Too many variables.

I cannot see any problems if you just use your W2k DNS servers only and get
rid of the NW servers. You can't mix different DNS servers that do not
contain the same content on each server. The resolver service on a client
uses the DNS entries for fault tolerance. They check the first; if that
doesn't have the answer, it is considered an answer and the client won't check the
other. The only time it checks the second entry in IP properties is when the
first times out waiting for a response, and once it does, it does not ask the
first one unless you restart the machine, provide a reg entry to alter this
behavior, or restart the DNS Client service.

Ace
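As an added example, here is a small Python model of the client-side resolver rule Ace states in the post above (a negative answer from the first listed server is final; only a timeout moves the client to the next server; the client then stays there until the DNS Client service is restarted). It shows why a client whose first DNS entry is a NetWare server without SRV records never finds a domain controller. This is not the Windows resolver code and not code from the thread; the server names (nw-branch, w2k-dc), the records and the reachability flag are constructed for the illustration. The DC locator record name `_ldap._tcp.dc._msdcs.domain.com` is a standard AD SRV record name, used here with the thread's placeholder domain.com.

```python
"""Added example (not from the thread): a simplified model of the client-side
resolver rule Ace describes. Servers, records and the timeout condition are
constructed for the illustration; this is not the Windows DNS Client code, only
the decision rule: a negative answer from the first listed server is a final
answer, a timeout moves the client to the next server, and the client then
stays on that server until the DNS Client service is restarted."""

TIMEOUT = "TIMEOUT"
NXDOMAIN = "NXDOMAIN"
# SRV record a domain member queries to find a domain controller (standard AD name).
DC_LOCATOR = ("_ldap._tcp.dc._msdcs.domain.com", "SRV")


class NameServer:
    def __init__(self, name, records, reachable=True):
        self.name = name
        self.records = dict(records)   # (fqdn, rtype) -> rdata
        self.reachable = reachable     # False models a server that never answers

    def query(self, fqdn, rtype):
        if not self.reachable:
            return TIMEOUT
        return self.records.get((fqdn, rtype), NXDOMAIN)


class ClientResolver:
    """Walks the server list the way the reply describes."""

    def __init__(self, servers):
        self.servers = list(servers)   # order as entered in TCP/IP properties
        self.current = 0               # index of the server the client is using now
        self.log = []                  # (server, fqdn, rtype, reply) per query sent

    def resolve(self, fqdn, rtype):
        while self.current < len(self.servers):
            srv = self.servers[self.current]
            reply = srv.query(fqdn, rtype)
            self.log.append((srv.name, fqdn, rtype, reply))
            if reply != TIMEOUT:
                return reply           # NXDOMAIN counts as an answer: no failover
            self.current += 1          # only a timeout moves us on, and we stay there
        return TIMEOUT

    def restart_dns_client(self):
        """Models restarting the DNS Client service: back to the first entry."""
        self.current = 0


def build_servers(dc_reachable=True):
    """Constructed branch: a NetWare DNS holding only A records, and a W2K DC/DNS
    holding the same A records plus the AD SRV record."""
    a_records = {("fileserver.domain.com", "A"): "10.1.0.5"}
    nw = NameServer("nw-branch", a_records)
    dc = NameServer("w2k-dc", {**a_records, DC_LOCATOR: "0 100 389 w2k-dc.domain.com."},
                    reachable=dc_reachable)
    return {"nw": nw, "dc": dc}


def locate_dc(order, dc_reachable=True):
    """Client configured with DNS servers in `order`; returns (SRV reply, client)."""
    servers = build_servers(dc_reachable)
    client = ClientResolver(servers[n] for n in order)
    return client.resolve(*DC_LOCATOR), client


if __name__ == "__main__":
    for order in (["nw", "dc"], ["dc", "nw"]):
        reply, client = locate_dc(order)
        print(order, "->", reply, client.log)
```

With the NetWare server listed first the SRV query is answered NXDOMAIN and the W2K DC is never asked, so the client cannot locate a DC even though a capable server is one entry away. With the DC listed first but unreachable, the client fails over to NetWare, gets NXDOMAIN, and keeps using NetWare after the DC comes back until the DNS Client service is restarted. Giving every listed server the same content removes both failure modes.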
 
Guest

C Hall wrote:
> Ace,
>
> Thanks for the reply. All locations are NOT seperate domains. From my
> understanding, I think the only reason to create seperate forward
> lookkup zones for these locations would be the number of
> records--sound about right?

If they are all one domain, then you can use DNS AD Integrated zones. They
are stored in the AD database and replicate along with it. Any W2k or S2k3
DC/DNS supports this feature. Secondaries are not required. Think about it:
the zone info on each needs to be the same exact info, the same exact content,
so no matter what DNS you use, they all have the same content or can
reference that content. I have never heard of creating separate zones for
each location when all the machines are part of the same domain. The domain
is just that, a domain, and is autonomous and needs to be available throughout
the infrastructure.

Ace
 
Guest

C Hall wrote:
> What about the reverse zones? Should each server have a copy of all
> the reverse zones? Or just its own?

All servers should have a copy of the reverse zone for each subnet so the
whole infrastructure can resolve itself.

See what I'm getting at? The whole infrastructure must be resolvable by
using DNS servers that have the same content or reference to that content.

Ace
 
Guest

Ace,

Okay...loud and clear. One thing about something you said earlier....you
mentioned getting rid of NetWare...I can choose not to configure DNS on
NetWare, but removing it from all branches is not an option at this point. I
could configure zones for each location and have all clients point to the
nearest server, but that would mean queries across WAN links. I understand
what you're saying about the incompatibilities with the DNS versions (MS v.
NetWare), but I'm stuck with NW at the moment.

Comments?

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:%23VIvf3BNFHA.2464@TK2MSFTNGP10.phx.gbl...
> Here's more info on the client side resolver and how it works. Maybe this
> will help out.
>
> Querying DNS Servers
>
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prjj_ipa_bsmz.asp
>
>
 
Guest

C Hall wrote:
> Ace,
>
> Okay...loud and clear. One thing about something you said
> earlier....you mentioned getting rid of Netware...I can choose not to
> configure dns on Netware, but removing it from all branches is not an
> option at this point. I could configure zones for each location and
> have all clients point to the nearest server, but that would mean
> queries across wan links. I understand what you're saying about the
> incompatibilities with the dns versions (ms v. netware), but I'm
> stuck with NW at the moment.
>
> Comments?
>

Well, I meant to get rid of or disable the NW DNS services since the version
you are using cannot support AD's requirements. Choosing not to configure
DNS on the NW servers is the same thing that I was saying.

But that leads to this statement confusing me:
> ...I can choose not to configure dns on Netware, but removing
> it from all branches is not an option at this point.

Do you mean you are not choosing to configure DNS on NW, and that means you
won't be using DNS, correct? Then what do you mean by removing it from all
branches? Meaning DNS or the NW servers themselves?

What I'm trying to say is, simplify your DNS infrastructure. Don't mix DNS
services that either do not support your infrastructure (even though AD is
not used throughout your network), or that do not contain the same content
(all your zones). With all due respect, leaving it the way it is, is a
sloppy design that will lead to problems and complicate resolution in your
network (such as what you are trying to get help on now). Simplify it. Do
yourself a favor. Go to the highest possible denominator, and in this case,
based on what the future needs are, and that is to support AD, use what
supports AD. If you don't want to use W2k DNS, then you can use BIND 8.2.3 or
newer, but for your sake, whatever you use, retire the NW DNS servers since
they do not support your requirements.

Ace
 
Guest

> Well, I meant to get rid of or disable the NW DNS services since the version
> you are using cannot support AD's requirements. Choosing not to configure
> DNS on the NW servers is the same thing that I was saying.
>
> But that leads to this statement confusing me:
> > ...I can chose not to
> > configure dns on Netware, but removing
> > it from all branches is not an
> > option at this point.
>
> Do you mean you are not choosing to configure DNS on NW, and that means you
> won't be using DNS, correct? Then what do you mean by removing it from all
> branches? Meaning DNS or the NW servers themselves?

What I meant above is this: I inherited a Netware network with dns not
ever fully configured. A couple of branches had dns, most did not. But
we were running IPX/SPX and the related services. We started adding w2k
servers as applications that were needed, needed w2k. This led to domain
controllers. Which led to this present situation. Before moving forward,
I wanted to get a clear picture of what I needed to do, hence this post.

> leaving it the way it is, is a sloppy design that will lead to problems
> and complicating resolution in your
> network (such as what you are trying to get help on now).

I agree and now understand where problems would come from.


> If you dont want to use W2k DNS, then you can use BIND 8.2.3 or
> newer, but for your sake, whatever you use, retire the NW DNS servers since
> they do not support your requirements.

> Ace

Thanks again, Ace.
 
Guest

C Hall wrote:
>> Well, I meant to get rid of or disable the NW DNS services since the
>> version you are using cannot support AD's requirements. Choosing not
>> to configure DNS on the NW servers is the same thing that I was
>> saying.
>>
>> But that leads to this statement confusing me:
>>> ...I can chose not to
>>> configure dns on Netware, but removing
>>> it from all branches is not an
>>> option at this point.
>>
>> Do you mean you are not choosing to configure DNS on NW, and that
>> means you won't be using DNS, correct? Then what do you mean by
>> removing it from all branches? Meaning DNS or the NW servers
>> themselves?
>
> What I meant above is this: I inherited a Netware network with dns not
> ever fully configured. A couple of branches had dns, most did not. But
> we were running IPX/SPX and the related services. We started adding
> w2k servers as applications that were needed, needed w2k. This led to
> domain controllers. Which led to this present situation. Before
> moving forward, I wanted to get a clear picture of what I needed to
> do, hence this post.
>
>> leaving it the way it is, is a sloppy design that will lead to
>> problems and complicating resolution in your
>> network (such as what you are trying to get help on now).
> I agree and now understand where problems would come from.
>
>
>> If you dont want to use W2k DNS, then you can use BIND 8.2.3 or
>> newer, but for your sake, whatever you use, retire the NW DNS
>> servers since they do not support your requirements.
>
>> Ace
>
> Thanks again, Ace.


That's one of the most difficult things to handle when someone gets a
network handed down that needs work to update it. I wish you well. I hope I
was clear, but not too straightforward.

Ace
 
Guest

I've done some reading about DNS--"DNS and BIND", O'Reilly--it's a bit
different when you're in the trenches. Thanks for all your input.
Chris

> That's one of the most difficult things to handle when someone gets a
> network handed down that needs work to update it. I wish you well. I hope I
> was clear, but not too straightforward.
>
> Ace
>
>
 
Guest

C Hall wrote:
> I've done some reading about dns--"DNS and BIND", O'Reilly--it's a bit
> different when you're in the trenches. Thanks for all your input.
> Chris
>> That's one of the most difficult things to handle when someone gets
>> a network handed down that needs work to update it. I wish you well.
>> I hope I was clear, but not too straightforward.
>>
>> Ace



That's a good book. My pleasure for the help. Good luck.

Ace