Gera (Guest)
Posted: Tue Jan 11, 2005 8:55 pm
Post subject: Child AD domain zone - delegate from root DC or not?
Let's say I have a test forest setup of a root DC and two child domains with
their own DCs. All with Windows 2003 Server. Traffic and the number of users
are low. Child domains are in different geogr. sites, and fault tolerance is
important. In an actual deployment every domain will have a pair of DCs.
The first child domain I installed without delegating the child zone from the
root server, set the forwarder to the root DC and everything seems to be ok.
Of course, the child DNS server is not authoritative for its own domain's
namespace.
The second child domain I installed as per Q255248. Also set the forwarder to
the root DC, converted to an AD-integrated zone and everything seems to be ok
as well. And of course, the child DNS server now is authoritative for its own
domain's namespace.
The question is: is it absolutely necessary to use delegation and what will
be the consequences of the first method and second method, which I probably
can't forecast now?
The only difference I can see now is that using the second method I do not
need to set the forwarder to the root DC and can set it to our ISP address (as
primary).
Thanks
Gera

Herb Martin (Guest)
Posted: Tue Jan 11, 2005 9:58 pm
Post subject: Re: Child AD domain zone - delegate from root DC or not?
"Gera" <Gera@discussions.microsoft.com> wrote in message
news:AFFA5B6E-7199-4074-8649-65144B626BC1@microsoft.com...
> Let's say, I have a test forest setup of root DC and two child domains
> with their own DC. All with Windows 2003 Server. Traffic and users amount
> are near low.
One then wonders what forced the multiple domains...?
> Child domains are in different geogr. sites, and fault tolerance is
> important. In an actual deployment every domain will have a pair of DCs.
Ok. Every site will need (at least one of the DC to be) a GC.
> First child domain I installed without delegating child zone from the root
> server,
Do you mean in DNS? If so that is going to cause
your problems and is easily fixed even now.
Were you to mean in AD, then it would not be a child
domain.
> set forwarder to root DC and everything seems to be ok.
> Of course,
> child DNS server is not authoritative for its own domain's namespace.
All Primary and Secondary DNS servers are authoritative
for the zones they hold.
What type of DNS server is on each zone?
Technically the DNS server that supports an AD zone
does not have to be "in that zone" -- in fact it COULD
be a BIND server running on Unix or even a workstation
machine (not recommended but it works.)
The key is if your machines can properly resolve using
it, and furthermore if the DCs (etc.) can register themselves
DYNAMICALLY.
The zone must be DYNAMIC, the Primary (or AD-integrated
DNS servers) REACHABLE.
> Second child domain I installed as per Q255248. Also set forwarder to root
> DC, converted to AD-integrated zone and everything seems to be ok as well.
> And of course, child DNS server now is authoritative for its own domain's
> namespace.
> The question is: is it absolutely necessary to use delegation and what
> will be the consequences of the first method and second method, which I
> probably can't forecast now?
Mostly it looks goofy (if it works).
Really there are simple and more logical ways to do this
but as above the DNS server for a domain does not have
to even be a Microsoft machine.
> The only difference I can see now is that using second method I do not
> need to set forwarder to the root DC and can set it to our ISP address (as
> primary).
Well, it isn't usual to use the "forwarder" setting for
an internal hierarchy IF you also wish to resolve
Internet names (unless the forwarders are in a chain
due to WAN layout) but in Win2003 you can use
CONDITIONAL forwarding to forward for internal
names (the DNS at the top of the internal name tree,
or trees) and then retain the GENERAL forwarding
for the (rest of the world of the) Internet.
You can call me if you wish and I will help you
think through what will serve you best and where
your resolutions and registrations are really going.
Even if the above works (as you have it), you may
experience odd problems when a WAN line is out
but I cannot tell that without a bit more specificity.
(phone is on my website LearnQuick.Com)
--
Herb Martin

Gera (Guest)
Posted: Tue Jan 11, 2005 11:47 pm
Post subject: Re: Child AD domain zone - delegate from root DC or not?
Hello
>> Let's say, I have a test forest setup of root DC and two child domains with
>> their own DC. All with Windows 2003 Server. Traffic and users amount are
>> near low.
> One then wonders what forced the multiple domains...?

There were some reasons, like distributed administration and geogr. placement.
>> Child domains are in different geogr. sites, and fault tolerance is
>> important. In an actual deployment every domain will have a pair of DCs.
> Ok. Every site will need (at least one of the DC to be) a GC.

Sure they are.
>> First child domain I installed without delegating child zone from the root
>> server,
> Do you mean in DNS? If so that is going to cause your problems and is easily
> fixed even now.

Yes, I mean DNS child zone. And this is only a test setup.
> Were you to mean in AD, then it would not be a child domain.
>> set forwarder to root DC and everything seems to be ok.
>> Of course,
>> child DNS server is not authoritative for its own domain's namespace.
> All Primary and Secondary DNS servers are authoritative
> for the zones they hold.

I only mean that the child DC doesn't hold the zone (because not delegated), so
it is not authoritative. Or am I wrong?....
> What type of DNS server is on each zone?

The same Win2003 server's DNS services.
> Technically the DNS server that supports an AD zone
> does not have to be "in that zone" -- in fact it COULD
> be a BIND server running on Unix or even a workstation
> machine (not recommended but it works.)
> The key is if your machines can properly resolve using
> it, and furthermore if the DCs (etc.) can register themselves
> DYNAMICALLY.
> The zone must be DYNAMIC, the Primary (or AD-integrated
> DNS servers) REACHABLE.
>> Second child domain I installed as per Q255248. Also set forwarder to root
>> DC, converted to AD-integrated zone and everything seems to be ok as well.
>> And of course, child DNS server now is authoritative for its own domain's
>> namespace.
>> The question is: is it absolutely necessary to use delegation and what will
>> be the consequences of the first method and second method, which I
>> probably can't forecast now?
> Mostly it looks goofy (if it works).

Looks goofy what? First method or second?
Which way is better?
> Really there are simple and more logical ways to do this
> but as above the DNS server for a domain does not have
> to even be a Microsoft machine.

What are these ways, in short?
>> The only difference I can see now is that using second method I do not need
>> to set forwarder to the root DC and can set it to our ISP address (as primary).
> Well, it isn't usual to use the "forwarder" setting for
> an internal hierarchy IF you also wish to resolve Internet names

What is the right way?
> (unless the forwarders are in a chain due to WAN layout)

No, access to the internet is possible from any site.
> but in Win2003 you can use
> CONDITIONAL forwarding to forward for internal
> names (the DNS at the top of the internal name tree,
> or trees) and then retain the GENERAL forwarding
> for the (rest of the world of the) Internet.

Yes, I know about this feature but still need to read and test it more.
It may really help.
> You can call me if you wish and I will help you
> think through what will serve you best and where
> your resolutions and registrations are really going.

Thanks for this, but I am located too far to call...
> Even if the above works (as you have it), you may
> experience odd problems when a WAN line is out
> but I cannot tell that without a bit more specificity.

The main concern for me now is to delegate the child zone as per MS
recommendation or not to delegate. And it is interesting to realize the
consequences of such decisions.
Thanks,
G.

Herb Martin (Guest)
Posted: Wed Jan 12, 2005 1:08 am
Post subject: Re: Child AD domain zone - delegate from root DC or not?
"Gera" <Gera@discussions.microsoft.com> wrote in message
news:0BE5D746-9613-4CF6-83EC-8EA58FD4A97E@microsoft.com...
> Hello
>>> Let's say, I have a test forest setup of root DC and two child domains
>>> with their own DC. All with Windows 2003 Server. Traffic and users amount
>>> are near low.
>> One then wonders what forced the multiple domains...?
> There were some reasons, like distributed administration and geogr.
> placement.
Mere geography is not a reason (usually).
Distributed administration is usually available
through OUs and delegation.
>>> Child domains are in different geogr. sites, and fault tolerance is
>>> important. In an actual deployment every domain will have a pair of DCs.
>> Ok. Every site will need (at least one of the DC to be) a GC.
> Sure they are.
>>> First child domain I installed without delegating child zone from the
>>> root server,
>> Do you mean in DNS? If so that is going to cause your problems and is
>> easily fixed even now.
> Yes, I mean DNS child zone. And this is only a test setup.
Not a big issue then -- if you want to change DNS
that is easy; changing AD domain trees themselves is hard.
>> Were you to mean in AD, then it would not be a child domain.
>>> set forwarder to root DC and everything seems to be ok.
>>> Of course,
>>> child DNS server is not authoritative for its own domain's namespace.
>> All Primary and Secondary DNS servers are authoritative
>> for the zones they hold.
> I only mean that the child DC doesn't hold the zone (because not delegated),
> so it is not authoritative. Or am I wrong?....
Correct. But if you mean it "doesn't hold the DNS
domain/zone", just say that. Too many people have
the mistaken impression that Secondaries are
not authoritative or that DCs must be DNS
servers. [not your fault]
>> What type of DNS server is on each zone?
> The same Win2003 server's DNS services.
???
So your DNS server is a member of the parent (root)
AD domain -- and it holds all the zones.
You have no branch DNS servers? That is likely a
poor design.
>> Technically the DNS server that supports an AD zone
>> does not have to be "in that zone" -- in fact it COULD
>> be a BIND server running on Unix or even a workstation
>> machine (not recommended but it works.)
>> The key is if your machines can properly resolve using
>> it, and furthermore if the DCs (etc.) can register themselves
>> DYNAMICALLY.
>> The zone must be DYNAMIC, the Primary (or AD-integrated
>> DNS servers) REACHABLE.
>>> Second child domain I installed as per Q255248. Also set forwarder to
>>> root DC, converted to AD-integrated zone and everything seems to be ok as
>>> well. And of course, child DNS server now is authoritative for its own
>>> domain's namespace.
>>> The question is: is it absolutely necessary to use delegation and what
>>> will be the consequences of the first method and second method, which I
>>> probably can't forecast now?
>> Mostly it looks goofy (if it works).
> Looks goofy what? First method or second?
> Which way is better?
Generally each Domain should have DNS servers for
the zone that supports it LOCAL to the DCs and to the
(majority of) their clients.
Those DNS servers are not required to be on the DCs
for that zone but it is usually hard to find a better place
for the first deployment.
After that is constructed, you can add additional
servers for that domain/zone either on the DCs or
other domains or even on regular servers if some
sites have no DCs. This latter is done for performance
and optimization.
>> Really there are simple and more logical ways to do this
>> but as above the DNS server for a domain does not have
>> to even be a Microsoft machine.
> What are these ways, in short?
See previous.
One important key to DNS (with or without AD):
All zones should be considered SEPARATELY when
designing a solution.
The only near exception to this is during the actual
act of delegation where you are working on the parent
and delegating to the child DNS servers but really you
are only "thinking about one zone" even then.
Note that delegation itself is something you do because
the current parent server is not going to be the Primary
(etc.) DNS server for the new zone. You delegate because
the zone will be held on OTHER DNS servers or
administered by other DNS admins.
>>> The only difference I can see now is that using second method I do not
>>> need to set forwarder to the root DC and can set it to our ISP address (as
>>> primary).
>> Well, it isn't usual to use the "forwarder" setting for
>> an internal hierarchy IF you also wish to resolve Internet names
> What is the right way?
"Right" is a relative term, GENERAL forwarding is
something I would seldom recommend internally.
Conditional forwarding CAN be an important design
element.
What is 'right' is what works, most efficiently and is
easy to understand and maintain.
With Win2003 we have three choices to deal with the
"other domains/zones" problems: (conditional)
forwarding, stub zones, and secondaries.
Generally you DON'T have these problems FROM
the root/parent if you delegate, so I will say that
delegation is practically always correct (although
something else may function.)
>> (unless the forwarders are in a chain due to WAN layout)
> No, access to the internet is possible from any site.
Then you don't have the "Single (general) forwarder"
problem which makes your choices more flexible.
I would still tend to use conditional, stub, or secondaries
for clarity and for future changes (e.g., Internet access).
It just looks cleaner (i.e., less goofy. <grin>)
>> but in Win2003 you can use
>> CONDITIONAL forwarding to forward for internal
>> names (the DNS at the top of the internal name tree,
>> or trees) and then retain the GENERAL forwarding
>> for the (rest of the world of the) Internet.
> Yes, I know about this feature but still need to read and test it more.
> It may really help.
>> You can call me if you wish and I will help you
>> think through what will serve you best and where
>> your resolutions and registrations are really going.
> Thanks for this, but I am located too far to call...
>> Even if the above works (as you have it), you may
>> experience odd problems when a WAN line is out
>> but I cannot tell that without a bit more specificity.
> The main concern for me now is to delegate the child zone as per MS
> recommendation or not to delegate. And it is interesting to realize the
> consequences of such decisions.
That is what is really important.
Also in Win2000 with Internet access, the (general)
forwarding method will not work (most of the time).
Win2000 only has one type/setting for forwarders
(all or nothing, I call this "general forwarding") and
it has no Stub zones.
Delegation is (almost) always right because that is
the normal DNS architecture, it is in fact what defines
Parent-Child relationships.
You STILL end up with the issue of getting (resolution)
FROM the children to levels higher in the tree, and thus
to siblings or even (not your case) to ADDITIONAL
trees in a multi-tree forest.
Delegate.
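The delegated design Herb argues for (child zone held locally and AD-integrated, an NS delegation in the parent, conditional forwarding upward for the internal tree, general forwarding reserved for the Internet), written out as an added example. This is not code from the thread or from either poster; it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later, so it post-dates the Windows 2003 setup under discussion (the 2003-era tool was dnscmd). The zone names, host names and addresses are assumptions made up for the example.

```powershell
# Added example, not from the thread. Assumed layout:
#   forest root zone  corp.example         root DC  rootdc1   10.0.0.10
#   child zone        child.corp.example   child DC childdc1  10.1.0.10
#   ISP resolver      203.0.113.53
# Run the "parent" part on a DNS server holding corp.example and the "child"
# part on the child DC. Needs the DnsServer module (RSAT-DNS-Server / DNS role).
Import-Module DnsServer

$ParentZone = 'corp.example'
$ChildLabel = 'child'
$ChildZone  = "$ChildLabel.$ParentZone"
$RootDns    = '10.0.0.10'
$ChildDns   = '10.1.0.10'
$IspDns     = '203.0.113.53'

# --- On the root DC (holds the parent zone): delegate the child namespace ---
# The NS record plus glue A record is what tells any resolver walking down
# from the parent that the child DC, not the root DC, answers for child.*.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer "childdc1.$ChildZone" -IPAddress $ChildDns

# --- On the child DC: hold the child zone locally, AD-integrated ---
# 'Secure' limits dynamic registration to authenticated AD principals;
# 'NonsecureAndSecure' would let any host on the network overwrite records
# such as the DC's own SRV entries.
Add-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope 'Domain' `
    -DynamicUpdate 'Secure'

# Resolution UPWARD (parent zone, sibling domains) without forwarding
# everything to the root DC: a conditional forwarder for the internal tree.
# A stub zone (Add-DnsServerStubZone) is the alternative Herb mentions.
Add-DnsServerConditionalForwarderZone -Name $ParentZone `
    -MasterServers $RootDns -ReplicationScope 'Domain'

# General forwarding stays pointed at the Internet resolver only.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# --- Checks to run once both sides are in place ---
function Test-ChildZoneDesign {
    param([string]$Zone, [string]$ParentServer)

    # 1. The parent really delegates: ask the root DC for the child's NS set
    #    and drop the glue A records that come back in the additional section.
    $ns = Resolve-DnsName -Name $Zone -Type NS -Server $ParentServer -ErrorAction Stop |
          Where-Object { $_.Type -eq 'NS' }

    # 2. The local zone is AD-integrated and accepts secure updates only.
    $z = Get-DnsServerZone -Name $Zone

    # 3. The child DC registered its locator records into the local zone.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV `
           -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Zone             = $Zone
        DelegatedNS      = ($ns | ForEach-Object NameHost) -join ','
        IsDsIntegrated   = $z.IsDsIntegrated
        DynamicUpdate    = $z.DynamicUpdate     # expect 'Secure'
        ReplicationScope = $z.ReplicationScope  # 'Domain' or 'Forest'
        DcSrvRegistered  = [bool]$srv
    }
}

Test-ChildZoneDesign -Zone $ChildZone -ParentServer $RootDns | Format-List
```

`dcdiag /test:dns /DnsDelegation /DnsDynamicUpdate` on the child DC gives the same two facts (delegation present in the parent, dynamic registration working) from the DC's side; if `DynamicUpdate` comes back as anything other than `Secure` on an AD-integrated zone, fix that before anything else, since the delegation decision is about where the zone lives, not about who is allowed to write to it.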

Gera (Guest)
Posted: Wed Jan 12, 2005 6:09 pm
Post subject: Re: Child AD domain zone - delegate from root DC or not?
[skip x4]
>> I only mean that the child DC doesn't hold the zone (because not
>> delegated), so it is not authoritative. Or am I wrong?....
> Correct. But if you mean it "doesn't hold the DNS
> domain/zone", just say that. Too many people have
> the mistaken impression that Secondaries are
> not authoritative or that DCs must be DNS
> servers. [not your fault]
>>> What type of DNS server is on each zone?
>> The same Win2003 server's DNS services.
> ???

Each DC is also a DNS server. MS DNS server.
> So your DNS server is a member of the parent (root)
> AD domain -- and it holds all the zones.
> You have no branch DNS servers? That is likely a
> poor design.

Probably this is a misunderstanding. Child domains have a DC, which is also a
DNS server.
> Generally each Domain should have DNS servers for
> the zone that supports it LOCAL to the DCs and to the
> (majority of) their clients.

That's the point I want to make sure of.
It's better to delegate and hold locally because of dynamic updates and
general design.
> Delegate.

Thanks a lot for this discussion, it made me sure about this design
decision.
G.

Herb Martin (Guest)
Posted: Wed Jan 12, 2005 11:49 pm
Post subject: Re: Child AD domain zone - delegate from root DC or not?
>>>> What type of DNS server is on each zone?
>>> The same Win2003 server's DNS services.
>> ???
> Each DC is also a DNS server. MS DNS server.
Does it hold the zones for its own domain?
If so, what type of zone is this (for its own domain)?
IF it is AD-integrated, what replication scope are
you using (same Domain DCs, DNS-DCs only, etc.)?
>> So your DNS server is a member of the parent (root)
>> AD domain -- and it holds all the zones.
>> You have no branch DNS servers? That is likely a
>> poor design.
> Probably this is a misunderstanding. Child domains have a DC, which is also
> a DNS server.
Then do these hold the zone for that DC's AD domain?
>> Generally each Domain should have DNS servers for
>> the zone that supports it LOCAL to the DCs and to the
>> (majority of) their clients.
> That's the point I want to make sure of.
> It's better to delegate and hold locally because of dynamic updates and
> general design.
Yes.
>> Delegate.
> Thanks a lot for this discussion, it made me sure about this design
> decision.
Ok, although you might wish to call me to talk it
through. Phone number is on my web site:
http://www.LearnQuick.Com