in a multiple AD Forest pickle
mmccaws2 (Guest)
Posted: Fri Nov 04, 2005 9:50 am    Post subject: in a multiple AD Forest pickle

in a pickle

I'm in a company that houses multiple organizations that are funded
separately, some paranoid, some technically challenged, and can't
agree on one AD Forest. So there are 6 AD Forests. Some want to do it
all, with regard to DNS/DDNS/DHCP, some want me to continue with my
BIND-based DNS and DHCP, since they don't want to deal with
administering DNS. (Unfortunately, we central network administrators
are allowed to say 'form one AD Forest'.)

So currently I have the following scenario running:

The primary domain name server (BIND-based) supports the mainframe, Unix, a
whole bunch of legacy systems, and to some degree 6 AD forests.

All the forests are on ADFORESTORGNAME.local; substitute each org's
acronym for ADFORESTORGNAME.

My primary domain name server is SOA for company.org. The
ADdomain.local zones are set up as stub zones. Each AD domain then provides
DNS for its own users. (Actually, I'm not sure that all AD
administrators have set up their users' host machines to point to the AD
forest DNS server as first choice. I know originally they were all
instructed to point to the company.org DHCP server, which provided the
setting to point to the company.org name servers.)

However, what seems strange to me is that the AD hosts are set up to use
the company.org DNS/DHCP name servers as their first name server and get
the IP assignment. Then the profile updates it to their AD domain. So
in my DHCP list I see hosts registering from most of the
host.ADdomain.local names. (Can you think of why this is preferred?)

Also what seems strange is that the AD forest administrators are not
creating stub entries for each other's AD forests. And, in most cases,
there is not a two-way trust set up, if any. (Can you think of how this
might be advantageous?)

I need to upgrade the DNS/DHCP application. So my problem is a
restricted administrative and monetary problem, and I have the following
network issues to contend with:
- We are using variable length subnet masking, so I cannot cleanly
break each zone into a class C. I tend to want to stay with my central
DNS/DHCP server app since I can allocate a range as small as one IP
address to be administered by a specified LAN administrator. I don't
know if the MS 2003 DNS server will allow that fine a level of administration.
- Each AD forest has hosts that they need to register as
host.company.org.
- Each AD forest administrator wants the ease of DDNS but wants me to
do that without having access to their AD Forest.
- I need to make sure that each Forest doesn't accidentally stomp on
host/IP address allocations in a way that stops financial traffic or internet
access, or interferes with the other Forests. With AD forests the
administrators usually only stomp on their own users. But occasionally
they do something that gets all the forest administrators complaining.


So here is my two cents: set up a 2003 server to host a central.local
zone. Have all the willing AD forests point to this server for DHCP and
run their zones as stub zones. Also, have each AD DNS server configure
the other AD servers as stub zones. (I believe I do this. However, if
it doesn't have a two-way trust, how does DDNS work between the AD forest
and central.local?)

Then company.org DNS server serves any static company.org host entries
and other domains that we host and have to resolve, and network
devices.

Obviously the critical stoppers are in the details. But as a general
approach I'm trying to poke holes to see what I'm missing.

Thanks

Mike
Kevin D. Goodknecht Sr. [MVP] (Guest)
Posted: Mon Nov 07, 2005 9:22 am    Post subject: Re: in a multiple AD Forest pickle

mmccaws2 <mmccaws@comcast.net> wrote:

Quote:
So here is my two cents: set up a 2003 server to host a central.local
zone. Have all the willing AD forests point to this server for DHCP
and run their zones as stub zones. Also, have each AD DNS server
configure the other AD servers as stub zones. (I believe I do this.
However, if it doesn't have a two-way trust, how does DDNS work between
the AD forest and central.local?)

Then company.org DNS server serves any static company.org host entries
and other domains that we host and have to resolve, and network
devices.

Obviously the critical stoppers are in the details. But as a general
approach I'm trying to poke holes to see what I'm missing.

So I take it that you want to host secure DDNS zones for these other
forests?

All you need is multiple one way trusts, so that their DC will authenticate
the clients registering in your DNS, then set up a Stub zone on their DNS
servers pointing to your DNS servers as the Authoritative DNS servers for
their domains.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
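The arrangement Kevin describes, as an added example that is not part of either post: the central server hosts central.local with secure-only dynamic updates (so a host can register or overwrite a name only after its own forest's DC has authenticated it across the one-way trust), and every server carries stub zones for the zones it does not host. Names and addresses are placeholders: central.local for the central zone, orga.local and orgb.local for two of the ADFORESTORGNAME.local forests, and constructed IP addresses; the DnsServer PowerShell module used here is from Windows Server 2012 and later, whereas the thread's Server 2003 would do the same steps with dnscmd.

```powershell
# Added example, not from the thread. central.local, orga.local, orgb.local
# and all IP addresses are hypothetical placeholders.
# Requires the DnsServer module (Windows Server 2012+); run as a DNS admin.

$CentralZone    = 'central.local'
$CentralServers = @('10.0.0.10', '10.0.0.11')
$Forests = @(
    @{ Zone = 'orga.local'; DnsServers = @('10.10.1.10') }
    @{ Zone = 'orgb.local'; DnsServers = @('10.20.1.10', '10.20.1.11') }
)

# --- On the central DNS server (a DC of the central forest) -----------------
# Host central.local as an AD-integrated primary zone that accepts only
# *secure* dynamic updates. An unauthenticated client cannot create a record
# at all, and an authenticated one can only change records it owns, which is
# what keeps one forest's hosts from stomping on another forest's names.
# The one-way trusts themselves (central.local trusting each org forest) are
# created beforehand with netdom trust or AD Domains and Trusts.
Add-DnsServerPrimaryZone -Name $CentralZone -ReplicationScope 'Forest' `
                         -DynamicUpdate 'Secure'

# Stub zones so the central server can resolve host.orga.local, host.orgb.local, ...
foreach ($f in $Forests) {
    Add-DnsServerStubZone -Name $f.Zone -MasterServers $f.DnsServers `
                          -ReplicationScope 'Forest'
}

# --- On each forest's DNS server (targeted remotely here) -------------------
# A stub zone naming the central servers as authoritative for central.local,
# plus stub zones for the other forests, which the thread notes are missing.
foreach ($f in $Forests) {
    $target = $f.DnsServers[0]
    Add-DnsServerStubZone -ComputerName $target -Name $CentralZone `
                          -MasterServers $CentralServers -ReplicationScope 'Forest'
    foreach ($other in ($Forests | Where-Object { $_.Zone -ne $f.Zone })) {
        Add-DnsServerStubZone -ComputerName $target -Name $other.Zone `
                              -MasterServers $other.DnsServers -ReplicationScope 'Forest'
    }
}

# Check: the hosted zone must report DynamicUpdate = Secure, never
# NonsecureAndSecure, or any host on the network could overwrite records.
Get-DnsServerZone -Name $CentralZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

The final Get-DnsServerZone line is the check worth repeating after any later zone change, since switching the zone to NonsecureAndSecure silently removes the protection the trusts were set up to provide.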