|
|
I'm looking over a 2003 forest that was set up by someone else and I found that the forward lookup zones are not configured the way I'm used to seeing them. I'm used to seeing a subdomain get configured within the parent domain. So, east.contoso.com would be created and configured within/under the contoso.com (parent) domain.
like this:
contoso.com
east.contoso.com
west.contoso.com
However, this server has the parent domain (contoso.com) as well as the child domains (east.contoso.com, west.contoso.com, etc) configured as peer domains within the lookup zone.
like this:
contoso.com
->east.contoso.com
->west.contoso.com
First, is this considered to be incorrect? I ask because if you're logged on to, say, west.contoso.com, you can't resolve a host that's in the east.contoso.com zone unless you use the host's fqdn.
Appreciate any insight into this-
|
|
In news:1179452415.197597.156440[ at ]y80g2000hsf.googlegroups.com, MandG <gscanga[ at ]gmail.com> typed:
> I'm looking over a 2003 forest that was set up by someone else and I
> found that the forward lookup zones are not configured the way I'm
> used to seeing them. I'm used to seeing a subdomain get configured
> within the parent domain. So, east.contoso.com would be created and
> configured within/under the contoso.com (parent) domain.
>
> like this:
> contoso.com
> east.contoso.com
> west.contoso.com
>
> However, this server has the parent domain (contoso.com) as well as
> the child domains (east.contoso.com, west.contoso.com, etc) configured
> as peer domains within the lookup zone.
>
> like this:
> contoso.com
> ->east.contoso.com
> ->west.contoso.com
>
> First, is this considered to be incorrect? I ask because if you're
> logged on to, say, west.contoso.com, you can't resolve a host that's
> in the east.contoso.com zone unless you use the host's fqdn.
>
> Appreciate any insight into this-
Oranges and apples, but they are still fruit. Some like to do it one way, some the other. Me? I prefer a single parent with the child zones under it. You can easily remove the child zones and leave the contoso.com zone and the child zones will appear under it. The ones that autoregister will show, but the static ones you will need to put back in.
-- Regards, Ace
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP Microsoft MVP - Directory Services Microsoft Certified Trainer
|
|
"MandG" <gscanga[ at ]gmail.com> wrote in message news:1179452415.197597.156440[ at ]y80g2000hsf.googlegroups.com...
> I'm looking over a 2003 forest that was set up by someone else and I
> found that the forward lookup zones are not configured the way I'm
> used to seeing them. I'm used to seeing a subdomain get configured
> within the parent domain. So, east.contoso.com would be created and
> configured within/under the contoso.com (parent) domain.
In some sense they always are (i.e., the DNS sense) but whether you hold those zones on the parent, delegate them to the child (traditional), or use one of the new Win2003 only methods is a choice (e.g., Stub, Conditional Forwarding, or Forest-Wide DNS-DC AD Integration.)
> like this:
> contoso.com
> east.contoso.com
> west.contoso.com
>
> However, this server has the parent domain (contoso.com) as well as
> the child domains (east.contoso.com, west.contoso.com, etc) configured
> as peer domains within the lookup zone.
Nothing wrong with this even if it is non-traditional.
> like this:
> contoso.com
> ->east.contoso.com
> ->west.contoso.com
>
> First, is this considered to be incorrect?
No.
> I ask because if you're
> logged on to, say, west.contoso.com, you can't resolve a host that's
> in the east.contoso.com zone unless you use the host's fqdn.
That would not be true if the above as well as the CLIENT PATH to the zones is functioning correctly.
(All of) The DNS servers used by the DNS Clients must be able to resolve both their own (AD support) DNS zone as well as any zone in the Forest or trust relationship.
As long as that is true -- the rest is about efficiency and convenience.
> Appreciate any insight into this-
Does it work?
-- Herb Martin, MCSE, MVP http://www.LearnQuick.Com (phone on web site)
|
|
Read inline please.
In news:1179452415.197597.156440[ at ]y80g2000hsf.googlegroups.com, MandG <gscanga[ at ]gmail.com> typed:
> like this:
> contoso.com
> ->east.contoso.com
> ->west.contoso.com
>
> First, is this considered to be incorrect? I ask because if you're
> logged on to, say, west.contoso.com, you can't resolve a host that's
> in the east.contoso.com zone unless you use the host's fqdn.
You need to look at your DNS suffix search list on all your clients. If clients in east.contoso.com need to resolve hosts in west.contoso.com as well as east.contoso.com and contoso.com, you need to make sure all clients, regardless of domain, get all three names in the DNS suffix search list. This can be done in a group policy, or by configuring each client individually.
-- Best regards, Kevin D. Goodknecht Sr. [MVP]
|
|
Thanks for the tips guys-
Ace, if the current design doesn't have an effect on the dns resolution, I'd just rather leave it intact.
Kevin, I did test out adding the domain suffix local on a client to verify it solved the issue and it worked. However, I'm determined to resolve (no pun intended) this on the dns server and prefer to keep our gpo's to a minimum.
Herb, I'm leaning towards creating a stub zone but have a couple of questions-
1) what would I name the stub? Doesn't this have to be the name of the remote domain I'm trying to resolve to? ie, if I'm homed off of east.contoso.com, and want to resolve some records from west.contoso.com, wouldn't I need to name the stub "west.contoso.com"?
2) doesn't a stub essentially just introduce the ns record for the domain I'm trying to resolve to? If so, why couldn't I just add those ns records of the remote domain to the existing local zone?
Thanks again-
|
|
"MandG" <gscanga[ at ]gmail.com> wrote in message news:1179616590.371022.270380[ at ]l77g2000hsb.googlegroups.com...
> Thanks for the tips guys-
>
> Ace, if the current design doesn't have an affect on the dns
> resolution, I'd just rather leave it intact.
>
> Kevin, I did test out adding the domain suffix local on a client to
> verify it solved the issue and it worked. However, I'm determined to
> resolve (no pun intended) this on the dns server and prefer to keep
> our gpo's to a minimum.
>
> Herb, I'm leaning towards creating a stub zone but have a couple of
> questions-
>
> 1) what would I name the stub? Doesn't this have to be the name of the
> remote domain I'm trying to resolve to?
Yes, it is always a STUB for an existing domain. A Stub is basically a "Secondary without most of the records". You use a Stub MOSTLY when you would use a Secondary BUT cannot afford to copy all of the records. E.g., there are tens of thousands of records but DNS clients will only look up a few dozen DCs, email, and other key servers.
> ...ie, if I'm homed off of
> east.contoso.com, and want to resolve some records from
> west.contoso.com, wouldn't I need to name the stub "west.contoso.com"?
Yes. It is a server for THAT zone (or not.) Conditional Forwarding also works. There are VERY slight differences in effect and features between using Conditional Forwarding and using a Stub Zone.
> 2) doesn't a stub essentially just introduce the ns record for the
> domain I'm trying to resolve to?
Basically YES -- the SOA record, the NS records, AND the A records (if needed) for the NS records.
> If so, why couldn't I just add those
> ns records of the remote domain to the existing local zone?
Wouldn't make the machine resolve that zone. Where would you put them? If you put them in the "remote domain zone" then you would be leaving out all of the real records and make those TOTALLY unresolvable.
If you put them in some other zone, this would do NOTHING for finding that "other remote zone".
Stub zones are "partial zones" that are smart enough to know HOW to find the rest of the records, and smart enough to know the rest of the records EXIST on those other NS servers.
> Thanks again-
-- Herb Martin, MCSE, MVP http://www.LearnQuick.Com (phone on web site)
|
|
In news:1179616590.371022.270380[ at ]l77g2000hsb.googlegroups.com, MandG <gscanga[ at ]gmail.com> typed:
> Thanks for the tips guys-
>
> Ace, if the current design doesn't have an affect on the dns
> resolution, I'd just rather leave it intact.
>
> Kevin, I did test out adding the domain suffix local on a client to
> verify it solved the issue and it worked. However, I'm determined to
> resolve (no pun intended) this on the dns server and prefer to keep
> our gpo's to a minimum.
>
> Herb, I'm leaning towards creating a stub zone but have a couple of
> questions-
>
> 1) what would I name the stub? Doesn't this have to be the name of the
> remote domain I'm trying to resolve to? ie, if I'm homed off of
> east.contoso.com, and want to resolve some records from
> west.contoso.com, wouldn't I need to name the stub "west.contoso.com"?
>
> 2) doesn't a stub essentially just introduce the ns record for the
> domain I'm trying to resolve to? If so, why couldn't I just add those
> ns records of the remote domain to the existing local zone?
>
> Thanks again-
The current design will not affect resolution.
As for stubs, are you attempting to change the design and incorporate a delegation? By the looks of your design, all child domains are already hosted on one DNS server, which tells me the parent and all child domains all use the one DNS server. In this scenario, this is not a delegation and therefore no stub zone is required. So the decision to use stubs will be based solely on your intended design.
Ace
|
|
Read inline please.
In news:1179616590.371022.270380[ at ]l77g2000hsb.googlegroups.com, MandG <gscanga[ at ]gmail.com> typed:
> Thanks for the tips guys-
>
> Ace, if the current design doesn't have an affect on the dns
> resolution, I'd just rather leave it intact.
>
> Kevin, I did test out adding the domain suffix local on a client to
> verify it solved the issue and it worked. However, I'm determined to
> resolve (no pun intended) this on the dns server and prefer to keep
> our gpo's to a minimum.
The only way you can do this at the server level is to use WINS lookups. You can add all the stub zones, secondary zones or delegations you want, if a particular host is found only in east.contoso.com, the only way a client can find that host, is to look in east.contoso.com. It won't find it looking in contoso.com or west.contoso.com, that is what the DNS suffix search list is for. That said, if you are using WINS, you can add the WINS server's IP to any of the zones listed in the DNS suffix search list. That way, a client looking in west.contoso.com for a host named server3 that is in east.contoso.com, can actually find server3 in west.contoso.com if the DNS server is configured to look in WINS for server3.
>
> Herb, I'm leaning towards creating a stub zone but have a couple of
> questions-
>
> 1) what would I name the stub? Doesn't this have to be the name of the
> remote domain I'm trying to resolve to? ie, if I'm homed off of
> east.contoso.com, and want to resolve some records from
> west.contoso.com, wouldn't I need to name the stub "west.contoso.com"?

A stub zone for west.contoso.com may help the server resolve names in west.contoso.com, but the client has to know to look in west.contoso.com to find a host in that zone.
>
> 2) doesn't a stub essentially just introduce the ns record for the
> domain I'm trying to resolve to? If so, why couldn't I just add those
> ns records of the remote domain to the existing local zone?
You are completely missing the point, you are talking about resolving hosts by their host (server1) name only. If a host, server1, is in east.contoso.com, a client looking in west.contoso.com for server1 will not find it.
-- Best regards, Kevin D. Goodknecht Sr. [MVP]
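The suffix search list point made in Kevin's two replies above, as an added Python illustration (not code from any poster in this thread): a simplified model of how a client turns a single-label name into the FQDNs it actually queries. It assumes the client either devolves its primary DNS suffix or uses an explicit search list; the host names, addresses and function names are constructed.

```python
# Simplified model of a DNS client expanding a single-label name.
# All records below are constructed sample data.

# Everything the DNS server can answer, whether it hosts the zone itself or
# reaches it through a stub zone, delegation or conditional forwarder.
SERVER_RECORDS = {
    "dc1.contoso.com": "10.0.0.10",
    "server3.east.contoso.com": "10.1.0.33",
    "server7.west.contoso.com": "10.2.0.77",
}


def devolved_suffixes(primary_suffix):
    """Primary suffix, then each parent down to the two-label domain."""
    labels = primary_suffix.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def candidates(name, primary_suffix, search_list=None):
    """FQDNs the client will query, in order."""
    name = name.rstrip(".").lower()
    if "." in name:
        # Simplification: a name containing a dot is queried as given.
        return [name]
    # An explicit search list (e.g. pushed by group policy) replaces devolution.
    suffixes = search_list if search_list else devolved_suffixes(primary_suffix)
    return [f"{name}.{suffix}" for suffix in suffixes]


def resolve(name, primary_suffix, search_list=None):
    """Return (address or None, list of FQDNs tried)."""
    tried = []
    for fqdn in candidates(name, primary_suffix, search_list):
        tried.append(fqdn)
        if fqdn in SERVER_RECORDS:
            return SERVER_RECORDS[fqdn], tried
    return None, tried


if __name__ == "__main__":
    all_three = ["west.contoso.com", "east.contoso.com", "contoso.com"]
    # Client in west: the server knows server3, but is never asked for it.
    print(resolve("server3", "west.contoso.com"))
    # Same client with all three suffixes in its search list.
    print(resolve("server3", "west.contoso.com", all_three))
```

In the first call the server holds the record for server3.east.contoso.com the whole time; the lookup fails only because the client never sends that name.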
|
|
|