Root domain clients cannot look up child domain clients, but child domain clients can look up root domain clients.
I have 3 dns servers in the root domain and 1 in the child. The 2 zones are working fine and replicating between all servers.
In the root zone a delegation on the child zone exists with all dns servers listed as name servers.
I have a forwarder from the child dns server to one of the root domain dns servers (I guess this is why it works one way).
Should I create a forwarder from the root dns servers to the child dns server? Is this correct?
If not, any ideas?
"Guff Squirrel" <nospam[ at ]nospam.com> wrote in message news:eiT0BMjKJHA.5232[ at ]TK2MSFTNGP02.phx.gbl...
> I have a forwarder from the child dns server to one of the root domain dns
> server (I guess this is why it works one way)
No, that should not be there.
> Should I create a forwarder to the root dns servers to the child root dns
> server. Is this correct?
No. Then you end up creating a loop.
All Active Directory DNS Servers within a Forest (regardless of domain) all are *already* aware of all of the Zones that exist within the Forest,...assuming AD Replication works properly,...that is one of the "jobs" of the Replication to keep maintained.
Get rid of the forwarder.
Clients should use only the DNS that is within their own Domain,...they should not use the DNS in any of the other domains in the Forest because their own DNS already possesses and is aware of all Zones in the Forest.
You should have 2 DNS in each Domain,...not 3 in one Domain and 1 in another. Each DNS,..in its TCP/IP Config,... should point first to itself and then second to its Partner (hence, minimum 2 per domain), but it should not include DNSs from other domains because the AD Replication already covers that.
Forwarders should only point to *external* DNS Servers such as the ISP's DNS for resolving Public Internet Names.
As always,...anyone with more experience is welcome to correct anything I have in error. I don't see myself as a great AD expert but am willing to learn.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
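The "loop" objection above is easy to see in a model. The following is an added example, not code from anyone in this thread: it builds a constructed two-server forest (a root-dns holding rootdomain.tld and a child-dns holding child.rootdomain.tld, with the child forwarding to the root as the original poster describes), walks the forwarder chain for a query, and reports whether the query is answered, the chain runs out, or a server is visited twice. Server names, zones and the example query names are all constructed; the root zone covering the child's names stands in for the delegation the OP has in the parent zone.

```python
# Added example (not from the thread): walk a DNS forwarder chain and flag a loop.
# Server names, zones and the query names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsServer:
    name: str
    zones: set = field(default_factory=set)  # zones this server is authoritative for
    forwarder: Optional[str] = None          # server it forwards non-authoritative queries to


def in_zone(fqdn: str, zone: str) -> bool:
    """True if fqdn lies at or below zone (case-insensitive, trailing dot ignored)."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    return fqdn == zone or fqdn.endswith("." + zone)


def resolve(servers: dict, start: str, fqdn: str):
    """Follow forwarders from `start` until some server is authoritative for fqdn.

    Returns (status, server, path) where status is one of
      "answered"  - server holds a zone covering fqdn,
      "loop"      - a server was reached a second time (forwarding cycle),
      "exhausted" - the chain ended with nobody authoritative; in a real
                    deployment root hints or an external forwarder would take over here.
    """
    path = []
    current = start
    while current is not None:
        if current in path:
            return "loop", current, path + [current]
        path.append(current)
        srv = servers[current]
        if any(in_zone(fqdn, z) for z in srv.zones):
            return "answered", current, path
        current = srv.forwarder
    return "exhausted", None, path


def build(forward_root_to_child: bool) -> dict:
    """Constructed forest: root zone on root-dns, child zone on child-dns.
    child-dns always forwards to root-dns (the OP's setup); the root forwards
    back to the child only when forward_root_to_child is True."""
    root = DnsServer("root-dns", {"rootdomain.tld"},
                     "child-dns" if forward_root_to_child else None)
    child = DnsServer("child-dns", {"child.rootdomain.tld"}, "root-dns")
    return {s.name: s for s in (root, child)}


ONE_WAY = build(forward_root_to_child=False)  # child -> root only
TWO_WAY = build(forward_root_to_child=True)   # root <-> child


if __name__ == "__main__":
    for label, servers in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(label, resolve(servers, "child-dns", "rootpc.rootdomain.tld"))
        print(label, resolve(servers, "root-dns", "www.example.com"))
```

A name inside the forest is answered in both layouts; the difference shows up on a name neither server holds (an Internet name): with the one-way forwarder the chain simply ends at the root server, with the two-way forwarders it cycles.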
Actually, forwarding from child to parent or parent to child or from any server that can't (shouldn't) go external is not a problem. And it is not a requirement to forward to your ISP (or to anyone for that matter), if your DNS server can (is allowed to) go outside and chase referrals. Clients should typically use DNS servers in their own domain, but there is nothing bad in pointing them to any DNS server who has knowledge of the zone information for the client's domain (for example a DNS server in a root domain). I wouldn't get rid of the forwarder, but I will NOT create forwarding from the parent back to the child because then we will have the loop that you mentioned.
I think there is some other configuration problem with the OP's DNS setup, but his descriptions don't quite contain the information necessary to provide a good diagnosis. My suspicion is that the root clients are looking for clients in the child domain using netbios names. Unless the DNS suffix list on the root clients contains the FQDN of the child domain, they will have a hard time locating those child domain computers.
The child domain computers are able to locate the root domain clients by netbios name because (again, this is pure conjecture) the parent FQDN (rootdomain.tld) is also part of the child FQDN (child.rootdomain.tld). This is happening not simply because of forwarding, but because of the DNS devolution process.
If my suspicion is right, all that the OP needs to do is add child.rootdomain.tld to the list of domain suffixes on the parent domain clients. If these clients are XP and above, this can be done through a GPO setting. If they are older than XP, then this will have to be done manually or through scripting.
HTH
Deji
"Phillip Windell" <philwindell[ at ]hotmail.com> wrote in message news:uJdDi8jKJHA.4324[ at ]TK2MSFTNGP05.phx.gbl...
> "Guff Squirrel" <nospam[ at ]nospam.com> wrote in message
> news:eiT0BMjKJHA.5232[ at ]TK2MSFTNGP02.phx.gbl...
>> I have a forwarder from the child dns server to one of the root domain
>> dns server (I guess this is why it works one way)
>
> No, that should not be there.
>
>> Should I create a forwarder to the root dns servers to the child root dns
>> server. Is this correct?
>
> No. Then you end up creating a loop.
>
> All Active Directory DNS Servers within a Forest (regardless of domain)
> all are *already* aware of all of the Zones that exist within the
> Forest,...assuming AD Replication works properly,...that is one of the
> "jobs" of the Replication to keep maintained.
>
> Get rid of the forwarder.
>
> Clients should use only the DNS that is within their own Domain,...they
> should not use the DNS in any of the other domains in the Forest because
> their own DNS already possesses and is aware of all Zones in the Forest.
>
> You should have 2 DNS in each Domain,...not 3 in one Domain and 1 in
> another.
> Each DNS,..in its TCP/IP Config,... should point first to itself and then
> second to its Partner (hence, minimum 2 per domain), but it should not
> include DNSs from other domains because the AD Replication already covers
> that.
>
> Forwarders should only point to *external* DNS Servers such as the ISP's
> DNS for resolving Public Internet Names.
>
> As always,...anyone with more experience is welcome to correct anything I
> have in error. I don't see myself as a great AD expert but am willing to
> learn.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
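The suffix-list and devolution explanation above can be checked with a small simulation. This is an added example, not code from Deji or anyone else in the thread: it generates the FQDN candidates a Windows client would try for a single-label name, first from its primary DNS suffix with name devolution (stripping one leading label at a time, stopping at two labels, a simplification of the real devolution-level rules) and then from an explicit suffix search list, which replaces devolution when configured. The host records, the domain names rootdomain.tld and child.rootdomain.tld, and the short names are constructed for the example.

```python
# Added example (not from the thread): how a short name expands on a Windows
# client, and why a root-domain client misses child-domain hosts without a
# suffix search list. All records and names below are constructed.

# Constructed sample: one host in each AD zone.
RECORDS = {
    "rootpc.rootdomain.tld": "10.0.0.10",
    "childpc.child.rootdomain.tld": "10.0.1.10",
}


def devolve(primary_suffix: str, min_labels: int = 2):
    """Yield the primary suffix, then each parent of it while at least
    min_labels labels remain (simplified devolution: child.rootdomain.tld
    devolves to rootdomain.tld and stops)."""
    labels = primary_suffix.strip(".").split(".")
    while len(labels) >= min_labels:
        yield ".".join(labels)
        labels = labels[1:]


def candidates(short_name: str, primary_suffix: str, search_list=None) -> list:
    """Ordered FQDNs the client tries for a single-label name. An explicit
    suffix search list, when present, is used instead of devolution."""
    suffixes = list(search_list) if search_list else list(devolve(primary_suffix))
    return [f"{short_name}.{suffix}" for suffix in suffixes]


def lookup(short_name: str, primary_suffix: str, search_list=None, records=RECORDS):
    """Return (fqdn, address) for the first candidate that exists, else None."""
    for fqdn in candidates(short_name, primary_suffix, search_list):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


if __name__ == "__main__":
    # Child-domain client finds the root host through devolution.
    print(lookup("rootpc", "child.rootdomain.tld"))
    # Root-domain client never tries the child suffix on its own...
    print(lookup("childpc", "rootdomain.tld"))
    # ...until the child domain is added to its suffix search list.
    print(lookup("childpc", "rootdomain.tld",
                 ["rootdomain.tld", "child.rootdomain.tld"]))
```

The asymmetry the original poster reports falls out directly: devolution only walks upward, so a client in child.rootdomain.tld reaches rootdomain.tld names for free, while a client in rootdomain.tld has no path down to child.rootdomain.tld unless that suffix is listed explicitly.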
"A, Deji" <deji[ at ]akomolafe.com> wrote in message news:OY6yV4sKJHA.728[ at ]TK2MSFTNGP03.phx.gbl...
> Actually, forwarding from child to parent or parent to child or from any
> server that can't (shouldn't) go external is not a problem.
Yea, it isn't a problem if it is handled correctly, but I think more often than not it isn't thought-out correctly. It is not required for resolution within a Forest so I would rather see someone avoid it and try to not create situations where they would find themselves doing that.
> And it is not a requirement to forward to your ISP (or to anyone for that
> mater), if your DNS server can (is allowed to) go outside and chase
> referrals.
I've let them use RootHints for external resolution before and had no problem,..but using a Forwarder seems to be more popular.
> I think there is some other configuration problem with the OP's DNS setup,
> but his descriptions don't quite contain the information necessary to
> provide a good diagnosis.
Yea, probably will take a while to sort out.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------