I’m working in a branch office deployment where the AD is centrally managed, and all offices have a high level of autonomy. In MS terms: central does the service management, branches do data management. I would like the branches to manage their own DNS A records.

In order to do that I am thinking of giving each a delegated subdomain of the main AD (DNS-)domain and giving them the appropriate permissions. Now I’m wondering if I’m going to have a problem with Kerberos. I tried to look it up but what I found on TechNet is less than clear.

Workstations don’t usually offer services, so I’m not too worried about that. But what happens when servers are going to register (through their primary DNS Suffix) in a subdomain? Will they automatically register the correct SPN, will other computers be able to find that, and is there a difference between file/print sharing and more specialized services?

Do any of you have good/bad experiences to share?

--
Regards,
Willem