"best practice" is always relative. Having said that, I don't see a reason to create secondary zones in this scenario. With proper delegation and forwarding, secondary becomes irrelevant - again, in the given scenario. I concur with Roger, and would only add that IF your root servers are able to reach the internet Root Servers on their own, then remove the forwarding from them. Just let your child DNS servers forward to your Root DNS servers and let your Roots chase down the lookup for them.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 6/7/2004 1:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

I would set up a secondary zone for the root on every DC - this simplifies a lot of replication issues. We have recently gone to a forest integrated zone for the root to avoid zone transfer security issues and that seems to be working very well for us.

Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

From: "Creamer, Mark" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 06/07/2004 04:16 PM AST
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Best Practice: DNS settings

OK, so to make sure I'm understanding you Roger, desired changes would be:

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc. to prevent islanding.

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find "itself" then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!
<mc>

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

________________________________
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings

I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

1. All DCs are running AD-integrated DNS

2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary

<RDS> This generally leads to creating the island DC issue - where the DCs can lose each other. I find it much safer to point DCs to different DCs for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.

3. Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary

<RDS> Again - see the statement above. Strikes me that you'd want to point to DCs within the same domain, not cross domains, whenever possible.

4. On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain

<RDS> That's pretty clean - no reason to change that.

5. Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ

<RDS> I find that multiple layers of forwarding gets, well, ugly. I've seen a number of weird issues with that process over the years. You don't mention whether this is a contiguous namespace or not. Some of this also depends on if it's an empty root or a domain containing resources and users.

Are there any flaws to this design that someone can point out to me? Or is it OK?

Thanks, as always...
Mark Creamer

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
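As an added example (not part of the thread above, and not code from any of the posters), here is a PowerShell audit that encodes the rule Roger and Mark converge on: every DC's DNS client list should start with a peer DC in its own domain, never with itself, and should not reach across domains. The inventory in the block is constructed to mirror Mark's layout (domain.com root plus sub1.domain.com); the DC names and IP addresses are assumptions. The commented variant at the end shows how the same inventory can be collected from a live forest with the ActiveDirectory and DnsClient modules.

```powershell
# Added example, not from the original thread. Flags three things per DC:
#   - the DC lists its own address first (island DC risk, Roger's items 2 and 3)
#   - any listed DNS server belongs to a different domain (cross-domain, item 3)
#   - no same-domain peer DC appears in the list at all
function Test-DcDnsClientConfig {
    param(
        # Objects with Domain, Name, IPAddress and an ordered DnsServers list
        [Parameter(Mandatory)] [object[]] $Inventory
    )

    # Index DCs by address so listed DNS servers can be mapped back to a domain
    $byIp = @{}
    foreach ($dc in $Inventory) { $byIp[$dc.IPAddress] = $dc }

    foreach ($dc in $Inventory) {
        $findings = @()

        if ($dc.DnsServers.Count -gt 0 -and $dc.DnsServers[0] -eq $dc.IPAddress) {
            $findings += 'self listed first (island DC risk)'
        }

        foreach ($srv in $dc.DnsServers) {
            $peer = $byIp[$srv]
            if ($null -eq $peer) {
                $findings += "unknown DNS server $srv (not a DC in inventory)"
            } elseif ($peer.Domain -ne $dc.Domain) {
                $findings += "cross-domain DNS server $srv ($($peer.Domain))"
            }
        }

        $sameDomainPeers = @($dc.DnsServers | Where-Object {
            $byIp.ContainsKey($_) -and $byIp[$_].Domain -eq $dc.Domain -and $_ -ne $dc.IPAddress
        })
        if ($sameDomainPeers.Count -eq 0) {
            $findings += 'no same-domain peer DC in DNS list'
        }

        $status = if ($findings.Count -eq 0) { 'OK' } else { 'CHECK' }
        [pscustomobject]@{
            Domain     = $dc.Domain
            Name       = $dc.Name
            DnsServers = ($dc.DnsServers -join ', ')
            Status     = $status
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed inventory (assumed names and addresses) reproducing Mark's items 2 and 3
$inventory = @(
    [pscustomobject]@{ Domain='domain.com';      Name='DC1';   IPAddress='10.0.0.1'; DnsServers=@('10.0.0.1','10.0.0.2') }  # itself first
    [pscustomobject]@{ Domain='domain.com';      Name='DC2';   IPAddress='10.0.0.2'; DnsServers=@('10.0.0.1','10.0.0.3') }  # peers only
    [pscustomobject]@{ Domain='domain.com';      Name='DC3';   IPAddress='10.0.0.3'; DnsServers=@('10.0.0.1','10.0.0.2') }
    [pscustomobject]@{ Domain='sub1.domain.com'; Name='S1DC1'; IPAddress='10.0.1.1'; DnsServers=@('10.0.1.1','10.0.0.1') }  # itself, then root DC
    [pscustomobject]@{ Domain='sub1.domain.com'; Name='S1DC2'; IPAddress='10.0.1.2'; DnsServers=@('10.0.1.1','10.0.1.3') }
    [pscustomobject]@{ Domain='sub1.domain.com'; Name='S1DC3'; IPAddress='10.0.1.3'; DnsServers=@('10.0.1.2','10.0.1.1') }
)

Test-DcDnsClientConfig -Inventory $inventory | Format-Table -AutoSize

# Live collection (assumes the ActiveDirectory and DnsClient modules and PowerShell
# remoting to each DC); builds the same inventory shape from the real forest:
#   $inventory = (Get-ADForest).Domains | ForEach-Object {
#       Get-ADDomainController -Filter * -Server $_ | ForEach-Object {
#           $dns = Invoke-Command -ComputerName $_.HostName -ScriptBlock {
#               (Get-DnsClientServerAddress -AddressFamily IPv4 |
#                   Where-Object ServerAddresses).ServerAddresses
#           }
#           [pscustomobject]@{ Domain=$_.Domain; Name=$_.Name; IPAddress=$_.IPv4Address; DnsServers=@($dns) }
#       }
#   }
```

With the constructed inventory, DC1 and S1DC1 come back as CHECK (self listed first; S1DC1 additionally flags the root DC as cross-domain), while DC2, DC3, S1DC2 and S1DC3 come back OK. The check only covers the DNS client side of the design; delegations and forwarders (Mark's items 4 and 5) live in the DNS server configuration and are not examined here.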