I remember it well - my only trip to NC if I am not mistaken. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 08, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

Aric,

You are correct - I never claimed to invent this ;-)

BTW - This is the end result of what you looked at a couple of years ago when Tom B. had you come to Greensboro for a day....

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, December 08, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

Smells like a MS best practice for branch office environments... ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 08, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

OK - here is the rest of the story...

The scenario is a worldwide corp (200+ physical locations, 180 +/- DCs, 4 regional child domains, all site level DCs are also GCs). Clients use their local child domain DC as their DNS server. A fair percentage of our locations are in places that are really network challenged...

A design goal was to have users at a site be able to sign on and use their local resources even if their WAN link or an upstream WAN link was down. To avoid cached credentials, you need to be able to find three things during logon: a DC for the domain that has the account, a GC if you are in a multidomain forest, and a DNS server that is authoritative for the domain that contains the user/computer.

_msdcs is what is used to locate the GC. We wanted a local copy of this so that we could ensure that the users could get a Kerberos ticket even if they could not get all the way back to the TLD servers in the network backbone that have the authoritative copy of the TLD _msdcs. Because each site level DC is a GC and the clients point to the site level DC for DNS and that DNS server has enough info to locate a GC (the locator records in _msdcs), the site's users can log on and get a Kerberos ticket even if their WAN link is down.

The TLD secondary onto the child DCs makes sure that the DNS resolution traffic stays local and the zone is available if the site WAN link is down.

I agree that the child zones should not be secondaried on the parent server.

FWIW - Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 08, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

I have been away for a while and have not been following this conversation closely, so excuse me if I missed some of the relevant conversation.

Looking at what you've written, I do not understand what the purpose of this exercise would be. If you have a parent-child topology, and you configure the child DNS servers to forward to the parent DNS servers, why would you need to secondary the parent zone on the child DNS? If you have a parent-child topology, and you delegate the child zone to the child DNS servers from the parent DNS servers, why would you need to secondary the child zone on the parent DNS?

[MY lawyer wants me to include this: I am NOT responsible for MY thoughts ]
[My wife says to include this: I am NOT responsible ]

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 12/8/2004 7:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

It is possible to break out the TLD _msdcs and then create secondaries for just that portion of the TLD zone and transfer those to the child domains.

Setup:
W2K SP4
W2K DNS only
All AD domain DNS zones are AD integrated
TLD and 4 peer child domains

On the first server in the TLD run the following to break out _msdcs:

dnscmd . /ZoneAdd _msdcs.sample.com /DsPrimary
dnscmd . /Config _msdcs.sample.com /AllowUpdate 2
dnscmd . /Config _msdcs.sample.com /SecureSecondaries 0
dnscmd . /Config _msdcs.sample.com /Aging 1
dnscmd . /Config _msdcs.sample.com /NoRefreshInterval 168
dnscmd . /Config _msdcs.sample.com /RefreshInterval 168

This will then replicate to all of the TLD DCs via std AD DNS replication.

On the primary role holder DC for each child domain create a std secondary (non-AD integrated) of the _msdcs.sample.com zone. The source for this secondary should be the primary role holder of the TLD.

On each additional child domain DC create a std secondary (also non-AD integrated) of _msdcs.sample.com where the source is the primary role holder of the child domain.

The reason for the pickiness of the secondary sources is because the SOA serial numbers in an AD integrated zone are not consistent. Since I used std secondaries, I need consistent serial numbers to make sure that replication works correctly.

Admittedly there is some zone transfer latency here, but once you get your environment built the TLD is relatively stable.

FWIW - Frank

(My lawyer wants me to add the note that you should do this in a test forest FIRST and make sure it works correctly in your environment ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, December 01, 2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

Why? What good would that do for you?

I understand what you're saying though. No, you wouldn't be able to define just ._msdc as your transfer target. You'd have to define the entire zone that ._msdc belongs to. It's not a zone in itself (which is what you were asking earlier, right? It's just a folder for all intents and purposes; it's referred to as a service name and most of those are defined in RFC 1700.)

Did I answer the question this time or am I still missing something?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

How can you just transfer the _msdc zone in a Win2k forest? Not the whole root domain.com zone, just the _msdc zone from the root? I don't think that's possible.

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS root

Child domains MUST be able to resolve root resources. How you accomplish that is open, but a forwarder doesn't come to mind. Failure to resolve those names would result in broken replication and other issues.

DNS is not required to be on Windows servers, but it must be on RFC 2052 and RFC 2136 compliant DNS servers. 2052 defines a host that can handle SRV records. 2136 defines DDNS.

I've got a setup right now that transfers SRV zones between a root and a child domain. Works fine, so I can't think why you couldn't transfer it to another server such as a BIND or Lucent DNS server. Maybe it's a permissions issue? What's the problem that you're seeing?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 4:28 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] DNS root

If I had a multi domain Win2k forest and my child domains were delegated control of their respective zones but did not have a secondary copy of the root zone OR were forwarding to the root, would that cut them off from the forest?

This is a really basic AD question, but I just wanted to know for sure.

If the above scenario is true, then no child dc would be able to replicate with other domain dc's and gc lookups would fail. True?

Also, is _msdc technically a zone like any other dns zone or is it just some strange folder? I know its purpose, but is it really a zone?
Because it can't be transferred like a zone or have a secondary copy on a child dns server.

What is the design reasoning of MS for only having dc's and gc's register in the root zone and not on other dc's zones? I know this can be changed in Win2k3 with App partitions, but I was just curious as to why this was designed this way that I always need connectivity to the root for replication and gc lookups.

Thanks. A lot of basic questions and I apologize.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
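The following is an added example, not code from the thread or from any of its posters. It turns Frank's 7:13 AM procedure (break _msdcs.sample.com out as a DS-primary zone on the TLD, standard secondary on each child's primary role holder sourced from the TLD primary role holder, standard secondaries on the remaining child DCs sourced from their own child's primary role holder) into a per-server dnscmd plan, and it encodes the reason he gave for the strict master choice: every standard secondary must have exactly one master, because AD-integrated copies of a zone do not carry consistent SOA serial numbers. The hostnames and IP addresses are constructed; sample.com is the zone name from Frank's message; `dnscmd . /ZoneAdd <zone> /Secondary <masterIP>` is the standard dnscmd syntax for creating a secondary zone, and the script only prints commands, it does not run them.

```python
"""Plan the _msdcs break-out and the one-master-per-secondary transfer chain.

Added example (not the thread's code). Server names and IPs are constructed.
"""
from dataclasses import dataclass, field

FOREST_ROOT = "sample.com"               # TLD name used in the thread
MSDCS_ZONE = f"_msdcs.{FOREST_ROOT}"


@dataclass
class Domain:
    """One AD domain: its primary role holder (the single master) and its other DCs."""
    name: str
    primary_role_holder: str                  # hostname of the master DC (constructed)
    primary_ip: str                           # its IP, used as the /Secondary master
    other_dcs: list[str] = field(default_factory=list)


def tld_commands() -> list[str]:
    """Lines to run once on the first TLD DC ('.' = the local server).
    AD replication carries the DS-primary zone to the remaining TLD DCs."""
    return [
        f"dnscmd . /ZoneAdd {MSDCS_ZONE} /DsPrimary",
        f"dnscmd . /Config {MSDCS_ZONE} /AllowUpdate 2",
        f"dnscmd . /Config {MSDCS_ZONE} /SecureSecondaries 0",
        f"dnscmd . /Config {MSDCS_ZONE} /Aging 1",
        f"dnscmd . /Config {MSDCS_ZONE} /NoRefreshInterval 168",
        f"dnscmd . /Config {MSDCS_ZONE} /RefreshInterval 168",
    ]


def secondary_command(master_ip: str) -> str:
    """Standard (file-backed, non-AD-integrated) secondary pulling from one master."""
    return f"dnscmd . /ZoneAdd {MSDCS_ZONE} /Secondary {master_ip}"


def build_plan(tld: Domain, children: list[Domain]) -> dict[str, list[str]]:
    """Map each DC hostname to the dnscmd lines to run on it.

    Child primary role holders pull from the TLD primary role holder; every other
    child DC pulls from its own child's primary role holder, so each standard
    secondary compares serials against exactly one master."""
    plan = {tld.primary_role_holder: tld_commands()}
    for child in children:
        plan[child.primary_role_holder] = [secondary_command(tld.primary_ip)]
        for dc in child.other_dcs:
            plan[dc] = [secondary_command(child.primary_ip)]
    return plan


def masters(plan: dict[str, list[str]]) -> dict[str, str]:
    """Extract hostname -> master IP for every secondary line in a plan."""
    out = {}
    for host, lines in plan.items():
        for line in lines:
            if "/Secondary" in line:
                out[host] = line.rsplit(" ", 1)[1]
    return out


def check_transfer_chain(plan: dict[str, list[str]], tld: Domain,
                         children: list[Domain]) -> list[str]:
    """Flag any secondary whose master breaks the chain: a child primary not
    sourced from the TLD primary, or another child DC not sourced from its own
    child primary. An empty list means the plan is consistent."""
    problems = []
    ms = masters(plan)
    for child in children:
        if ms.get(child.primary_role_holder) != tld.primary_ip:
            problems.append(f"{child.primary_role_holder}: must pull from TLD primary {tld.primary_ip}")
        for dc in child.other_dcs:
            if ms.get(dc) != child.primary_ip:
                problems.append(f"{dc}: must pull from {child.name} primary {child.primary_ip}")
    return problems


# Constructed topology: the TLD plus two of the four child domains.
TLD = Domain("sample.com", "tld-dc1", "10.0.0.10")
CHILDREN = [
    Domain("emea.sample.com", "emea-dc1", "10.1.0.10", ["emea-dc2", "emea-dc3"]),
    Domain("apac.sample.com", "apac-dc1", "10.2.0.10", ["apac-dc2"]),
]

if __name__ == "__main__":
    plan = build_plan(TLD, CHILDREN)
    for host, lines in plan.items():
        print(f"# run on {host}")
        print("\n".join(lines))
    print("problems:", check_transfer_chain(plan, TLD, CHILDREN) or "none")
```

The check is worth keeping around after the build: the mistake it catches (an additional child DC pointed at a TLD DC, or at a different child DC) produces a secondary whose serial comparisons are unreliable, which shows up as a zone that silently stops refreshing. Note also that the thread's `/SecureSecondaries 0` lets any requester pull the zone; dnscmd can restrict transfers to a listed set of secondaries, and a production deployment should do that rather than leave the locator data open to transfer by anyone who can reach port 53.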