You could use conditional-forwarding. You could also set up an AD int stub zone. I'm not well versed in the security aspects of either... but either one of those would work fine...
:m:dsm:cci:mvp | marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, October 26, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: DNS setup questions

OK; my Google-fu isn't working well today, and it's been a while since I had to do any advanced DNS work. Too much BPM work, not enough AD admin lately...

Here's the scenario:

Our domain: W2K3 functional level single-domain forest using AD-integrated DNS, secure updates only
Partner domain: W2K3 functional level single-domain forest using BIND DNS.

We are planning to establish a trust between the domains. We need to set up DNS so that both domains can resolve at minimum SRV records to keep the trust working and allow member enumeration for selective auth setup.

IIRC, we need to create secondary zones in each domain pointing to the other domain, and on the W2K3 side, add the BIND servers to the nameservers tab, right? Anything else I need to do on the W2K3 DNS side? I really think I'm missing something here, but I can't find any information with the answers I need...

Also, if I allow zone transfers to the other domain's DNS IP addresses, what's to prevent them from setting up something other than a secondary server? I know AD integrated won't allow another AD integrated DNS server outside the current domain, but I just want to make sure I don't leave anything insecure...

Thanks...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
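As an added example (not from either poster), here is how the conditional-forwarding option Marcus mentions could be wired up for the scenario Charlie describes: a conditional forwarder on the W2K3 side pointing at the partner's BIND servers, the matching forward zone on the BIND side, and zone transfers of the AD-integrated zone refused so the question of "something other than a secondary" never arises. Zone names and IP addresses are placeholders.

```powershell
# Added example, not from the thread. Placeholder names and addresses:
#   ours.example    = our AD-integrated zone on the W2K3 DC
#   partner.example = the partner's BIND-hosted zone
#   192.0.2.10/11   = partner BIND servers; 198.51.100.5 = our DC/DNS
$PartnerZone = 'partner.example'
$PartnerDns  = '192.0.2.10', '192.0.2.11'
$OurZone     = 'ours.example'

# 1. W2K3 side: conditional forwarder for the partner zone. Queries for
#    partner.example are sent straight to the BIND servers; no copy of
#    their zone is held locally, so nothing needs to be transferred.
dnscmd /ZoneAdd $PartnerZone /Forwarder $PartnerDns

# 2. W2K3 side: refuse AXFR of our zone to anyone. Our own DCs get the
#    zone through AD replication, not zone transfer, so the trust does
#    not need transfers to be open at all.
dnscmd /ZoneResetSecondaries $OurZone /NoXfr

# 3. Check from our side that the SRV records the trust relies on
#    actually resolve through the forwarder.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$PartnerZone"
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$PartnerZone"

# Partner (BIND 9) side, named.conf equivalent of steps 1 and 2:
#   zone "ours.example" {
#       type forward;
#       forward only;
#       forwarders { 198.51.100.5; };
#   };
#   zone "partner.example" {
#       type master;
#       file "partner.example.zone";
#       allow-transfer { none; };   // or only their own secondaries
#   };
```

A stub zone (`dnscmd /ZoneAdd $PartnerZone /Stub $PartnerDns`) has the same property: it holds only the partner's SOA/NS/glue records, so neither option gives the other side a full copy of your zone the way a secondary would.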