Yeah I think you're right. I completely overlooked that part about Bind. :)
:m:dsm:cci:mvp | marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, October 26, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS setup questions

Since the partner forest is not using AD DNS zones but a Unix BIND system, wouldn't that eliminate the ability to do the conditional forwarding? I thought that required both sides to be W2K3 AD DNS...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, October 26, 2006 1:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS setup questions
>
> You could use conditional-forwarding. You could also set up
> an AD int stub zone. I'm not well versed in the security
> aspects of either... but either one of those would work fine...
>
> :m:dsm:cci:mvp | marcusoh.blogspot.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Charlie Kaiser
> Sent: Thursday, October 26, 2006 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: DNS setup questions
>
> OK; my Google-fu isn't working well today, and it's been a
> while since I had to do any advanced DNS work. Too much BPM
> work, not enough AD admin lately...
>
> Here's the scenario:
>
> Our domain: W2K3 functional level single-domain forest using
> AD-integrated DNS, secure updates only
> Partner domain: W2K3 functional level single-domain forest
> using BIND DNS.
>
> We are planning to establish a trust between the domains. We
> need to set up DNS so that both domains can resolve at
> minimum SRV records to keep the trust working and allow
> member enumeration for selective auth setup.
> IIRC, we need to create secondary zones in each domain
> pointing to the other domain, and on the W2K3 side, add the
> BIND servers to the nameservers tab, right? Anything else I
> need to do on the W2K3 DNS side? I really think I'm missing
> something here, but I can't find any information with the
> answers I need...
>
> Also, if I allow zone transfers to the other domain's DNS IP
> addresses, what's to prevent them from setting up something
> other than a secondary server? I know AD integrated won't
> allow another AD integrated DNS server outside the current
> domain, but I just want to make sure I don't leave anything
> insecure...
>
> Thanks...
>
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
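For the W2K3 side of the setup discussed above, an added dnscmd example (not from anyone in this thread): a conditional forwarder to the partner's BIND servers plus outbound zone transfers of our zone restricted to those servers' addresses. Zone names and IPs are placeholders, and the forwarder target only has to answer queries for its own zone, so a BIND server on the far end is fine.

```batch
@echo off
REM Added example, not from the thread. Run on a W2K3 DNS server that hosts
REM the AD-integrated zone. Names and IPs below are placeholders.
REM Syntax as documented by "dnscmd /?" on Windows Server 2003; confirm on your build.

set OURZONE=corp.example.com
set PARTNERZONE=partner.example.net
set PARTNER_BIND=192.0.2.53 192.0.2.54

REM 1) Resolve the partner's zone. A conditional forwarder sends only queries
REM    for PARTNERZONE to the partner's BIND servers; nothing else is forwarded.
dnscmd /ZoneAdd %PARTNERZONE% /Forwarder %PARTNER_BIND%

REM    Alternative: a stub zone keeps only NS/SOA/glue and tracks NS changes.
REM dnscmd /ZoneAdd %PARTNERZONE% /Stub %PARTNER_BIND%

REM 2) Let the partner's BIND servers pull OUR zone as a secondary, but only
REM    from the listed IPs, and send NOTIFY only to them. W2K3 controls
REM    transfers by IP list only (no TSIG), so keep this list tight.
REM    A transfer hands out a read-only copy; the receiver cannot push records
REM    into the AD-integrated zone, which still requires secure (Kerberos) updates.
dnscmd /ZoneResetSecondaries %OURZONE% /SecureList %PARTNER_BIND% /NotifyList %PARTNER_BIND%

REM    The SRV records used for DC location live under _msdcs; on a forest
REM    created with W2K3 that is a separate zone, so apply the same restriction.
dnscmd /ZoneResetSecondaries _msdcs.%OURZONE% /SecureList %PARTNER_BIND% /NotifyList %PARTNER_BIND%

REM 3) Verify the transfer settings and that the trust-relevant SRV records resolve.
dnscmd /ZoneInfo %OURZONE%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%PARTNERZONE%
```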