Compatible Support Forums
Davros

DNS Advice


Our company is about to migrate from NT4 to a W2K domain. I'm currently planning the migration and domain design. We will have an empty root domain with 3 child domains, one for each city. One of the cities will have 5 sites within the domain, separated by WAN links. This is the domain that I am directly responsible for. Each site will have one domain controller, which will also be a DNS server. Previously we only used WINS for internal name resolution, but we will leave WINS behind and rely on DNS alone.


My only uncertainty is in regards to DNS. What I want is for every client to use the DNS server in its respective site or domain. Easy enough, through DHCP. I want all clients to dynamically register A and PTR records with the DNS server in its site or domain, and those RRs should replicate to all other name servers in the forest. I want every DNS server to be able to resolve names in its domain, parent domain, and sibling domains. Then I want unresolved queries forwarded to our ISP's name servers. I want to use AD integrated zones, and secure DDNS.


So, do I create just one zone at the root domain's DNS server, and include all child domains in this zone? Or should I create a zone for each domain, and delegate authority to that domain's name servers? Also, would it be better to configure forwarding to our ISP's name servers, or use root hints to let our servers do the work?

I am going to bed right now, but list how many subdomains you are hosting and how many systems in each one. I can give you a quick rundown on how I would do it, and see if that meets your needs.

I knew you'd be the one, Clutch! :)


One empty root domain, parent.com. 3 child domains, child1.com, child2.com, child3.com. Child1.com has about 60 systems, and is in the same site as the parent domain. Child2.com has about 100 systems, and is connected via WAN link to the parent domain. Child3.com has about 300 systems spread over 5 sites. 4 sites in child3.com are connected via WAN links to the central site in that domain, which in turn is connected to the parent domain via WAN link. These links are between 128k-384k. Each site also has its own high speed connection to the Internet.


I've been reading up to refresh my DNS knowledge, and am leaning towards just putting all domains in one AD integrated zone, and listing all DNS servers as authoritative for that zone, and letting each DNS server use root hints for unresolved queries. What do you think?

If you plan on having them as distributed management (where each child domain can have its own admin but that admin can't manage the enterprise), then the nomenclature would be:


root = parent.com

child1 = child1.parent.com

child2 = child2.parent.com

child3 = child3.parent.com


In this respect, you would set up your root domain first, and then have at least 2 domain controllers in it. On those controllers, install your DNS services and set up your forwarders to point to the "real" DNS servers from your ISP (this can be the tricky part, as with proper replication the DNS system should have a local cache of all the info from *.parent.com servers and only go to the outside when using outside resources). Once they are up, stable, and not reporting any errors, then try child1.parent.com. On that one, set up the DC's DNS to only replicate traffic with the servers on its nameservers tab, and on that tab list parent.com's DNS servers. You want to do this so that your DNS server doesn't spend all day replicating traffic with anyone that will listen. You will want to do the same thing for parent.com and make sure that they sync properly afterward (it might take 5 minutes or so). Now, on child1.parent.com, try getting to the internet. If, for some reason, it doesn't allow you to get out, put parent.com's DNS boxes in the forwarders tab of child1.parent.com's DNS server. The main rule that you really want to focus on is *keep your internal DNS internal*. Make sure that none of the client systems get contaminated with outside data, or they might resolve parent.com as the external IP to your webserver and never get info from your DCs. Once the sync works well between child1.parent.com and parent.com, do the same for child2.parent.com. Rinse and repeat.


One more thing, if you have pre-Windows 2000 machines having WINS around isn't such a bad idea. So, if your DNS system has slow resolution times or you have apps that only want to use \\machinename... then simply set up a single WINS box with your DNS boxes in each domain (or more if you like) and then have your DNS perform WINS and WINS-R lookups. Once a system (like Windows NT 4.0) comes online, it will pick up its IP from DHCP, and register with WINS. Then, if someone does a ping for nt4.child1.parent.com, the DNS system will look locally first for nt4, and when it doesn't find it, it will scan the WINS DB. Once that's done, it will return the info as nt4.child1.parent.com, appending the proper DNS suffix auto-magically. The process is very fast, so don't be too concerned about this. Just keep this in mind if DDNS registration doesn't work as advertised for you (it rarely did for me).
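The rule in the post above, *keep your internal DNS internal*, is something you can check rather than just hope for. The following is an added Python example, not code from the thread or from Windows DNS: it takes a set of resolver answers (constructed sample data, with placeholder names and addresses) and flags internal names that resolve to non-RFC 1918 addresses, plus internal zones whose NS records name a server outside the DCs listed on the Name Servers tab. The zone names, server names, address ranges and the "contaminated" parent.com answer are all assumptions made for the example.

```python
import ipaddress

# Constructed inputs (assumptions for this example, not from the thread):
# the forest's internal zones and the only servers that should appear as
# authoritative name servers for them (the DCs listed on the Name Servers tab).
INTERNAL_ZONES = (
    "parent.com",
    "child1.parent.com",
    "child2.parent.com",
    "child3.parent.com",
)
AUTHORIZED_NS = {
    "dc1.parent.com",
    "dc2.parent.com",
    "dc1.child1.parent.com",
    "dc1.child2.parent.com",
    "dc1.child3.parent.com",
}
# Internal hosts that are deliberately published with a public address.
PUBLIC_HOSTS = {"www.parent.com"}

# Address space the internal DCs and clients actually live in (RFC 1918).
# Checked explicitly rather than with ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed resolver answers, keyed by (owner name, record type), as a client
# in one of the sites might receive them. The 203.0.113.5 answer for parent.com
# is the "contaminated" case from the post: the public web server address has
# leaked into the internal zone's apex.
SAMPLE_ANSWERS = {
    ("parent.com", "A"): ["10.1.0.10", "203.0.113.5"],
    ("dc1.child1.parent.com", "A"): ["10.2.0.10"],
    ("nt4.child1.parent.com", "A"): ["10.2.0.55"],
    ("www.parent.com", "A"): ["203.0.113.5"],
    ("parent.com", "NS"): ["dc1.parent.com", "dc2.parent.com"],
    ("child1.parent.com", "NS"): ["dc1.child1.parent.com", "ns1.isp.example"],
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()


def in_internal_zone(name, zones=INTERNAL_ZONES):
    """True if the name is the apex of, or sits below, one of the internal zones."""
    n = normalize(name)
    return any(n == z or n.endswith("." + z) for z in zones)


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_answers(answers, zones=INTERNAL_ZONES, authorized_ns=AUTHORIZED_NS,
                  public_hosts=PUBLIC_HOSTS):
    """Return (name, rrtype, rdata, reason) for every answer that breaks the
    'internal DNS stays internal' rule."""
    findings = []
    for (name, rrtype), rdata in answers.items():
        name = normalize(name)
        if not in_internal_zone(name, zones):
            continue  # external names are expected to carry public data
        if rrtype == "A" and name not in public_hosts:
            for ip in rdata:
                if not is_rfc1918(ip):
                    findings.append((name, rrtype, ip,
                                     "internal name resolves to a non-RFC1918 address"))
        elif rrtype == "NS":
            for ns in rdata:
                if normalize(ns) not in authorized_ns:
                    findings.append((name, rrtype, normalize(ns),
                                     "internal zone lists a name server outside the DCs"))
    return findings


if __name__ == "__main__":
    for name, rrtype, rdata, reason in audit_answers(SAMPLE_ANSWERS):
        print(f"{name} {rrtype} {rdata}: {reason}")
```

Run it against answers captured from a client in each site (for instance the output of nslookup against the site's DHCP-assigned DNS server, parsed into the same dictionary shape); a finding on a zone apex or a DC name is exactly the contamination the post warns about, and an unexpected NS entry means the zone is replicating with, or has picked up, a server you did not list.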

Sorry about my mistaken nomenclature regarding child1.com vs child1.parent.com, I hadn't had my coffee yet! :)

Hopefully we will have all legacy machines upgraded by the time the servers are ready, so I may not need WINS at all.


Let me make sure I understand properly.

First, I set up DNS on the parent.com domain controller, with all child domains in the same zone, and replication should ensure that all nameservers have info on every system in the forest.

I set up DNS on child1.parent.com, and allow replication only between it and parent.com, to reduce traffic. (we are not a 24/7 operation, so I will schedule AD and DNS replication to take place overnight.)

I set up forwarders on each DNS server pointing to our ISP's nameservers.

Ensure that RR's for parent.com do not point to our public address.

Repeat for other child domains.

I'm pretty sure I have this straight; it really isn't that complicated, but I want to get it right the first time and not waste a lot of time troubleshooting.


I have heard that some people prefer to let their nameservers use root hints for external name queries, rather than forwarding to the ISP's DNS. Supposedly it eliminates one step and can increase performance. Is this a better way? Or will all the extra recursive queries be a burden on our DNS servers?


Thanks for the info!

You pretty much have it bud. When you setup your domain controllers, go ahead and let it install DNS for you, but remember that you will have to configure it to some extent on your own. I would also try to have the child domain controllers forward their unknown DNS requests to your ISP (or use root hints, which may help you out as you stated) to speed up the process, but if you have any resolution issues (like clients stating that they can't get group policies) then set up the child domain forwarders to point to the parent domain DNS boxes.

I haven't run dcpromo yet, but I've got DNS working perfectly now. One zone with all domains, replication only between specified nameservers, forwarders to the local ISP. Thanks for the help, and I love your new sig. :)

:)


Cool, just keep an eye on the logs to make sure that any group policies will propagate properly.

Quote:
Pathetic x) x)


Why is that? I have all my domains up and running perfectly now. It had been a while since I set up DNS zones so I bounced some ideas around with Clutch, and of course that helped greatly. Have you been able to help anyone EVER? Quit trolling and conform, or better yet, just go bug the Yahoo forums, types like you are always welcome there.
