
dns on multiple domains

 
okon3

External


Since: Dec 05, 2007
Posts: 7



(Msg. 1) Posted: Wed Dec 05, 2007 3:32 pm
Post subject: dns on multiple domains
Archived from groups: microsoft>public>win2000>dns

I have 2 domains and 3 domain controllers.
One domain for our voice network(Cisco windows 2000 server unity server with
Exchange) with one of the DCs and integrated dns and it also has an
integrated reverse lookup zone for our data network.
Our data domain has the other two DC's(windows 2000 server soon to be
upgraded to 2k3 server) and integrated DNS, one of these DCs has a primary
DNS zone for our voice domain, the other DC has no reference to the voice
domain(I would like it to).

Can I integrate the voice domains dns into our data domain dns servers or
what would be the recommended path?
Is there a limit to the number of AD integrated zones on 2000 or 2003
server? We are about to add some subnets for separate wireless access and
other projects that we would like to keep separate from our internal data
subnet, can I integrate these subnets as well if there is no real
authentication taking place?
Thanks

Kevin D. Goodknech1

External


Since: Jun 20, 2004
Posts: 640



(Msg. 2) Posted: Wed Dec 05, 2007 10:24 pm
Post subject: Re: dns on multiple domains

Read inline please.

In news:35CBD83B-0907-40A4-AF2F-02B5F48EA7EB@microsoft.com,
okon3 typed:
> I have 2 domains and 3 domain controllers.
> One domain for our voice network(Cisco windows 2000 server unity
> server with Exchange) with one of the DCs and integrated dns and it
> also has an integrated reverse lookup zone for our data network.
> Our data domain has the other two DC's(windows 2000 server soon to be
> upgraded to 2k3 server) and integrated DNS, one of these DCs has a
> primary DNS zone for our voice domain, the other DC has no reference
> to the voice domain(I would like it to).
>
> Can I integrate the voice domains dns into our data domain dns
> servers or what would be the recommended path?
> Is there a limit to the number of AD integrated zones on 2000 or 2003
> server? We are about to add some subnets for separate wireless
> access and other projects that we would like to keep separate from
> our internal data subnet, can I integrate these subnets as well if
> there is no real authentication taking place?
> Thanks

Yes, you can set up a zone stored in AD for another domain, but, before you
could use Secure updates, you'll need to create a trust, and make sure the
server in the external Domain has update rights in the zone. There is no
replication between external domains, but you can have Authentication in the
zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

okon3

External


Since: Dec 05, 2007
Posts: 7



(Msg. 3) Posted: Thu Dec 06, 2007 4:38 pm
Post subject: Re: dns on multiple domains

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Read inline please.
>
> In news:35CBD83B-0907-40A4-AF2F-02B5F48EA7EB@microsoft.com,
> okon3 typed:
> > I have 2 domains and 3 domain controllers.
> > One domain for our voice network(Cisco windows 2000 server unity
> > server with Exchange) with one of the DCs and integrated dns and it
> > also has an integrated reverse lookup zone for our data network.
> > Our data domain has the other two DC's(windows 2000 server soon to be
> > upgraded to 2k3 server) and integrated DNS, one of these DCs has a
> > primary DNS zone for our voice domain, the other DC has no reference
> > to the voice domain(I would like it to).
> >
> > Can I integrate the voice domains dns into our data domain dns
> > servers or what would be the recommended path?
> >
> > Thanks
>
> Yes, you can set up a zone stored in AD for another domain, but, before you
> could use Secure updates, you'll need to create a trust, and make sure the
> server in the external Domain has update rights in the zone. There is no
> replication between external domains, but you can have Authentication in the
> zone.
>
OK thanks, is there a benefit other than redundancy without replication?
also:
Is there a limit to the number of AD integrated zones on 2000 or 2003
server? We are about to add some subnets for separate wireless access and
other projects that we would like to keep separate from our internal data
subnet, can I integrate these subnets as well if there is no real
authentication taking place? AD network authentication that is.
Thanks again,
Tom
Kevin D. Goodknech1

External


Since: Jun 20, 2004
Posts: 640



(Msg. 4) Posted: Fri Dec 07, 2007 12:03 am
Post subject: Re: dns on multiple domains

Read inline please.

In news:5E4B51B2-CD5A-4FFD-98E3-23AB16766A4F@microsoft.com,
okon3 typed:
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>
>> Read inline please.
>>
>> In news:35CBD83B-0907-40A4-AF2F-02B5F48EA7EB@microsoft.com,
>> okon3 typed:
>>> I have 2 domains and 3 domain controllers.
>>> One domain for our voice network(Cisco windows 2000 server unity
>>> server with Exchange) with one of the DCs and integrated dns and it
>>> also has an integrated reverse lookup zone for our data network.
>>> Our data domain has the other two DC's(windows 2000 server soon to
>>> be upgraded to 2k3 server) and integrated DNS, one of these DCs has
>>> a primary DNS zone for our voice domain, the other DC has no
>>> reference
>>> to the voice domain(I would like it to).
>>>
>>> Can I integrate the voice domains dns into our data domain dns
>>> servers or what would be the recommended path?
>>>
>>> Thanks
>>
>> Yes, you can set up a zone stored in AD for another domain, but,
>> before you could use Secure updates, you'll need to create a trust,
>> and make sure the server in the external Domain has update rights in
>> the zone. There is no replication between external domains, but you
>> can have Authentication in the zone.
>>
> OK thanks, is there a benefit other than redundancy without
> replication?

SECURITY

> also:
> Is there a limit to the number of AD integrated zones on 2000 or 2003
> server?

I have over 1000 zones on two servers and haven't found the wall yet.

> We are about to add some subnets for separate wireless
> access and other projects that we would like to keep separate from
> our internal data subnet, can I integrate these subnets as well if
> there is no real authentication taking place? AD network
> authentication that is.

Any zone on a Domain Controller can be stored in Active Directory (ADI). If
your DCs are in different Forests, or different Domains under Win2k, there
will be no replication between the servers, but you can still have a trust
and Authenticate between them. Just to read DNS requires no Authentication,
and is probably the only service on Win2k or Win2k3 that doesn't require
some sort of Authentication to read. However, setting the zone to Only
Secure updates will require AD Authentication with a privileged account to
update.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

okon3

External


Since: Dec 05, 2007
Posts: 7



(Msg. 5) Posted: Mon Dec 10, 2007 9:25 pm
Post subject: Re: dns on multiple domains

Kevin,
Thanks for your reply and I apologize for the delay in my response.

I think I'm confusing myself, we are about to attempt public internet access.
I've not configured DHCP or DNS for non-AD devices or users. I think that is
where I'm making it more difficult than it needs to be.

Should I just set up a DHCP scope and point the dns stuff to my ISPs or to
my DNS servers=a AD integrated reverse look up zone so it replicates between
my two DCs???
Thanks again,
Ace Fekay [MVP]

External


Since: Mar 29, 2006
Posts: 238



(Msg. 6) Posted: Thu Dec 13, 2007 11:59 pm
Post subject: Re: dns on multiple domains

In news:1C1A0EB9-5514-43FD-B299-0F91F341FA8A@microsoft.com,
okon3 typed:
> Kevin,
> Thanks for your reply and I apologize for the delay in my response.
>
> I think I'm confusing myself, we are about to attempt public internet
> access. I've not configured DHCP or DNS for non-AD devices or users.
> I think that is where I'm making it more difficult than it needs to
> be.
>
> Should I just set up a DHCP scope and point the dns stuff to my ISPs
> or to my DNS servers=a AD integrated reverse look up zone so it
> replicates between my two DCs???
> Thanks again,

With AD, you should always only use the internal DNS addresses for DHCP
Option 006. Your DNS will resolve the external queries for your clients. You
can specify both of your DCs as the first and second DNS entries.

You can also configure a forwarder in your DNS to send external queries to
the ISP's. If you are not sure how to do that, read this article:

How to configure DNS for Internet access in Windows Server 2003
This step-by-step guide describes how to configure Domain Name System (DNS) for
Internet access in the Windows Server 2003 products. DNS is the core name ...
http://support.microsoft.com/kb/323380


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield
okon3

External


Since: Dec 05, 2007
Posts: 7



(Msg. 7) Posted: Thu Dec 13, 2007 11:59 pm
Post subject: Re: dns on multiple domains

> > I think I'm confusing myself, we are about to attempt public internet
> > access. I've not configured DHCP or DNS for non-AD devices or users.
> > I think that is where I'm making it more difficult than it needs to
> > be.
> >
> > Should I just set up a DHCP scope and point the dns stuff to my ISPs
> > or to my DNS servers=a AD integrated reverse look up zone so it
> > replicates between my two DCs???
> > Thanks again,
>
> With AD, you should always only use the internal DNS addresses for DHCP
> Option 006. Your DNS will resolve the external queries for your clients. You
> can specify both of your DCs as the first and second DNS entries.
>
> You can also configure a forwarder in your DNS to send external queries to
> the ISP's. If you are not sure how to do that, read this article:
>
> How to configure DNS for Internet access in Windows Server 2003
> This step-by-step guide describes how to configure Domain Name System (DNS) for
> Internet access in the Windows Server 2003 products. DNS is the core name ...
> http://support.microsoft.com/kb/323380
>

Thanks Ace,
What I mean is for computers that we don't want on our internal network.
Like a Starbucks or Barnes and Noble bookstore.
We have our internal network on one subnet, then offer wireless as well as a
few public access hardwired PCs on a different subnet.
Do I set this scope up with our internal DNS ip's or our ISP's dns
same question about a website in a dmz, point to internal dns or isp dns?

I may be all wrong and not have a valid concern, if a public wireless user
uses a ipconfig /all then they have the ip to our DC, again maybe I'm
concerned for nothing But I would think having the specific IP would give
them a good target??? And yes we do have all traffic other than outbound
internet traffic blocked by our router, Hopefully my concern is all for naught.

I've seen and read a few documents including the one you pointed out , but
nothing that really discusses AD network traffic for non-(I'll say AD)
traffic=authenticated users and machines.
Thanks again for your time and responses to all the posts.
Tom
Ace Fekay [MVP]

External


Since: Mar 29, 2006
Posts: 238



(Msg. 8) Posted: Sat Dec 15, 2007 12:42 am
Post subject: Re: dns on multiple domains

In news:206A94D8-D6D5-427A-91CF-950BACF71C98@microsoft.com,
okon3 typed:

> Thanks Ace,
> What I mean is for computers that we don't want on our internal
> network. Like a Starbucks or Barnes and Noble bookstore.
> We have our internal network on one subnet, then offer wireless as
> well as a few public access hardwired PCs on a different subnet.
> Do I set this scope up with our internal DNS ip's or our ISP's dns
> same question about a website in a dmz, point to internal dns or isp
> dns?
>
> I may be all wrong and not have a valid concern, if a public wireless
> user uses a ipconfig /all then they have the ip to our DC, again maybe
> I'm concerned for nothing But I would think having the specific IP
> would give them a good target??? And yes we do have all traffic other
> than outbound internet traffic blocked by our router, Hopefully my
> concern is all for naught.
>
> I've seen and read a few documents including the one you pointed out
> , but nothing that really discusses AD network traffic for non-(I'll
> say AD) traffic=authenticated users and machines.
> Thanks again for your time and responses to all the posts.
> Tom

Ok, I see. I would probably set up one or possibly two internal DNS servers
that are not part of the AD infrastructure to handle this and have them
forward out. This will reduce resolution traffic on your line. I would also
harden the installation to disable NetBIOS and File & Print services,
possibly even use a Security Template if I remember the name of the
template, such as the HiSecureServer template. This will reduce the
machine's exposure surface, but of course you want to make sure only TCP &
UDP 53 are accessible.

Yes, they will see the DNS server if they are technical folks, but then
again, what are they going to do with it, especially if it's tightened down.
You can also choose to use the ISP's to reduce your own resources and
security headaches. :)

Ace
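
One way to verify the "only TCP & UDP 53 are accessible" condition from a client on the guest subnet, against your own guest-facing resolver (an added example, not part of the original thread). The port list and the function names are assumptions of this example.

```python
import os
import socket
import sys

# TCP services a Windows 2000/2003 server commonly exposes (illustrative list,
# an assumption of this example). On the guest-facing resolver only 53 should answer.
PORTS_TO_CHECK = {53: "DNS", 88: "Kerberos", 135: "RPC", 139: "NetBIOS",
                  389: "LDAP", 445: "SMB/File & Print", 3389: "Terminal Services"}
ALLOWED_TCP = {53}


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_resolver(host, ports=PORTS_TO_CHECK, allowed=ALLOWED_TCP, timeout=1.0):
    """Return (missing, unexpected): allowed ports that did not answer and
    non-allowed ports that did."""
    allowed = set(allowed)
    answered = {p for p in set(ports) | allowed if tcp_port_open(host, p, timeout)}
    return sorted(allowed - answered), sorted(answered - allowed)


def udp_dns_answers(host, name="example.com", port=53, timeout=2.0):
    """Send one recursive A query over UDP; True if a reply with our ID arrives."""
    qid = os.urandom(2)
    header = qid + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    query = header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    # Same transaction ID and the QR (response) bit set
    return len(reply) >= 12 and reply[:2] == qid and bool(reply[2] & 0x80)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_resolver.py <resolver-ip from DHCP option 006>")
    resolver = sys.argv[1]
    missing, unexpected = audit_resolver(resolver)
    print("UDP 53 answers:", udp_dns_answers(resolver))
    for p in missing:
        print("allowed port not answering: TCP", p)
    for p in unexpected:
        print("exposed beyond DNS: TCP %d (%s)" % (p, PORTS_TO_CHECK.get(p, "?")))
    sys.exit(1 if missing or unexpected else 0)
```

A non-zero exit means the resolver either fails to answer on TCP 53 or accepts connections on a port other than DNS.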