Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Wanet Telecoms Ltd on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DNS/Firewall/AD issues

Status
Not open for further replies.
thepl4yer

thepl4yer

Technical User
Jan 28, 2005
27
GB
I'm currently about to upgrade a windows NT4 domain to 2003 AD and was wondering the best way to sort the following (or if my intended approach is viable) before I start.

The domain will be upgraded and will join an existing forest root the exists across a firewall - lets say company.com. A local forest root controller will be installed at my site via secure tunnel setup between it and the site where the forest root is located. My upgraded domain will then join this as a child domain (child.company.com). With regard to DNS, assuming that child.company.com is delegated from the root and therefore all child domain dcs hosting dns will have forwarders pointing to these root dns servers, do I need to open the firewall for each one or is there a better way to do it?

Hope this makes sense!


B
 
Sort by date Sort by votes
it seems to make sense :).

i gather you wont have a parent domain DC permanently where you are....

irrespective of you having 1 dc or 5 in the child domain, it/they will need to communicate with the parent domain, so you will need to open up certain ports in the firewall.

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Glad it makes sense! Was starting to wonder!

There is going to be a parent domain dc where we are but it will not be hosting DNS - does this change things?
 
Upvote 0 Downvote
if it hosts active directory, and the DNS zone for company.com is AD integrated, then it may as well host dns too....
that way your child servers will resolve locally and the dns info will be replicated to your site via the parent DC...

you can also limit traffic and zone transfers, maybe even use some security on your firewall to allow only dns/ad traffic between these servers....

would lessen the security 'hole' and limit intersite net traffic too.


Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Ahh well, this is what I wanted to do but unfortunately a lot of the other domains are using private IP addressing that is resolved through dns re-writes on the firewalls. Therefore if the local root was to host the a copy of the root DNS, the ips wouldn't be translated into the correct public IP where as they will if this query goes across the firewall. Unfortunately it is a separate IT department that looks after the root, so there isn't much scope to change any of this... Im just wondering if there was a way to sort of pass the queries through this box as the tunnel is already open ?

 
Upvote 0 Downvote
pass the queries through this box" : the root server on site??

if its a dns server, yep. make it the root server for your child dns servers.... redirection

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Not sure if I'm following you there (sorry!) could you elaborate please ??
 
Upvote 0 Downvote
you said:
"Im just wondering if there was a way to sort of pass the queries through this box as the tunnel is already open ?"

you mean the dns queries?
and you mean the parent domain server that will be located in your site?

if it can be made a dns server then it will carry out the queries for the child domain dns servers for parent domain related requests...

it's friday, not easy!!!

are the 2 sites connected via a vpn tunnel?


Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Sorry, my fault not being clear! All I meant was the parent dc on site couldn't host dns for the root domain due to the dns rewrite issues mentioned previously. It could still in effect run DNS just not for the root domain (even though it is a root domain controller)... they are just connected via a firewall tunnel i.e. one ip/mac address can talk to the ip/mac at the other end...


 
Upvote 0 Downvote
ok... so the dns rewrite thing means that the networks aren't fully routed in that case?

no prob, im about as clear as mud today too!!!!!

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Cheers! Yeah - I could have explained myself a lot better by simply saying they weren't fully routed - LOL!

I'll let the child dns servers talk to the root dns servers through the firewall.

Thanks for the help
 
Upvote 0 Downvote
loool

[COLOR=#FF0000 #EEEEEE]o[/color][COLOR=#FF0F00 #DDDDDD]t[/color][COLOR=#FF1E00 #CCCCCC]h[/color][COLOR=#FF2D00 #BBBBBB]e[/color][COLOR=#FF3C00 #AAAAAA]r[/color][COLOR=#FF4B00 #999999]w[/color][COLOR=#FF5A00 #888888]i[/color][COLOR=#FF6900 #777777]s[/color][COLOR=#FF7800 #666666]e[/color][COLOR=#FF8700 #555555] [/color][COLOR=#FF9600 #444444]h[/color][COLOR=#FFA500 #333333]a[/color][COLOR=#FFB400 #222222]v[/color][COLOR=#FFC300 #111111]i[/color][COLOR=#FFD200 #FFFFFF]n[/color][COLOR=#FFE100 #EEEEEE]g[/color][COLOR=#FFF000 #DDDDDD] [/color][COLOR=#FFFF00 #CCCCCC]f[/color][COLOR=#F0FF00 #BBBBBB]u[/color][COLOR=#E1FF00 #AAAAAA]n[/color][COLOR=#D2FF00 #999999] [/color][COLOR=#C3FF00 #888888]a[/color][COLOR=#B4FF00 #777777]n[/color][COLOR=#A5FF00 #666666]d[/color][COLOR=#96FF00 #555555] [/color][COLOR=#87FF00 #444444]p[/color][COLOR=#78FF00 #333333]a[/color][COLOR=#69FF00 #222222]s[/color][COLOR=#5AFF00 #111111]s[/color][COLOR=#4BFF00 #FFFFFF]i[/color][COLOR=#3CFF00 #EEEEEE]n[/color][COLOR=#2DFF00 #DDDDDD]g[/color][COLOR=#1EFF00 #CCCCCC] [/color][COLOR=#0FFF00 #BBBBBB]t[/color][COLOR=#00FF00 #AAAAAA]h[/color][COLOR=#00FF0F #999999]e[/color][COLOR=#00FF1E #888888] [/color][COLOR=#00FF2D #777777]t[/color][COLOR=#00FF3C #666666]i[/color][COLOR=#00FF4B #555555]m[/color][COLOR=#00FF5A #444444]e[/color][COLOR=#00FF69 #333333] [/color][COLOR=#00FF78 #222222]e[/color][COLOR=#00FF87 #111111]x[/color][COLOR=#00FF96 #FFFFFF]e[/color][COLOR=#00FFA5 #EEEEEE]r[/color][COLOR=#00FFB4 #DDDDDD]c[/color][COLOR=#00FFC3 #CCCCCC]i[/color][COLOR=#00FFD2 #BBBBBB]s[/color][COLOR=#00FFE1 #AAAAAA]i[/color][COLOR=#00FFF0 #999999]n[/color][COLOR=#00FFFF #888888]g[/color][COLOR=#00F0FF #777777] [/color][COLOR=#00E1FF #666666]g[/color][COLOR=#00D2FF #555555]r[/color][COLOR=#00C3FF #444444]e[/color][COLOR=#00B4FF #333333]y[/color][COLOR=#00A5FF #222222] [/color][COLOR=#0096FF #111111]c[/color][COLOR=#0087FF #FFFFFF]e[/color][COLOR=#0078FF #EEEEEE]l[/color][COLOR=#0069FF #DDDDDD]l[/color][COLOR=#005AFF #CCCCCC]s[/color]

bored and deperately trying to be useful somewhere!!

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
977
suncit
suncit
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
450
DrB0b
DrB0b
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
622
DTGMI
DTGMI
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
900
fredmartinmaine
fredmartinmaine
DrB0b
  • Locked
  • Question
Terminal Server issues doing anything network related after RDPing into
Replies
3
Views
372
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top