how to setup dns for forest 1


ilpadrino

MIS
Feb 14, 2001
416
US
I've installed the first two AD domains. The first was the root in the forest. For the second to connect to the forest, I had to change its DNS entry to the first.

Now that I'm finished with the second AD domain, what should the DNS settings on the DCs be so each can browse the other's AD?

Thanks.
 
A few options...

1) Maintain the forward lookup zones for all domains on each DNS server

2) On the child domain, forward DNS to the parent domain's DNS. On the parent domain, create a delegation for the child domain that will forward requests to the child domain's DNS server...

Make Sense?

Mike
 
I think so. Except the domains are not child/parents. So from what you said, I should create delegations on each to forward requests to the other? Where do I create these delegations?

Should I not set each DNS server as a forwarder on the other?
 
On the forest root domain controller, can you see both domains in Active Directory Domains and Trusts?
 
Delegation only works for child/grandchild domains...

The easiest way to accomplish this would be to:

Setup DNS in Both Domains
Create a Zone for every Domain on each DNS Server
If you are using AD Integration you are done
If you are not using integration, then you need to setup replication.

Mike
 
Then once I set up the AD integration, do I add hosts for each DC?

So for example, one DNS server I would have both forward lookup zones for each domainx.local. And I would put a host record for the DC on the other domain?
 
Bedpan/Mike, this has worked in the DNS server configurations. Both domains see each other and objects in the directories. Something else I tried to get away with was not changing client DNS entries. This slowed down logins and made network shares and printers unavailable.

How can I speed up internet browsing now that I'm using domain controllers as DNS servers? Should I add more DNS servers? Should all DNS servers use AD integration and use forwarders to the ISP? Is AD integration on the DNS servers the best setup, or is replication better?

Thanks for your help.
Joe.
 
Clients' DNS should point to a DNS server that is for their domain as their primary DNS, and another DNS server hosting the zone for their secondary (e.g. primary would be a DC with DNS in their domain, and secondary would be a DC in another domain hosting DNS for their zone). Because each DNS server hosts the zone for all of your domains, your clients can then resolve addresses for all resources in all your domains and have a secondary entry in case their DC goes down.

Two DNS servers should be all you need unless you have multiple sites (at least one DNS server per site), or are a very large organization (1 DNS server for every 1000 clients or so).

If you are running a pure Windows shop there would be no reason not to run integrated. It takes some hassles and worries out of DNS, as you no longer have to think about DNS replication as it takes place with AD. If you are running Unix/Linux or other server OSes there may be reasons to consider not running integrated...

Hope this helps..

Mike
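The setup Mike describes in his two posts (every DNS server hosts a zone for every domain, AD-integrated so replication is handled by AD, forwarders to the ISP, and clients pointed at a DC in their own domain first and a DC in the other domain second), written out as an added example; this is not code from the thread. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, so the zones can be replicated forest-wide rather than only within one domain), that each DC's own domain zone already exists from promotion, and that the IP addresses are placeholders.

```powershell
# Added example, not from the thread. Steps 1 and 2 run once on a DC that hosts DNS;
# step 3 runs on each client (or is pushed out as DHCP option 006).
$Domains      = @('domain1.local', 'domain2.local')   # domain names from the thread
$IspForwarder = '192.0.2.53'                          # placeholder: ISP resolver
$OwnDc        = '10.0.1.10'                           # placeholder: DC/DNS in the client's own domain
$OtherDc      = '10.0.2.10'                           # placeholder: DC/DNS in the other domain

# 1) Every DNS server hosts a zone for every domain. ReplicationScope Forest stores the
#    zone in the ForestDnsZones application partition, so it replicates to every DNS-hosting
#    DC in the whole forest, not only to DCs of the zone's own domain. Secure dynamic update
#    is what lets each DC register its own _msdcs/_sites/_tcp/_udp SRV records.
#    The Get-DnsServerZone check skips a zone that AD replication has already delivered.
foreach ($zone in $Domains) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure
    }
}

# 2) Send everything that is not one of our zones to the ISP resolver instead of
#    letting each DC walk the Internet root hints (the slow-browsing question above).
Add-DnsServerForwarder -IPAddress $IspForwarder -PassThru

# 3) Client resolver order: own-domain DC first, other-domain DC second, so the client
#    still resolves both domains if its own DC is down.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses @($OwnDc, $OtherDc)
}
```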
 
Your comments did help. I haven't had too many issues since upgrading, but it's amazing the areas I missed in my supposedly thorough planning phase.

At this point I've added a DC in the second domain and assigned the correct FSMO roles. I tried to promote it to GC, but it doesn't seem to be able to. I keep getting events 1559, 1578, and 1110 every 30 minutes. I wonder if there is a communication problem with the root of the forest, which is the only GC so far. I can ping everything, but the _msdcs areas of the DNS do not correspond. On the forest root, the DNS does not have _msdcs for the second domain. But on the second domain's DNS, it does have _msdcs for both domains.

Any ideas on what I've done wrong?
 
I've been troubleshooting this problem all morning and have realized some differences in the two DNS servers that may have something to do with my troubles. To summarize, I have a forest of 2 domains: domain1.local and domain2.local. Each DC is a DNS server with AD-integrated zones for both domains. Both have their primary DNS set to themselves and secondary to the other. I now see that the 2 DNS servers do not have matching zones for domain1.local. On the second DNS server, there is only the _msdcs folder, and it is incomplete. The first DNS server has _msdcs, _sites, _tcp, and _udp for both domains. And there are many more records under the _msdcs.

So when adding the second DC on domain2.local, it won't promote to global catalog due to not being able to resolve by the second DNS server. The event log warning is 1265. How can I fix the second DNS server to represent correctly the domain1.local zone, especially after following Bedpan's post above for configuring the DNS servers?

Thanks in advance. Joe.
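A way to make the zone mismatch Joe describes visible from the outside, as an added example that is not part of the thread: query each DNS server for the SRV records a domain controller and Global Catalog must be able to locate in both domains, and list which server is missing which record. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later); the domain names are the thread's, the server addresses are placeholders.

```powershell
# Added example, not from the thread. Run from any domain-joined machine that can
# reach both DNS servers.
$ForestRoot = 'domain1.local'                 # forest root per the thread
$Domains    = @('domain1.local', 'domain2.local')
$DnsServers = @('10.0.1.10', '10.0.2.10')     # placeholder: DC/DNS in domain1 and in domain2

# SRV records every DC registers for its own domain (under _msdcs and _tcp), plus the
# forest-wide GC records, which are registered only in the forest root zone.
$Required = foreach ($d in $Domains) {
    "_ldap._tcp.dc._msdcs.$d"    # DC locator record for domain $d
    "_kerberos._tcp.$d"          # KDC locator
    "_ldap._tcp.$d"              # generic LDAP locator
}
$Required += "_gc._tcp.$ForestRoot"            # Global Catalog locator
$Required += "_ldap._tcp.gc._msdcs.$ForestRoot"

# Ask each server directly (-DnsOnly skips the local cache, hosts file and LLMNR) and
# record whether it could answer and which hosts the record points at.
$Results = foreach ($server in $DnsServers) {
    foreach ($name in $Required) {
        $answer = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server  = $server
            Record  = $name
            Targets = ($answer | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
            Status  = if ($answer) { 'OK' } else { 'MISSING' }
        }
    }
}

# A record that is OK on one server but MISSING on the other means that server's copy of
# the zone is incomplete (the _msdcs/_sites/_tcp mismatch described above); a record
# MISSING on both means the DC never registered it (dynamic update or netlogon issue).
$Results | Sort-Object Record, Server | Format-Table -AutoSize
$Results | Where-Object Status -eq 'MISSING'
```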
 