
multiple domains in one forest 2


terry712

Technical User
Oct 1, 2002
2,175
GB
i have a few questions on this but i'm crap at writing explanations so here we go - i will ask a bit more after this

when a server resolves a name for AD purposes does it always use the full name ie server.factory.local or does it just use the short name.

 
it uses the fqdn, the dns name, the full name, as you put it ;-)

AD functions with DNS, and can't work without DNS.

DNS is the service locator (the SRV records in funny names you find in your DNS console entries.....) for AD.

Clients use DNS queries to locate the AD DCs.

other DCs use it to find their replication partners...;


ad infinitum!

Aftertaf

"Solutions are not the answer." - Richard Nixon
 
ok thats good

so if we have for example 2 servers in a forest root of factory.local, and we have both servers running an AD integrated zone. lets call them forestserv1 and forestserv2

so forestserv1 we give address 10.2.6.100
and forestserv2 we give address 10.2.6.200
so obviously on same physical and AD site
they both point to each other for primary and secondary ip address - ie forestserv1 points primary to forestserv2 and secondary to itself - the zone is set to forward to dns server on outside of dmz. the domain suffix on the connection of both these servers are factory.local

we then add a child zone let's call it west.factory.local and again it has 2 servers. westserv1 and westserv2. again this is on the same physical and AD site but a different site from forest - say a 2mb wan link with a redundant loop so 99.99% reliable.
westserv1 is on 10.3.6.100 and westserv2 is on 10.3.6.200
the dns zone west.factory.local is AD integrated and running on both - as forwarders it forwards to the 2 servers in the forest zone.
the zone is delegated from the forest and when doing this it auto creates a glue record for one of the servers - let's say it's for westserv1.
on westserv1 the primary dns is set for westserv2 and secondary itself and the connection suffix is west.factory.local.
this site has 75 clients on it - the dhcp server dishes out addresses of 10.3.6.110 up to 10.3.6.185 and the suffix west.factory.local

reverse zones have been setup.

so if we are on forestserv1
i can ping everything by fqdn
i can ping by short name everything in the domain
i can ping all internet stuff

from westserv2
i can ping everything by fqdn
i can ping by short name everything in the domain
i can ping all internet stuff
i can't ping the entries in forest root by short name - is this normal for most setups or how would you allow this. i don't want to add multiple suffixes. do people replicate all the dns zones to the forest or indeed should it exist in the forest

sorry this is long but i'm crap at explaining. any questions just shout - thanks for help


 
I'll have to double check but off the top of my head, you have to manually configure inter-site replication between domains.

If you want clients in one domain to be able to ping clients in the other domain, you will need to configure DNS suffixes to search in their own domain first then the other domain second. Also keep in mind that if you do this, no two clients should have the same name in either domains (ie: web.west.factory.local & web.factory.local) as pinging web from west domain would automatically resolve to the one inside the west domain.

If you want the clients in the west domain to hit the Internet, the westserv1/2 DCs must be configured to forward unresolved entries to the DNS server in the forest domain that is in your DMZ, or you can just let all DNS servers query the Internet (not recommended due to network congestion).

Hopefully, someone can back me up on this.

 
for the 'short' name resolution from child to root domain, you will have to setup dns suffixes.....

otherwise, your clients will not know what to try to resolve...

what happens is this:

you ping westserv1

your client:
1 looks in its cache,
2 checks its hosts file,
3 appends its OWN domain to the host (westserv1.west.factory.local) and asks its DNS server for the address....
4 the DNS server doesn't have this info so it says 'sorry!'.

if you add DNS suffixes, it will do 3) again, this time appending the second dns suffix (ie without .west.)

this time your dns server will know who to ask and it'll work.
this is necessary, unfortunately...

remember, it's just all 000 & 111. we need to tell them what to do.

Aftertaf

"Solutions are not the answer." - Richard Nixon
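The client resolution walk described above, together with the name-collision caveat from the earlier reply, as an added Python model that is not from the thread. The zone contents are constructed from the names and addresses posted (the "web" hosts and their addresses are invented for the collision case), and the client logic is simplified to exactly the steps listed in the post:

```python
# Constructed zone data mirroring the thread: the forest root and the delegated
# child zone, with the posted addresses. The "web" host exists in both zones
# only to show the name-collision caveat from the earlier reply (constructed).
ZONES = {
    "factory.local": {"forestserv1": "10.2.6.100", "forestserv2": "10.2.6.200",
                      "web": "10.2.6.50"},
    "west.factory.local": {"westserv1": "10.3.6.100", "westserv2": "10.3.6.200",
                           "web": "10.3.6.50"},
}

def dns_lookup(fqdn):
    """Answer from the most specific zone that owns the name; None is the 'sorry!'."""
    for zone in sorted(ZONES, key=len, reverse=True):  # delegated child wins over parent
        if fqdn.endswith("." + zone):
            return ZONES[zone].get(fqdn[: -len(zone) - 1])
    return None

def resolve(name, suffix_list, cache=None, hosts=None):
    """Client-side order from the post: cache, hosts file, then each suffix in turn.

    suffix_list[0] is the connection's own domain; later entries are the extra
    DNS suffixes. Returns (address or None, list of steps tried).
    """
    cache, hosts, steps = cache or {}, hosts or {}, []
    if name in cache:
        return cache[name], ["cache"]
    steps.append("cache miss")
    if name in hosts:
        return hosts[name], steps + ["hosts file"]
    steps.append("hosts miss")
    # A dotted name is queried as typed; a short name gets each suffix appended in order.
    candidates = [name] if "." in name else [f"{name}.{s}" for s in suffix_list]
    for fqdn in candidates:
        addr = dns_lookup(fqdn)
        steps.append(f"dns {fqdn}: {addr or 'sorry!'}")
        if addr is not None:
            return addr, steps
    return None, steps

if __name__ == "__main__":
    # A west client with only its own suffix fails on the root server's short name;
    # adding factory.local as a second suffix makes step 3 run again and succeed.
    print(resolve("forestserv1", ["west.factory.local"]))
    print(resolve("forestserv1", ["west.factory.local", "factory.local"]))
    print(resolve("web", ["west.factory.local", "factory.local"]))  # west copy wins
```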
 
ok thats more or less what i'm expecting
so basically the setup is ok and if i want more i would need to add additional suffixes which isn't really desired

and my ad will be ok as it always uses fqdn


do most people have all zones at the forest or do they segment it like this?
 
it depends on how the forest is setup, and what the name resolution needs are...

Aftertaf

I just want something I can never have...
 