DNS and sub-domains questions
dmw
I have a child domain setup. The parent domain controller is also the AD integrated DNS server allowing secure updates only.
If I set up a DNS server on the child DC, does that automatically become the authoritative server for that zone, or do I have to delegate that domain from the parent DC to the child DC and then set up the primary zone in the child domain's DNS console? If I set up a caching-only DNS server on the child DC, would the parent DNS server still be the authoritative DNS server for the child domain?
Also, aside from adding another domain via another domain controller, can a new domain be added simply through DNS, where the DNS server manages both domains rather than having two separate domain controllers?
I am not sure these questions will make sense. It's been one of those long study days after work.
Rebooting computers since 1999
Comments
royal
Every DNS server that is installed on a DC will be authoritative for that Active Directory zone. If you have a 2nd DC, you don't even have to install a zone after installing Active Directory. Once you install DNS, and once Active Directory replication kicks in, it'll automatically copy over the Active Directory DNS zone records.
A caching server is not authoritative when it doesn't have the record in cache. I'm almost positive that a record lookup that a caching server answers will show as authoritative.
You can have a 2nd Active Directory integrated zone on a DC's DNS, but there's a downside. You don't actually have another domain for users to authenticate to. There's no NTDS.dit for the new domain, no Sysvol, no authentication for users to the new domain, no SRV records for the new domain, etc. To actually have a new Active Directory domain controller environment, you need another domain controller. If you try to run DCPromo on a server that is already a DC, it will only allow you to uninstall Active Directory and remove itself as a domain controller.
“For success, attitude is equally as important as ability.” - Harry F. Banks
dmw
So in this case, because it is AD integrated, there is nothing to do really on the child DC?
If it were not AD integrated, then I could set up the domain delegation from the parent DC to the child DC, zone transfers...
Rebooting computers since 1999
royal
Correct. Because it is Active Directory integrated and they are both DCs, the 1st DC will copy over all the records to the new DC when AD replication starts. The NS record for the new DNS/DC will also be created when AD replication happens and zone records are updated. You won't see the updated NS records until the 2nd or so replication, because on the 1st replication it only copies over the zone contents. After it's copied over, the new DNS/DC will see it is authoritative and then create an NS record, and then on the next AD replication it'll start copying over the new NS records.
There's no reason you would not use AD integrated zones on DCs. If you're in a situation where you aren't using DCs and are just using a primary/secondary non-AD-integrated setup, then yes, you would set up either a delegation or a stub zone to the child DC. You don't have to, but if you want to use resources in the child domain using DNS, then yes. If you want resolving to go both ways, from parent to child and child to parent, you'd have to set up a delegation/stub zone on each: one on the child pointing to the parent and one on the parent pointing to the child.
“For success, attitude is equally as important as ability.” - Harry F. Banks
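The two cases discussed in the posts above (AD-integrated zones that replicate on their own, versus a standard primary that needs an explicit delegation and a pointer back to the parent), as an added example that is not part of the thread. It uses the DnsServer PowerShell module from Windows Server 2012 and later, which postdates the Windows 2000/2003 era of this discussion; the names corp.example, child.corp.example, DC1, DC2 and the addresses are assumptions.

```powershell
# Added example, not from the thread. Assumed names: parent zone corp.example on DC1 (10.0.0.10),
# child domain child.corp.example whose DC is DC2 (10.0.1.10). Run from an elevated prompt on a
# server with the DnsServer module (Windows Server 2012 or later).

# --- Case 1: AD-integrated zones, both servers are DCs (nothing to create by hand) ---
# On DC2, after AD replication has run: confirm the child zone arrived as an AD-integrated
# primary and that DC2's own NS record has been added to it.
Get-DnsServerZone -ComputerName DC2 |
    Where-Object { $_.ZoneName -like '*corp.example' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate

Get-DnsServerResourceRecord -ComputerName DC2 -ZoneName 'child.corp.example' -RRType Ns |
    Select-Object HostName, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } }
# Expect one NS per DC running DNS. If DC2 is missing, wait for the next replication cycle
# (or force one with `repadmin /syncall /AdeP` on DC2) and query again.

# "Secure only" dynamic update should survive the copy; verify it rather than assume it.
(Get-DnsServerZone -ComputerName DC2 -Name 'child.corp.example').DynamicUpdate   # expect Secure

# --- Case 2: standard (non-AD-integrated) primary on DC1, child zone hosted on DC2 ---
# 2a. On DC2: create the child zone as a file-backed primary. Secure-only update is not
#     available for a file-backed zone, so leave dynamic update off.
Add-DnsServerPrimaryZone -ComputerName DC2 -Name 'child.corp.example' `
    -ZoneFile 'child.corp.example.dns' -DynamicUpdate None

# 2b. On DC1: delegate the child so queries for child.corp.example are referred to DC2.
Add-DnsServerZoneDelegation -ComputerName DC1 -Name 'corp.example' -ChildZoneName 'child' `
    -NameServer 'dc2.child.corp.example' -IPAddress 10.0.1.10

# 2c. A delegation only works downward. For child -> parent resolution DC2 needs its own
#     pointer; a stub zone keeps the parent's NS list current from the master automatically.
Add-DnsServerStubZone -ComputerName DC2 -Name 'corp.example' -MasterServers 10.0.0.10 `
    -ZoneFile 'corp.example.dns'

# Check both directions from a client. -DnsOnly skips the hosts file, LLMNR and NetBIOS,
# so only a real DNS answer counts.
Resolve-DnsName -Name 'dc2.child.corp.example' -Server 10.0.0.10 -DnsOnly -Type A
Resolve-DnsName -Name 'dc1.corp.example'       -Server 10.0.1.10 -DnsOnly -Type A
```

The NS check in Case 1 is the part worth keeping in a runbook: a child DC whose NS record never appears is usually a replication problem, not a DNS one, and the symptom (the parent keeps answering as the only authoritative server) looks exactly like the situation the original question describes.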
dmw
As far as which method to replicate the DNS data: I would need to choose "to all DCs in the forest" as opposed to the domain, since they are 2 separate domains, right?
Rebooting computers since 1999
royal
It depends. Do you want to increase replication traffic or do you want to have less replication traffic? You'll have more replication traffic if you choose to replicate throughout the forest, but your queries will be better since you're replicating through the ForestDnsZones partition (keep in mind Windows 2000 doesn't have these application partitions). If you want less replication traffic throughout your forest, then you could configure a stub zone, a delegation, or even a conditional forwarder.
Imagine if you have a forest of 10 domains. The domains don't talk with each other all that much. 1 domain will talk to another once in a while. So why bother replicating to the entire forest? You're just increasing replication traffic a lot, which isn't even needed since the domains don't talk to each other except for 1 domain talking to the other once in a while. Instead, to conserve network bandwidth, you would just configure stub zones, delegations, or conditional forwarders to point to the other domain and vice versa. That way, you're not increasing network bandwidth, but the 2 domains can talk to each other since they'll be able to resolve each other's DNS.
Also, keep in mind when to use a conditional forwarder. When you have a stub zone, the DNS server isn't performing recursion. If you're on site1.domain.com and a client pings for someone on site2.domain.com, and site1.domain.com has a stub zone configured for site2.domain.com, the DNS server in site1.domain.com will see the stub zone for site2.domain.com and actually send back a referral to the client, and that client will then contact the authoritative DNS servers for site2.domain.com. Now imagine if you had a firewall that ONLY allowed the DNS server in site1.domain.com to talk to the authoritative DNS server in site2.domain.com. The DNS query would fail in the situation above, since the client can't communicate over port 53. Well, if you used a conditional forwarder, the DNS server is the one who will query the authoritative DNS server on port 53 instead of the client. Keep in mind that distinction (the server does the queries in conditional forwarding, and for delegations/stub zones the server will send back a referral, in which case the client will then contact the server from the other domain).
“For success, attitude is equally as important as ability.” - Harry F. Banks
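The replication-scope trade-off and the stub zone versus conditional forwarder choice from the post above, as an added example that is not part of the thread. It uses the DnsServer module from Windows Server 2012 and later (so the Windows 2000 caveat about application partitions does not apply to these cmdlets); the names site1.domain.com, site2.domain.com, DNS1, DNS2 and the addresses are assumptions. The check at the end shows which side actually does the work for a name in the other domain.

```powershell
# Added example, not from the thread. Assumed names: site1.domain.com served by DNS1
# (10.0.1.10), site2.domain.com served by DNS2 (10.0.2.10). DnsServer module, Windows
# Server 2012 or later, run from an elevated prompt.

# --- Replication scope: the trade-off described in the post ---
# Forest scope puts the zone in ForestDnsZones and copies it to every DNS-running DC in the
# forest; Domain scope keeps it to the DCs of this domain. Look before you widen it.
Get-DnsServerZone -ComputerName DNS1 -Name 'site1.domain.com' |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope

# Widen only if most of the forest really needs the records; otherwise leave the scope at
# Domain and add one of the per-zone pointers below instead.
Set-DnsServerPrimaryZone -ComputerName DNS1 -Name 'site1.domain.com' -ReplicationScope Forest

# --- Option A: stub zone on DNS1 for site2 ---
# Holds only SOA/NS/glue for site2.domain.com and refreshes the NS list from the master.
Add-DnsServerStubZone -ComputerName DNS1 -Name 'site2.domain.com' -MasterServers 10.0.2.10 `
    -ReplicationScope Domain

# --- Option B: conditional forwarder on DNS1 for site2 ---
# DNS1 itself sends the query to DNS2. Pick this when a firewall lets only DNS1, not the
# clients, reach DNS2 on 53/udp and 53/tcp. A stub zone and a conditional forwarder cannot
# both exist for the same name on one server, so remove Option A before adding this.
Remove-DnsServerZone -ComputerName DNS1 -Name 'site2.domain.com' -Force
Add-DnsServerConditionalForwarderZone -ComputerName DNS1 -Name 'site2.domain.com' `
    -MasterServers 10.0.2.10 -ReplicationScope Domain

# --- Check who does the work ---
# Whether DNS1 chases a stub zone's NS records on the client's behalf depends on recursion
# being enabled on DNS1; with recursion disabled it can only hand back what it holds.
Get-DnsServerRecursion -ComputerName DNS1 | Select-Object Enable

# Run from a client that can reach DNS1 but NOT DNS2. An A record back means DNS1 resolved
# the name for the client; only NS records (or a timeout) means the client was given a
# referral it cannot follow through the firewall.
Resolve-DnsName -Name 'host.site2.domain.com' -Server 10.0.1.10 -DnsOnly -Type A
```

Run the final query from both sides of the firewall when you change between a stub zone and a conditional forwarder; the difference between the two options only shows up from a client that cannot reach the other domain's name servers directly.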
Danman32
I'm not so sure about that. If the server at site1 was told to do recursion, then I believe it would contact one of the name servers referred to by the stub zone.
Also remember that a DC in a parent domain running DNS with a zone for the parent domain would not, by itself, have any way to refer to the child domain if it needed to, unless you added the zone for the child domain, delegated that child domain, had a stub zone for referral and automatic NS list updates, or configured a conditional forwarder for the child domain.