Random DNS question...
knownhero
Member Posts: 450
Hey Guys,
Was looking through old, old, OLD posts on this forum and came across someone that listed some questions but never gave an answer to. Just wondering if mine were right:
1) If you want to eliminate zone transfer traffic, what options do you have?
Conditional Forwarder
2) What is the difference between a standard and AD-integrated zone?
Dynamically updated
3) When would you choose a delegation over a stub zone?
If you want things done Dynamically you'd choose the Stub Zone
4) What is the advantage of a conditional forwarder?
Speed
70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
MCSE - SharePoint 2013 :thumbup:
Road map 2017: JavaScript and modern web development
Comments
-
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
1. Conditional forwarder would, but here is my question.
2. SECURE dynamic update. NON-AD can still dynamically update, but it isn't secure (no DC to authenticate) so it is highly not recommended. Also, an AD integrated zone can have multiple primary zones, and rather than using zone transfers, the zone information will be transferred as part of the DC replication (which is apparently more efficient). Also remember, that you have 3 options of how to replicate the DNS information when AD integrated.
3. I'm still not positive on this myself.
4. Conditional forwarder is good at minimizing the WAN traffic. Rather than trying to keep an entire update of a zone on your lan, you can just redirect everyone over to where that zone is hosted. Takes the work off your local dc's and minimizes your queries over the WAN.
Decide what to be and go be it. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
1) If you want to eliminate zone transfer traffic, what options do you have?
Conditional Forwarder
I don't know how you can do this without manually updating each zone. Zone transfers are used to update the same zone across multiple servers. You can't forward a zone that a server is hosting to another server. You could also be referring to not hosting all zones on all servers and forwarding select domains to other servers. If so, you could use conditional forwarders, delegations, or stub zones.
2) What is the difference between a standard and AD-integrated zone?
Dynamically updated
You can perform dynamic updates with standard primary zones. AD-integrated zones allow secure dynamic updates and perform replication through AD replication instead of using zone transfers.
3) When would you choose a delegation over a stub zone?
If you want things done Dynamically you'd choose the Stub Zone
Yes, with delegations you have to manually update the name servers while stub zones will update themselves. Control vs. ease-of-use. If I remember right, delegations also have to follow the domain hierarchy while a stub zone can refer to any other domain. For example, instead of a.b.domain.com having to go up and down the hierarchy, and back, to resolve x.y.domain.com, you can just have a stub configured to contact those name servers directly.
4) What is the advantage of a conditional forwarder?
Speed
If I had to use one word, I'd use "precision." This allows you to forward queries for specific domains to specific DNS servers. You might also see an increase in performance since you're offloading iterative queries to, say, an ISP DNS server, but that's a characteristic of forwarding in general. That's not what's unique about conditional forwarders. -
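Added example, not part of any poster's reply: a PowerShell check for the two security-relevant settings raised above, non-secure dynamic updates and zone transfers on primary zones. The function name `Get-DnsZoneFinding` and the sample zones are hypothetical; the property names and values are assumed to match what `Get-DnsServerZone` returns on a Windows DNS server.

```powershell
# Added example: flag zone settings discussed in the thread.
# Input objects need the property names that Get-DnsServerZone emits.
function Get-DnsZoneFinding {
    param([Parameter(ValueFromPipeline)] $Zone)
    process {
        # Scope: primary zones, where update and transfer policy are set.
        # Stub and forwarder zones hold no writable copy of the data.
        if ($Zone.ZoneType -ne 'Primary') { return }
        $notes = @()
        if ($Zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            $notes += 'accepts unauthenticated dynamic updates'
        }
        if ($Zone.SecureSecondaries -eq 'TransferAnyServer') {
            $notes += 'zone transfer allowed to any requester'
        }
        if ($Zone.IsDsIntegrated -and $Zone.SecureSecondaries -ne 'NoTransfer') {
            $notes += 'AD-integrated but zone transfers still enabled'
        }
        foreach ($n in $notes) {
            [pscustomobject]@{ ZoneName = $Zone.ZoneName; Finding = $n }
        }
    }
}

# Constructed sample zones (hypothetical names) so the script runs anywhere.
$sample = @(
    [pscustomobject]@{ ZoneName = 'corp.example'; ZoneType = 'Primary'
        IsDsIntegrated = $true; DynamicUpdate = 'Secure'
        SecureSecondaries = 'NoTransfer' }
    [pscustomobject]@{ ZoneName = 'legacy.example'; ZoneType = 'Primary'
        IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure'
        SecureSecondaries = 'TransferAnyServer' }
    [pscustomobject]@{ ZoneName = 'branch.example'; ZoneType = 'Primary'
        IsDsIntegrated = $true; DynamicUpdate = 'Secure'
        SecureSecondaries = 'TransferToZoneNameServer' }
    [pscustomobject]@{ ZoneName = 'partner.example'; ZoneType = 'Forwarder'
        IsDsIntegrated = $true; DynamicUpdate = 'None'
        SecureSecondaries = 'NoTransfer' }
)

# Expect two findings for legacy.example and one for branch.example.
$sample | Get-DnsZoneFinding | Format-Table -AutoSize

# On a DNS server with the DnsServer module loaded:
#   Get-DnsServerZone | Get-DnsZoneFinding
```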
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
If I remember right, delegations also have to follow the domain hierarchy while a stub zone can refer to any other domain. For example, instead of a.b.domain.com having to go up and down the hierarchy, and back, to resolve x.y.domain.com, you can just have a stub configured to contact those name servers directly.
Correct. You can only delegate down. To get back up you would use a forwarder.
Decide what to be and go be it. -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
I don't know how you can do this without manually updating each zone. Zone transfers are used to update the same zone across multiple servers. You can't forward a zone that a server is hosting to another server. You could also be referring to not hosting all zones on all servers and forwarding select domains to other servers. If so, you could use conditional forwarders, delegations, or stub zones.
I think what they mean by this is AD Integrated Zones, because the zone information is replicated along with AD technically there are no zone transfers. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
RobertKaucher wrote: »
I think what they mean by this is AD Integrated Zones, because the zone information is replicated along with AD technically there are no zone transfers.
Yes, but he was asking about traffic, which you'll still have regardless of the method in which it's transferred (albeit it's more efficient with AD). -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
Yes, but he was asking about traffic, which you'll still have regardless of the method in which it's transferred (albeit it's more efficient with AD).
Agreed, but the way I recall seeing questions phrased on test prep software was that using AD integrated zones eliminated zone transfer traffic because AD needed to replicate anyway. But I think this comes down to what the person asking the question actually intends. -
knownhero Member Posts: 450
Originally Posted by knownhero
2) What is the difference between a standard and AD-integrated zone?
Dynamically updated
For this I did mean secure.. I missed it out
70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
MCSE - SharePoint 2013 :thumbup:
Road map 2017: JavaScript and modern web development -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
RobertKaucher wrote: »
Agreed, but the way I recall seeing questions phrased on test prep software was that using AD integrated zones eliminated zone transfer traffic because AD needed to replicate anyway. But I think this comes down to what the person asking the question actually intends.
You're playing the "Right way, wrong way, and one Microsoft way" card? -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
You're playing the "Right way, wrong way, and one Microsoft way" card?
Kind of. It's not DNS zone xfer traffic, technically it's AD replication traffic. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Yes, but it still increases AD replication traffic with DNS zone information. If bandwidth is a concern, the information doesn't just magically propagate. Granted, compression is used when replicating AD between sites, so there should be less of a hit.
-
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
the information doesn't just magically propagate.
Well why not? This is BS.
It is very similar to the situation I had last night. A user calls in that she can't VPN. After some troubleshooting, she had a new laptop that wasn't connected to her wireless network. She just expected it to work...
Decide what to be and go be it. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Devilsbane wrote: »
Well why not? This is BS.
Robert hoards all the magic and uses it for PoSh/SQL garbage... -
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Devilsbane wrote: »
Well why not? This is BS.
It is very similar to the situation I had last night. A user calls in that she can't VPN. After some troubleshooting, she had a new laptop that wasn't connected to her wireless network. She just expected it to work...
A few years back I had a remote user complain that her laptop would not turn on. I asked her if she charged it with the ac adapter. She told me that she thought it was getting charged through the wireless network and she didn't think she had to plug it in to the wall. Seriously. -
phoeneous Member Posts: 2,333 ■■■■■■■□□□
4) What is the advantage of a conditional forwarder?
Speed
Not just speed, but management of traffic to a specific domain. For example, you want to make sure that when users visit yahoo.com they hit e.yahoo.com in the farm and not f.yahoo.com. I actually had to do this once. -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
A few years back I had a remote user complain that her laptop would not turn on. I asked her if she charged it with the ac adapter. She told me that she thought it was getting charged through the wireless network and she didn't think she had to plug it in to the wall. Seriously.
Well it is wireless. Why would a laptop with wireless capabilities need to be plugged into the wall? That's just stupid. Who was in charge of this false advertising?
You should have installed a plutonium battery in it that will power it for years, either that or it will blow up on her. And that is a risk I am willing to take.
Decide what to be and go be it. -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
Devilsbane wrote: »
Well it is wireless. Why would a laptop with wireless capabilities need to be plugged into the wall? That's just stupid. Who was in charge of this false advertising?
You should have installed a plutonium battery in it that will power it for years, either that or it will blow up on her. And that is a risk I am willing to take. -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
lol, some people are so computer illiterate, it makes you wonder how they even do their jobs. It doesn't take much, am I really being too demanding by expecting that you know where your start button is?
Decide what to be and go be it.
-
knownhero Member Posts: 450
Devilsbane wrote: »
lol, some people are so computer illiterate, it makes you wonder how they even do their jobs. It doesn't take much, am I really being too demanding by expecting that you know where your start button is?
I had a consultant once call up saying "We have moved all our servers to a new location and haven't changed anything on our system, now we can't get email."
To which I replied. "You do know you now have new IPs. I'd recommend checking your NAT"
30 minutes later.
Phone rings
"It's working" - Hang up
No thank you or anything
70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
MCSE - SharePoint 2013 :thumbup:
Road map 2017: JavaScript and modern web development -
earweed Member Posts: 5,192 ■■■■■■■■■□
RobertKaucher wrote: »
I once had a lady that moved her own computer to another office. But she called when it would not turn on. I asked if she was certain everything was plugged in properly. She said she was so I went to her desk. She had plugged her surge protector into itself.
She had cleaned around behind her computer and rearranged the wires. Her monitor was plugged up but nothing else. The power strip was plugged to itself and she claimed the computer was broke.
No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives. -
Hyper-Me Banned Posts: 2,059
Devilsbane wrote: »
lol, some people are so computer illiterate, it makes you wonder how they even do their jobs. It doesn't take much, am I really being too demanding by expecting that you know where your start button is?
Oh I agree, and it makes me mad.
If a computer is a part of your job, you need to know how to use it. No, I don't expect you to administrate an AD domain or anything, but know where something like the start button is. Know how to turn the thing on and off, etc.
That's like a mechanic not knowing how to use a socket wrench. -
JBrown Member Posts: 308
Oh I agree, and it makes me mad.
If a computer is a part of your job, you need to know how to use it. No, I don't expect you to administrate an AD domain or anything, but know where something like the start button is. Know how to turn the thing on and off, etc.
That's like a mechanic not knowing how to use a socket wrench.
One of our "Professors" (he teaches 70-640 class) recently asked me how did I reset a user account on Windows 2008R2 server install. I thought he is "testing me" at first, but after giving him step-by-step explanation I realized that he is not joking. His incompetence just insulted me. I got so angry that I could not hold myself, told him to go f** himself. Now he is upset, and won't talk to me. I guess it's time to look for another job. -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
I had a professor like that. He was giving a lecture one day on permissions and told the class that when you are on a remote computer you get the most restrictive permissions. So if the NTFS is read/write and the share is only read, you get read.
But when you access locally, you get the most privileges. So if there is read/write on the share, but only read on the NTFS, you will get read/write. I called him out on this (wasn't positive, this was prior to any certification, but it just didn't sound right). So we debated in front of the class for 10 minutes, and he said that I was wrong.
This is a guy that claims to have MCSE, CCNA, and went to Chicago to get his MCITP:EA. Why he went to Chicago, I'm not sure. There are plenty of testing centers around us. (Didn't know better at the time). He claims to have taken 1 test each day of the week, failed one of them (because he spent the day before studying for the wrong test) so he then took that one again. So now he has an MCITP:EA (except he called it MCSE on 2008, again didn't question it because I had no idea)
The funny thing is, I have never seen proof of a single certification, he has all the MCSE books, but they are still in plastic wrap, and he is dumber than a box of rocks.
Decide what to be and go be it. -
knownhero Member Posts: 450
Devilsbane wrote: »
I had a professor like that. He was giving a lecture one day on permissions and told the class that when you are on a remote computer you get the most restrictive permissions. So if the NTFS is read/write and the share is only read, you get read.
But when you access locally, you get the most privileges. So if there is read/write on the share, but only read on the NTFS, you will get read/write. I called him out on this (wasn't positive, this was prior to any certification, but it just didn't sound right). So we debated in front of the class for 10 minutes, and he said that I was wrong.
This is a guy that claims to have MCSE, CCNA, and went to Chicago to get his MCITP:EA. Why he went to Chicago, I'm not sure. There are plenty of testing centers around us. (Didn't know better at the time). He claims to have taken 1 test each day of the week, failed one of them (because he spent the day before studying for the wrong test) so he then took that one again. So now he has an MCITP:EA (except he called it MCSE on 2008, again didn't question it because I had no idea)
The funny thing is, I have never seen proof of a single certification, he has all the MCSE books, but they are still in plastic wrap, and he is dumber than a box of rocks.
Brain **** much?
70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
MCSE - SharePoint 2013 :thumbup:
Road map 2017: JavaScript and modern web development -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
Brain **** much?
Nope, pretty sure it is lies much. I don't even think a dumper could do that.
Decide what to be and go be it.