Active Directory and DNS on child, other domain contollers

[Friday]

Once you have your first domain contoller in the forest setup, ensuring that the NIC's DNS points to itself, AD integrated zones match the AD name, and the svc directories are in DNS, what do you do for the other domain controllers in the same containter for the first forest domain contoller. Do you setup a DNS server with AD zones on those too and point the network DNS configuration for the NIC to itself as well? Or do you not install DNS and just point the NICs DNS entry to the first domain contoller. And if you do that, what if the first domain contollers goes down?

Then with child domains, do you setup DNS with AD integrated zones, and point the NIC's DNS to itself too with a helping forwarder to the first forest domain controller? Or do you just set the NICs DNS to the top forest domain contoller and do not install DNS.

Man, this gets confusing. I tried to set it up using Microsofts techweb pages and I found that the child domain could see all of the users in AD in both domains, but the top forest contoller could only manage itself. It could not find anything in the child domain. However, I could browse to it in explorer.exe from the forest DC.

 

[stash]

For an additional DC in a domain, the easiest way is to point it to the other DC for DNS resolution. Then run dcpromo. After you run dcpromo successfully and everything looks good in your logs, you can install the DNS service on the second DC. If you had an AD-integrated zone, the DNS information will automatically show up in DNS as soon as you install the service on the second DC. This is because AD-integrated DNS zones are stored in the domain naming context, which is replicated to all DCs in the same domain.

This leads into the child domain problem. Since dns info is only replicated between DCs in the same domain, you need to host the child zone on the child DCs. So create a child forward lookup zone on a server, and point that server to itself for DNS. Then create forwarders to your parent domain DCs that run DNS. In the parent domain, you need to create a delegation for the child zone. The delegation tells the parent DNS which server(s) are hosting the child domain. Then if you want to add a second DC for the child domain, follow the same procedure for adding a DC to the parent domain: point it to the first DC for DNS, run dcpromo, then install DNS if you want.

 

[BS911]

Wow, remind me to never get into Microsoft servers!!

 

[randal]

DNS is a monster, especially when it has to do with directory services. Basic DNS hosting for domains (for websites and email) is a snap compared to all of the above. Luckily, all of the above is usually a one-time (aggravating) affair.

At least, for me it was

randal

 

[stash]

There isnt anything in what I described above that is inherently different than other DNS implementations. If you have a child domain, you delegate that child to a different DNS server. Thats how the Internet works...whoever owns .com .net, etc delegates the child domain (microsoft.com, blah.net) to you.

The key is getting a rock solid DNS infrastructure set up before you start promoting servers to be domain controllers. Like anything else, with active directory, planning is essential.

 

[Friday]

Thanks Stash, You cleared up some questions that I had!!