Help!
From what I have seen so far of .NET, I don't believe there is, unless
someone else knows better. That is an AD Integrated feature where the
zone exists in the Domain NC partition of the AD database and follows the
domain controllers' rule that all of them are masters (multi-master), all
based on AD replication rules. However, there are some cool new features
with .NET DNS services.
--
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
You can only host an Active Directory Integrated zone on a Domain Controller
in Windows .NET 2003.
So if you want to run the DNS service on a Member Server then you are
"stuck" with Primary/Secondary Zones.
Kind Regards
Michael Buchardt
"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNa...@hotmail.com>
wrote in message news:e7#BB0UgCHA.2476@tkmsftngp10...
--
William Stacey, MCSE
Windows MVP (DNS/DHCP/WINS)
"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.0210...@posting.google.com...
Thanks William, just as I thought.
Thanks Michael, so that part hasn't changed. I thought there might have
added something new to "stretch" it out, something like the way BIND will
allow you to create multiple "views", and allow/disallow queries by IP. That
would be a neat feature to add to DNS under Windows!!
Thanks for everyone's feedback,
(DNS Authoritative Zones Writable without being DCs)
One other not so related question I need answered where can I find out
Hi SeerHawk
The DNSAdmin group is just that. Just for DNS. Similar to the Print
Operators or Group Policy Admin Groups. They are restricted to those specific
tasks.
As for multimaster DNS (multiple writeable copies), that is only a feature
available on a DC. The RFCs don't allow multiple Primary zones. The AD
Integrated feature is an "enhancement" to the RFCs that allows that, since it
is really only one copy that is "copied" to other DCs because it is within
the "one" AD database in a domain (where each DC has a copy of this "one"
database).
Do you know if this DNS Admins group's privileges will allow this group
of users the ability to change service states (Stop, Start)? In
addition, these conceptual DNS Servers will also serve as our DHCP
Servers (each with separate scopes, due to our current subnetting
strategy). The problem I worry about also is that we are trying to
enforce loopback policies on all the servers including DCs, and whether
the loopback policy will take precedence over the "Domain Controller
Policy"; I think I remember hearing that this is not the case.
I.e.: Do I, or even can I, build a custom Domain Controller Policy around
the DNS Admins and DHCP Admins and have another around all other AD
administrators on the DCs?
LMK if this doesn't make sense.
They could stop the service by right-clicking the DNS server name in the MMC
and stopping it, but not necessarily go to the Services console, IIRC.
> In addition, these conceptual DNS Servers will also serve as our DHCP
> Servers (each with separate scopes, due to our current subnetting
> strategy). The problem I worry about also is that we are trying to
> enforce loopback policies on all the servers including DCs, and whether
> the loopback policy will take precedence over the "Domain Controller
> Policy"; I think I remember hearing that this is not the case.
I have not tried loopback with DCs. Usually we create a separate OU for
machines that need a specific shell or some other implementation that we
want to lock down with loopback, or get the computer portion of the GP to
re-run and apply. If there are any security settings in the GP that will
lock out admins, this may be detrimental, but then again I haven't tested
that.
>
> I.e.: Do I, or even can I, build a custom Domain Controller Policy around
> the DNS Admins and DHCP Admins and have another around all other AD
> administrators on the DCs?
Instead of creating your own DC policy, there are specific types of
templates you can use that are supplied to offer different levels of
security. Have you looked at the Security & Configuration Analysis snap-in
and the Security Templates snap-in? You can use one of the supplied ones, or
you can customize them or create your own in there.
I wouldn't say that you need to be able to build a custom Domain
Controller Policy around them. If you check, the DNS Admins have FC in DNS
(if you have an AD Integrated zone, check the security tab). That is the
only place they have FC. Likewise for DHCP Admins. They have no access
elsewhere. Is that what you are trying to accomplish?
>
> LMK if this doesn't make sense.
I think I got it. LMK if I misunderstood.
Yes, it looks like you got the bulk of it. I am in the "conceptual"
planning stage, but I have a mock environment to try some of this stuff
on. Yes, I have seen the default templates included with Security
Configuration & Analysis, although I really haven't looked into them
(other than the compatibility template). I just think from a design
point of view DNS AD Integrated Zones on non-DCs should be available.
Making a DNS Server a DC just to add the writeable zones on both
servers seems to me to be a little extreme, but maybe I'm just barking
because I don't fully understand it. Anyway, I will try some of this
stuff out and let you know. Thanks very much for your help.
See, sometimes I *do* understand stuff !!!!
;-)
> I am in the "conceptual"
> planning stage, but I have a mock environment to try some of this stuff
> on. Yes, I have seen the default templates included with Security
> Configuration & Analysis, although I really haven't looked into them
> (other than the compatibility template). I just think from a design
> point of view DNS AD Integrated Zones on non-DCs should be available.
Nice theory, but this would be impossible because the actual zone file is
stored within the Domain partition (one of the 3 logical partitions of AD)
of the AD database and is only available on a DC. The AD database
(ntds.dit) can only exist on a DC; therefore, the AD Integrated zone can
only exist in DNS that is running on a DC. One other thing: an AD
Integrated zone can only live on DCs in the same domain, since the Domain
partition only replicates between DCs of a specific domain and is not
forest-wide.
> Making a DNS Server a DC just to add the writeable zones on both
> servers seems to me to be a little extreme, but maybe I'm just barking
> because I don't fully understand it.
See above.
> Anyway, I will try some of this
> stuff out and let you know. Thanks very much for your help.
Wish you luck. Remember, it's usually a lot easier if you stick with the KISS
method.
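The two replies above make three checkable claims: an AD-integrated zone lives only in the directory on a DC, DnsAdmins holds Full Control on the DNS objects and nowhere else, and stopping the service is a separate permission from editing zones. The PowerShell below is an added example (not code from the thread, and not Microsoft's) that verifies each of them on a live server. It assumes the DnsServer and ActiveDirectory modules, which shipped with Windows Server 2012 and later, so it is run on, or with RSAT against, a DC from a later release than the .NET Server being discussed. One fact about that later layout is built in: Windows Server 2003 added the DomainDnsZones and ForestDnsZones application partitions alongside the Windows 2000 style CN=MicrosoftDNS,CN=System location in the domain partition, and the container paths in the script follow that; the server name and the "Custom" scope handling are assumptions.

```powershell
# Added example, not code from the thread. Assumes the DnsServer and ActiveDirectory
# modules (Windows Server 2012+) and a domain-joined host with rights to read AD.
# For each zone on the server it prints whether the zone is AD-integrated and its
# replication scope, dumps what any DnsAdmins group is granted on the zone object in
# AD, and finally prints the DNS service's security descriptor (start/stop rights).

param(
    [string]$DnsServer = $env:COMPUTERNAME   # assumption: a DC running the DNS role
)

Import-Module DnsServer
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Container that holds the zone objects, keyed by replication scope. The zone object
# itself is DC=<zone name> directly beneath the container.
$containers = @{
    'Legacy' = "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)"             # Windows 2000 style: domain NC
    'Domain' = "CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"     # 2003+: domain-wide app partition
    'Forest' = "CN=MicrosoftDNS,DC=ForestDnsZones,$($forestRoot.DistinguishedName)" # 2003+: forest-wide app partition
}

foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }) {
    if (-not $zone.IsDsIntegrated) {
        # Primary/Secondary/Stub zones on a member server are file-backed: nothing in AD to inspect.
        "{0,-40} {1} (file-backed, not stored in AD)" -f $zone.ZoneName, $zone.ZoneType
        continue
    }

    "{0,-40} AD-integrated, replication scope: {1}" -f $zone.ZoneName, $zone.ReplicationScope

    $container = $containers[[string]$zone.ReplicationScope]
    if (-not $container) {
        # Assumption: a custom partition is reported by name only; resolve it by hand.
        "    custom partition '$($zone.DirectoryPartitionName)': not resolved here"
        continue
    }

    $zoneDn = "DC=$($zone.ZoneName),$container"
    # The AD: PSDrive is provided by the ActiveDirectory module; Get-Acl reads the object's DACL.
    $acl = Get-Acl -Path "AD:\$zoneDn"
    "    owner: $($acl.Owner)"

    # Any domain's DnsAdmins (forest-scoped zones carry the creating domain's group).
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like '*\DnsAdmins' } |
        ForEach-Object {
            "    {0}: {1} {2} (inheritance: {3})" -f $_.IdentityReference.Value,
                $_.AccessControlType, $_.ActiveDirectoryRights, $_.InheritanceType
        }
}

# Start/stop is governed by the service's own security descriptor, not by the zone
# ACLs above. In the SDDL that sc.exe prints, RP = SERVICE_START and WP = SERVICE_STOP;
# look for which SIDs hold them. (sc.exe, not sc: in PowerShell sc is Set-Content.)
"DNS service security descriptor:"
sc.exe sdshow DNS
```

The "Legacy" scope is the Windows 2000 location that the thread describes, and the only one a Windows 2000 DC replicates; a zone reported with the "Forest" scope is exactly the forest-wide replication asked about in the follow-up below, and you can see from the output which partition carries it. An ACE for DnsAdmins with ActiveDirectoryRights of GenericAll is the "FC" that the reply refers to; if you see DnsAdmins granted rights on objects outside these containers, that is a deviation from the default and worth explaining.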
Re: Forest Wide Replication of DNS Zones
Can't .NET support forest-wide replication of DNS zones from a
different domain? I was also thinking about possibly creating a new
domain, setting up AD, making an ADIZ DNS pair and then setting up some
forest-wide replication of that DNS on our root "dummy" domain (really
for recovery purposes in case of a disaster or reconfiguration /
collapsing / expansion of the DNS zones). Is this possible?
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.02110...@posting.google.com...
"Jeff Westhead [MS]" <jwesth@no_spam.online.microsoft.com> wrote in message
news:uDAJ1aphCHA.2308@tkmsftngp12...
I prefer a VUI (Voice User Interface).
"Computer, please set DNS glue record for zone...."
And have Majel Barrett Roddenberry answer with a confirmation.
> I prefer a VUI (Voice User Interface).
> "Computer, please set DNS glue record for zone...."
> And have Majel Barrett Roddenberry answer with a confirmation.
Ok Ace,
working on it but still some rough spots...
(my computer's interface name is Crystal)
NTCanuck: Crystal, can you set a DNS glue record for a zone if I give you
the parameters?
Crystal: I'll tell me when you set a new record.
'Seek and ye shall find'
NT Canuck
http://ntcanuck.com
BIND-PE, DNS "fail-safe" for NT clients
> NTCanuck: Crystal, can you set a DNS glue record for a zone if I give you
> the parameters?
> Crystal: I'll tell me when you set a new record.
Did I miss something here in Crystal's response?
Ace
> Did I miss something here in Crystal's response?
I suppose I look with different "eyes" Ace; this one
is supposed to give "help" in regard to syntax and what
to open/adjust based on the scanned/analyzed system.
Hopefully AI can do part of the job one day to ease the burden
on sysadmins or give them automatic forensics status.
It is maybe a bit of a "dream", but it feels good to try. ;-)
I have put the AI in the background now (learning mode) until next
Spring (2003) to see if I have done the training/data correctly.
Thank you for your patience... it's just hard to get professional feedback.
No prob.
> Crystal: I'll tell me when you set a new record.
I was just lightly commenting on Crystal's syntax. Nothing meant by it.
Wish you luck with everything.
;-)