Our company consists of two dislocated offices (divisions). Each office runs its own site/domain, MAMMALS.CORP.ANIMALS.COM and FISHES.CORP.ANIMALS.COM, respectively.
Both domains are Win2K native; we use exclusively TCP/IP and DNS (i.e., no NetBIOS, WINS, etc.). Since no server is running what would be the root corp.company.com, both domains act as separate trees. Therefore, we have a single AD, a single forest, but two trees/domains that are manually set to transitively trust each other.
Both offices are permanently connected to the Internet, and we also use it for our permanent VPN inter-site connection.
Each office (domain) runs its own GC/DC/DNS/DHCP server, called LION.MAMMALS.CORP.ANIMALS.COM and SHARK.FISHES.CORP.ANIMALS.COM, respectively. All workstations (incl. notebooks for frequent-fliers between the offices) are set to use the DHCP service to obtain a dynamic IP address, gateway address, DNS and time server addresses.
Although we have two offices (divisions), we are still a relatively small company, hence we maintain unique user names and computer names across the company, e.g., there is only one computer called TIGER (MAMMALS domain) and only one computer called TUNA (FISHES domain).
The DNS zone CORP.ANIMALS.COM (no corresponding AD domain under this name) is maintained as a primary DNS zone on the DNS server LION (this was our first DC; it also serves all four FSMO roles), and copied as a secondary DNS zone to SHARK. The DNS subzone MAMMALS.CORP.ANIMALS.COM is delegated to the server LION and maintained there as an AD integrated zone. Correspondingly, FISHES.CORP.ANIMALS.COM is delegated to its SHARK server and maintained there as an AD integrated zone. For everything else outside CORP.ANIMALS.COM, LION and SHARK forward their queries to the corresponding external DNS server...
So far so good. Still, I've got two questions regarding optimization or easing maintenance:
1) To make the internal DNS resolution faster (e.g., when workstation TIGER is looking for the IP address of the workstation TUNA), we want to copy the FISHES.CORP.ANIMALS.COM DNS subzone to the server LION as well as to copy the MAMMALS.CORP.ANIMALS.COM DNS subzone to the server SHARK. Should these copies be secondary zones or AD integrated zones?
I remember there was a similar question on one of the certification tests. I think I opted at that time for the copies to be AD integrated zones. Although I passed that exam, I am now 99+% sure that the copies must be maintained as the corresponding secondary zones.
Indeed, the MAMMALS domain is exclusively managed by the DC/DNS server LION; the DNS server SHARK only needs to keep a passive copy of this zone for faster resolution. Therefore, running MAMMALS as a secondary zone on SHARK is just enough, assuming that dynamic notification of this zone's changes from LION to SHARK is properly configured.
Therefore, the "secondary zone" option is a good enough answer; it works properly. Of course, the "primary zone" option for those copies would be definitely wrong (and impossible to set up that way); there couldn't be two primary copies of the same zone, or one AD integrated and another primary.
The answer "AD integrated" would be an intriguing option; inexperienced at that time, I thought it was what MS wanted to hear from a cert candidate. However, as an AD integrated zone on its DC/DNS server LION, the MAMMALS DNS zone is part of that AD domain's internal information. It would be automatically replicated to all other DC servers for the same (!) AD domain MAMMALS, but SHARK is the DC serving another AD domain called FISHES. There is some AD replication between the GC (global catalog) servers LION and SHARK, but again, the MAMMALS DNS zone, as AD internal domain information, doesn't fit into this replication. Therefore, if MAMMALS.CORP.ANIMALS.COM were maintained as an AD integrated zone copy on SHARK, no dynamic changes from LION would ever replicate to SHARK; SHARK would constantly keep the state of this zone as it was at the moment the zone copy was created.
Please correct me if I am wrong, but this is indeed what I observed in real life, and also how I later understood inter- and intra-domain AD replication affairs (this time reading the more thorough Resource Kit and no longer the shit certification literature). Does anybody have a better (more elegant) idea how to set up our DNS infrastructure, following the objectives listed above? However, let me emphasize again: our DNS infrastructure does work correctly set up as described above.
2) As said above, computer names are in fact unique across the company (e.g., a unique TIGER host belonging to the MAMMALS domain). To make life easier, we want to be able to resolve such short names instead of the corresponding FQDNs. E.g., one wants to ping the TIGER host from his TUNA workstation (sitting in the other FISHES office/site/domain). By default, his TUNA computer would add its own domain suffix MAMMALS.CORP.ANIMALS.COM to the non-FQDN name TIGER, therefore it would query its SHARK host asking for the TIGER.FISHES.animals.com FQDN to be resolved. SHARK cannot find such a name in its FISHES zone, so it responds negatively.
There would be no problem here if we were running WINS in parallel; as explained earlier, we want to stay exclusively with DNS as the Win2K native name resolution service.
To fix this problem, the TCP/IP properties on the TUNA host (as well as on all other computers in both our offices) have to be manually fixed: under "Advanced", "DNS" tab, instead of the default "Append primary and connection specific DNS suffixes", "Append these DNS suffixes" must be manually chosen and the FISHES.CORP.ANIMALS.COM and MAMMALS.CORP.ANIMALS.COM suffixes manually typed in: FISHES first, MAMMALS second on the FISHES office computers, and vice versa on the MAMMALS office computers, for better performance.
It's troublesome, especially since all other TCP/IP options are centrally maintained and obtained from the DHCP servers (LION and SHARK, respectively).
Hence, I am asking: is it somehow also possible to specify these suffixes under the corresponding DHCP options, so that all workstations obtain them automatically? Or any other useful suggestion? We also ran into trouble here when experimenting with alternative non-Windows operating systems on our workstations: DHCP registration would work OK, hence routing plus internal and external DNS resolution; however, it wasn't possible to teach such a host to try appending the alternative DNS suffix when querying for names from the other office (e.g., if TUNA were running Linux and querying for TIGER as above).
Thanks in advance for your useful comments, suggestions, sharing of experience, etc.
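As an added example (not from ivo's post), here are the dnscmd commands for the secondary-zone layout discussed in question 1, each office's AD integrated zone mastered on its own DC and a plain secondary copy on the partner. It also restricts zone transfers and change notifications to the partner server only, which is what makes the "passive copy" safe to run; the IP addresses are placeholders, not from the post, and dnscmd.exe from the Windows 2000 Support Tools is assumed.

```batch
@echo off
rem Added example, not part of the original post. Assumes the Win2K Support
rem Tools (dnscmd.exe) and admin rights on both DNS servers LION and SHARK.
rem Placeholder addresses (constructed, not from the post):
set LION_IP=192.0.2.10
set SHARK_IP=192.0.2.20

rem --- LION keeps MAMMALS as its AD integrated zone. Only tell it which
rem     server may pull the zone and which server gets NOTIFY on changes:
rem     SHARK alone, instead of leaving transfers open to any requester.
dnscmd LION /ZoneResetSecondaries mammals.corp.animals.com /SecureList %SHARK_IP% /NotifyList %SHARK_IP%

rem --- LION gets a read-only (secondary) copy of FISHES, mastered by SHARK.
dnscmd LION /ZoneAdd fishes.corp.animals.com /Secondary %SHARK_IP%

rem --- SHARK: mirror image of the above.
dnscmd SHARK /ZoneResetSecondaries fishes.corp.animals.com /SecureList %LION_IP% /NotifyList %LION_IP%
dnscmd SHARK /ZoneAdd mammals.corp.animals.com /Secondary %LION_IP%

rem --- Pull the copies once now rather than waiting for the SOA refresh
rem     timer, so a lookup of a partner-office host works immediately.
dnscmd LION /ZoneRefresh fishes.corp.animals.com
dnscmd SHARK /ZoneRefresh mammals.corp.animals.com

rem --- Check: the copy must report type Secondary with the partner as
rem     master, and the master must list only the partner as allowed
rem     transfer target. Anything else means the copy will go stale or
rem     the zone can be dumped by any host that asks for AXFR.
dnscmd SHARK /ZoneInfo mammals.corp.animals.com
dnscmd LION /ZoneInfo mammals.corp.animals.com
dnscmd LION /ZoneInfo fishes.corp.animals.com
dnscmd SHARK /ZoneInfo fishes.corp.animals.com
```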
... Since no server is running what would be the root corp.company.com...
Typo, that (non-existing) root domain would be of course CORP.ANIMALS.COM (!).
2) ... By default, his TUNA computer would add its own domain suffix MAMMALS.CORP.ANIMALS.COM..., therefore it would
query its SHARK host asking for the TIGER.FISHES.animals.com...
Typo: TUNA, being a fish, would of course append its domain suffix FISHES.CORP.ANIMALS.COM (!), hence it would make a query to the SHARK DNS server (!) for the TIGER.FISHES.CORP.ANIMALS.COM (!) FQDN.
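On question 2, as an added note and example (not from the post): the Windows 2000 DHCP client has no option that carries a suffix search list (the DHCP domain-search option, number 119, is understood by Linux resolvers but is ignored by the Windows DHCP client), so the list cannot come from LION's or SHARK's DHCP scope for the Windows hosts. What the "Append these DNS suffixes" dialog actually writes is the SearchList registry value, which can be set by a script instead of by hand; the script below does that and assumes reg.exe is available and that it runs with administrative rights, e.g. as a GPO startup script. The script name setsearch.cmd is hypothetical.

```batch
@echo off
rem Added example, not part of the original post. Sets the Win2K DNS suffix
rem search list (TCP/IP > Advanced > DNS > "Append these DNS suffixes")
rem without touching the GUI on every workstation. Assumes reg.exe and
rem administrative rights (HKLM is written), e.g. a GPO startup script.
rem Usage (hypothetical name): setsearch.cmd fishes   or   setsearch.cmd mammals
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

rem Own office suffix first, the other office second, exactly the order the
rem post recommends for performance (the first suffix is tried first).
if /i "%1"=="fishes"  set LIST=fishes.corp.animals.com,mammals.corp.animals.com
if /i "%1"=="mammals" set LIST=mammals.corp.animals.com,fishes.corp.animals.com
if not defined LIST (
  echo usage: %0 fishes ^| mammals
  exit /b 1
)

rem A non-empty SearchList replaces the default "primary and connection
rem specific suffix" behaviour; the resolver then tries TIGER.fishes.corp.
rem animals.com and, on a negative answer, TIGER.mammals.corp.animals.com.
reg add %KEY% /v SearchList /t REG_SZ /d "%LIST%" /f

rem Check the stored value, then drop cached negative answers (the earlier
rem failed TIGER.fishes... lookups) so the new search order is used at once.
reg query %KEY% /v SearchList
ipconfig /flushdns
```

For the Linux workstations mentioned in the post the equivalent is the `search` line in /etc/resolv.conf, which their DHCP client can fill from option 119 if the DHCP server is made to hand it out; the Windows hosts still need the registry value above.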
"ivo" <ivo.p...@vip.hr> wrote in message news:akl4rh$sa5$1...@sunce.iskon.hr...
"John" <jo...@nospam.com> wrote in message news:akomc4$l75$1...@news.hccnet.nl...