Microsoft windows 2000 DNS Server User Manual
secondary zones can be upgraded to DS integrated zones. At this point non-Microsoft DNS servers can be safely retired and removed from the network.
Deploying DNS to Support Active Directory
If you are designing a brand new network environment, the process of deploying Active Directory service/Windows 2000 DNS is relatively straightforward. Chances are, however, that the Active Directory service you are designing will need to be integrated into an existing DNS infrastructure.
Partitioning, and Replication (Choosing your Zones)
When designing a DNS namespace for an Active Directory, the emphasis should be placed on creating an effective partition and replication topology while keeping replication and update traffic to a minimum.
The following domain/zone configuration is recommended:

Each Active Directory domain should have a DNS zone corresponding to the name of the domain. This zone should be configured on a DNS server running on the Domain Controllers in that Active Directory domain. The zone should be Active Directory-integrated.

DNS servers should be running on at least two domain controllers in each Active Directory domain and on at least one Domain Controller in each site.

Since most of the records ending with the “_msdcs.<DnsForestName>” suffix should be accessible throughout the entire forest, it can be useful to delegate a zone “_msdcs.<DnsForestName>” from the zone “<DnsForestName>”. All DNS servers in the enterprise that are connected to the primary servers for the “_msdcs.<DnsForestName>” zone over slow or non-permanent links should be configured as secondary servers for the “_msdcs.<DnsForestName>” zone. One DNS server from each site should be configured to poll the “_msdcs.<DnsForestName>” zone transfer from a primary server. All other DNS servers in the site poll the zone transfer from the chosen DNS server in that site. The primaries should not notify the secondaries of any changes in the zone; the secondaries will pull updates from the primaries at the zone refresh interval. The DNS server that polls the zone transfer directly from the primary server should be configured to notify all other DNS servers in the same site. This configuration does not flood the network with zone replication traffic, while still enabling clients in the child domains to resolve DNS queries addressed to the “_msdcs.<DnsForestName>” zone when the link is down.
The configuration of the reverse lookup zones is not based on the Windows 2000 domain structure. Instead, it is based on the range of IP addresses assigned to a company. If a company is assigned class B IP addresses such as 172.56.X.Y, then a reverse lookup zone of 56.172.in-addr.arpa. will be created. It may contain delegations to other domains, such as 1.56.172.in-addr.arpa., 2.56.172.in-addr.arpa. and so on. It is also possible to configure classless reverse lookup zones as described in the Internet Draft “Classless IN-ADDR.ARPA delegation”.
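To make the reverse-zone naming concrete, the following is an added Python example (not from the white paper) that derives the classful in-addr.arpa zone for an allocation such as 172.56.0.0/16, lists the child zones it delegates, and builds the RFC 2317 style NS and CNAME records a parent /24 zone needs for a classless delegation. The block 192.0.2.128/26 and the name server ns1.example.net. are constructed sample values.

```python
import ipaddress
from typing import List

ARPA = "in-addr.arpa."


def reverse_zone_name(network: str) -> str:
    """Zone name covering `network`.

    Classful allocations (/8, /16, /24) map to a zone at the octet boundary,
    e.g. 172.56.0.0/16 -> 56.172.in-addr.arpa.  Blocks smaller than a /24 get
    the classless "<first>/<len>" label inside the enclosing /24 zone.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    octets = str(net.network_address).split(".")
    if net.prefixlen > 0 and net.prefixlen % 8 == 0:
        n = net.prefixlen // 8
        return ".".join(reversed(octets[:n])) + "." + ARPA
    if net.prefixlen > 24:
        parent = ".".join(reversed(octets[:3])) + "." + ARPA
        return f"{octets[3]}/{net.prefixlen}.{parent}"
    raise ValueError("prefix must be /8, /16, /24 or longer than /24")


def child_zones(network: str, child_prefix: int) -> List[str]:
    """Zones the parent delegates, e.g. a /16 handing out its /24s:
    172.56.0.0/16 -> ['0.56.172.in-addr.arpa.', '1.56.172.in-addr.arpa.', ...]"""
    net = ipaddress.ip_network(network, strict=True)
    return [reverse_zone_name(str(sub)) for sub in net.subnets(new_prefix=child_prefix)]


def classless_delegation(network: str, nameserver: str) -> List[str]:
    """Records the parent /24 zone needs to hand a sub-/24 block to `nameserver`
    (RFC 2317 style): one NS for the '<first>/<len>' label, then one CNAME per
    address pointing into that delegated zone."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("classless delegation applies only to blocks smaller than a /24")
    child = reverse_zone_name(network)            # e.g. 128/26.2.0.192.in-addr.arpa.
    parent = child.split(".", 1)[1]               # strip the "<first>/<len>" label
    records = [f"{child} IN NS {nameserver}"]
    for addr in net:                              # every address in the block
        last = str(addr).split(".")[3]
        records.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return records
```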
SUMMARY