Any Benefit of Secondary over Stub Zones?

  • Any Benefit of Secondary over Stub Zones?

    So we have a parent domain parent.corp and a child domain child.parent.corp. Both DCs are, obviously, DNS servers as well.

    The Parent DC server PDC has a Primary AD Integrated Zone (authoritative for the domain) of parent.corp. It has delegated to the Child DC server CDC the "sub-domain" child of parent.corp .

    The Child DC/DNS server CDC has a Primary AD Integrated Zone (authoritative for the domain) of child.parent.corp.

    My question to you is: is it better to set up Stub zones or Secondary zones on the parent/child domains back to the child/parent domains, respectively? And do I even need a secondary zone in the parent domain if I have a delegation? (I'm going to need a stub or secondary in the child though.) Or should I set each domain up with primary/secondary zones instead?

    I know that with Secondary zones you will need Notify to make the secondary zones aware of any changes, adding the appropriate DC servers to the Name Servers and Notify Servers in the zone properties. A benefit is coverage if the primary server goes down, and local processing (for slow WAN traffic).

    The Stub zone will transfer automatically using zone transfers, provided we add them appropriately to Name Servers. The added benefit is conditional forwarding of the requests on to the appropriate DC/DNS server within the organization.
    Last edited by stamandster; 10th March 2009, 19:42.
    GoogleFu is strong with this one ^

  • #2
    Re: Any Benefit of Secondary over Stub Zones?

    No you do not need secondary zones if you are using AD Integrated DNS zones as the zone information is stored in Active Directory database.

    Only use primary/secondary zones if the server is a DNS server only and not a DC.
    It is always a good idea to have at least two servers as DNS servers.



    • #3
      Re: Any Benefit of Secondary over Stub Zones?

      Since you are storing your DNS zones in AD, I wouldn't consider Secondary zones, as they can't be AD integrated, as previously mentioned.
      So you are left with the existing primary zones, for which you can set the replication scope to "All DNS servers in the forest". That stores the zone in the ForestDnsZones application partition. Alternatively, create a stub zone, make it AD integrated and choose the relevant replication scope.
      I'd personally just do the first, but it all depends on your requirements.

      Cheers
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: Any Benefit of Secondary over Stub Zones?

        Thanks for all the suggestions.


        | Option One -

        Parent Domain
        -> Parent.corp - Primary AD Int, To all DC's in the parent.corp domain
        ---> Child - Delegation to Child.Parent.Corp zone in the Child domain
        Child Domain
        -->Child.Parent.Corp - Primary AD Int, To all DC's in the child.parent.corp domain
        --> Parent.corp - Secondary Zone back to Parent.corp (probably on just one main DC/DNS server)

        Set Name Servers to all DNS servers that will be replicating and transferring zone information.


        | Option Two -

        Parent Domain
        -> Parent.corp -- Primary AD Int, To all DNS servers in the Forest
        ---> Child - Sub-Domain of the Parent.corp Zone
        Child Domain
        -> Parent.Corp - Stub zone back to the main Parent DC/DNS server

        Set Name Servers to all DNS servers that will be replicating and transferring zone information.


        I'm personally more inclined to go with option one because our Child domain is much larger (many more servers, many locations and workstations) than our Parent domain (two DCs, two locations and no workstations). Basically the parent domain was initially set up as a "security" domain, which is not best practice now. I don't want machines having to get their DNS information from the Parent domain (which resides at two locations). I want to keep the SOA master within the Child domain (which has many locations and DCs/DNS servers).

        For a little history on why we are doing this: the DNS was never really set up properly, since way before I joined the organization, and we're experiencing split-brain DNS between the parent/child domains. We also want to eventually go to a single domain, parent.corp.
        Last edited by stamandster; 11th March 2009, 14:36.


        • #5
          Re: Any Benefit of Secondary over Stub Zones?

          Originally posted by stamandster:
          Thanks for all the suggestions.


          | Option One -

          Parent Domain
          -> Parent.corp - Primary AD Int, To all DC's in the parent.corp domain
          ---> Child - Delegation to Child.Parent.Corp zone in the Child domain
          Child Domain
          -->Child.Parent.Corp - Primary AD Int, To all DC's in the child.parent.corp domain
          --> Parent.corp - Secondary Zone back to Parent.corp (probably on just one main DC/DNS server)

          Set Name Servers to all DNS servers that will be replicating and transferring zone information.
          How about a simpler and more secure setup:


          Parent Domain
          -> Parent.corp - Primary AD Integrated zone.
          Replication scope: to all DNS servers in the forest

          Child Domain
          ->Child.Parent.Corp - Primary AD Integrated zone
          Replication scope: to all DNS servers in the forest

          Both zones are stored in the application partition: more secure, and no need to worry about zone transfers.
          Just make sure replication is functioning properly!!

          Cheers


          • #6
            Re: Any Benefit of Secondary over Stub Zones?

            Well that works nicely

            I'll be testing today. Thanks again all!

            Any specific security I need to worry about?
            Last edited by stamandster; 11th March 2009, 17:04.


            • #7
              Re: Any Benefit of Secondary over Stub Zones?

              Originally posted by stamandster:
              Well that works nicely

              I'll be testing today. Thanks again all!

              Any specific security I need to worry about?
              As you will be running AD integrated zones, make sure Secure Dynamic Updates is turned on by setting it to "Only Secure updates" on the Properties of each DNS zone.



              • #8
                Re: Any Benefit of Secondary over Stub Zones?

                Thanks for the suggestions all

                What's very weird is that the child domain primary ad int. zone has a replication scope of all Domain Controllers in the child domain. However, there's a forestdnszone partition and no domaindnszone partition.

                It looks as though it's still "there" but not enlisted. Must've been deleted at some point via the DNS console.
                Last edited by stamandster; 13th March 2009, 15:01.


                • #9
                  Re: Any Benefit of Secondary over Stub Zones?

                  Originally posted by stamandster:
                  Thanks for the suggestions all

                  What's very weird is that the child domain primary ad int. zone has a replication scope of all Domain Controllers in the child domain. However, there's a forestdnszone partition and no domaindnszone partition.

                  Is there a way to fix that? Should I just create the "domain" DomainDnsZone itself via the DNS console? And then restart dns and netlogon? Delete the old one via adsi? Right click on the server and tell it to "Create Default Application Partition Directories"?
                  With the replication scope you have selected the copy of the DNS zone will be stored on the Domain partition and not on the Application partition.

                  By default the DNS server service should create the Application partitions. If you select the replication scope as "All DNS servers in the domain" the DomainDNSzone application partition will be created and the zone will be stored there.
                  However if for some reason the DNS server service is unable to create it you could do it manually with the Dnscmd command.

                  dnscmd ServerName /CreateBuiltinDirectoryPartitions /Domain

                  Check Dnscmd /? for more info.

                  Cheers
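An added audit script (not from this thread or any of its posters) that checks a DNS server for the three things the replies above settle on: AD-integrated primaries with a forest-wide replication scope (#5), secure-only dynamic updates (#7), and built-in application partitions that exist and are enlisted (#9/#10). It assumes Windows Server 2012 or later with the DnsServer PowerShell module; the dnscmd switches the thread uses are given in each finding as the equivalent fix.

```powershell
# Added example, not from the thread. Reports deviations from the recommended
# setup and names the dnscmd command that would correct each one.
# Assumption: DnsServer module available (Windows Server 2012+).
function Get-DnsZoneFindings {
    param([string]$Server = $env:COMPUTERNAME)   # assumption: local DNS server by default
    $findings = @()

    # Forward-lookup primary zones created by admins (skip auto-created and reverse zones).
    $zones = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
    foreach ($z in $zones) {
        if (-not $z.IsDsIntegrated) {
            # File-backed primary: depends on zone transfers and NOTIFY to stay in sync.
            $findings += "$($z.ZoneName): not AD-integrated (dnscmd $Server /ZoneResetType $($z.ZoneName) /DsPrimary)"
        } elseif ($z.ReplicationScope -ne 'Forest') {
            # Domain/Legacy scope keeps the zone out of ForestDnsZones (post #5 recommends Forest).
            $findings += "$($z.ZoneName): replication scope '$($z.ReplicationScope)', partition '$($z.DirectoryPartitionName)'"
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            # NonsecureAndSecure lets any host register or overwrite records it does not own.
            $findings += "$($z.ZoneName): dynamic update '$($z.DynamicUpdate)' (dnscmd $Server /Config $($z.ZoneName) /AllowUpdate 2)"
        }
    }

    # Built-in partitions: Flags should read 'Enlisted Auto Domain' / 'Enlisted Auto Forest'.
    # A partition that exists but is not enlisted (post #10) holds no copy for this server.
    $parts = Get-DnsServerDirectoryPartition -ComputerName $Server
    foreach ($type in 'Domain', 'Forest') {
        $p = $parts | Where-Object { $_.DirectoryPartitionName -like "${type}DnsZones.*" } | Select-Object -First 1
        if (-not $p) {
            $findings += "${type}DnsZones partition missing (dnscmd $Server /CreateBuiltinDirectoryPartitions /$type)"
        } elseif ($p.Flags -notmatch 'Enlisted') {
            $findings += "$($p.DirectoryPartitionName): server not enlisted (dnscmd $Server /EnlistDirectoryPartition $($p.DirectoryPartitionName))"
        } elseif ($p.Flags -notmatch 'Auto') {
            $findings += "$($p.DirectoryPartitionName): enlisted but not flagged Auto; compare with the other built-in partition"
        }
    }
    return $findings
}

# Usage: run on a DC/DNS server; an empty result means every check passed.
$result = Get-DnsZoneFindings
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings.' }
```

The same settings can be changed with Set-DnsServerPrimaryZone (-ReplicationScope Forest, -DynamicUpdate Secure) on servers that have the module; the dnscmd forms are shown because that is the tool the thread uses.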


                  • #10
                    Re: Any Benefit of Secondary over Stub Zones?

                    Thanks L4ndy... I guess you started writing after I rewrote my post. The partition is actually there but not enlisted.

                    I've been testing in a vmware test domain I setup. I can re-enlist and everything works nicely. But the partition isn't set to auto like the others. Trying to figure out how to set that now.

                    Maybe delete the partition then run the auto create partition?