ADS & DNS Namespace (70-217 forum archive, August 2003)
salv236

2003-08-20, 3:28 pm

Yeah, I tried what you said by trying to set up a child domain; however, I got an error message when I tried to log on with the administrator account from microsoft.com. I kept getting the following message: "the domain microsoft.com cannot be contacted. select a different domain name (if this domain was recently created its name may not yet be registered with the domain naming service)".
jeff_j_black

2003-08-20, 4:37 pm

First, these weren't connected to the Internet, correct?

So you had a DC in the domain microsoft.com and you were able to successfully install a server as a DC for a child domain? The particular message you are getting seems network (DNS) related.

Troubleshooting this is exactly what you need to be learning, so don't back off of it.
salv236

2003-08-20, 4:42 pm

They both seem to be getting IP addresses automatically and not manually, so I don't see where the problem lies.

The standalone server is a member of microsoft, which I can't join as a child domain.
salv236

2003-08-20, 5:08 pm

In the forward lookup zone I added a host file of the member server, added the computer name and its IP, and set up a name server; I still get the same problem.
jeff_j_black

2003-08-20, 5:09 pm

First off, manual addressing for all servers is a must.

Next, install 2K Server, install DNS, verify DNS. (If these are not connected to the Internet, then don't be concerned about the recursive test.)

If your servers have dynamic addressing or APIPA and DNS does not work right, there will be numerous problems.

After you have a network infrastructure that works, (name resolution) then run DCPROMO for your first domain. Any child domains need to be able to find the parent domain records in DNS for DCPROMO to work on the child domain DC.
yerlanguy

2003-08-23, 12:46 am

Jeff, I think you're great!

I have a similar, less obvious problem. My boss doesn't want W2K DNS running on our wire at all. He says I have to use his Novell 6 DNS test box (it's a Novell shop and I have to build one box to host W2K Advanced Server to be DC and Exchange 2K Enterprise server). We'll create at least one other DC later with a retired server.

Anyway, I was running DCPROMO on my test box and got the same message as our friend, when trying to create a child domain, "the domain ourdomain.ca cannot be contacted. select a different domain name (if this domain was recently created its name may not yet be registered with the domain naming service").

I went to the Novell DNS and added my server: an A record, an MS record, and an SRV record. Supposedly, Novell 6 DNS supports SRV and dynamic updates. Do I have to define a child domain in an upstream DNS before I can create it? Do I just give the DC the domain name ourdomain.ca? I think so; we are behind a major vendor's firewall so there is no exposure to the outside world.

I'm not convinced the Novell DNS test box has any links to upstream DNS boxes. It may just be sitting there in its own world for all I know.

I'm really looking forward to getting my head around DNS...

Any thoughts are appreciated,
jeff_j_black

2003-08-23, 10:27 am

Where your root DNS zone is hosted on a different platform, and that platform supports SRV records and dynamic update:

Your AD Forest Root Domain can use the DNS of the other platform. In this case your first Windows 2000 Domain controller would be installed as new domain in a new tree in a new forest and the domain name would be ourdomain.ca. Bear in mind that the DNS zone on the other platform would be populated with records from the servers and computers from your AD Domain. If this DNS zone is exposed to the public network there is risk of exposing all these records to the public network. If your boss requires that you build AD in the DNS zone ourdomain.ca hosted by the Novell platform, this is what you get.

The typical solution would be to delegate a DNS zone ad.ourdomain.ca and build your AD Forest Root ad.ourdomain.ca in this zone. Of course this would not satisfy what your boss wants, as the DNS zone ad.ourdomain.ca would be hosted on a Windows 2000 DNS server. This solution would, however, allow ourdomain.ca to be exposed to the public network without having internal AD DNS records exposed to the public network.

Correct me if I misunderstood what you wrote, but it sounds as though you are trying to make a child domain where the parent domain 'ourdomain.ca' is not a Windows 2000 AD Domain. This would not work. No matter what you do, your first Windows 2000 Domain Controller has to be installed in the first domain, in a new tree, in a new forest.

Think of DNS domain and Windows 2000 AD Domain as parallel phenomena. Create a DNS zone ourdomain.ca in DNS and AD Domain ourdomain.ca lives within that zone.

I hope this helps, please let me know.
yerlanguy

2003-08-25, 9:51 am

Thanks Jeff,

I'll share your text with my boss and we'll develop a plan. I'll then share this plan with you and our listeners.

Cheers!
jeff_j_black

2003-08-25, 1:48 pm

I'll be happy to discuss any questions and comments as you move ahead.
blackwidow

2003-08-26, 4:30 am

yerlanguy,

just use your Win2k box also as a DNS during DCPromo (make sure DNS address points back to server on LAN card settings) and select first domain in a new tree option. Name it whatever you propose (even ad.something.ca).

Once done, the second server, when you install it, will also use this DNS service. For outside lookups, forward requests from the Win2k DNS to the Novell box (you were going to use that DNS anyway, so it will use the wire regardless). Novell DNS can have a delegated zone back to the Win2k DNS.

Painless and a lot easier done (especially when you're talking about 1 server to begin with). No manual creation of records.
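One way to sanity-check the delegated-zone design Jeff and blackwidow describe (a parent ourdomain.ca zone on the Novell box delegating ad.ourdomain.ca to the Win2k DNS, which then holds the AD SRV records), as an added example that is not part of this thread: the zone text, hostnames and addresses below are constructed, and the parser is a minimal one written for the example.

```python
# Constructed parent zone on the Novell box, delegating the AD zone (example data).
PARENT_ZONE = """
$ORIGIN ourdomain.ca.
@           IN NS  novelldns.ourdomain.ca.
novelldns   IN A   192.0.2.10
ad          IN NS  dc1.ad.ourdomain.ca.   ; delegation to the Win2k DNS
dc1.ad      IN A   192.0.2.20             ; glue so the NS host is resolvable
"""
# Constructed AD zone hosted by the Windows 2000 DNS on the first DC.
AD_ZONE = """
$ORIGIN ad.ourdomain.ca.
@                         IN NS  dc1.ad.ourdomain.ca.
dc1                       IN A   192.0.2.20
_ldap._tcp.dc._msdcs      IN SRV 0 100 389 dc1.ad.ourdomain.ca.
_kerberos._tcp.dc._msdcs  IN SRV 0 100 88  dc1.ad.ourdomain.ca.
"""
# SRV owner-name prefixes the Windows DC locator registers under the AD domain.
AD_SRV_PREFIXES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")

def parse_zone(text):
    """Return [(owner_fqdn, rtype, rdata)]; handles $ORIGIN, '@', relative
    owner names, an optional IN class and ';' comments (no TTLs)."""
    origin, records = "", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[2:] if fields[1].upper() == "IN" else fields[1:]
        records.append((owner.rstrip(".").lower(), rest[0].upper(), " ".join(rest[1:])))
    return records

def missing_ad_srv(records, ad_domain):
    """Required SRV names (for ad_domain) that the zone does not contain."""
    present = {o for o, t, _ in records if t == "SRV"}
    return [f"{p}.{ad_domain}" for p in AD_SRV_PREFIXES if f"{p}.{ad_domain}" not in present]

def delegation_ok(records, child_zone):
    """True when the parent zone has NS records for child_zone and a glue A
    record for every name server that lives inside the delegated zone."""
    ns_hosts = [r.rstrip(".").lower() for o, t, r in records if o == child_zone and t == "NS"]
    glue = {o for o, t, _ in records if t == "A"}
    return bool(ns_hosts) and all(h in glue for h in ns_hosts if h.endswith("." + child_zone))
```

Run against the parent zone, `missing_ad_srv` reports both locator records absent for ourdomain.ca (the error in the thread), while the delegated ad.ourdomain.ca zone passes.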
jeff_j_black

2003-08-26, 9:37 am

Yes, the delegated zone for AD would be the better solution.
yerlanguy

2003-08-27, 12:15 am

Hi,

I haven't had time to discuss this with my boss yet. If I'm hearing you guys, I can install AD and depend on the Novell DNS. I've checked that this DNS is operational by having it defined as my exclusive DNS server on my W2K Pro workstation, and surfed the 'net OK.

Why then, when I run dcpromo and say that this server is hosting the first domain in the first tree of the first forest, does it tell me that it can't find a valid DNS? I'm guessing that Novell DNS is a secondary DNS off some master DNS server buried in the bowels of the vendor. And no capability exists to register an SRV... This place is locked down tighter than Fort Knox, so I wouldn't be surprised if I can't register an SRV record with the master DNS server even if I am communicating with it.

How would they react if, all of a sudden, I did install another DNS server? Can I do that and have it only deal with its own AD issues, and not talk to ANY other DNS servers? Is there literature available that presents this scenario? We have no exposure to the outside world from our subnets.

I'll not be using AD to DO anything; save for the fact that Exchange 2000 Enterprise depends on AD for its population, we wouldn't install it at all. All the workstations, principals, and policies will be managed by Zenworks 4.01.

Come-on back...
blackwidow

2003-08-27, 2:33 am

A DNS installed on an internal network on ANY machine, be it Novell or otherwise, cannot be reached from the outside world unless there is some glue attaching outside to inside. And with private IPs on the internal network, it's almost impossible that anyone will EVER be able to get to the DNS you put on the Win2k machine to make it a DC. Internal DNS can be pointed to go to another on the outside world, but the reverse requires a lot of magic and networking know-how, which, guessing from your setup, your company may not be ready for.

Hence, there's nothing to worry about putting DNS on your DC when doing DCPromo.

If your network is locked down like Fort Knox I wouldn't worry for a second about outside intrusion to your AD/DNS. Unless your boss knows of a backdoor entrance to Fort Knox.

jeff_j_black

2003-08-27, 9:34 am

It looks like you are indeed headed for a delegated DNS zone to support AD. I would definitely discuss it with your boss so the client can be made aware of the situation.

Again this would be the prescribed solution in cases where the network will continue to use another platform to host the original zone.

Although this is for Server 2003, it did a really good job, in a few pages, on DNS design. I think you'll find the DNS design discussed part-way into Chapter Two:
Designing and Deploying Directory and Security Services
yerlanguy

2003-08-27, 10:17 pm

I'm not sure why I need a delegated zone. We reviewed the Novell DNS today and it is a Primary, forwarding anything it can't resolve to a DNS across the router. We don't want to install DNS on W2K.

The only two boxes to be defined within AD are the first DC I install, which will host EXG2K, and a second DC to have the AD database replicated to.

Can't I specify that the AD root domain is ourdomain.ca, same as the Primary DNS Zone, without installing DNS locally? Or do I install DNS on the DC, with the same zone name as the primary, and then remove DNS from the DC after the successful creation of the AD root domain?
blackwidow

2003-08-27, 10:54 pm

yerlanguy,

my humble reading of your situation is that you are having a lot tougher time with your boss than is needed.

This seems like a very easy setup to me, but unless I really am not understanding some untold technical limitation of your network, I really cannot see why the DNS would be such an issue.

Thanks.
jeff_j_black

2003-08-27, 10:59 pm

You can if the existing zone supports dynamic update and SRV records. I will have to defer any comments on Netware 6 DNS capabilities in terms of being able to support AD.

I did a little reading and came to this:

Does Novell DNS have support for Active Directory?

quote:
Novell plans to include a DNS server that is fully BIND 9 compliant, and that will fully support Active Directory, in a future version of NetWare.


The article cited above does provide you with a solution.

Novell’s Support for Windows NT, Windows 2000, and Active Directory

This one will give you some background.
yerlanguy

2003-08-28, 9:35 pm

Hope to get back to it tomorrow. I'll set it up on the Novell DNS first and then become synonymous with ourdomain.ca. I'll let you all know.

Take a read of the first URL Jeff suggested, as it may apply to all non-8.12 compliant DNS servers.

Thanks again!
jeff_j_black

2003-08-29, 9:17 am

Good luck! Let us know how it goes.

Copyright 2003 - 2008 examnotes.net