rmscheck | Posts: 60 | 10/05/2008 12:31 AM
Hi there again..
While striving to maintain a global single forest/single domain topology in the effort of keeping it simple, I am wondering what are the limitations behind having a single DNS zone for something like this? Say you get to an obscene number of computer objects which all register dynamically and now you find yourself with a very large DNS list, what are the best practices behind running something like that?
I realize many of us equate a DNS zone in the same way we do an AD domain, or at least I do.. and that's probably bad on my part. However, I'm curious to know how the big boys handle this scenario?
Thanks in advance. Rand.
danholme | Posts: 128 | 10/05/2008 12:53 AM
I can speak for two of my big (five figure user base) clients who have single domain/forest topologies, and they use MS DNS with great success.
Having a "disjointed" DNS (which one other client has), in which clients receive DNS suffixes from DHCP that are different (e.g. site.company.com) than the AD domain (company.com) is suicide. It sucks. Don't do it unless you're paid by the hour.
Multimaster replication is huge as is secure dynamic updates. Don't forget to make sure you're scavenging not only your domain zone but your msdcs as well. Set up monitoring (e.g. SCOM) on your DNS activity.
Hope this little bit of encouragement helps. I'm a big fan of MS DNS cuz I've had great experiences with it, and lousy experiences without it.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar Sent: Saturday, October 04, 2008 6:28 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Large Single Forest/Single Domain DNS Growth
bdesmond | Posts: 357 | 10/05/2008 1:03 AM
So the DNS MMC UI sucks when you need to manage large volumes of records. Dnscmd however does the job, as does nslookup. You have to understand the output of nslookup in particular to make it (and dnscmd) a suitable replacement for the MMC. If you need to dig into a deep domain hierarchy, either have some decent docs of it, or if it's something like the base AD zones, use a dummy test forest with the UI to remember the paths. The latter is what I do.
Some large customers just do a flat hierarchy. Some large customers use BIND or QIP or some other DNS server. Some large customers do site based namespaces, e.g. I might be joined to northamerica.briandesmond.com, but my PC might be brianpc.chicago.northamerica.briandesmond.com. Some large customers do it completely disjoint, e.g. I'm joined to northamerica.briandesmond.com, but, I'm brianpc.mufflerbearingdivision.net.
It's all about what works for your environment and what you can build the infrastructure to manage. If you've got no toolset, automation, or solid process, I'd just go with the flat namespace matching your AD domain. If you have the know-how to engineer another system that works, go for it. As far as doing something other than the matching flat namespace, just remember that your average large company had DNS long before AD. Changing that can be a lot more expensive than not changing it.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
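The command-line inventory Brian describes, as an added example (not Brian's script or anything from the thread). It assumes the DnsServer PowerShell module from RSAT; `$DnsServer`, `$Zone` and `$StaleDays` are placeholder values to adjust.

```powershell
# Added example (not from the thread): inventory a large AD-integrated zone from the
# command line instead of the DNS MMC. Assumes the DnsServer module (RSAT);
# $DnsServer, $Zone and $StaleDays are placeholder values.
$DnsServer = 'dc01.company.com'   # assumption: any DNS server hosting the zone
$Zone      = 'company.com'        # assumption: the zone matching the AD domain
$StaleDays = 21                   # assumption: longer than no-refresh + refresh (default 7 + 7 days)

# One bulk read of the zone. The dnscmd form Brian mentions is roughly:
#   dnscmd $DnsServer /EnumRecords $Zone @ /Detail
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone

# 1. How the zone is growing: counts per record type.
$records | Group-Object RecordType | Sort-Object Count -Descending |
    Select-Object @{n='Type'; e={$_.Name}}, Count | Format-Table -AutoSize

# 2. Dynamic vs. static. Dynamically registered records carry a Timestamp; static
#    records (hand-maintained DC HOST records, for instance) have none.
$dynamic = @($records | Where-Object { $_.Timestamp })
$static  = @($records | Where-Object { -not $_.Timestamp })
"{0}: {1} dynamic, {2} static records" -f $Zone, $dynamic.Count, $static.Count

# 3. Dynamic records not refreshed within $StaleDays. With aging on, scavenging will
#    remove these; with aging off they are the "very large DNS list" that never shrinks.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = $dynamic | Where-Object { $_.Timestamp -lt $cutoff } |
    Select-Object HostName, RecordType, Timestamp |
    Sort-Object Timestamp
"{0} dynamic records older than {1} days" -f @($stale).Count, $StaleDays
$stale | Export-Csv -Path ".\$Zone-stale.csv" -NoTypeInformation
```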
listmail | Posts: 445 | 10/05/2008 12:27 PM
Ditto.
The biggest environments (6 figure) I'm used to seem to use disjoint spaces with third party DNS so the DNS management can be easily delegated to the local sites which is, for the most part, where the resources are managed.
Overall though, I mostly tell people to go with what they have experience with. If you know how to run MSFT DNS with non-disjoint namespaces well, probably best to stick with it. If you have people that know your DNS infrastructure backward and forward and run it on XYZ DNS Server in a super disjoint model, stick with that. AD doesn't really care either way.
And for my uber personal thoughts on DNS... Give me an ADI DNS that doesn't run on DCs... Members running ADAM would be just fine thanks, then we get away from the silly chicken/egg issue and the DNS records can be replicated outside of the DCs' AD replication. And note that using ADAM doesn't mean you can't run it on DCs... You can run ADAM on a DC... Also give me a MSFT DNS that can be easily delegated for administrative control across the board down to the zone or even record level with a web UI for people to manage it from.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Sunday, October 05, 2008 1:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Large Single Forest/Single Domain DNS Growth
Whether or not you can make AD work fine with 3rd party DNS mechanisms is really just a matter of whether or not the DNS admins are competent (I think anyway). I can rattle off a couple of ~150K seat customers that make BIND or some BIND based equivalent work just fine.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
rmscheck | Posts: 60 | 10/05/2008 8:27 PM
Thanks for the info!! I would love to hear more about disjointed namespaces and their impact on AD...
For one, how can you have a machine joined to contoso.com, yet its DNS suffix be fabrikam.com.. Won't that cause all sorts of problems with dynamic DNS updating, DNS lookups, machine communication, etc? Even to have this automatically done seems odd, since when you join a machine to contoso.com, it gets contoso.com as its primary suffix by virtue of the join, no? How would not only a disjointed namespace cause problems, but also actual different DNS servers... say for instance your contoso.com DNS servers being X,Y,Z and your fabrikam.com servers being servers A,B,C.. (I ask only because I've seen disjointed on the same DNS servers with multiple zones, but not on completely separate DNS servers..)
Sorry to stir up the pot.. this stuff intrigues me..
On Sun, Oct 5, 2008 at 11:22 AM, joe <listmail@joeware.net> wrote:
danholme | Posts: 128 | 10/05/2008 10:15 PM
This summarizes a recommendation that arose out of consensus of a team of engineers I worked with:
A critical requirement for system manageability is accurate DNS name resolution. This implies all types of records, but especially A, CNAME, SRV, and PTR. It also implies two critical characteristics of "accurate:" up to date and secure (i.e. unable to be hijacked). And it implies all types of managed systems: clients, servers, and domain controllers.
A hierarchical DNS namespace, which is not aligned with the Windows Active Directory Domain Services (ADDS) namespace can be problematic:
* Client-side configuration is required to change the Fully Qualified System Name attribute in Active Directory for each system. Active Directory also has to be configured to allow systems to self-register.
* Few companies have, to date, been unable to manage service principal names (SPNs) efficiently and with 100% accuracy.
Most troublesome is that applications exist which are not coded to support disjointed namespaces, and expect Windows systems (e.g. a computer named DESKTOP101) to have fully qualified domain names within the domain to which the systems belong (e.g. DESKTOP101.company.com). Technologies like SMS, Microsoft Operations Manager (MOM), PKI, and even Kerberos authentication itself (particularly for access to services) are tightly reliant on DNS, and while some (but not all) times the problems can be worked around, a disjointed namespace will absolutely increase total cost of ownership. Vista license servers, for example, will require manual creation of SRV records for each zone.
So you can have disjointed namespaces, but you'll run into troubles. In three clients I've seen 9 hours of troubleshooting in September alone just due to disjointed namespaces (e.g. forgetting to set SPNs correctly). Then you add other tools & clients to the mix, even tools like SMS & SCCM, and it gets hairy. You can make it all work, but man is it ugly. This is particularly true when you have workstations in your DNS zone, which is of course very helpful when it comes time to troubleshoot. I know you'll get other opinions on this list, but for me, it just ain't worth it.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar Sent: Sunday, October 05, 2008 2:23 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Large Single Forest/Single Domain DNS Growth
listmail | Posts: 445 | 10/06/2008 10:44 AM
I wonder if someone who knew what they were doing used a network sniffer if that 9 hours would have been significantly reduced. I see that regularly, company that has XYZ problem and can't work it out no matter what, someone finally listens and pulls up a network sniffer and 15-20 minutes later sees the problem in black and white. This goes for lots of problems though, it isn't limited to disjoint namespaces.
I've told this story about what happened many years ago but again I recall an issue where we had MCS guys on site trying to solve an issue with Exchange and them with the Exchange Alliance Premier PSS guys out of Texas troubleshot it for a couple of days and their final Hail Mary suggestion was that we needed to rerun forest prep. I asked why, what will that change? I was told it wouldn't change anything, I said, fine, I am not running it, I can change nothing just by not running it too. They said it needed to be run, I said why, what will it change? They said nothing. I said, you really aren't understanding the point here are you?? In order to fix something, the forest prep would have to change something... They kept going back to it and I finally said, what does the network trace say is happening? They said we don't have one. I said get one and I bet from the symptoms it is some form of name resolution issue. They got one and said, nope looks fine. I walked over to that side of the building, looked at the trace, within literally 30 seconds (probably closer to I walked up to the monitor and looked at it and saw the issue just after looking at it) I found a name resolution call that was failing. Exchange was being returned a FQDN and for whatever reason it was chopping that down to a short host name and trying to resolve through WINS and it was a WAN site Domain Controller and those specifically and purposely weren't resolvable in WINS. I told them "Ah yeah there it is.".
I was supposed to get a steak dinner from Morton's out of that one and MCS never delivered (what's the interest on something like that after 4-5 years??). A couple day troubleshooting session by MCS and PSS and I solved it in under 60 seconds with a network trace that no one thought to get before and then once they got it couldn't even determine what was wrong although it was glaringly obvious, well if you feel "Requested name does not exist" in the trace is glaringly obvious. I personally do.
The biggest place that I worked for had disjoints on the DNS/AD Domain name as well as on NetBIOS/AD Domain Name. It was a very simple configuration, each site (hundreds of sites) had one or more zones (thousands of zones) and we had a basically 5 domain forest (5 regional domains plus a root plus several app domains in reality). Local resources managed the local zones including the Domain Controller HOST (A) record. Nothing got registered in the zones that matched the AD Domains EXCEPT for the DC records. Anytime someone brought a rogue client or server online that didn't properly set the DNS Zone (the automated build took care of all of it, people never had to change the settings, it only got screwed up if they didn't use the official process) they would pop up in our AD Domain Zones and I would chase them down and their machine would get jailed (i.e. it was unusable in AD).
MOM and SMS both had issues with disjoint namespaces but that is something MSFT needed to fix. Early on we received a document from a high level MSFT manager that indicated that disjoint namespaces were fully supported and would remain so. We had deployed disjointed on original MSFT suggestion, then after deployed told it wasn't supported, and then got the official document a few weeks after that.
I never saw an issue with SPN generation resulting from the disjoint naming. The build processes completely handled the permissioning required. The worst I saw is if someone made a mistake and changed the IP on the static HOST record for the DCs. If they did that we caught it with my monitoring as soon as the name stopped resolving properly and we got it corrected. No big hoohoo at all. Ran fantastically well. DNS issues really and truly were not much of an issue at all for us. The next worse problem was that they didn't have scavenging enabled so a week after I figured that out I had a script that did it. Again, no big hoo hoo.
Doing all of that manually, yeah, it would likely get screwed up. People doing anything manually will get screwed up. Most people don't have that kind of focus, but a disjoint space is not a small company thing, it is a larger company thing and if you have a company big enough to enjoy the benefits of a disjoint, they really shouldn't be hand building clients or servers. That should all be automated. There are all sorts of consistency issues that occur that are corrected by that automation.
I would change the last paragraph wrapup to be "you might run into trouble" but then that is always the case with anything. Running a single domain space on ADI DNS servers doesn't mean you won't have an issue with DNS. Again I recommend following what your DNS support people know. The larger the org, the more likely you have existing disjoint DNS already anyway. Large orgs could never run on WINS alone like smaller companies did. DNS was not a new thing when Windows 2000 came out.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Sunday, October 05, 2008 10:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Large Single Forest/Single Domain DNS Growth
| | | |
| listmail
Posts:445
 | | 10/06/2008 10:50 AM |
| It gets the name only if the "change primary DNS Suffix when domain membership changes" is selected in the DNS Suffix and NetBIOS computer name dialog. Companies doing this make their build load modify the reg entry that forces that so that it isn't checked. Then whatever DNS name you set for the machine sticks.
Why can't contoso and fabrikam both be on XYZ and ABC? And if they aren't who cares? Do you host joeware.net or microsoft.com DNS entries on your DNS Server (hint... you don't unless you did something pretty weird)? Are you able to get to www.joeware.net? www.microsoft.com?
This is quickly getting into a how does DNS work conversation and we don't need to have it as there is a ton of docs on it on the web.
Let's just say basically that if a machine needs to update a record in pdq.com zone, it asks the DNS server it knows about, who is the authority for that zone and it sends the request there. There is no issue with dynamic updates unless you have it disabled or block it in some other way.
AD works fine with a disjoint space. That doesn't mean every app out there does, but if you find an app that has issues with it like MOM and SMS did (they are supposed to be fixed by now as those issues were reported back in 2003/2004 at the latest) then those are issues with those apps, not AD.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rand Salazar Sent: Sunday, October 05, 2008 8:23 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Large Single Forest/Single Domain DNS Growth
Thanks for the info!! I would love to hear more about disjointed namespaces and its impact on AD... 
For one, how can you have a machine joined to contoso.com, yet its DNS suffix be fabrikam.com.. Won't that cause all sorts of problems with dynamic DNS updating, DNS lookups, machine communication, etc? Even to have this automatically done seems odd, since when you join a machine to contoso.com, it gets contoso.com as its primary suffix by virtue of the join, no?
How would not only a disjointed namespace cause problems, but also actual different DNS servers... say for instance your contoso.com DNS servers being X,Y,Z and your fabrikam.com servers being servers A,B,C.. (I ask only because I've seen disjointed on the same DNS servers with multiple zones, but not on completely separate DNS servers..)
Sorry to stir up the pot.. this stuff intrigues me..
On Sun, Oct 5, 2008 at 11:22 AM, joe <listmail@joeware.net> wrote:
Ditto.
| | | |
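An added check for the disjoint-namespace setup discussed above (not code from the thread or from any of its posters): it reads the registry value behind the "change primary DNS suffix when domain membership changes" checkbox, compares the member's primary DNS suffix with its AD domain, and, when they differ, verifies the suffix is allowed in msDS-AllowedDNSSuffixes and that the host's A record actually registered in the zone that owns the suffix. The registry path and attribute name are the standard Windows/AD ones; the output object layout is this example's own.

```powershell
# Added example: is this member in a disjoint DNS namespace, and is it set up correctly?
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$p = Get-ItemProperty -Path $tcpip

# 'NV Domain' is the persisted primary DNS suffix; 'Domain' is the one currently in use.
$primarySuffix = $p.'NV Domain'
if (-not $primarySuffix) { $primarySuffix = $p.Domain }

# SyncDomainWithMembership = 1 (or absent, the default) means the checkbox is set and
# the suffix is rewritten to the AD domain's DNS name whenever domain membership changes.
$sync = $p.SyncDomainWithMembership
if ($null -eq $sync) { $sync = 1 }

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { Write-Warning 'Not domain-joined; nothing to compare.'; return }
$adDomain = $cs.Domain

[pscustomobject]@{
    Computer           = $cs.Name
    ADDomain           = $adDomain
    PrimaryDnsSuffix   = $primarySuffix
    SyncWithMembership = [bool]$sync
    Disjoint           = ($primarySuffix -ne $adDomain)
}

if ($primarySuffix -ne $adDomain) {
    # Disjoint namespace: the suffix must be listed in msDS-AllowedDNSSuffixes on the
    # domain NC, otherwise the DC rejects the computer's attempt to set its dNSHostName.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext
    $domainNc = [ADSI]"LDAP://$domainDn"
    $allowed  = @($domainNc.'msDS-AllowedDNSSuffixes')
    if ($allowed -notcontains $primarySuffix) {
        Write-Warning "'$primarySuffix' is not in msDS-AllowedDNSSuffixes on $domainDn"
    }

    # The dynamic update goes to whichever server is authoritative for the suffix's zone,
    # so confirm the record exists there rather than in the AD domain zone.
    $fqdn = "$($cs.Name).$primarySuffix"
    try {
        Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Select-Object Name, IPAddress
    } catch {
        Write-Warning "No A record found for $fqdn; check dynamic update permissions on that zone."
    }
}
```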