<div dir="ltr"><div class="gmail_extra"><div>Hi Lawrence, <br><br></div><div>I'm going to answer your questions a bit out of order, but hopefully things'll still be clear.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
How do you have an AD domain where your AD servers aren't authoritative for itself?<br>
<br></blockquote><div><br></div><div class="gmail_quote">This is how our AD domain is set up -- the root of the AD domain is <a href="http://brandeis.edu" target="_blank">brandeis.edu</a>,
but the domain controllers do not run the MS DNS Server service.
Client computers get the main campus DNS resolvers via DHCP, and are set not to
use the MS DNS Client service. We've set up dynamic zones in BIND for
the zones needed by AD: _<a href="http://msdcs.brandeis.edu" target="_blank">msdcs.brandeis.edu</a>, _<a href="http://tcp.brandeis.edu" target="_blank">tcp.brandeis.edu</a>, _<a href="http://udp.brandeis.edu" target="_blank">udp.brandeis.edu</a>, etc.<br>
<div>
<br></div><div>Microsoft TechNet has some really thorough docs on this:<br><br><a href="http://technet.microsoft.com/en-us/library/dd316373.aspx">http://technet.microsoft.com/en-us/library/dd316373.aspx</a><br><br></div>
<div>It's a bit dated, but the principles still apply. The more general Microsoft docs:<br><br><a href="http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx">http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx</a><br>
<a href="http://technet.microsoft.com/en-us/library/cc772774%28v=ws.10%29.aspx">http://technet.microsoft.com/en-us/library/cc772774%28v=ws.10%29.aspx</a><br><br></div><div>are also quite good.<br></div><div><br><br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Had a strange problem where our servers couldn't resolve hosts in an AD subdomain.<br></blockquote>
<div><br>Can you clarify the problem a bit here? Is it that the
authoritative nameservers for <a href="http://foo.example.com">foo.example.com</a> are unable to resolve
<a href="http://ads.foo.example.com">ads.foo.example.com</a>? Do the <a href="http://foo.example.com">foo.example.com</a> servers look to themselves for recursion?
Am I correct that a department on campus is running their own AD
environment with a root of <a href="http://ads.foo.example.com">ads.foo.example.com</a>, and you simply delegate
the subdomain to them? <br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
This was in the zone file:<br>
<br>
$ORIGIN <a href="http://foo.example.com" target="_blank">foo.example.com</a>.<br>
...<br>
ads NS <a href="http://ads.foo.example.com" target="_blank">ads.foo.example.com</a><br>
...<br>
...<br>
...<br>
ads A a.b.c.d<br>
...<br>
...<br>
...<br>
<br></blockquote><div><br></div><div>This looks pretty normal if you're delegating the <a href="http://ads.foo.example.com">ads.foo.example.com</a> zone to a server called <a href="http://ads.foo.example.com">ads.foo.example.com</a>. A little confusing to use the same name for the nameserver as the subdomain itself, but it seems like it should work.<br>
<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
So changing to:<br>
<br>
$ORIGIN <a href="http://foo.example.com" target="_blank">foo.example.com</a><br>
...<br>
ads NS <a href="http://dc2.foo.example.com" target="_blank">dc2.foo.example.com</a>.<br>
NS <a href="http://dc3.foo.example.com" target="_blank">dc3.foo.example.com</a>.<br>
dc2 A a.b.c.e<br>
dc3 A a.b.c.f<br>
...<br>
<br></blockquote><br></div><div>This looks very odd indeed. If the root of the AD domain is <a href="http://ads.foo.example.com">ads.foo.example.com</a>, why do the DCs live in the parent zone? Is that something you allow? The first zone config looked more appropriate.<br>
<br></div><div>Without going any further into this, it looks as though the department may have set their AD domain up as "<a href="http://foo.example.com">foo.example.com</a>" when in reality it should be "<a href="http://ads.foo.example.com">ads.foo.example.com</a>." Can you clarify this?<br>
<br></div><div>John<br></div></div></div></div>