Need help with global AD DNS server placement

ken444444 wrote:

I have an existing 6-site Windows 2000 AD installation for about 125 users. It will be upgraded to Windows 2003 AD. Currently, the infrastructure is strung together with no logic about which servers run DNS or what DNS servers each domain controller looks to for DNS. I can't believe it all works.

I would like to streamline the infrastructure when the 2003 upgrade happens. There are two major sites containing most of the users (50 users each). These sites each have 3 DCs. The other sites have one DC. After the 2003 upgrade, should each site's DC also run DNS? Or should I only run DNS out of the two major sites and have the remote sites get DNS from the major sites? All sites are in different countries around the globe and are connected via VPN. The more distant sites' connections can be pretty flaky at times and I don't trust them to be up 100%.

Cary Shultz replied:

Ken,
It is good to have redundancy.

However, for 50 users in each of the two 'big' sites it might be a bit overkill to have three Domain Controllers. Two should suffice. You could even get away with one Domain Controller in each of the 'big' sites.

And in each of the other four sites I might have just one DC, especially given the flaky connection via the VPN. You definitely want the users to be able to authenticate against a 'local' Domain Controller. Is this currently happening? Although you probably have set up Active Directory Sites and Services correctly (each Site would be created and a subnet would be created for each Site and then associated with the correct Site), it is still possible that the users are authenticating against a 'remote' Domain Controller. This is sometimes a problem in WIN2000. There are ways to avoid this (or, better said, to reduce this).

I would possibly run DDNS on each Domain Controller.

The 'Branch Management' in WIN2003 is really improved over that of WIN2000. I am just getting into WIN2003 (I know, a bit late) but have read and heard that there are some nice improvements in this area. I would suggest that you read the WIN2003 Branch Management White Paper.

--
Cary W. Shultz
Roanoke, VA 24012

ken444444 replied:

Thanks for the information. What I really need to know is how many DNS servers I should have and at which locations. I will have 2 DCs each at the two large sites, and one DC at the small sites. But where should the DNS servers reside?

kb
Paul Williams [MVP] replied:

Use AD-Integrated DNS. This way every DC is a DNS server if you have DNS installed. So, install DNS on all servers.

At the main site, point clients to both DCs for DNS.
At the remote sites, point clients to the local DC and the two in the central site for DNS.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

ken444444 replied:

Excellent information! Thanks for the data... it makes sense. After reading some information from MS Press books about my question, I couldn't come up with any real answers because their information on the matter was very general and didn't go into detail about specific examples.

Paul Williams [MVP] replied:

Glad to have helped. All the best!

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
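The layout Paul describes (DNS on every DC as an AD-integrated zone, clients pointed at the local DC first and the central site's two DCs as fallback) together with Cary's question of whether users really authenticate against a local DC, written out as an added example that is not part of the original thread. It assumes the Windows Server 2012-or-later PowerShell modules (ServerManager, DnsServer, NetTCPIP, DnsClient, ActiveDirectory), none of which existed for the Windows 2003 upgrade being discussed; the domain name corp.example.com, the site names and all addresses are constructed, and one of the two big sites is treated as Paul's "central site".

```powershell
# Added example (not from the thread). Assumptions: domain corp.example.com,
# the site/DC map below, and the ServerManager, DnsServer, NetTCPIP, DnsClient
# and ActiveDirectory modules (Windows Server 2012 or later). All names and
# addresses are constructed for illustration.

$Domain = 'corp.example.com'

# Site -> DC IP(s). 'HQ-East' is the central site whose two DCs act as the
# fallback resolvers for every other site.
$Sites = @{
    'HQ-East'  = @('10.1.0.10', '10.1.0.11')
    'HQ-West'  = @('10.2.0.10', '10.2.0.11')
    'Branch-A' = @('10.3.0.10')
    'Branch-B' = @('10.4.0.10')
    'Branch-C' = @('10.5.0.10')
    'Branch-D' = @('10.6.0.10')
}
$CentralSite = 'HQ-East'

# Step 1 (run on each DC): install DNS if missing and make sure the zone is
# AD-integrated, so every DC holds a writable replica and no DC depends on a
# file-backed primary on the far side of a flaky VPN.
function Ensure-AdIntegratedDns {
    param([string]$ZoneName)
    if ((Get-WindowsFeature -Name DNS).InstallState -ne 'Installed') {
        Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null
    }
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($null -eq $zone) {
        # No zone on this server yet: create it AD-integrated.
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
    } elseif (-not $zone.IsDsIntegrated) {
        # File-backed primary left over from the old layout: convert in place.
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -Force
    }
    # Secure-only dynamic updates: only authenticated machines may register or
    # overwrite records (an AD-integrated zone is what makes this option possible).
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate 'Secure'
}

# Step 2: resolver order for a client in a given site. Local DC(s) first, then
# the central site's DCs; duplicates are removed so a central-site client
# simply gets its own two DCs.
function Get-ResolverOrder {
    param([string]$SiteName)
    if (-not $Sites.ContainsKey($SiteName)) { throw "Unknown site: $SiteName" }
    $order = @($Sites[$SiteName]) + @($Sites[$CentralSite])
    return @($order | Select-Object -Unique)
}

function Set-ClientResolvers {
    param([string]$SiteName, [string]$InterfaceAlias = 'Ethernet')
    $servers = Get-ResolverOrder -SiteName $SiteName
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $servers
    return $servers
}

# Step 3 (run on a client): check that subnet-to-site mapping put the client in
# the expected site, that the DC locator picked a DC in that site, and that
# every configured resolver answers the _msdcs SRV query clients use to find DCs.
function Test-LocalDcPreference {
    param([string]$ExpectedSite)
    # No -SiteName here on purpose: we want the locator's own default choice.
    $dc = Get-ADDomainController -Discover -DomainName $Domain
    # nltest prints the site the client was mapped to from its subnet.
    $clientSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
    $resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique
    $srvChecks = foreach ($r in $resolvers) {
        $ans = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $r -ErrorAction SilentlyContinue
        [pscustomobject]@{ Resolver = $r; AnswersSrv = [bool]$ans }
    }
    [pscustomobject]@{
        ClientSite  = $clientSite
        LocatedDc   = [string]$dc.HostName
        LocatedSite = $dc.Site
        LocalDcUsed = ($clientSite -eq $ExpectedSite -and $dc.Site -eq $ExpectedSite)
        Resolvers   = $srvChecks
    }
}

# Usage, e.g. on a DC:          Ensure-AdIntegratedDns -ZoneName $Domain
# Usage, on a Branch-A client:  Set-ClientResolvers -SiteName 'Branch-A'
#                               Test-LocalDcPreference -ExpectedSite 'Branch-A'
```

Putting the local DC first means name resolution and logon keep working at a branch while its VPN is down; the central DCs are there for when the single branch DC is. If Test-LocalDcPreference reports a ClientSite that does not match, the subnet is missing from Active Directory Sites and Services, which is the mis-mapping Cary warns about.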