January 28, 2001, 4:48 PM — So far, this series on AD/DNS strategies has covered migrating a Unix-based DNS environment to Windows 2000 and using your Unix-based DNS to support Active Directory. But now my columns will start heating up, because I'll be discussing the strategy of integrating Unix and Windows 2000 DNS systems -- that is, running both Unix-based and Windows-2000-based DNS servers in the same environment. In this approach, you leave your Unix-based DNS servers in place to manage your primary DNS domain (in our example, itworld.com) and designate a subdomain (such as win2k.itworld.com) to be hosted on Windows 2000 DNS servers for the purpose of supporting AD.
This practice is often referred to as delegation because it effectively distributes authority for a portion of DNS namespace to another name server. In my next few columns, I'll be discussing some of the issues and challenges of delegation, as well as identifying potential solutions. In this column, I'll start with an overview of the main issues and a quick technical discussion of how to delegate a new DNS domain.
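To make the delegation concrete, here is an added example (constructed for this column, not from the original text or any product documentation) of the records the Unix-based BIND server would carry in the parent zone to hand win2k.itworld.com to Windows 2000 DNS servers. The server names and 192.0.2.x addresses are placeholders.

```zone
; Constructed excerpt of the itworld.com zone file on the Unix-based
; (BIND) primary. Names and addresses are placeholders, not real hosts.
$ORIGIN itworld.com.
$TTL 86400
@       IN  SOA  ns1.itworld.com. hostmaster.itworld.com. (
                2001012801 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; negative-caching TTL
        IN  NS   ns1.itworld.com.
        IN  NS   ns2.itworld.com.
ns1     IN  A    192.0.2.10
ns2     IN  A    192.0.2.11

; Delegation: NS records for the child zone are published by the parent
; and name the Windows 2000 DNS servers that are authoritative for
; win2k.itworld.com. The parent holds nothing else for that subtree.
win2k   IN  NS   dns1.win2k.itworld.com.
win2k   IN  NS   dns2.win2k.itworld.com.

; Glue: the delegated servers sit inside the zone they serve, so the
; parent must also carry their addresses; otherwise a resolver that
; follows the referral has no way to reach them.
dns1.win2k   IN  A    192.0.2.50
dns2.win2k   IN  A    192.0.2.51
```

After reloading the parent zone, `dig @ns1.itworld.com win2k.itworld.com NS +norecurse` should return the two NS records with the glue addresses in the additional section; a missing or stale glue record is the most common reason a delegated AD zone resolves from inside the subdomain but not from the rest of the network.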
After evaluating other options, delegating a DNS domain for AD use may seem like a simple, logical approach to solving the AD/DNS integration problem. In fact, if AD/DNS integration has come up in conversation or in other articles you've read, you've probably already encountered a common approach: Create a new DNS child domain under your main domain and delegate it to Windows-2000-based DNS name servers. Unix people maintain their hold on the core DNS domain and you get to run AD on a Windows 2000-based system. It's a win-win situation, right?
We'll spend much more time and thought on that issue because, as with most things in this business, the simple answer is insufficient. The delegated-DNS-domain approach may, in fact, be a win-win situation from a political perspective. However, depending on your environment, it can be far more complicated to plan and implement than other AD/DNS scenarios. Consequently, depending on the size of your organization, this approach may be anything but simple.
Key planning factors
Delegating a DNS zone to AD can be a more complex undertaking than it initially sounds because of several issues, including:
- Determining an adequate IP/DNS management model
- Determining which set of DNS name servers clients should resolve against
- Planning for efficiency in forward lookups across a distributed environment -- from the parent domain to the child domain and vice versa
- Implementing recursion vs. iteration
- Handling reverse lookups
- Maintaining visibility across the DNS namespace