Sunday, February 2, 2014

Making DNS GlobalNames Zone Available to Other Forests

In large, complex forests with multiple domains, the DNS suffix search list can become extensive and can cause DNS name resolution to fail.  Companies with a large number of domains therefore often ran WINS alongside DNS to provide single-label name resolution across their whole domain infrastructure, because DNS alone offered no single name resolution technology that could span an entire Active Directory infrastructure.

Starting with Windows Server 2008, Microsoft introduced a new DNS concept known as GlobalNames, intended to let organisations permanently decommission the legacy WINS technology while still enabling single-label name resolution.

When deploying GlobalNames you first enable it on all DNS servers in your domain using dnscmd.exe:

dnscmd ServerName /config /enableglobalnamessupport 1

You then create the GlobalNames zone and ensure it replicates to all DNS servers in your forest (best practice), or alternatively create a separate application partition to hold the GlobalNames zone, which gives you the flexibility of choosing which DNS servers in your forest hold it.  The whole point of GlobalNames is to let DNS servers in other Active Directory domains (within the same forest) share a single name resolution source, thereby removing the need for complex DNS suffix search lists.

But what if you want DNS Servers in other forests to use the GlobalNames zone?

This is a little more complicated, as we can't simply replicate the GlobalNames DNS zone to DNS servers in the other domains: they belong to a different Active Directory forest, which runs under a completely different set of security identifiers and does not honour Ticket Granting Tickets (TGTs) issued by Kerberos KDCs from another forest.

What Microsoft has done to allow other forests to share a GlobalNames DNS zone is to give companies the ability to create a service location (SRV) resource record in the remote forest's DNS zone.  This is done as follows:

_globalnames._msdcs.remotedomain.local which must point to the FQDN of a DNS server that hosts the GlobalNames zone in the main forest.
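The full procedure, as an added example that is not part of the original post: enabling GlobalNames support, creating the zone in the main forest, and publishing the SRV pointer in the remote forest, written with the DnsServer PowerShell module that ships with Windows Server 2012 and later (the dnscmd equivalents are noted in comments). The server names, the forest names contoso.local and remotedomain.local, and the single-label name intranet are assumptions for illustration.

```powershell
# Added example, not the original post's code. All host and domain names are assumed.

# --- Main forest (contoso.local): enable GlobalNames support on every DNS server ---
$mainForestDns = @('dc1.contoso.local', 'dc2.contoso.local')   # assumed server names
foreach ($srv in $mainForestDns) {
    # Equivalent to: dnscmd $srv /config /enableglobalnamessupport 1
    Set-DnsServerGlobalNameZone -ComputerName $srv -Enable $true
}

# Create the GlobalNames zone once; forest-wide replication puts it on every DNS
# server in the forest. Dynamic updates are disabled because GNZ entries are
# deliberately static, administrator-managed records.
Add-DnsServerPrimaryZone -ComputerName $mainForestDns[0] -Name 'GlobalNames' `
    -ReplicationScope 'Forest' -DynamicUpdate 'None'

# A single-label name published through GlobalNames (assumed): a CNAME to the real host.
Add-DnsServerResourceRecordCName -ComputerName $mainForestDns[0] -ZoneName 'GlobalNames' `
    -Name 'intranet' -HostNameAlias 'web01.sales.contoso.local'

# --- Remote forest (remotedomain.local): point its DNS servers at the GlobalNames host ---
# The DNS server in the remote forest must also have GlobalNames support enabled so
# that it consults the GNZ for single-label queries.
$remoteDns = 'rdc1.remotedomain.local'   # assumed server name
Set-DnsServerGlobalNameZone -ComputerName $remoteDns -Enable $true

# SRV record _globalnames._msdcs.remotedomain.local naming a DNS server in the main
# forest that hosts the GlobalNames zone. Equivalent to:
#   dnscmd rdc1.remotedomain.local /recordadd remotedomain.local _globalnames._msdcs SRV 0 100 53 dc1.contoso.local
Add-DnsServerResourceRecord -ComputerName $remoteDns -ZoneName 'remotedomain.local' `
    -Srv -Name '_globalnames._msdcs' -DomainName 'dc1.contoso.local' `
    -Priority 0 -Weight 100 -Port 53

# --- Verification from a client in the remote forest ---
# First confirm the pointer is published, then that the single-label name resolves.
Resolve-DnsName -Name '_globalnames._msdcs.remotedomain.local' -Type SRV
Resolve-DnsName -Name 'intranet' -Type A
```

Note that the SRV record hands single-label resolution for the whole remote forest to whichever server it names, so write access to that record (and to the GlobalNames zone itself) should be limited to DNS administrators and changes to it audited like any other forest-wide DNS configuration.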

For more information please refer to the following TechNet article:

http://technet.microsoft.com/en-us/library/cc731744.aspx

I hope this post has been helpful.
