I have one child domain which references parent domain groups (it is a remote desktop gateway server into a restricted network segment).
This network is restricted and only the child DC can communicate with the parent DC. Child member computers cannot perform queries to the parent domain controllers.
I believe I can set the root forest zone replication scope to 'All DNS servers in the forest that are domain controllers running Windows', and this would allow the child DC to resolve the parent domain queries, however this would push traffic everywhere.
Is there a way in which I can push the root DNS parent domain zone only to one particular child domain?
Answer
Replicating the forest root DNS zone isn't going to do anything other than let your clients in the child view DNS records for the parent.
What you want is to make the group in question a Universal Group. A Universal Security Group is replicated to all Global Catalogs in the forest, which means that a GC in your child domain can authoritatively answer the query without requiring a referral to the parent.
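A pre-flight check for the conversion described above, added here as an example and not part of the original answer. It assumes the RSAT ActiveDirectory module, placeholder names for the group and the child domain, and that the parent-domain group referenced from the child is currently a Global group:

```powershell
# Added example (not from the original post): check whether a parent-domain
# group can be converted to Universal scope, and whether the child domain has
# a Global Catalog that can answer membership lookups without a referral.
# 'RDG-Users' and 'child.corp.example' are placeholder names.
Import-Module ActiveDirectory

$GroupName   = 'RDG-Users'            # placeholder: group referenced from the child domain
$ChildDomain = 'child.corp.example'   # placeholder: the restricted child domain

$group = Get-ADGroup -Identity $GroupName -Properties GroupScope, MemberOf

if ($group.GroupScope -eq 'Universal') {
    Write-Output "$GroupName is already Universal; nothing to change."
    return
}

# A Global group cannot be converted to Universal while it is itself a member
# of another Global group, so list any such memberships first.
$blocking = Get-ADPrincipalGroupMembership -Identity $group |
    Where-Object { $_.GroupScope -eq 'Global' }

if ($blocking) {
    Write-Warning "Cannot convert $GroupName to Universal; remove it from these Global groups first:"
    $blocking | Select-Object Name, DistinguishedName | Format-Table -AutoSize
    return
}

# The conversion is a single attribute change; existing members are kept.
Set-ADGroup -Identity $group -GroupScope Universal -WhatIf   # drop -WhatIf to apply

# The child DC must hold the Global Catalog role, otherwise the lookup is
# referred to the parent DCs, which the restricted segment cannot reach.
$childGCs = Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' -Server $ChildDomain
if (-not $childGCs) {
    Write-Warning "No Global Catalog found in $ChildDomain; enable the GC role on the child DC."
} else {
    Write-Output "Global Catalogs in ${ChildDomain}: $($childGCs.HostName -join ', ')"
}
```

Run it from a host that can reach both domains, since the membership check queries the parent while the GC check queries the child.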