
AD Public DNS


adispy
07-28-2009, 12:00 PM
Hello to all,
I just registered a domain "example.com" to do some testing to start; I created my own public DNS servers on Win2k3 (two servers), one has a primary DNS zone, and the other one has a secondary DNS zone for backup (replication working perfectly). My question is... is there a possibility to integrate those zones in AD, to be more secure and for replication purposes (not that there is much traffic right now)? I know how to implement AD but I don't know how to implement it on the second server, or... on the second server I create another AD forest (but then theoretically I would have two separate domains that share the same name); if someone can clear this up for me.

thanks

flipper
08-13-2009, 08:39 AM
I am a little confused by your question, but if I read it correctly you want to move some of the FSMO roles over to the 2nd server. Is this correct?

If this is correct it really depends on how you have the network setup.

Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used also.

Rule 2: The Infrastructure Master should not be placed on a GC.
Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.

Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.

Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
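As an added example (not part of flipper's post) of the check Rule 4 asks for, the following PowerShell lists the five FSMO role holders and verifies that each one resolves in DNS, answers on the LDAP port and responds to a directory query, and then evaluates Rule 2 and its two exceptions for the Infrastructure Master. It assumes the ActiveDirectory module (RSAT or the AD DS role) and a domain-joined session with read access to the directory; the DNS and TCP 389 probes are my assumption of what "available" should mean and can be replaced with your own.

```powershell
# Added example: FSMO availability check (Rule 4) plus the Infrastructure Master / GC rule (Rule 2).
# Assumes the ActiveDirectory module and a domain-joined session; Resolve-DnsName and
# Test-NetConnection need Windows 8 / Server 2012 or later.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $status = 'OK'

        # Name resolution first: if this fails for a remote site, suspect the WAN link
        # (or DNS) before suspecting the DC itself.
        try { $null = Resolve-DnsName -Name $holder -ErrorAction Stop }
        catch { $status = 'DNS resolution failed' }

        # LDAP reachability (TCP 389).
        if ($status -eq 'OK') {
            $tcp = Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) { $status = 'TCP 389 unreachable' }
        }

        # Ask the holder to describe itself; a DC whose port is open but whose
        # directory service is broken fails here.
        if ($status -eq 'OK') {
            try { $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop }
            catch { $status = "AD query failed: $($_.Exception.Message)" }
        }

        [pscustomobject]@{ Role = $role; Holder = $holder; Status = $status }
    }
}

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *          # DCs of the current domain only
    $infra  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    $singleDomain = ($forest.Domains.Count -eq 1)                              # Exception 1
    $allGc        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })     # Exception 2

    if ($infra.IsGlobalCatalog -and -not ($singleDomain -or $allGc)) {
        Write-Warning ("Infrastructure Master {0} is a GC in a multi-domain forest where not every DC " +
                       "is a GC; it will never see stale cross-domain references to update (Rule 2)." -f $infra.HostName)
    } else {
        Write-Host 'Infrastructure Master placement satisfies Rule 2.'
    }
}

Get-FsmoStatus | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Run it from a scheduled task and alert on any Status other than OK. For a quick manual look, `netdom query fsmo` prints the same five holders without the reachability checks.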

adispy
08-13-2009, 03:05 PM
No, no, no.
Sorry for the confusion; I have 2 public DNS servers and all I want to do is integrate the DNS zone into AD for security reasons, but with no VPN between them. I just hit dcpromo on both of them and go... of course there will be different forests, but they share the same name... the public domain name. I don't need AD, I just need DNS to put my A host, MX and the rest of the entries that I need. I will try to simulate it on VMware when I have some time.

Ed
08-14-2009, 01:41 PM
adispy,

I am still a little confused by your question. You keep mentioning that these servers will be in separate forests. Unless there is a specific reason for there to be separate forests, I would simply take the server hosting the primary zone and install AD. Then convert the zone to AD-integrated (this may happen during the install of AD). Then install AD on the server hosting the secondary zone, making it a replica by choosing the option to make it an additional domain controller of an existing domain. Then convert the DNS zone on that server to AD-integrated and you should be all set.

Please let me know if I am answering your question correctly because I'm still not sure I understand it.

Ed
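The procedure Ed describes, as an added example that is not part of the thread: once both machines are DCs of the same domain (dcpromo on the primary-zone server first, then the second server promoted as an additional domain controller of that existing domain), this PowerShell converts the file-backed primary zone to an AD-integrated one and restricts dynamic updates. It assumes Windows Server 2012 or later for the DnsServer cmdlets; the dnscmd equivalents in the comments are what you would type on the Windows Server 2003 boxes in the question. The zone name example.com is the one from the thread.

```powershell
# Added example (not from the thread): convert a standard primary zone to AD-integrated
# and lock down dynamic updates. Run on the DC that held the primary (file-backed) zone.
# Assumes Windows Server 2012+ (DnsServer module); dnscmd equivalents for Server 2003
# are shown in the comments. Zone name taken from the thread.
Import-Module DnsServer

$zone = 'example.com'

# 1. AD-integrated zones exist only on domain controllers; DomainRole 4 = backup DC, 5 = primary DC.
$domainRole = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($domainRole -lt 4) {
    throw 'This server is not a domain controller. Promote it first (dcpromo / Install-ADDSDomainController).'
}

# 2. Confirm the zone is currently a file-backed primary before touching it.
$before = Get-DnsServerZone -Name $zone
if ($before.ZoneType -ne 'Primary' -or $before.IsDsIntegrated) {
    throw "Zone $zone is $($before.ZoneType), DS-integrated=$($before.IsDsIntegrated); expected a file-backed primary."
}
$recordsBefore = (Get-DnsServerResourceRecord -ZoneName $zone).Count

# 3. Move the zone into the directory, replicated to every DNS server that is a DC in this domain.
#    dnscmd . /ZoneResetType example.com /DsPrimary
ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force

# 4. Accept only secure (Kerberos-authenticated) dynamic updates. For a public zone whose
#    A/MX records you maintain by hand, 'None' is the stricter choice.
#    dnscmd . /Config example.com /AllowUpdate 2   (0 = none, 1 = nonsecure and secure, 2 = secure only)
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# 5. Verify the new storage/replication settings and that no records were lost in the conversion.
$after        = Get-DnsServerZone -Name $zone
$recordsAfter = (Get-DnsServerResourceRecord -ZoneName $zone).Count
[pscustomobject]@{
    Zone             = $after.ZoneName
    Type             = $after.ZoneType
    DsIntegrated     = $after.IsDsIntegrated
    ReplicationScope = $after.ReplicationScope
    DynamicUpdate    = $after.DynamicUpdate
    RecordsBefore    = $recordsBefore
    RecordsAfter     = $recordsAfter
}
if ($recordsAfter -ne $recordsBefore) {
    Write-Warning 'Record count changed during conversion; compare the zone contents before going further.'
}

# 6. On the second DC (the old secondary) there is nothing to convert: remove the stale
#    secondary copy and let the directory-replicated zone take its place.
#    Remove-DnsServerZone -Name example.com -Force      # dnscmd . /ZoneDelete example.com /f
```

On the second DC the AD-integrated zone appears on its own once the DomainDnsZones partition has replicated, which is why step 6 only deletes the old secondary. One caveat for the setup in the question: an AD-integrated zone can only live on a domain controller, so serving the public example.com zone this way means the DCs themselves are reachable from the internet. The usual pattern is AD-integrated zones on internal DCs and a separately maintained public zone on servers that are not DCs.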