Example: Merging DNS Namespaces

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Contoso Corporation merged with Trey Research Corporation. Before the merger, each corporation used internal domains that were subdomains of their external domains. The Contoso Corporation used a private root to simplify their DNS server administration. The Trey Research Corporation forwarded queries to the Internet, rather than using a private root.

The external namespace of the newly merged corporation contains the zones contoso.com and treyresearch.com. Each zone in the external namespace contains the DNS resource records that the companies want to expose to the Internet. The internal namespace contains the internal zones, corp.contoso.com and corp.treyresearch.com.

The Contoso division and the Trey Research division each use a different method to support name resolution for names in their namespace. The Contoso division uses the name contoso.com externally and corp.contoso.com internally. The internal root servers host the root zone. Internal servers also host the zone, corp.contoso.com. The name contoso.com is registered with an Internet name authority.

To ensure that every client within the organization can resolve every name in the newly merged organization, the private root zone contains a delegation to the zone for the top level of the merged organization’s internal namespace, corp.treyresearch.com.

To resolve internal and external names, every DNS client must submit all queries to either the internal DNS servers or to a proxy server. Figure 3.4 shows this configuration.

Figure 3.4   Name Resolution in the Contoso Division

Based on this configuration, internal clients can query for names in the following ways:

  • Query internal DNS servers for internal names. The internal DNS servers resolve the query. If a DNS server that receives a query does not contain the requested data in its zones or cache, it uses root hints to contact the internal root DNS servers.

  • Query a proxy server for names on the Internet. The proxy server forwards the query to DNS servers on the Internet. The DNS servers on the Internet resolve the query.

  • Query internal DNS servers for names in the Trey Research division. Because the root servers contain a delegation to the top level of the DNS namespace of the Trey Research division, the internal DNS servers recursively resolve the query by contacting the DNS servers in the Trey Research division.

External clients:

  • Cannot query for internal names. This limitation helps secure the internal network.

  • Query DNS servers on the Internet for names in the contoso.com external namespace. The DNS servers on the Internet resolve the query.

The Trey Research division uses the name treyresearch.com externally and the name corp.treyresearch.com internally. The server InternalDNS.treyresearch.com hosts the corp.treyresearch.com zone. The Trey Research division does not have a private root.

To simplify management of clients and DNS servers, Trey Research division administrators decided to use conditional forwarding. Administrators configured the DNS server InternalDNS.treyresearch.com to forward queries in the following manner:

  • The server forwards all queries destined for the Contoso division to a DNS server for the Contoso division. For example, the server forwards queries destined for corp.contoso.com to InternalDNS.contoso.com.

  • At the same time, the server forwards all other queries destined for contoso.com to a DNS server on the Internet.

Figure 3.5 shows this configuration.

Figure 3.5   Conditional Forwarding in the Trey Research Division
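
The forwarding decision described above, as an added example that is not part of the original page: a small Python model of how InternalDNS.treyresearch.com picks a target for each query (local zone, conditional forwarder chosen by the most specific label-wise suffix match, or the default Internet forwarder), plus a check that no internal name is sent to the Internet forwarder. The IP addresses, sample query names and function names are constructed for illustration.

```python
# Added example: models forwarder selection on InternalDNS.treyresearch.com.
# IP addresses and query names are constructed placeholders, not from the page.
LOCAL_ZONES = {"corp.treyresearch.com"}           # zone hosted on this server
CONDITIONAL_FORWARDERS = {
    "corp.contoso.com": "10.1.0.53",              # stands in for InternalDNS.contoso.com
}
DEFAULT_FORWARDER = "192.0.2.53"                  # stands in for a DNS server on the Internet
INTERNAL_SUFFIXES = {"corp.contoso.com", "corp.treyresearch.com"}
SAMPLE = [                                        # constructed query names
    "hr.corp.contoso.com",        # internal Contoso name
    "www.contoso.com",            # external Contoso name
    "fs1.corp.treyresearch.com",  # name in the locally hosted zone
    "webcorp.contoso.com",        # ends in "corp.contoso.com" as a string only
]


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _in_domain(name, domain):
    """True if name equals domain or is a subdomain, compared label by label."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def route(qname, forwarders=CONDITIONAL_FORWARDERS):
    """Return (kind, target); kind is 'local', 'conditional' or 'default'."""
    for zone in LOCAL_ZONES:
        if _in_domain(qname, zone):
            return ("local", zone)
    matches = [d for d in forwarders if _in_domain(qname, d)]
    if matches:
        best = max(matches, key=lambda d: len(_labels(d)))  # most specific wins
        return ("conditional", forwarders[best])
    return ("default", DEFAULT_FORWARDER)


def leaks(qnames, forwarders=CONDITIONAL_FORWARDERS):
    """Internal names that would be handed to the Internet forwarder."""
    return [q for q in qnames
            if any(_in_domain(q, s) for s in INTERNAL_SUFFIXES)
            and route(q, forwarders)[0] == "default"]


if __name__ == "__main__":
    for q in SAMPLE:
        print(q, "->", route(q))
    print("leaked internal names:", leaks(SAMPLE))
```

Calling `leaks(SAMPLE, forwarders={})` shows what happens if the conditional forwarder for corp.contoso.com is missing: the internal Contoso name falls through to the Internet forwarder.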
