11-21-2019 11:10 AM
Currently we have DNS through Infoblox, and I am very new to Infoblox; I have always used MS DNS.
I am going to be creating a new Active Directory child domain in an existing forest, so I am looking for best practices on how to do that. I am not sure if I should set up MS DNS and then move it into Infoblox, or if there is a better way to accomplish this.
11-21-2019 12:03 PM - edited 11-21-2019 12:04 PM
If I understand correctly, you are standing up new child domains with new DCs and are confused between the below options.
1. Set up new child domains with DNS service on the same DC and direct updates to 127.0.0.1. Later move the zone and its data to Infoblox as authoritative primary or secondary !? [Please clarify].
2. Create authoritative primary zone for the child domain on Infoblox DNS and configure the new domain controllers to update Infoblox DNS.
Well, if Infoblox is already DNS for your AD environment and if you have done the capacity planning with your Infoblox account team to confirm that your existing Infoblox DNS has the resources to accommodate and serve the new zone(s) and data, the recommendation would be to have the zones set up on Infoblox.
1. Create the child zone(s) on Infoblox and assign it to the correct name servers or name server group.
2. Edit the "Updates" section and "Active Directory" section to include/allow your Domain controller IP addresses.
3. Check "Automatically create underscore zones" so that we autocreate necessary subzones such as "_msdcs" on the Infoblox side. This is purely for administrative ease and for segmentation of data to subzones instead of having everything populated directly under the child zone(s) you create.
4. Restart DNS service on Infoblox for changes to take effect.
5. Verify firewall rules to allow UDP and TCP port#53 traffic from your DCs to Infoblox.
6. Stand up your new child domain and configure your DCs with the DNS server IP of Infoblox.
7. All resource record updates (A, CNAME, MX, SRV etc.) should propagate to your new zone on Infoblox.
8. If you do not find any records being updated, you may want to restart the netlogon service on the DC or investigate further, while I cannot think of anything that could go wrong.
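As an added example (not code from the thread or from Infoblox), the following PowerShell script checks steps 5 through 8 of the procedure above from the new DC's side: it tests TCP/53 and UDP/53 reachability to the Infoblox server, confirms the child zone has an SOA there, verifies the SRV records Netlogon must publish for the DC (under the child zone and its `_msdcs` subzone), and, if any are missing, forces re-registration and restarts Netlogon as the post suggests. The zone name `child.example.com` and the Infoblox address `10.0.0.53` are placeholders, and the script assumes it runs in an elevated PowerShell session on the new domain controller.

```powershell
# Added example, not from the original thread. Run on the new child-domain DC in
# an elevated PowerShell. Placeholders: child zone and Infoblox DNS IP below.
param(
    [string]$ChildZone  = 'child.example.com',   # placeholder child domain zone
    [string]$InfobloxNS = '10.0.0.53'            # placeholder Infoblox DNS server
)

# Step 5: confirm DC -> Infoblox on port 53. Test-NetConnection only covers TCP;
# UDP/53 is proven by the SOA lookup below, which Resolve-DnsName sends over UDP.
$tcp = Test-NetConnection -ComputerName $InfobloxNS -Port 53 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP/53 to $InfobloxNS is blocked; fix firewall rules before continuing"
}
try {
    $soa = Resolve-DnsName -Name $ChildZone -Type SOA -Server $InfobloxNS -DnsOnly -ErrorAction Stop
    Write-Host "Zone $ChildZone is served by $InfobloxNS (SOA serial $($soa[0].SerialNumber))"
} catch {
    Write-Warning "No SOA for $ChildZone from ${InfobloxNS}: zone not created or not assigned to this server. $_"
}

# SRV records Netlogon registers for a DC of this child domain. The _msdcs names
# land in the subzone that 'Automatically create underscore zones' creates.
$dcFqdn   = "$env:COMPUTERNAME.$ChildZone"
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$ChildZone",
    "_kerberos._tcp.dc._msdcs.$ChildZone",
    "_ldap._tcp.$ChildZone",
    "_kerberos._tcp.$ChildZone",
    "_kpasswd._tcp.$ChildZone"
)

# Returns $true when the SRV record exists on the given server and names this DC.
function Test-DcSrvRecord {
    param([string]$Name, [string]$Server, [string]$ExpectedTarget)
    try {
        $answers = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        # NameTarget is the SRV target host; -like is case-insensitive, so the
        # uppercase NetBIOS name in $env:COMPUTERNAME still matches.
        if ($answers | Where-Object { $_.NameTarget -like "$ExpectedTarget*" }) { return $true }
        Write-Warning "$Name exists on $Server but does not list $ExpectedTarget"
        return $false
    } catch {
        Write-Warning "$Name not found on ${Server}: $_"
        return $false
    }
}

# Step 7: every expected record should already be on Infoblox.
$missing = @($srvNames | Where-Object {
    -not (Test-DcSrvRecord -Name $_ -Server $InfobloxNS -ExpectedTarget $dcFqdn)
})

if ($missing.Count -eq 0) {
    Write-Host "All DC service records for $dcFqdn are registered on $InfobloxNS"
    return
}

# Step 8: records are missing. Look for Netlogon's own DNS-registration failures
# (System log, NETLOGON event 5774) before re-registering, so the root cause
# (refused update, wrong server, ACL) is visible and not just retried.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='NETLOGON'; Id=5774} `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Netlogon 5774: $($_.Message -split "`n" | Select-Object -First 1)" }

Write-Host "Missing: $($missing -join ', '); forcing re-registration and restarting Netlogon"
nltest /dsregdns | Out-Null          # ask Netlogon to re-register the DC's records now
Restart-Service -Name Netlogon       # the restart the thread recommends
Start-Sleep -Seconds 15              # give the dynamic updates a moment to land

$stillMissing = @($missing | Where-Object {
    -not (Test-DcSrvRecord -Name $_ -Server $InfobloxNS -ExpectedTarget $dcFqdn)
})
if ($stillMissing.Count -gt 0) {
    Write-Warning "Still missing after re-registration: $($stillMissing -join ', ')."
    Write-Warning "Check the zone's Updates/Active Directory allow-list for this DC's IP and the port 53 path."
}
```

The script deliberately reads the Netlogon 5774 events before restarting anything: a restart that silently succeeds hides whether the earlier failure was a firewall block, a zone that was never assigned to that Infoblox member, or a DC address missing from the zone's update allow-list, and those are the three settings the procedure above asks you to configure.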