How to setup multiple DNS zones in a single domain

We have a small charter school running a Mac Open Directory network on a single subnet with a single registered FQDN for its internal domain. We are about to open a second school within a wing of the same building which will also be on a Mac Open Directory domain, but since it is legally a separate school (just administered by the same staff) it needs to be on its own subnet and have its own LDAP directory.


Is there a way to program DNS between the two schools so that DNS traffic can be routed between them without breaking the DNS and Open Directory/Kerberos realms of either? Both schools will share the same internal domain name. Is it as simple as creating two primary DNS zones on each other's nameservers, both using the same domain name but each having its own designated nameserver for that particular subnet?


For instance, the existing school is running DNS on server1.example.com within the 10.39.54.0/23 subnet. The second school will be running DNS on server2.example.com within the 10.39.56.0/23 subnet. Would I then simply create two primary zones within each subnet, one referring to its own with itself as the nameserver and one within the neighbor subnet referencing that subnet's server as the designated nameserver?


Or would I do this with each school's DNS servers searching through its own subnet as its primary zone with the neighbor zone being added as a secondary zone?


Thanks!

Mac OS X (10.7)

Posted on Jul 20, 2012 8:47 AM

5 replies

Jul 21, 2012 6:37 AM in response to jgrunewald

You have two options.


Use a DNS server with a single internal domain example.com and have (as you said) server1.example.com.

If the two subnets are on separate networks either via a router or VLAN, then you could run a separate DHCP server on each and advertise the appropriate DNS server for that subnet.


Otherwise you could have a single DNS server and either single DHCP advertising that single DNS server and have both server1 and server2 in the single DNS zone, or a DHCP server in each subnet but still pointing to the same single DNS server.


Each of these two servers would be an Open Directory Master.


Note: in DNS terminology a DNS 'zone' is the same thing as a Domain Name.



The second option, which is if you want to keep the two 'schools' completely separate, is to do the following:


Use a DNS server per subnet

Use a DHCP server per subnet

Use a different domain name per school e.g. school1.com and school2.com

Create a server record on each as appropriate e.g. server1.school1.com and server2.school2.com



You cannot have a single DNS server have two identical zones e.g. example.com and example.com as they are of course the same thing.


If the two schools will merge officially at some point it might be better to use the same domain name; if they are going to fully split then definitely it is going to be better to use two different domain names.

Jul 21, 2012 1:03 PM in response to John Lockwood

I think I was definitely making this more complicated than it needed to be, partly because I was equating DNS zones with subnets, rather than with domains as you mentioned.


These two schools/subnets are on separate networks, joined by a firewall/router device that passes IP traffic between them. We are hoping to keep both on a single internal domain for simplicity of management, so your first suggestion seems the best for us. I am still a little confused by that, however.


You mentioned each subnet/network having its own DHCP server directing traffic to "the appropriate DNS server for that subnet". That implies to me, each subnet would also have its own DNS server supplying the information for the whole zone, correct?


Secondly, for increased availability and reliability, I would like to have each subnet/network have its own DNS server running on it and serving up the same unified zone/domain (thanks again for the clarification). But would I do that by creating the same primary zone on both servers, or creating the primary zone on one and duplicating the same information as a secondary zone on the other?

Jul 21, 2012 1:25 PM in response to jgrunewald

It is possible to have a primary DNS server and a secondary DNS server. The primary sends a copy of the DNS zone record to the secondary. With this configuration you only have to maintain a single copy on the primary and any changes are automatically copied to the secondary.


I have done this with a 10.6 Server but not tried it on a Lion server. At least in 10.6 DNS server on the secondary you define the same zone as on the primary but you tell it to create it as type secondary. The secondary then pulls the zone from the primary.


You could have two DHCP servers and each would point to their local DNS server. The clients would use their local DHCP and DNS server. If you're running two Open Directory Masters then it would depend on which one the client is bound to as to which user accounts would apply. It would be possible for a client on either subnet to bind to either Open Directory Master.

Jul 21, 2012 5:49 PM in response to John Lockwood

I have read the method to follow is the one with the Primary and the Secondary DNS servers, but I have also seen two DNS servers, both mirroring the same primary zone. With this second method, I wasn't sure if it was correct or not (not recommended, or actively a bad idea), since DNS is so important to a properly functioning OD Master and Kerberos realm.


Many thanks!

Jul 21, 2012 7:20 PM in response to jgrunewald

There's no limit to the number of 'secondary' servers you run. You can even have 'tertiary' servers that slave off the secondary servers (and so on, ad infinitum) to scale out your DNS.

At the end of the day, though, there can (and should) be only one primary server for any given domain/zone. Where that DNS server is, and whether it responds to queries from end users or only zone transfers from other (secondary) servers is largely irrelevant. It all depends on what's easiest for you.


You also have to consider forward vs. reverse DNS. Since both locations are in the same domain, and there can be only one primary server for that domain/zone, you have to decide where that primary server will be.


Now, the DNS server at the other location could slave all its records from the primary, or you could set up that server to slave the forward records (*.com/*.edu/whatever) and also be primary for the reverse records, but that gets tricky with Server Admin managing your DNS.

Therefore I suggest you nominate one server as the primary for all records, set up the server in the other location as secondary/slave, and you're done - just remember to make all edits on the primary server.
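The primary/secondary layout the last two replies describe (one primary for the forward zone and the reverse zones, the other site's server pulling everything as a secondary), written out as BIND configuration. This is an added example, not anything posted in the thread; it assumes BIND's named.conf syntax (which Mac OS X Server's DNS service drives underneath Server Admin), an assumed address of 10.39.54.10 for server1 and 10.39.56.10 for server2, and that the firewall between the two subnets passes DNS (UDP and TCP port 53, TCP being what zone transfers use). Every file name and the hostmaster address are made up for the example.

```conf
// ===== server1.example.com (assumed 10.39.54.10): primary for every zone =====
options {
    directory "/var/named";
    // Only the secondary may pull a full zone copy (AXFR). Leaving this open
    // publishes the whole internal host map to anyone who can reach port 53.
    allow-transfer { 10.39.56.10; };
    // Recurse only for the two school subnets, never for the outside world.
    allow-recursion { 10.39.54.0/23; 10.39.56.0/23; };
    // Push a NOTIFY to the NS records of each zone after every change so
    // the secondary refreshes immediately instead of waiting for the SOA timer.
    notify yes;
};

zone "example.com" {
    type master;
    file "db.example.com";
};

// A /23 spans two /24 in-addr.arpa zones, so each school needs two reverse zones.
zone "54.39.10.in-addr.arpa" { type master; file "db.10.39.54"; };
zone "55.39.10.in-addr.arpa" { type master; file "db.10.39.55"; };
zone "56.39.10.in-addr.arpa" { type master; file "db.10.39.56"; };
zone "57.39.10.in-addr.arpa" { type master; file "db.10.39.57"; };

// ===== server2.example.com (assumed 10.39.56.10): secondary for the same zones =====
options {
    directory "/var/named";
    allow-transfer { none; };      // nobody pulls zones from the secondary
    allow-recursion { 10.39.54.0/23; 10.39.56.0/23; };
};

zone "example.com" {
    type slave;
    masters { 10.39.54.10; };      // the only place edits are made
    file "slave/db.example.com";   // local cache, survives a primary outage
};
zone "54.39.10.in-addr.arpa" { type slave; masters { 10.39.54.10; }; file "slave/db.10.39.54"; };
zone "55.39.10.in-addr.arpa" { type slave; masters { 10.39.54.10; }; file "slave/db.10.39.55"; };
zone "56.39.10.in-addr.arpa" { type slave; masters { 10.39.54.10; }; file "slave/db.10.39.56"; };
zone "57.39.10.in-addr.arpa" { type slave; masters { 10.39.54.10; }; file "slave/db.10.39.57"; };

; ===== db.example.com on the primary (zone-file syntax, ';' comments) =====
$TTL 3600
@       IN SOA  server1.example.com. hostmaster.example.com. (
                2012072101 ; serial: increase on every edit, or the secondary never refreshes
                3600       ; refresh
                900        ; retry
                1209600    ; expire: how long the secondary keeps serving if the primary is down
                300 )      ; negative-cache TTL
        IN NS   server1.example.com.
        IN NS   server2.example.com.   ; both servers listed, so NOTIFY reaches server2
server1 IN A    10.39.54.10
server2 IN A    10.39.56.10
```

Both servers answer identically for clients; only the DHCP scope on each subnet decides which one a client asks first, as the earlier replies suggest. To confirm the transfer is working, query the SOA on both servers (for example `dig @10.39.56.10 example.com SOA +short`) and check that the serial on the secondary matches the one on the primary after an edit. If the two subnets ever become reachable from less trusted networks, the IP-based `allow-transfer` ACL can be replaced by a TSIG-signed transfer, which authenticates the secondary by key rather than by source address.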
