Solved

Secondary/Redundant DNS for remote location

Posted on 2004-03-31
Last Modified: 2007-12-19
I have an SBS2003 server installed at our headquarters location.  Through VPN routers I have multiple remote offices connected back into the headquarters network.  All PCs at all locations have the IP address of the SBS at headquarters as their only DNS entry (per SBS setup instructions).  Everything is fine when all network/broadband connections are working; however, we occasionally lose connectivity either on the headquarters end or the remote end.  When this happens, all PCs at the remote locations cannot browse the Internet, nor resolve other IPs on their own internal LANs, since they can't access DNS on the SBS at headquarters.  I have a 2003 server at each remote location running Active Directory as well.  What configuration can I do on the remote 2003 servers to have them act as secondary DNS servers?  Is this even possible?  I would like to have them sync with the main SBS, and all machines use it as primary, but have the IP of their local 2003 server as the secondary DNS server.  I'm thinking this shouldn't be a problem, but I want to be certain I configure it correctly.

Anyone have some step by steps?
Question by:DijitalLee
LVL 5

Expert Comment

by:mrpez1
Set up the remote 2003 servers to be AD-integrated DNS servers. They should use the local ISP's DNS server as forwarders. Have them be the primary DNS for their respective sites and use the root server as the backup.

In the AD Sites and Services MMC snap-in, the sites should be configured so that the AD topology is replicated efficiently. Also, you'll set up the subnets there. Lastly, you'll want to make sure each of these remote DCs is a global catalog server to ensure login capability should the VPN go down.

Author Comment

by:DijitalLee
I'm very new to 2003 Server, so forgive my ignorance.

When I go to the "Configure Your Server" wizard, and select the option to add DNS as a server role, I am prompted with the following configuration options:

Create a forward lookup zone. (Recommended for small networks).

Create forward and reverse lookup zones. (Recommended for large networks).

Configure root hints only. (recommended for advanced users only).

Which one should I select?  After that, what further configuration is necessary?

In the Sites and Services MMC, I see the 2 servers at headquarters listed in the properties for the remote 2003 server.  The remote 2003 server shows as NTDS replicating from the 2 servers at headquarters.  Is this all that needs to be done regarding that?

LVL 5

Expert Comment

by:mrpez1
I would recommend using the MMC snap-ins for configuration.

First off, have you promoted the 2003 servers to Domain controllers using the dcpromo command line utility?

If your remote 2003 servers are Domain controllers they should already have DNS enabled. If you go to the DNS snap-in, look under Forward Lookup Zones and see if there are any there. If not, create an AD-integrated zone (right click on Forward Lookup Zones -> New Zone). The forward lookup zone will handle requests to resolve host names to IP addresses. You may also create a reverse lookup zone (for each subnet) to do the opposite.

Subnets. I'm assuming that each of your sites is on a different subnet. E.g. 192.168.1.0 (main office), 192.168.2.0 (remote 1), 192.168.3.0 (remote 2). In Sites and Services you should create a site for each office. Then drag and drop the proper server into each site's Servers container (or, if they aren't already in the main site's container, create new server entries for each server). Then in NTDS Settings set it as a Global Catalog server. This will allow the servers to handle login requests when the VPN to the main office is down. In the Subnets container, set up each office's subnet and associate it with the appropriate site (right click, New Subnet and go through the wizard). This will allow intersite replication of AD and, by extension, DNS.

How many servers and sites do you have? How many DCs are at the main office?

Author Comment

by:DijitalLee
I have the secondary servers set up as Domain controllers.  I did not use the dcpromo utility, but rather the wizard that comes up immediately after install of 2003 is complete.  I do see both 2003 servers listed there.  However, I do have a 2000 server located at the same location as the SBS (headquarters).  It is not showing up.

I'm going to go do the additional procedures now.

I have 3 servers at the primary location (SBS2003, Win2K, Win2K), 2 servers at remote location 1 (2003, Win2K), and 1 server at remote location 2 (Win2K).


Author Comment

by:DijitalLee
OK, all done.  In the DNS snap-in, I see all the entries for machines on the 192.168.1.x subnet; however, there are no entries for the 192.168.0.x subnet.  Is this just because updates haven't taken place?  I manually created the 192.168.0.x subnet; should I have done that?
LVL 5

Expert Comment

by:mrpez1
Which office has which subnet? In the office on the 192.168.0.0 subnet, do entries show up in the DNS?

Updates can take some time. If they are AD integrated zones they should occur in the next couple of hours. You can force them but it'll be easier to wait.

Author Comment

by:DijitalLee
The main location actually has the 192.168.1.x subnet, and the first remote has 192.168.0.x subnet.  They already had that, so it was just left alone and easier to change the main location.

I looked in the 192.168.1.x subnet, and all machines within that subnet are listed there.  That was the original one created by SBS.  I'll give the .0.x subnet a little time to do its thing.

What advice can you give me regarding a remote location without a server on-site?  They are connected via VPN, but if that goes down, they're pretty much dead in the water.

As of right now, I have DHCP controlled at each location.  This is correct, right?  It shouldn't be handled by the server at the main location for all subnets.

LVL 5

Expert Comment

by:mrpez1
How many users are at that site? I have a similar situation with a 2-person office. When the VPN goes down, they have no access to network resources. They can log in if they have used the password and login on that computer before. It's sort of like logging into a laptop off the network. I set them up with the root DC as the primary DNS (over VPN) and their ISP's DNS as the secondary. So if the VPN goes down, they can still get on the internet. If you have a bunch of users there, definitely invest in a server and set it up as a DC with global catalog and DNS.

DHCP should be handled at the site if there is a server there. With some VPN solutions you can do DHCP over VPN, but that will run into problems in the absence of the VPN.

Just to make sure AD Sites and Services is set up correctly, you have three sites: Main, Remote 1 and Remote 2.

Main has your root DC in the Servers container. Under NTDS Settings it is a Global Catalog.

Remote 1 has its DC in the Servers container. Under NTDS Settings it is a Global Catalog.

Remote 2 has nada in its Servers container.

Under Subnets you have three subnets set up.

192.168.1.0 is assigned to the main office
192.168.0.0 is assigned to remote 1
192.168.2.0 (?) is assigned to remote 2

When you right click on NTDS Settings for the DCs (in 2003, not 2k), under Connections it should have "replicate from" and "replicate to" the other site's DC.

Author Comment

by:DijitalLee
I only have about 4 users at remote location 2 (one without server).  I'm going to do the same client DNS you suggested.

Also, on clients at locations with a server...  The primary DNS should be the main server, and secondary should be the IP of the server running DNS at that location, correct?

On a side note:  We're using Linksys routers at each location for the VPN/Gateway connections.  On the routers I only have the option of subnet mask 255.255.255.0.  I can't select 255.255.0.0.  This shouldn't be a problem.  But, I am having Master Browser election errors in the error log on my main server.  The solution I found says that it's because of errors in my subnet mask.  I found where I can disable Master Browser settings in the registry on client machines.  Now, the server at the remote locations is still trying to act as master browser.  Should I disable it on the server?  Or should I just not be concerned?

You've been a tremendous help so far, thanks.
LVL 5

Accepted Solution

by:
mrpez1 earned 125 total points
No problem. It sounds like your setup is very similar to mine.

The clients with a server should use that server as the primary DNS, then failover to the root server. This way you won't bog down the VPN and if the location's server goes down, everybody can still operate if the VPN is up.

192.168.1.0 is a class C network. That should use the 255.255.255.0 subnet mask.

This is normal behavior. When a computer is turned on or connected to the network, it announces itself as available as a master browser, and an election is held. You can ignore these messages unless it becomes very frequent. As the Domain topology has changed I would expect the elections. It's also a good sign that everybody's talking to each other.

Author Comment

by:DijitalLee
I just checked my primary server's usage log and found 108 entries of the following:

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: DC=la-marque,DC=city There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. User Action Use Active Directory Sites and Services to perform one of the following actions: - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

And 108 entries of:
A call to the Intersite Messaging service that specifies the following transport failed. Transport: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=la-marque,DC=city As a result, the Knowledge Consistency Checker (KCC) cannot configure a correct intersite replication topology. User Action Verify that the Intersite Messaging service is running. Additional Data Error value: 1722 The RPC server is unavailable.  

I'm pretty much stumped on what those mean.
LVL 5

Expert Comment

by:mrpez1
Generally that's going to be a problem with the DNS. Can you ping your remote DC by name from your primary DC? Double check that Sites and Services is set up as I outlined above. If it's not there, add a forward lookup entry for the remote DC in each DC's forward lookup zone.
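The per-site DNS order from the accepted answer (local server first, root server second) and the name-resolution check from the reply above, written up as an added batch script for the remote 1 server; it is not from the thread. The addresses 192.168.0.10 (remote 1 DC) and 192.168.1.10 (headquarters SBS) are assumed placeholders, the domain name la-marque.city is taken from the logged events, and repadmin/nltest are assumed to be installed from the Windows Server 2003 Support Tools.

```batch
@echo off
REM Added example, not code from the thread. Run on the remote 1 DC, which
REM also serves DHCP for the 192.168.0.0/24 site (per the thread).
REM Assumed placeholder addresses:
REM   192.168.0.10 = remote 1 DC/DNS   192.168.1.10 = SBS at headquarters
SET LOCAL_DNS=192.168.0.10
SET HQ_DNS=192.168.1.10
SET SCOPE=192.168.0.0
SET DOMAIN=la-marque.city

REM 1. DHCP option 006 (DNS Servers) for this site's scope: local DC first,
REM    so lookups do not cross the VPN, then the root server as failover.
netsh dhcp server scope %SCOPE% set optionvalue 006 IPADDRESS %LOCAL_DNS% %HQ_DNS%

REM 2. Ask each DNS server for the domain's DC locator record. A failure on
REM    the local DC means its zone is not AD-integrated or has not
REM    replicated yet; a failure on the HQ server means the VPN is down.
FOR %%S IN (%LOCAL_DNS% %HQ_DNS%) DO (
    echo === Checking DC locator record on %%S ===
    nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %%S
)

REM 3. Confirm this DC maps to the right site (subnet-to-site association
REM    in Sites and Services) and list its replication partners; the KCC
REM    and Intersite Messaging errors from the thread show up here as
REM    failed links rather than a clean "Last attempt ... was successful".
nltest /dsgetsite
repadmin /showrepl
```

If step 2 answers from the local DC but step 3 shows the site as Default-First-Site-Name, the 192.168.0.0 subnet is not yet associated with the remote 1 site.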

Author Comment

by:DijitalLee
Yes, I can ping the remote DNS server from the primary DC at the main location.

When I'm in the Sites and Services snap-in, I click on the Subnets category... both subnet groups show up.  However, when I open the actual subnets up, there aren't any objects listed in the right side of the screen.  Normal?

I'm still getting the errors described above.  They are coming in every 15 minutes.


Author Comment

by:DijitalLee
Also, this morning (coincidentally) we lost internet connectivity at one of the remote locations that has a server on-site.  While internet was down, logins took an exceptionally long time to process, and server mapped drive access was almost non-existent.

I'm not sure if it had anything to do with me making some IP changes last night to the gateway router and the actual IP of the server, and the workstations' DHCP hadn't updated yet.  But it was very frustrating.  I'm going to disconnect the internet connection this weekend and see what happens.  Users at the remote locations MUST be able to function without a connection to the main office.  The only thing they should lose is the Exchange connection, which is ok.