Link to home
Start Free TrialLog in
Avatar of imherson
imhersonFlag for United States of America

asked on

Bridging DDNS and static DNS environments

I work for a department in a large organization which uses static IP & DNS.  It’s a mixed environment:  There are Win xp and 2000 clients, and NT 4.0 domain controllers, 2003 servers and unix, and IBM mainframes.  A couple of departments, including our own have decided we want to upgrade our NT 4.0 DCs to 2003 server Active directory DCs.   All of the clients in all of the departments use the same static DNS servers, and the clients names are all client.beach.state.hi.us, but in fact there is no beach.state.hi.us domain.  

Anyway, in a test environment I created a 2003 DC for beach.state.hi.us for our department.   Depending on how I set TCP/IP on our clients we have different results:

 If I use one of the static DNS servers as the primary DNS server and the DC as the secondary DNS server, it takes a long time to logon (its "applying policies" forever). In the event viewer I notice a lot of errors "cannot find user or domain"  And then the client cannot browse active directory.  

If I use the DC as the primary DNS server in the client's TCP/IP setting and use the static DNS servers as secondary and 3rd DNS servers, then these problems are not there, but some applications cannot resolve names.  For example a terminal emulator cannot resolve the IP for a unix server named WAVES.

 I cannot make changes on the static DNS server (other than client name change requests) nor on the servers or clients in other departments that we might access.  I'm wondering if there might be a way of configuring our DC or setting up another DDNS  server to query the static DNS servers on behalf of the clients in our AD domain (and perhaps cache responses).  In otherwords, our clients might then use the DDNS as their primary or their only DDNS server.
Avatar of Dave_Dietz
Dave_Dietz
Flag of United States of America image

The only way this wil work is if the 2003 DNS server uses a different DNS suffix.

The server has to have either Primary or Integrated zones to do Dynamic updates.  If this server has a primary zone it *cannot* do zone transfers *from* the other DNS servers since it will believe itself to be authoritative for the DNS name.

Best bet is to use a different DNS suffix (i.e. dynamic.beach.state.hi.us or whatever) and create a custom forwarder to the other DNS servers for beach.state.hi.us name resolution.

Dave Dietz
Avatar of imherson

ASKER

Do you mean that the client would use the different DNS suffix in their TCP/IP settings?  Or, do you mean that our domain cannot be beach.state.hi.us -i.e., that it must be whatever.beach.state.hi.us or something else.  

In our current setup different departments in our organization have their own domains (NT 4.0 domains) but we all use the same static DNS servers and all the clients resolve as client.beach.state.hi.us. I had hoped that we could keep it this way, so that the clients in this new AD domain resolved as client.beach.state.hi.us whether someone outside our department used our DDNS server or the departments's static DNS server.
Herson
If you want to use Dynamic DNS all clients will have to have access to the DNS database generated by the DDNS server.  For DNS to be dynamic it has to be on 2000 or later and has to be a Primary or Integrated zone.  Your Static DNS servers are likely already set up with their own Primary zone so there is no way to add your dynamic entries.  If you have a primary zone and the static servers have a primary zone with the same name they can't do any kind of replication with each other because each will believe that it is authoritative for the zone.

You could configure a forwarder to direct clients to another DNS server but you can't set a forwarder for a domain the DNS server believes it is authoritative for.

The reason your scenario works at all is because the client will eventually time out when trying to resolve a name via a server that doesn't know the name and will try the next on its list. (This is why it takes a long time to boot when the DC DNS is set to the secondary DNS server).

There isn't any real way to get the results you want without making some non-trivial changes to the Static DNS servers.

Specifically to answer your questions: yes, your clients would use the different DNS suffix in their TCP/IP settings and your domain (DNS at least - Windows Domain can be whatever you want to call it) would need to be something other than beach.state.hi.us (since there are other DNS servers that are authoritative for this name).

Dave Dietz

Dave Dietz
Dave,
I have a feeling you are right about this.  Another department (lifegaurds) in our organization decided on the same thing (lifegaurds.beach.state.hi.us).

Let's say that we can accept there is no other way for us but to use a different DNS (surfing.beach.state.hi.us) would the forwarder be a different DDNS server than the DC or would it the DC itself ?(FYI, we won't have more than 150 clients). Actuaully, what I mean to ask is what should we do exactly to setup our clients  and DDNS on our DC  and/or DDNS on another server?  Could you spell this out or walk me through this?
Herson
The Forwarder is a property you set on the DNS server that basically says 'if I can't find it go here instead'...

In 2000 forwarders are pretty basic.  In 2003 you can configure a specific Forwader for a given DNS name.

I will find the proper steps tomorrow and post them (it's easy, I just don't have a 2003 server handy right now....)

Dave Dietz
Thanks I'll be looking for your post.  
ASKER CERTIFIED SOLUTION
Avatar of Dave_Dietz
Dave_Dietz
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I got the forwarder set up.  It was easy like you said.  But I'm wondering about whether there is anything else I should be concerned about.  For instance,  the client TCP/IP settings only have the IP for the DC for the DNS server and can resolve names on ".beach.state.hi.us" via the forwarder -no problem.  I did have to "append the DNS suffix" beach.state.hi.us for it to work.  But now my AD searches are a little ify.  When I "search entire directory" I get no results.  I must specify the location surfing to get a list, and then I get no results for specific searches such as client323.  One more thing, when I do an nslookup of client323 (a surfing AD computer) the request gets forwarded to the static DNS server and the response comes back client323.beach.state.hi.us not client323.surfing.beach.state.hi.us.

What else matters for the client connection settings?  'Append client and connection specific DNS suffixes'? 'Append parent suffixes of the primary DNS suffix'?  'DNS suffix for this connection'? 'Register this connection's address in DNS'? 'Use this connection's DNS  suffix in DNS registration'?