imherson
asked on
Bridging DDNS and static DNS environments
I work for a department in a large organization which uses static IP & DNS. It's a mixed environment: There are Win XP and 2000 clients, NT 4.0 domain controllers, 2003 servers, Unix, and IBM mainframes. A couple of departments, including our own, have decided we want to upgrade our NT 4.0 DCs to 2003 Server Active Directory DCs. All of the clients in all of the departments use the same static DNS servers, and the clients' names are all client.beach.state.hi.us, but in fact there is no beach.state.hi.us domain.
Anyway, in a test environment I created a 2003 DC for beach.state.hi.us for our department. Depending on how I set TCP/IP on our clients we have different results:
If I use one of the static DNS servers as the primary DNS server and the DC as the secondary DNS server, it takes a long time to log on (it's "applying policies" forever). In the event viewer I notice a lot of errors "cannot find user or domain", and then the client cannot browse Active Directory.
If I use the DC as the primary DNS server in the client's TCP/IP setting and use the static DNS servers as secondary and 3rd DNS servers, then these problems are not there, but some applications cannot resolve names. For example a terminal emulator cannot resolve the IP for a unix server named WAVES.
I cannot make changes on the static DNS server (other than client name change requests) nor on the servers or clients in other departments that we might access. I'm wondering if there might be a way of configuring our DC or setting up another DDNS server to query the static DNS servers on behalf of the clients in our AD domain (and perhaps cache responses). In other words, our clients might then use the DDNS as their primary or their only DDNS server.
ASKER
Do you mean that the client would use the different DNS suffix in their TCP/IP settings? Or, do you mean that our domain cannot be beach.state.hi.us, i.e., that it must be whatever.beach.state.hi.us or something else?
In our current setup different departments in our organization have their own domains (NT 4.0 domains), but we all use the same static DNS servers and all the clients resolve as client.beach.state.hi.us. I had hoped that we could keep it this way, so that the clients in this new AD domain resolved as client.beach.state.hi.us whether someone outside our department used our DDNS server or the department's static DNS server.
Herson
If you want to use Dynamic DNS all clients will have to have access to the DNS database generated by the DDNS server. For DNS to be dynamic it has to be on 2000 or later and has to be a Primary or Integrated zone. Your Static DNS servers are likely already set up with their own Primary zone so there is no way to add your dynamic entries. If you have a primary zone and the static servers have a primary zone with the same name they can't do any kind of replication with each other because each will believe that it is authoritative for the zone.
You could configure a forwarder to direct clients to another DNS server but you can't set a forwarder for a domain the DNS server believes it is authoritative for.
The reason your scenario works at all is because the client will eventually time out when trying to resolve a name via a server that doesn't know the name and will try the next on its list. (This is why it takes a long time to boot when the DC DNS is set to the secondary DNS server).
There isn't any real way to get the results you want without making some non-trivial changes to the Static DNS servers.
Specifically to answer your questions: yes, your clients would use the different DNS suffix in their TCP/IP settings and your domain (DNS at least - Windows Domain can be whatever you want to call it) would need to be something other than beach.state.hi.us (since there are other DNS servers that are authoritative for this name).
Dave Dietz
ASKER
Dave,
I have a feeling you are right about this. Another department (lifeguards) in our organization decided on the same thing (lifeguards.beach.state.hi.us).
Let's say that we can accept there is no other way for us but to use a different DNS (surfing.beach.state.hi.us). Would the forwarder be a different DDNS server than the DC, or would it be the DC itself? (FYI, we won't have more than 150 clients.) Actually, what I mean to ask is what should we do exactly to set up our clients and DDNS on our DC and/or DDNS on another server? Could you spell this out or walk me through this?
Herson
The Forwarder is a property you set on the DNS server that basically says 'if I can't find it go here instead'...
In 2000 forwarders are pretty basic. In 2003 you can configure a specific Forwarder for a given DNS name.
I will find the proper steps tomorrow and post them (it's easy, I just don't have a 2003 server handy right now....)
Dave Dietz
ASKER
Thanks I'll be looking for your post.
ASKER CERTIFIED SOLUTION
ASKER
I got the forwarder set up. It was easy like you said. But I'm wondering about whether there is anything else I should be concerned about. For instance, the client TCP/IP settings only have the IP for the DC for the DNS server and can resolve names on ".beach.state.hi.us" via the forwarder, no problem. I did have to "append the DNS suffix" beach.state.hi.us for it to work. But now my AD searches are a little iffy. When I "search entire directory" I get no results. I must specify the location surfing to get a list, and then I get no results for specific searches such as client323. One more thing, when I do an nslookup of client323 (a surfing AD computer) the request gets forwarded to the static DNS server and the response comes back client323.beach.state.hi.us, not client323.surfing.beach.state.hi.us.
What else matters for the client connection settings? 'Append client and connection specific DNS suffixes'? 'Append parent suffixes of the primary DNS suffix'? 'DNS suffix for this connection'? 'Register this connection's address in DNS'? 'Use this connection's DNS suffix in DNS registration'?
The server has to have either Primary or Integrated zones to do Dynamic updates. If this server has a primary zone it *cannot* do zone transfers *from* the other DNS servers since it will believe itself to be authoritative for the DNS name.
Best bet is to use a different DNS suffix (i.e. dynamic.beach.state.hi.us or whatever) and create a custom forwarder to the other DNS servers for beach.state.hi.us name resolution.
Dave Dietz
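As an added example (not part of the original thread or of either poster's own steps), these are the dnscmd/netsh/reg commands that implement Dave's recommendation on a Windows Server 2003 DC and on the XP/2000 clients: a separate dynamic zone surfing.beach.state.hi.us, a conditional forwarder for beach.state.hi.us to the static servers, a client suffix search order that tries the AD zone first, and nslookup checks for both name spaces. The IP addresses and the interface name are constructed placeholders.

```batch
@echo off
rem Constructed addresses for this example (not from the thread):
rem   10.20.30.5             = the 2003 DC / DDNS server for surfing.beach.state.hi.us
rem   10.20.1.10, 10.20.1.11 = the department-wide static DNS servers

rem --- On the DC (Windows Server 2003 DNS) ---
rem The DC must NOT host a zone named beach.state.hi.us; if it did, it would
rem consider itself authoritative and refuse a forwarder for that name.
dnscmd /EnumZones

rem Conditional forwarder: any beach.state.hi.us name that is not in the DC's
rem own zones is sent to the static servers, and the answer is cached.
dnscmd /ZoneAdd beach.state.hi.us /Forwarder 10.20.1.10 10.20.1.11

rem Everything else goes to the same servers through the server-wide list.
dnscmd /ResetForwarders 10.20.1.10 10.20.1.11

rem Allow only secure dynamic updates on the AD-integrated zone, so only
rem domain members can register or overwrite host records.
dnscmd /Config surfing.beach.state.hi.us /AllowUpdate 2

rem --- On each XP/2000 client (cmd.exe as an administrator) ---
rem List only the DC as DNS server: no static server as a fallback, so no
rem query waits for a timeout on a server that does not know the name.
netsh interface ip set dns name="Local Area Connection" source=static addr=10.20.30.5

rem Suffix search order ("Append these DNS suffixes (in order)"): the AD zone
rem first, then the department-wide name. A bare "client323" is therefore tried
rem as client323.surfing.beach.state.hi.us before the forwarder is consulted.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList /t REG_SZ /d surfing.beach.state.hi.us,beach.state.hi.us /f

rem Clear the client cache and re-register its A record in the dynamic zone.
ipconfig /flushdns
ipconfig /registerdns

rem --- Verification, run from a client ---
rem AD host answered by the DC itself:
nslookup client323.surfing.beach.state.hi.us 10.20.30.5
rem Name outside the AD zone answered via the conditional forwarder:
nslookup waves.beach.state.hi.us 10.20.30.5
rem SRV record clients need at logon; an answer here means the DC's own
rem records registered correctly in the dynamic zone:
nslookup -type=SRV _ldap._tcp.dc._msdcs.surfing.beach.state.hi.us 10.20.30.5
```

If the last nslookup returns nothing, the logon delays and "cannot find user or domain" errors from the question will persist regardless of the forwarder, since clients locate the DC through that SRV record.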