Solved

Bridging DDNS and static DNS environments

Posted on 2004-07-31
8
298 Views
Last Modified: 2010-04-19
I work for a department in a large organization which uses static IP & DNS.  It’s a mixed environment:  There are Win xp and 2000 clients, and NT 4.0 domain controllers, 2003 servers and unix, and IBM mainframes.  A couple of departments, including our own have decided we want to upgrade our NT 4.0 DCs to 2003 server Active directory DCs.   All of the clients in all of the departments use the same static DNS servers, and the clients names are all client.beach.state.hi.us, but in fact there is no beach.state.hi.us domain.  

Anyway, in a test environment I created a 2003 DC for beach.state.hi.us for our department.   Depending on how I set TCP/IP on our clients we have different results:

 If I use one of the static DNS servers as the primary DNS server and the DC as the secondary DNS server, it takes a long time to logon (its "applying policies" forever). In the event viewer I notice a lot of errors "cannot find user or domain"  And then the client cannot browse active directory.  

If I use the DC as the primary DNS server in the client's TCP/IP setting and use the static DNS servers as secondary and 3rd DNS servers, then these problems are not there, but some applications cannot resolve names.  For example a terminal emulator cannot resolve the IP for a unix server named WAVES.

 I cannot make changes on the static DNS server (other than client name change requests) nor on the servers or clients in other departments that we might access.  I'm wondering if there might be a way of configuring our DC or setting up another DDNS  server to query the static DNS servers on behalf of the clients in our AD domain (and perhaps cache responses).  In otherwords, our clients might then use the DDNS as their primary or their only DDNS server.
0
Comment
Question by:imherson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11685260
The only way this wil work is if the 2003 DNS server uses a different DNS suffix.

The server has to have either Primary or Integrated zones to do Dynamic updates.  If this server has a primary zone it *cannot* do zone transfers *from* the other DNS servers since it will believe itself to be authoritative for the DNS name.

Best bet is to use a different DNS suffix (i.e. dynamic.beach.state.hi.us or whatever) and create a custom forwarder to the other DNS servers for beach.state.hi.us name resolution.

Dave Dietz
0
 

Author Comment

by:imherson
ID: 11686580
Do you mean that the client would use the different DNS suffix in their TCP/IP settings?  Or, do you mean that our domain cannot be beach.state.hi.us -i.e., that it must be whatever.beach.state.hi.us or something else.  

In our current setup different departments in our organization have their own domains (NT 4.0 domains) but we all use the same static DNS servers and all the clients resolve as client.beach.state.hi.us. I had hoped that we could keep it this way, so that the clients in this new AD domain resolved as client.beach.state.hi.us whether someone outside our department used our DDNS server or the departments's static DNS server.
Herson
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11686849
If you want to use Dynamic DNS all clients will have to have access to the DNS database generated by the DDNS server.  For DNS to be dynamic it has to be on 2000 or later and has to be a Primary or Integrated zone.  Your Static DNS servers are likely already set up with their own Primary zone so there is no way to add your dynamic entries.  If you have a primary zone and the static servers have a primary zone with the same name they can't do any kind of replication with each other because each will believe that it is authoritative for the zone.

You could configure a forwarder to direct clients to another DNS server but you can't set a forwarder for a domain the DNS server believes it is authoritative for.

The reason your scenario works at all is because the client will eventually time out when trying to resolve a name via a server that doesn't know the name and will try the next on its list. (This is why it takes a long time to boot when the DC DNS is set to the secondary DNS server).

There isn't any real way to get the results you want without making some non-trivial changes to the Static DNS servers.

Specifically to answer your questions: yes, your clients would use the different DNS suffix in their TCP/IP settings and your domain (DNS at least - Windows Domain can be whatever you want to call it) would need to be something other than beach.state.hi.us (since there are other DNS servers that are authoritative for this name).

Dave Dietz

Dave Dietz
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:imherson
ID: 11689111
Dave,
I have a feeling you are right about this.  Another department (lifegaurds) in our organization decided on the same thing (lifegaurds.beach.state.hi.us).

Let's say that we can accept there is no other way for us but to use a different DNS (surfing.beach.state.hi.us) would the forwarder be a different DDNS server than the DC or would it the DC itself ?(FYI, we won't have more than 150 clients). Actuaully, what I mean to ask is what should we do exactly to setup our clients  and DDNS on our DC  and/or DDNS on another server?  Could you spell this out or walk me through this?
Herson
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11690899
The Forwarder is a property you set on the DNS server that basically says 'if I can't find it go here instead'...

In 2000 forwarders are pretty basic.  In 2003 you can configure a specific Forwader for a given DNS name.

I will find the proper steps tomorrow and post them (it's easy, I just don't have a 2003 server handy right now....)

Dave Dietz
0
 

Author Comment

by:imherson
ID: 11693484
Thanks I'll be looking for your post.  
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 500 total points
ID: 11694670
304491 Conditional Forwarding in Windows Server 2003
http://support.microsoft.com/?id=304491

I think this describes it better than I can......  :-)

Let me know if you need any clarification.

Dave Dietz
0
 

Author Comment

by:imherson
ID: 11700164
I got the forwarder set up.  It was easy like you said.  But I'm wondering about whether there is anything else I should be concerned about.  For instance,  the client TCP/IP settings only have the IP for the DC for the DNS server and can resolve names on ".beach.state.hi.us" via the forwarder -no problem.  I did have to "append the DNS suffix" beach.state.hi.us for it to work.  But now my AD searches are a little ify.  When I "search entire directory" I get no results.  I must specify the location surfing to get a list, and then I get no results for specific searches such as client323.  One more thing, when I do an nslookup of client323 (a surfing AD computer) the request gets forwarded to the static DNS server and the response comes back client323.beach.state.hi.us not client323.surfing.beach.state.hi.us.

What else matters for the client connection settings?  'Append client and connection specific DNS suffixes'? 'Append parent suffixes of the primary DNS suffix'?  'DNS suffix for this connection'? 'Register this connection's address in DNS'? 'Use this connection's DNS  suffix in DNS registration'?
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question