Solved

DNS ISLAND urgent question regarding Q275278

Posted on 2004-09-06
8
318 Views
Last Modified: 2008-02-26
I will have 15 DC/DNS which will be AD integrated primary and secondary on a single domain forest.  

I have installed the first DC/DNS and now I am about to install DNS on other DCs ready to join the domain.  I have read article Q275278 that talks about DNS ISLANDS.  I have also read Minasi and other expert forums that talk about how to avoid this.

example: 3 DC/DNS servers called DC1, DC2 and DC3
Some experts on this forum recommend the following:

Srv_name  PRIMARY  SECONDARY
DC1           DC2         DC3
DC2           DC1         DC3
DC3           DC1         DC2

The MS article method 1 recommends:

Srv_name  PRIMARY  SECONDARY
DC1           DC1         blank
DC2           DC1         DC3
DC3           DC1         DC2

Another question: if the MS article is correct, what happens if DC1 (the so-called master) crashes???

Please answer as quickly as possible and with references...  I need to know how I can check your answer is correct...


0
Comment
Question by:mbecmba1
8 Comments
 
LVL 2

Expert Comment

by:sqwasi
ID: 11991260
mbecmba1,

Your question confused me some.  You said that you were implementing "AD integrated primary and secondary" DNS zones.  However you are talking about two different things.  The AD integrated DNS Zones do not have primary or secondary.  They replicate through AD, just like there is no such thing as Primary and Backup Domain Controllers in AD.  If you are creating active directory integrated zones then you really only need to create the first one.  Go to your original Domain Controller.  Create the Active Directory Integrated Zone.  Configure it like you want it.  Then when you add the additional domain controllers as replica domain controllers the DNS information and the zone you created will be automatically replicated to all of the domain controllers as long as DNS is installed on those domain controllers as well.  I hope this makes sense and is helpful.
0
 

Author Comment

by:mbecmba1
ID: 11992689
OK, let's start again.
1) I installed the first DC and DNS (AD INTEGRATED).  Configured DNS as I want it and it works.  
2) I then installed the second DC and then installed the DNS service.  At that point the Wizard asks if I want to create a forward lookup zone. I selected PRIMARY & ticked the AD Integrated check box.  This seems to work fine.

Please tell me if I am doing it wrong???  

Anyway the above question is not about that.   I want to know about ISLAND DNS.  The MS article says I should choose one as kind of a master (not really a master) and point its NIC's primary DNS to itself.  On the other DNS servers I point their NIC's primary to this first DC/DNS.  

I have also seen a different solution in this forum.  Basically never point the forest root DNS servers to itself.  Point them to each other.  

Which one is true???  

Please provide me an answer to both questions above...
0
 
LVL 10

Accepted Solution

by:
ryangorman earned 500 total points
ID: 11995416
sqwasi is confused. It was apparent that you understood that AD integrated zones essentially make each DNS server both primary and secondary.

Your question is a valid query about how should admins configure the client side DNS of Domain Controllers. As we all know *initially* you'd point a proposed DC at any current DNS server and then run DCPromo. After then you have an option to re-point DNS elsewhere.

I've not found a conclusive answer to this question but consider this scenario.

AD-integrated DNS. Two DCs both pointing to themselves. If you demote one DC it'll update the DNS on itself but this change won't be replicated to the other DC because the demoted DC is now a member server.

I too would like a hard and fast conclusive answer.

0

 

Author Comment

by:mbecmba1
ID: 11997240
OK,  I have searched everywhere and the MS answer is not really right.  I need to know for sure how and why.
I am raising the points even higher to get some interest but I want a real expert answer.  I also need to know after the second DNS comes up,  what records I can expect to see in both DNS GUIs.  
Is there a proper list of all records I can check for ???

I want a solid answer to both...
0
 
LVL 84

Expert Comment

by:oBdA
ID: 12038447
Don't you just love it how Microsoft contradicts itself in their own setup?
I stick with the recommended settings from the FAQ, and they have worked so far. According to this, the first DC/DNS should only point to itself, additional DCs should point to the first one as primary, to itself as secondary.
In the _msdcs.your.domain.local. domain, you should see one alias (CNAME) entry for each DC, pointing to the FQDN of the respective DC.
dcdiag.exe and netdiag.exe should tell you if everything is running and configured OK.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675

Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?kbid=260371

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

HOW TO: Use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
http://support.microsoft.com/?kbid=321708

DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
http://support.microsoft.com/?kbid=265706

Do not install the Support Tools from your installation CD, some tools were updated by the Service Packs. Here's the current version:
Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897
0
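The checklist oBdA points at (the _msdcs CNAME per DC plus the SRV records from KB 241515) can be turned into an automated comparison. The following is an added example, not code from the thread or from any Microsoft tool: it builds the set of records a DC is expected to register and diffs it against a netlogon.dns-style export. The domain name, site name, GUID and export lines are constructed for the demonstration; a single-domain forest is assumed, so forest and domain names coincide.

```python
# Added example (not from the thread or any Microsoft tool): build the set of DNS
# records a DC is expected to register (the record set KB 241515 documents) and
# compare it with a netlogon.dns-style export. All names and GUIDs are constructed.

def expected_records(domain, site, dsa_guid, is_gc=True, is_pdc=False):
    """(name, type) pairs a DC registers; forest == domain (single-domain forest)."""
    d = domain.rstrip(".") + "."
    def both(svc, suffix):  # a record plus its site-specific twin under _sites
        return [f"{svc}.{suffix}", f"{svc}.{site}._sites.{suffix}"]
    srv = (both("_ldap._tcp", d) + both("_ldap._tcp", f"dc._msdcs.{d}")
           + both("_kerberos._tcp", d) + both("_kerberos._tcp", f"dc._msdcs.{d}")
           + [f"_kerberos._udp.{d}", f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}"])
    recs = {(d, "A"), (f"{dsa_guid}._msdcs.{d}", "CNAME")}  # the per-DC alias oBdA mentions
    if is_gc:  # global catalog records, forest-wide
        srv += both("_gc._tcp", d) + both("_ldap._tcp", f"gc._msdcs.{d}")
        recs.add((f"gc._msdcs.{d}", "A"))
    if is_pdc:  # registered only by the PDC emulator
        srv.append(f"_ldap._tcp.pdc._msdcs.{d}")
    return recs | {(name, "SRV") for name in srv}

def registered_records(netlogon_dns_text):
    """Parse 'name TTL IN TYPE rdata' lines (netlogon.dns layout) into (name, type)."""
    recs = set()
    for line in netlogon_dns_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN":
            recs.add((parts[0], parts[3].upper()))
    return recs

def missing_records(domain, site, dsa_guid, netlogon_dns_text, **roles):
    """Expected records the export lacks, sorted for a report."""
    return sorted(expected_records(domain, site, dsa_guid, **roles)
                  - registered_records(netlogon_dns_text))

# Constructed export for a non-GC second DC; _kpasswd and the _msdcs CNAME are left out.
DC2_GUID = "1b2c3d4e-0000-4000-8000-000000000002"
SAMPLE_DC2 = """\
corp.example.local. 600 IN A 10.0.0.2
_ldap._tcp.corp.example.local. 600 IN SRV 0 100 389 dc2.corp.example.local.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.local. 600 IN SRV 0 100 389 dc2.corp.example.local.
_ldap._tcp.dc._msdcs.corp.example.local. 600 IN SRV 0 100 389 dc2.corp.example.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example.local. 600 IN SRV 0 100 389 dc2.corp.example.local.
_kerberos._tcp.corp.example.local. 600 IN SRV 0 100 88 dc2.corp.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.corp.example.local. 600 IN SRV 0 100 88 dc2.corp.example.local.
_kerberos._tcp.dc._msdcs.corp.example.local. 600 IN SRV 0 100 88 dc2.corp.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example.local. 600 IN SRV 0 100 88 dc2.corp.example.local.
_kerberos._udp.corp.example.local. 600 IN SRV 0 100 88 dc2.corp.example.local.
"""

if __name__ == "__main__":  # reports the three records left out of SAMPLE_DC2
    print(missing_records("corp.example.local", "Default-First-Site-Name", DC2_GUID, SAMPLE_DC2, is_gc=False))
```

On a real DC the text to feed in is %systemroot%\system32\config\netlogon.dns, and the records reported missing are the ones to look for in the DNS MMC on every other DC after replication.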
 

Author Comment

by:mbecmba1
ID: 12052288
I am kind of happy with the answer, however I have to think of Disaster Recovery.
What happens when the first so called PRIMARY dies???   All my DNS servers are pointing to a dead server !!!

This does not sound right to me.  Sure it works but I refuse to go round the network reconfiguring TCP/IP settings on DCs and watch them reconnecting to the network.  

That is probably why I have seen other people pointing the DNS servers to each other.  

Can anyone tell me if MS is talking rubbish and if they forgot to think about primary crashing???

This is fundamental and BASIC stuff...
0
 
LVL 84

Expert Comment

by:oBdA
ID: 12096792
Actually, that's what you have backups for. If any server dies (beyond repair, without backup), that has a "primary" role in your network, you will always be in more or less trouble. In the DNS case, it wouldn't even help if the DNS were pointing to all sorts of other DNS servers; you'd have to change/remove the dead address all over the place anyway.
That said, another problem here is that Microsoft in these KB articles never (well, actually "in no KB article I could find until now"; I'd be glad to be corrected on this one) distinguishes between the different DNS setups, that is whether the AD zones are standard primary/secondary, or whether they are AD integrated.
If you have a primary/secondary setup, there's no way around the primary DNS anyway--the SOA is the only one which has a writable copy of the DNS database.
If all your DNS servers are DCs as well, and the AD zone is AD integrated (and your replication is working OK), it should even be possible for the servers to only use themselves as DNS. In that case, every DNS is SOA for the AD zone, so the necessary SRV entries can be created, and then they should be replicated to the other DCs/DNSs.
0
 

Author Comment

by:mbecmba1
ID: 12387743
I have set this up not using the MS recommendation and it works.  What worries me is that if I connect to the primary (first) DC, I can see the zone and SOA.  When I connect to the second or third DC I see the zone but not the level of detail that I can see on the 1st server. ie: I do not see all the clients' A-records etc.

I am happy to give the points to the first person that can send what I am exactly supposed to see on the first and subsequent DNS/DC integrated servers when I connect to them using the DNS MMC.  I don't know if it is possible to attach a snapshot here but you may send me via email to Mahyar.Barad@UKF.NET

I need to know for every single container in DNS what I am expected to see on the 1st and other DCs.

thanks Mahyar
0
