Solved

What's the best design of DNS in an AD-Integrated zone?

Posted on 2008-06-10
24
410 Views
Last Modified: 2008-06-11
I have 2 DCs. One is DC1, the other is DC2. DC1 has DNS AD-Integrated. DC2 currently has no DNS installed. It points DNS to DC1. Should I set up DNS on DC2? What's the advantage of doing this?

And if I set up DNS on DC2, should I point it to DC2 itself instead of DC1? What's the difference?

Question by:wuitsung
24 Comments
 
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 160 total points
ID: 21755586
If you only have two DCs in your domain I would recommend installing the DNS service on the second DC in AD-integrated mode and using it as the secondary DNS server for all your clients (assuming DC1 is the primary). This will grant you the redundancy to allow DNS lookups, and therefore internet browsing, in the event DC1 should ever go down.
0
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 170 total points
ID: 21755605
Yes you should set up DNS on at least 2 machines - that way if one fails or is busy the other can deal with DNS queries. For greatest efficiency all DNS servers should point to themselves for preferred DNS and to another as alternate DNS. In a simple environment both should be set to forward to an external DNS as detailed at http://www.petri.co.il/configure_dns_forwarding.htm

Of course for this to work, all clients must also be set to use both servers by specifying one server as "preferred" and the other as "alternate" in the TCP/IP settings on static IP machines and by specifying both DNS servers in the DHCP options on the DHCP scope.
If you want full redundancy it's also a good idea to make the DNS servers Global Catalog servers as well: go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default-First-Site-Name and Servers. Right click on the new server and select Properties and tick the Global Catalog checkbox. (Global Catalog is essential for logon as it needs to be queried to establish Universal Group membership.)
0
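The layout described in the accepted solution (each DC prefers its own DNS service with the other DC as alternate, both forward externally, DHCP hands out both, and the second DC becomes a Global Catalog) can be applied with a script. The following is an added example and not code from the thread or from any poster; it assumes the DnsClient, DnsServer, DhcpServer and ActiveDirectory PowerShell modules of Windows Server 2012 or later (not the 2008-era tooling the thread was written for), PowerShell remoting to both DCs, and the placeholder names and addresses set at the top.

```powershell
# Added example (not from the thread). Placeholder names and TEST-NET addresses;
# replace them with your own DC names, addresses, upstream resolvers and scope.
$dc1 = @{ Name = 'DC1'; IP = '192.0.2.10' }
$dc2 = @{ Name = 'DC2'; IP = '192.0.2.11' }
$forwarders = '198.51.100.53', '198.51.100.54'   # placeholder upstream (ISP) resolvers
$dhcpScope  = '192.0.2.0'                        # placeholder DHCP scope ID

# 1. NIC setting on each DC: preferred = itself, alternate = the other DC.
#    This is the DNS *client* configuration, separate from the DNS server service.
foreach ($pair in @(@($dc1, $dc2), @($dc2, $dc1))) {
    $self, $other = $pair
    Invoke-Command -ComputerName $self.Name -ArgumentList $self.IP, $other.IP -ScriptBlock {
        param($selfIp, $otherIp)
        $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $selfIp, $otherIp
    }
}

# 2. DNS *server* setting on both DCs: forward names outside the AD zones upstream.
#    Forwarders are consulted by the server service, not by the NIC's alternate list.
foreach ($dc in $dc1, $dc2) {
    Set-DnsServerForwarder -ComputerName $dc.Name -IPAddress $forwarders
}

# 3. DHCP clients receive both DCs (option 006) in the same preferred/alternate order.
Set-DhcpServerv4OptionValue -ComputerName $dc1.Name -ScopeId $dhcpScope -DnsServer $dc1.IP, $dc2.IP

# 4. Make DC2 a Global Catalog: bit 0 of the 'options' attribute on its NTDS Settings
#    object. -Replace overwrites the whole attribute, so only use it when no other
#    option bits are set on that object (assumption for this example).
$ntdsDn = (Get-ADDomainController -Identity $dc2.Name).NTDSSettingsObjectDN
Set-ADObject -Identity $ntdsDn -Replace @{ options = 1 }
```

Step 1 and step 2 touch different things on purpose: the NIC list decides where the DC's own lookups go, the forwarder list decides where its DNS service sends names it is not authoritative for. Mixing the two up is the confusion the later comments in this thread untangle.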
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 170 total points
ID: 21755639
have a read through my DNS article - should point you in the right direction
http://www.block.net.au/help/dns-basics/
0
 

Author Comment

by:wuitsung
ID: 21762757
Hi Jay_Jay70, thank you for your article!! Very nice writing. But I am still confused about something. Now I have set up DNS on DC2 as integrated in AD. I am wondering what's the difference after I point the DNS to itself.

On the client PC, I point the DNS to DC2. And if DC2 doesn't point to itself but instead points to DC1, then for redundancy and load balancing, when DC1 fails or is busy, will it still work out? Or will it not work because the client query is sent to DC2 and, since DC2 points to DC1, it will never check its own database?
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21762979
The DNS server service and the Network card DNS settings are separate. If a DC is configured to use itself as the primary DNS server, it will query the DNS server service running on the server. If a DNS query times out, it will query the secondary DNS server as configured in the NIC.

DNS forwarders configured in the DNS server settings operate in a similar manner. So if DC2's DNS server service has DC1 configured as its primary forwarder address and the request times out, it will query the next server in the list, usually the ISP DNS servers.

The zones themselves for the internal domain are replicated with Active Directory and both DCs should remain up-to-date as long as replication is operational.
0
 

Author Comment

by:wuitsung
ID: 21764601
Yes, I understand this. But KCTS said that "For greatest efficiency all DNS servers should point to themselves for preferred DNS". I am just wondering: if DC2 doesn't point to itself but instead I point it to DC1, and now DC1 is shut down, what problem will there be?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764609
from a server point of view, if you have two DCs, let's call them DC1 and DC2, you should have two entries in your TCP/IP configuration

DC1: Primary = Itself, Secondary = DC2
DC2: Primary = Itself, Secondary = DC1

It just ensures a little redundancy across the servers. If you configure round robin within DNS, the load will be nicely balanced
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764615
in regards to your last comment, if you only have DC2 pointing to DC1 and no other entries, and you shut DC1 down, you aren't going to be able to resolve anything that is not in cache
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21764705
Jay_jay has explained what I was trying to say, as regards efficiency it is more efficient that a DC points to itself as preferred DNS as it will not have to forward the DNS query over the network to the other DNS server, it can simply ask itself.
0
 

Author Comment

by:wuitsung
ID: 21764709
Thanks! I understand that. Let's say on the client side, it uses the DNS of DC2. I think everything is still going to work out. I think it's just DC2 itself that cannot resolve the name. And do you think the Active Directory on DC2 will have a problem, or any other problem in the domain environment, while DC1 is down...
0
 

Author Comment

by:wuitsung
ID: 21764746
I just overlooked KCTS's new post... DNS query failure on DC2 would prevent which part of AD from working?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21764747
Sorry, I don't understand.

However, be aware that when you specify a Preferred and Alternate DNS server your client will always poll the Preferred DNS server for a response. That response will hopefully be the IP address requested, or it may be a response indicating that the name cannot be resolved.

In the case of the first DNS server failing to resolve the name the Alternate DNS server WILL NOT be used. The Alternate will only be used when no response at all is received (may be the preferred server is down or very busy)

Do  not confuse an alternate DNS server with a forwarder - the toe are very different.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21764760
oops >>the toe are very different.<<

the two are very different.

PS set up BOTH DNS servers to forward to external DNS servers in order to resolve external names
0
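Jay_Jay70's per-DC layout above (DC1: itself then DC2; DC2: itself then DC1) and KCTS's point that the alternate server is consulted only when the preferred one does not answer at all mean that a DC whose only DNS entry is the other DC loses name resolution outright when that DC is down. The audit below is an added example, not code from the thread or from any poster; it assumes the ActiveDirectory and DnsClient modules of Windows Server 2012 or later, PowerShell remoting to each DC, and IPv4-only addressing, and it reports one line per DC without changing anything.

```powershell
# Added example (not from the thread): audit the DNS client order on every DC.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    # Addresses of the other DCs, any of which is an acceptable alternate.
    $others = @(($dcs | Where-Object { $_.Name -ne $dc.Name }).IPv4Address)

    # The NIC's DNS server list on this DC (client setting, not the DNS service).
    $configured = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses
    })

    $report = [ordered]@{ DC = $dc.Name; Servers = ($configured -join ', ') }

    if ($configured.Count -eq 0) {
        $report.Finding = 'No DNS servers configured'
    }
    elseif ($configured[0] -ne $dc.IPv4Address -and $configured[0] -ne '127.0.0.1') {
        # Preferred is not this DC: every lookup crosses the LAN, and if the
        # preferred entry is the only other DC, losing that DC takes this DC's
        # resolution with it (the "DC2 points only to DC1" case in the thread).
        $report.Finding = 'Preferred DNS is not this DC'
    }
    elseif (-not ($configured | Where-Object { $others -contains $_ })) {
        # Self only: works while the local DNS service is up, but there is no
        # fallback if it stops or is busy, and the alternate is only used when
        # the preferred server gives no response at all.
        $report.Finding = 'No other DC listed as alternate'
    }
    else {
        $report.Finding = 'OK'
    }

    [pscustomobject]$report
}
```

A finding of "OK" means the order matches the layout the answers recommend; it does not prove the other DC's DNS service actually answers for the zone, which is a separate check against the server service rather than the NIC settings.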
 

Author Comment

by:wuitsung
ID: 21764812
Hi KCTS, From your previous post "as regards efficiency it is more efficient that a DC points to itself as preferred DNS as it will not have to forward the DNS query over the network to the other DNS server, it can simply ask itself."

My question is here.. don't look at the client side, just at DC2.
DC2 uses the DNS of DC1, but DC1 is down.
I understand that the DNS query will fail. I would like to know whether this will affect AD working properly, or other applications on DC2?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764835
of course, if you can't reach a DNS server you will start having AD issues. DNS is the base for Active Directory to function; if it can't locate SRV records, you are going to run into a whole load of trouble. That's why we are both saying you need to have alternate DNS options...at a DC level
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21764848
No DNS = No Active Directory !
0
 

Author Comment

by:wuitsung
ID: 21764885
So do you also mean that on client side I will also have problem?
Client -> use DNS of DC2 (It has been replicated from DC1)
I think the client can still locate SRV records....
Sorry to take so much time of you guys.. I am just trying to understand better..
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21764909
If there is no DNS there will be no Active Directory and your domain will not function - if there is no DNS neither clients nor servers will be able to find anything at all. If there is no DNS then where is the client going to get SRV records (or anything else) from?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764938
the clients will still log on and do the usual authentication tricks - BUT your AD will be screaming in the background
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764949
your life span on client operations will be short lived I would say - your DC2 would still hold the zones, but it will get outdated and start failing
0
 

Author Comment

by:wuitsung
ID: 21764971
My DC2 is AD-Integrated, there is DNS there.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764983
indeed - as above - the zones will still be there, but if your DC1 is down, and your DC2 points only to DC1 for DNS, then anything new and updated and important will fail.

You will have some life, don't get us wrong, but your AD won't even know what to do with itself and who else exists out there; it will have records for these resources but won't be able to reach them, won't be able to update, won't be able to replicate, and when your records scavenge, you're screwed = AD DEATH
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21765005
If you don't do it as described then AD will fail, and fail it will; it may start with subtle errors and warnings in the event log but will soon escalate. AD DEATH is not a bad description.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21765272
Generally, each DC that also has DNS installed should reference itself for DNS resolution and use another DC as its secondary. Each DNS server would have the ISP provided DNS server configured for its forwarders for internet resolution.

All clients should use a DC at their site that you designate as their primary, and an alternate DC as their secondary.

DCs using themselves for DNS resolution is preferred because the request occurs internally and will not have to traverse the LAN. This increases performance, and even stability.

The key here is that AD relies heavily on DNS resolution, without proper DNS configuration the AD will not function for long, if at all. AD-integrated DNS relies on replication, and replication will fail without a properly configured DNS environment.
0
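The summary above rests on two facts: AD's domain controller locator needs SRV records, and an AD-integrated zone stays current only through AD replication. The check below verifies both against each DC's own DNS service, asking that service directly so the answer does not depend on the DC's alternate server or its forwarders. It is an added example, not code from the thread or from any poster; it assumes the ActiveDirectory, DnsClient and DnsServer modules of Windows Server 2012 or later and the record names shown, which are the standard `_msdcs` locator names rather than anything specific to the poster's domain.

```powershell
# Added example (not from the thread): confirm each DC's DNS service can serve
# the SRV records AD depends on, and that the domain zone on it is AD-integrated.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain
$dcs    = Get-ADDomainController -Filter *

# Standard locator names: DCs, Kerberos KDCs and Global Catalogs for this domain/forest.
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.gc._msdcs.$forest"
)

foreach ($dc in $dcs) {
    foreach ($name in $locatorRecords) {
        # -Server targets this DC's DNS service; -DnsOnly skips local cache/LLMNR/NetBIOS.
        $answer  = Resolve-DnsName -Name $name -Type SRV -Server $dc.IPv4Address -DnsOnly -ErrorAction SilentlyContinue
        $targets = @(($answer | Where-Object QueryType -eq 'SRV').NameTarget)
        [pscustomobject]@{
            DnsServer = $dc.Name
            Check     = $name
            Result    = if ($targets.Count) { $targets -join ', ' } else { 'UNRESOLVED' }
        }
    }

    # A zone that is not AD-integrated on this DC is a plain secondary copy: it
    # survives the other DC going down only until it expires or needs an update.
    $zone = Get-DnsServerZone -ComputerName $dc.HostName -Name $domain -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DnsServer = $dc.Name
        Check     = "zone $domain"
        Result    = if ($zone) {
                        "$($zone.ZoneType), DsIntegrated=$($zone.IsDsIntegrated), scope=$($zone.ReplicationScope)"
                    } else { 'ZONE MISSING' }
    }
}

# Built-in equivalent for one DC's DNS dependencies: dcdiag /test:dns /s:DC2
```

Run it with DC1 shut down (in a test window) and the output shows directly which of the thread's scenarios you are in: SRV answers from DC2's own service mean DC2 holds a usable AD-integrated copy; UNRESOLVED against DC2 means DC2 is not really serving the zone and the "AD DEATH" sequence described above is what follows.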
