

Configuring DNS on a branch office DC not working

Posted on 2008-10-08
Medium Priority
Last Modified: 2012-05-05
Firstly, yes, I have read a few other threads on this issue but I am still having issues and hoped for direct help.

I need to prepare a DC for a branch office, about 50 users, over in Europe.  We are a US based company with 125 users.

Issue:  I created a new DC in a new subnet for the branch office.  DNS does not import the AD DNS information for forward lookup zones.  It only shows the reverse lookup zones.  When I create a new DC on my own network and install DNS it usually has all DNS information already populated from the AD.

Config:  Main site:  2 DCs running Windows 2003 Server w/ AD integrated DNS. 192.168.200.x network.
New site:  DC is built as a VMware virtual machine on ESX 3.5.  172.20.20.x network.  Cheap home router being used to interlink both networks until new Checkpoint firewalls arrive.
Here's what I have done so far:
1, created a new Site in the AD.
2, I created a new subnet of in the Sites container.
3, in the Inter-Sites Transport I modified the DEFAULTIPSITELINK to include both sites
4, built a 2003 server on my ESX 3.5 server.  IP address
5, configured a 2nd IP address in the 172.20.20.x net on the NIC for my main site DC(  Why?  This was needed to allow bidirectional communication since I am using a cheap home router.  This allowed my main site DC to ping the new DC in a different subnet.  I verified both servers could ping each other before continuing.
6, installed DNS, WINS and DHCP on new server that will become DC for new site.
7, DCPromo'ed new server( to become new DC for new site
When I open DNS, all that shows is the reverse lookup zones.  If I try to create a zone with the same name it tells me that there is already a zone with that name.
After a few hours of troubleshooting, I gave up and DCpromoed the box back down to a server and tried again with same results.

Question time:
1st, Is a single domain with 2 sites the correct path to go down to minimize site to site traffic? (we will have a 4mb connection and they have 2mb)
2nd, If yes, am I going about configuring DNS the correct way?  Should I see all DNS information show up on my new DC and something just is not working correctly, OR is this the way it works if a DC is in another subnet and I have to configure that site manually?

Question by:Relay700

Accepted Solution

tismetoo earned 750 total points
ID: 22671451
The answers to questions 1 and 2 are probably yes:
Single domain with 2 sites sounds correct - although would need to know a lot more about your org to be sure.
DNS sounds like it is set up correctly.
I think the issue you have is putting the 172. address on your primary DC. Sites and Services shows the DC as being still in the main site, but the 172 address may be confusing the issue.
Stick with the correct addressing and verify the routing is working correctly on the cheap router. Then use replmon to see what is going on with replication of the domaindns zone. DCDIAG may also point us in the direction of the issue if you can post the results.

Author Comment

ID: 22678571
Our Checkpoint firewalls have arrived so we will try to put the real stuff in place and see if that helps.

Primary question though is whether or not DNS should reflect the entire zone, including Forward Lookup zones.  Should it look the same as our primary site's DNS or does this need to be configured differently?

Expert Comment

ID: 22679563
Depends if the forward lookup zones are AD integrated or not - if they are then the new DC should have the same zones. If they aren't AD integrated you will have to set up stub or secondary zones to ensure they land on the new DC.

Author Comment

ID: 22686065
Thanks for your help so far!

Update:  We have installed a Checkpoint UTM firewall and configured a VPN tunnel between the two networks as it will be in the real world.  No difference in the DNS.  We removed DNS again and dcpromoed the new DC back to a member server.  Rebooted and then installed DNS and dcpromoed back to a DC with no change in results.
All I get in the DNS is just the reverse lookup zones and not the forward lookup zones.
Routing appears to be fine as there are no DNS errors and the DCs can easily ping each other via IP, name and FQDN.

Any other ideas?

Author Comment

ID: 22686071
BTW, our DNS zones are AD integrated.

Assisted Solution

tismetoo earned 750 total points
ID: 22700885
What is dcdiag showing for the new DC?

Use the replmon util and find out what the status of the domaindns partition is. What happens when you try and synchronise domaindns from each DC?
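The checks suggested in the answer above (zone list on the new DC, replica status of the DomainDnsZones partition, a forced sync, dcdiag DNS tests) can be scripted so they are repeatable. The following PowerShell is an added example and is not code from the thread or from any of its participants; the domain DN and the two DC hostnames are assumptions and must be replaced, and it relies only on the standard Windows tools (dnscmd, repadmin, dcdiag, ntdsutil) plus ADSI.

```powershell
# Added example, not from the original thread. Health checks for AD-integrated
# DNS zones on a newly promoted branch DC. Run on the branch DC as a domain
# admin. Values below are assumptions; replace them with your own.
$DomainDn = 'DC=corp,DC=example'   # assumption: your domain's distinguished name
$BranchDc = 'BRANCH-DC1'           # assumption: hostname of the new branch DC
$HqDc     = 'HQ-DC1'               # assumption: hostname of a main-site DC

# 1. Which zones does the branch DNS server actually hold right now?
#    A DC that has not yet received the DomainDnsZones partition shows only
#    the zones stored elsewhere (for example reverse zones in the domain NC).
dnscmd $BranchDc /EnumZones

# 2. Is the branch DC enlisted as a replica of the DomainDnsZones partition?
#    Each application partition has a crossRef object under CN=Partitions whose
#    msDS-NC-Replica-Locations attribute lists the NTDS Settings DN of every DC
#    holding a replica. If the new DC is missing here, DNS cannot show the zones.
$partitions = [ADSI]"LDAP://CN=Partitions,CN=Configuration,$DomainDn"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter = "(&(objectClass=crossRef)(nCName=DC=DomainDnsZones,$DomainDn))"
$searcher.PropertiesToLoad.Add('msDS-NC-Replica-Locations') | Out-Null
$crossRef = $searcher.FindOne()

if ($crossRef -eq $null) {
    Write-Warning "No crossRef found for DC=DomainDnsZones,$DomainDn (is the DN correct?)"
} else {
    $replicas = @($crossRef.Properties['msds-nc-replica-locations'])
    $replicas | ForEach-Object { "DomainDnsZones replica: $_" }
    if (-not ($replicas -match "CN=NTDS Settings,CN=$BranchDc,")) {
        Write-Warning "$BranchDc is not yet a DomainDnsZones replica."
        # Enlistment normally happens on its own when the DNS service starts on
        # the DC and may take a replication cycle. It can be forced with ntdsutil
        # (Windows Server 2003 menu name shown; later releases use
        # 'partition management'), giving the DC's fully qualified name:
        #   ntdsutil "domain management" "add nc replica DC=DomainDnsZones,$DomainDn $BranchDc.corp.example" quit quit
    }
}

# 3. Inbound replication status for every naming context on the branch DC,
#    which includes DomainDnsZones and ForestDnsZones once enlisted.
repadmin /showrepl $BranchDc

# 4. Force a one-off pull of the DNS partition from HQ, then re-run the DNS
#    tests so a failure surfaces right after the sync rather than hours later.
repadmin /replicate $BranchDc $HqDc "DC=DomainDnsZones,$DomainDn"
dcdiag /s:$BranchDc /test:DNS
```

Step 2 is the one that distinguishes "replication is fine" from "the zones are fine but this DC does not hold them": repadmin can report every existing partnership as successful while the new DC simply is not a replica of the DNS application partition yet. Run the same script from the HQ side (swap the two hostnames) to confirm the picture agrees in both directions.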

Author Comment

ID: 22712402
DCdiag all tests pass.
dcdiag /test:DNS shows only a root server error but all tests pass.

Working on the replmon now.

Thanks for help!

Author Comment

ID: 22712519
replmon shows all replication working correctly.
A forced replication specifically with DomainDNSZones shows attempt was successful.

Expert Comment

ID: 22715922
Replication successful from both sides - i.e. performed from each server - branch and HQ? And they still don't show in the DNS server console?

Author Comment

ID: 22719949
Update:  Something we did seemed to have corrected it.
I came in the morning to find that it is now showing a Forward Lookup Zone in the DNS console.

Thanks for all your help!

Author Closing Comment

ID: 31504310
Thanks for all your help.
