Best practices for DNS forwarding in environment with 3 Windows DNS and 3 Linux DNS
Posted on 2008-11-19
I am not very savvy on the topic of DNS and need some help. Here is the environment:
3 Windows Server 2003 R2 servers, all running AD-integrated DNS. 2 are at our office, which includes the FSMO holder, and the other is at our datacenter. They are all GCs. We also have an Exchange 2007 server at our datacenter which looks to the local DC out there for authentication. Additionally we have 1 Linux DNS server at our office, and we have 2 Linux DNS servers at our datacenter, one of which is the master server, while the other 2 supposedly slave off of that one.
I have had some issues with DNS errors recently, today being errors shown in the Exchange server logs from MSExchange ADAccess (Event ID: 2120 and 2104) as well as NETLOGON (Event ID: 5783), followed by several Kerberos (Event ID: 7) errors. I have looked at all of these errors and their "resolutions" separately; however, I started to look more toward general DNS issues as being the cause of all of these.
My first big question is how I should configure forwarding in my Windows DNS servers. Apparently the forwarders do not replicate to all of the DCs, and I currently have different sets of forwarders in each of the DCs' DNS settings. Should these all be forwarding to all of my DNS servers, only the Linux servers, etc.? One thing to add to this is that our Linux environment is "sample.com" whereas our Windows environment is "ad.sample.com". It looks as though I could add 2 sections to the DNS forwarders tab, 1 being "ad.sample.com" with the Windows servers added to that, and then add another DNS domain of "All other DNS domains" and set these to the Linux servers. Does this sound correct?
My next question is this: our FSMO holder is thought of as our primary Windows DNS server, as we point all of our DHCP addresses to it. This is 1 of the local DCs at our office. Recently we moved the Exchange server to our datacenter, and by nature of Sites and Services the Exchange server started using the local DC for DNS, AD, etc. Since this, we have run into issues where users will change their passwords in OWA (which points to the DC at the datacenter); however, password replication does not seem to happen immediately as it should, and the users will lock themselves out on local file servers or on desktops as the password is not correct locally. I have bumped replication to 15 minutes; however, I am also now concerned about too much replication traffic as well as still having random auth issues. Should I point the local DHCP settings to the DNS server at my datacenter? Should I change my FSMO holder to be the DC at the datacenter? If this server goes down, either for maintenance or for other reasons, will clients locally be able to fail over to our local DNS servers by virtue of setting 2 DNS servers in DHCP?
Lastly, I have asked this before; however, I have since found conflicting documentation: each of the DCs (also DNS servers) is pointing to itself, and only itself, as the DNS server within its network configuration. This was how it was when I started, and this is what I was told when I questioned it recently; however, earlier (and now I can't find it) I found something that said that all of the other DNS servers should point to one "master" DNS server. Should I change my DNS servers to point at my FSMO holder, the server that I point all of my DHCP clients to? Should I then add themselves as secondary DNS servers? Which DNS servers should my Exchange server point to? Currently it is set to only the DC at the datacenter.
Please help. I know this is a lot of ground to cover here, but I feel it's all pretty related.