tgrizzel

asked on

Best practices for DNS forwarding in environment with 3 Windows DNS and 3 Linux DNS

I am not very savvy on the topic of DNS and need some help.  Here is the environment:

3 Windows Server 2003 R2 servers all running AD-integrated DNS.  2 are at our office, which includes the FSMO holder, and the other is at our datacenter.  They are all GCs.  We also have an Exchange 2007 server at our datacenter which looks to the local DC out there for authentication.  Additionally we have 1 Linux DNS server at our office, and we have 2 Linux DNS servers at our datacenter, one of which is the master server, while the other 2 supposedly slave off of that one.

I have had some issues with DNS errors recently; today there were errors in the Exchange server logs from MSExchange ADAccess (Event ID: 2120 and 2104) as well as NETLOGON (Event ID: 5783) followed by several Kerberos (Event ID: 7) errors.  I have looked at all of these errors and their "resolutions" separately, however I started to look more toward general DNS issues as being the result of all of these.

What my first big question would be is how I should configure forwarding on my Windows DNS servers.  Apparently the forwarders do not replicate to all of the DCs and I currently have different sets of forwarders in each of the DCs' DNS settings.  Should these all be forwarding to all of my DNS servers, only the Linux servers, etc.?  One thing to add to this would be that our Linux environment is "sample.com" vs. our Windows environment is "ad.sample.com"... it looks as though I could add 2 sections to the DNS forwarders tab, 1 being "ad.sample.com" with the Windows servers added to that, and then add another DNS domain of "All other DNS domains" and set these to the Linux servers.  Does this sound correct?

My next question is this: our FSMO holder is thought of as our primary Windows DNS server, as we point all of our DHCP addresses to it.  This is 1 of the local DCs at our office.  Recently we moved the Exchange server to our datacenter and by nature of Sites and Services the Exchange server started using the local DC for DNS, AD, etc.  Since this, we have run into issues where users will change their passwords in OWA (which points to the DC at the datacenter), however password replication does not seem to happen immediately as it should, and the user will lock themselves out on local file servers or on desktops as the password is not correct locally.  I have bumped replication to 15 minutes, however I am also now concerned about too much replication traffic as well as still having random auth issues.  Should I point the local DHCP settings to the DNS server at my datacenter?  Should I change my FSMO holder to be the DC at the datacenter?  If this server goes down, either for maintenance or for other reasons, will clients locally be able to fail over to our local DNS servers by virtue of setting 2 DNS servers in DHCP?

Lastly, I have asked this before, however I have since found conflicting documentation:  Each of the DCs (also DNS servers) is pointing to itself, and only itself, as DNS server within its network configuration.  This was how it was when I started, and this is what I was told when I questioned this recently; however earlier (and now I can't find it) I found something that said that all of the other DNS servers should point to one "master" DNS server.  Should I change my DNS servers to point at my FSMO holder/the server that I point all of my DHCP clients to? Should I then add themselves as secondary DNS servers?  Which DNS servers should my Exchange server point to? Currently it is set to only the DC at the datacenter.

Please help, I know this is a lot of ground to cover here, however I feel it's all pretty related.

Thanks
Hypercat (Deb)

Forwarder question - There are two possible answers to this question.  Assuming that your Linux servers are handling everything except "ad.sample.com," and the Windows servers do not have access to the Internet, you should only need an "all other domains" forwarder on the Windows DNS servers.  Since the Windows DNS servers have an AD-integrated domain of "ad.sample.com," they don't need a forwarder set up for this domain.   I'm not a Linux DNS person, but I would think that you would also need to add conditional forwarders on the Linux machines for "ad.sample.com" pointing back to the Windows servers.

However, if your Windows servers are handling ad.sample.com AND also are handling DNS traffic between your workstations and the Internet, then you would need a conditional forwarder ONLY for "sample.com" to the Linux servers.  All internal domain traffic for "ad.sample.com" and all external Internet traffic would then be handled by the Windows DNS servers.

My advice on the OWA issue would be to lock them out of changing their passwords through OWA.  This has been a known issue with OWA even in cases where you don't necessarily have slow replication issues, although it is better under more recent versions (2003-2007). Unless there is some good reason not to do so, I would think that would solve your password problem.

My answer to the DC/DNS question is that you should leave it the way it is.  The older method - pointing every DNS server to one "master" server - applies only to the situation where you have primary/secondary DNS servers.  AD-integrated DNS servers should always be pointed to themselves only.
tgrizzel

ASKER

OK,
Here is where our environment gets a bit tricky:  We have approx. 100 users/computers, approx. 50 of which are Windows Vista, 15 Macs, and the rest are flavors of Linux.  Almost all of these should, and I say should, be using DHCP for IP/DNS settings.  If I am understanding a past situation correctly, for whatever reason the Windows servers refuse to answer DNS requests for Linux and Mac computers, and therefore we had to have the Linux servers listed as forwarders for these computers.  Also, I believe that the top answer you listed is also the case, as my Windows servers do not have access to the outside Internet w/o using the DNS from one of the Linux computers.  Additionally we need those forwarders in the Windows servers as we do not have all of the production Linux servers listed in the Windows DNS, as they are updated only in the /var/named/sample.com hosts file.  Therefore, it would seem to me that the Linux forwarders need to stay in place on the Windows servers to meet these needs, but what about the other Windows DNS servers? From reading the answer above it would sound as though I would be safe in removing any Windows DNS servers from the forwarding list....

OWA password change is necessary unfortunately, as this gives the Linux and Mac users a way to change their passwords.

Sounds good on the DC/DNS answer, as this makes more sense as you have described that this is replicated through AD and therefore not necessary.  

What about the Exchange server then? This is Exchange 2007, and probably just like older versions relies on AD (which then relies on DNS) to work properly.  What I really need to make sure of is this:  Currently, only having the Exchange server pointed at 1 DNS/AD server (the GC in its local site), what happens when this server goes down?  Should I put my 2nd and 3rd DC/DNS servers in the NIC configs? Will this create any issues where the Exchange server tries to use a DC/DNS out of its site (even though it is technically not supposed to)?  Will this help anything if the DC at the datacenter goes down or is not available?
Oh, and is there any benefit to changing my FSMO holder to the DC at the datacenter? I saw an error that the Exchange server was looking for the PDC and could not find it, yet I don't want to cause any issues on the office side either....
I see the complications in your scenario.  As to forwarders on the Windows servers, they wouldn't need any forwarders other than the Linux servers as forwarders for "All other domains."  This would cover both the sample.com domain and all external domains, assuming the Linux servers are configured with either (1) forwarders, or (2) root hints, for resolution of external domain names.   You would want to configure the same forwarders on all of your Windows DNS servers, and you would want your DHCP options to list at least two of your Windows DNS servers as a primary and secondary resolver. The clients in the main office should use the main office DNS servers as primary, secondary, etc. The clients in the datacenter should use at least one local DNS server as the primary and then have DNS server(s) from the main office listed as second and/or third DNS servers for backup purposes.

Question about your Exchange server - Is it set to use the local DC for its global catalog server?  This would be the first thing to confirm.  I would not move any of the FSMO roles to the data center server at this point. I'm a little surprised about your password issue, since from what I've read, a password change is supposed to trigger a "push" replication event, but I'm really not an expert in the area of replication issues, since I normally deal with very small networks.

As far as DNS on the Exchange server, yes, you should configure a secondary DNS server, and you could even add a third if you want to be extra careful.  DNS resolution from the client standpoint does not work in a "round-robin" type of way. The client will always use the primary DNS server for resolution unless or until that server stops responding.  Only then will it try to contact the second or third, etc., DNS server in its table.  
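To make the forwarder advice above concrete, here is a small added model (my own illustration, not code from the thread or from either participant) of how a Windows DNS server picks where to send a query: local zone data wins, then the longest matching per-domain (conditional) forwarder, then the "All other DNS domains" forwarders, then root hints if enabled. It also audits a set of DCs for the two problems raised in the thread: forwarder lists that differ from DC to DC, and Windows DNS servers listed as forwarders for each other. All addresses, server names and the "before"/"after" configurations are constructed for the example and are not from the original post.

```python
from dataclasses import dataclass, field

# Constructed addresses for this example (not from the original post).
OFFICE_LINUX = "198.51.100.5"                        # office Linux DNS (sample.com)
DATACENTER_LINUX = ["198.51.100.6", "198.51.100.7"]  # datacenter Linux master + slave
DC_ADDRS = {"dc-office1": "192.0.2.10", "dc-office2": "192.0.2.11", "dc-datacenter": "192.0.2.12"}
AD_ZONES = {"ad.sample.com", "_msdcs.ad.sample.com"}  # AD-integrated zones every DC hosts


@dataclass
class WindowsDns:
    """One Windows DNS server: the zones it is authoritative for plus its forwarder settings."""
    name: str
    authoritative: set
    conditional: dict = field(default_factory=dict)         # zone -> forwarder IPs (per-domain entries)
    default_forwarders: list = field(default_factory=list)  # the "All other DNS domains" entry
    root_hints: bool = False                                # recursion fallback when nothing matches

    def route(self, qname):
        """Decide how a query is answered: local zone data beats forwarding, longest suffix wins."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.authoritative:
                return ("authoritative", ())
            if suffix in self.conditional:
                return ("conditional", tuple(self.conditional[suffix]))
        if self.default_forwarders:
            return ("forward", tuple(self.default_forwarders))
        return ("roothints", ()) if self.root_hints else ("fail", ())


def audit_consistency(servers, probes):
    """Flag names that different DCs would send to different places (mismatched forwarder sets)."""
    findings = []
    for q in probes:
        routes = {s.name: s.route(q) for s in servers}
        if len(set(routes.values())) > 1:
            findings.append(q + ": " + "; ".join(f"{n} -> {h} {list(t)}" for n, (h, t) in routes.items()))
    return findings


def audit_self_referencing(servers):
    """Flag Windows DNS servers whose 'All other DNS domains' forwarders point at another Windows
    DNS server: it hosts the same AD-integrated zones and adds no resolution the local one lacks."""
    windows_ips = set(DC_ADDRS.values())
    return [f"{s.name} forwards to Windows DNS {ip}"
            for s in servers for ip in s.default_forwarders if ip in windows_ips]


# "Before": the poster's situation, a different forwarder list on every DC.
BEFORE = [
    WindowsDns("dc-office1", AD_ZONES, default_forwarders=[OFFICE_LINUX]),
    WindowsDns("dc-office2", AD_ZONES, default_forwarders=[DC_ADDRS["dc-office1"], OFFICE_LINUX]),
    WindowsDns("dc-datacenter", AD_ZONES, default_forwarders=DATACENTER_LINUX),
]

# "After": the advice in the thread, the same "All other DNS domains" list on every DC, pointing only
# at the Linux servers; no per-domain entry for ad.sample.com because the DCs are authoritative for it.
LINUX_ALL = [OFFICE_LINUX] + DATACENTER_LINUX
AFTER = [WindowsDns(n, AD_ZONES, default_forwarders=LINUX_ALL) for n in DC_ADDRS]

# Constructed probe names covering the AD zone, the Linux-managed zone and the public Internet.
PROBES = ["dc-office1.ad.sample.com", "_gc._tcp.ad.sample.com", "web01.sample.com", "www.example.org"]

if __name__ == "__main__":
    for label, servers in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}")
        for line in audit_consistency(servers, PROBES) + audit_self_referencing(servers):
            print("  " + line)
```

Running it prints two inconsistent-routing findings and one self-referencing finding for the "before" set and nothing for the "after" set. To feed it real data instead of the constructed configs, populate `default_forwarders` from what `dnscmd <server> /Info` reports on each Server 2003 DC.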
Gotcha.  Looking at this, it all makes sense right now.  I have made these changes/configurations and will let this sit for a day and see how this stands.

I'll keep this post updated with the latest info.

Thanks for your help.
The original errors that I posted above seem to have stopped, however I am still seeing some GC connect errors such as Event ID: 9144, NSPI Proxy failed to connect to Global Catalog....... as well as a few others.  I am working on looking into these, and this may be an overall physical connectivity issue.

At this point, I mostly got the logical topology info that I was looking for here, therefore I'll monitor for a bit more and hopefully close out this case.

Thanks, I'll let you know.
I just found this in a tech article about NSPI Proxy errors, in case you haven't seen it yet:

"Because DSAccess uses a round robin approach when it uses DNS, DSAccess might try to use the external DNS server, making the Exchange server unable to reach the GC servers."

So, contrary to what I said before as it pertains to general DNS settings, this seems to indicate that having a secondary DNS that is external might be causing those errors.
Very interesting.  I had been looking into this today as it continues to be an issue at this point, though it is relatively minor compared to what I had been seeing.  I would still think though that having the other DNS server available would outweigh the problem of seeing this error every so often (about once an hour).  I wonder if the ultimate answer is to move one of my other DCs to the datacenter....  Can you provide a link to that posting? I had not run across that as of yet.

Thanks hypercat
ASKER CERTIFIED SOLUTION
Hypercat (Deb)