
Adding DNS Server

dankyle67 asked:
Hi,
Our current DNS server is on a server that might fail soon with the drives, so I wanted to put DNS on another server. Is it easier to copy the existing DNS server or just to create a new one from scratch? Is it possible to have 2 DNS servers running on the same domain? Thanks!

Krzysztof Pytko, Senior Active Directory Engineer, commented:
Yes, it is possible and should be done for redundancy :)
I guess that you have DNS zones as AD Integrated? If so, the simplest way for that is adding an additional DC with the DNS role in your network, and AD and DNS data will be replicated automatically.

If you wish, check an article on my blog for that at
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

In case that you run Standard Primary DNS zone, then you can simply use as many secondary zones as you wish. Then follow this MS article at
http://technet.microsoft.com/en-us/library/cc776953%28WS.10%29.aspx

Regards,
Krzysztof

Commented:
If you are trying to move a primary, non-AD integrated, DNS zone, you can copy the *.dns files from %WINDIR%\System32\dns (c:\windows\system32\dns) to your new server and then export the following Registry key HKLM\SOFTWARE\Windows NT\CurrentVersion\DNS Server\Zones to a .reg file. Then import the .reg file on the new server. You may wish to review the *.dns files (they are just text files) to see about editing them before making them available on the new server.
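The file-and-registry move described in the comment above, written out as an added PowerShell example (not posted by anyone in this thread). It assumes the DnsServer module (Windows Server 2012 or later), a staging folder of C:\DnsMigration, and that the Zones key lives at the full path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones; it copies only file-backed primary zones, since AD-integrated zones travel with AD replication, and records a hash of each file so the copy can be verified on the new server before the review step the comment recommends.

```powershell
# Added example: stage a standard (file-backed) primary DNS zone for a move to
# a new Windows DNS server. Run elevated on the OLD server while its drives
# still read. Assumptions: DnsServer module present; staging folder below;
# Zones key at the full HKLM\SOFTWARE\Microsoft\... path.

$Staging  = 'C:\DnsMigration'                                                   # assumed
$ZoneDir  = Join-Path $env:WINDIR 'System32\dns'
$ZonesKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones' # assumed full path

New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# 1. Copy only the zone files that matter: file-backed primary zones.
#    AD-integrated zones are skipped; they live in AD and replicate with it.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated } |
    ForEach-Object {
        $file = Join-Path $ZoneDir $_.ZoneFile
        if (Test-Path $file) {
            Copy-Item $file -Destination $Staging
            # Record a SHA-256 hash so the copy can be checked on the new server.
            (Get-FileHash $file -Algorithm SHA256).Hash + '  ' + $_.ZoneFile |
                Add-Content (Join-Path $Staging 'zonefiles.sha256')
        }
    }

# 2. Export the zone definitions (zone names, types, file names) from the registry.
reg export $ZonesKey (Join-Path $Staging 'dns-zones.reg') /y

# 3. Review before import: list the SOA and NS lines of every copied file so
#    records that still name the failing server are spotted before they are
#    loaded on the new one (they are plain text, edit them as needed).
Get-ChildItem $Staging -Filter *.dns | ForEach-Object {
    "--- $($_.Name)"
    Select-String -Path $_.FullName -Pattern '\sNS\s|SOA' | ForEach-Object Line
}

# On the NEW server, after the DNS role is installed and the staging folder
# has been copied over (all paths assumed as above):
#   reg import C:\DnsMigration\dns-zones.reg
#   Copy-Item C:\DnsMigration\*.dns "$env:WINDIR\System32\dns"
#   Restart-Service DNS
#   Get-DnsServerZone | Where-Object { -not $_.IsDsIntegrated }   # zones loaded?
```

Verify the hashes in zonefiles.sha256 against the copied files on the new server before restarting the DNS service; a partially read file from a failing drive would otherwise load as a truncated zone without complaint.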

Commented:
Make sure the DNS server is also not a domain controller. If it is, make sure you transfer the FSMO roles from the faulty server to another domain controller first.

Author commented:
I promoted one of our servers to a domain controller last night and was about to make this the 2nd DNS server but noticed you advised on not installing on a domain controller. So I should install on a member server, and where do I do this again? I thought it was in the server roles section. Thanks.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
DNS SHOULD be added as a role on a DC. Then it can be used as AD-Integrated zone(s), which are much more secure than secondary zone(s) on member servers!

When you have the DNS role on a DC, the DNS records are replicated during AD replication. In case you have the DNS role on a member server, then records are replicated unsecured, in plain text.

Krzysztof
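To see which side of the distinction above each zone on a server falls on, here is an added PowerShell audit (not from Krzysztof or anyone in the thread). It assumes the DnsServer module (Windows Server 2012 or later) and reports, for every forward zone, whether it is AD-integrated, how it replicates, whether it accepts unauthenticated dynamic updates, and whom it will transfer to; the Set-DnsServerPrimaryZone lines at the end show the hardening for a zone that has to stay file-backed. Zone names and addresses in the remediation lines are placeholders.

```powershell
# Added example: audit zone storage, replication and transfer settings on a
# Windows DNS server. Assumes the DnsServer module is installed (DNS role).
# AD-integrated zones replicate inside AD (authenticated, encrypted RPC) and
# need no zone transfers; file-backed primaries hand their data to secondaries
# over plain-text AXFR/IXFR, so transfers should be limited to known servers.

function Get-DnsZoneSecurityReport {
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
        ForEach-Object {
            $findings = @()
            if ($_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated) {
                $findings += 'file-backed primary: zone transfers are plain text'
                if ($_.SecureSecondaries -eq 'TransferAnyServer') {
                    $findings += 'zone transfer allowed to ANY server'
                }
            }
            if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
                $findings += 'unauthenticated dynamic updates accepted'
            }
            [pscustomobject]@{
                Zone          = $_.ZoneName
                Type          = $_.ZoneType
                ADIntegrated  = $_.IsDsIntegrated
                Replication   = $_.ReplicationScope   # Domain / Forest / Legacy; blank if file-backed
                DynamicUpdate = $_.DynamicUpdate      # None / Secure / NonsecureAndSecure
                Transfers     = $_.SecureSecondaries  # NoTransfer / TransferToSecureServers / ...
                Findings      = ($findings -join '; ')
            }
        }
}

Get-DnsZoneSecurityReport | Format-Table -AutoSize

# Remediation for a zone that must stay file-backed (for example a public
# zone): transfer only to the listed secondaries. Placeholder name/addresses.
# Set-DnsServerPrimaryZone -Name 'example.com' `
#     -SecureSecondaries TransferToSecureServers `
#     -SecondaryServers 192.0.2.10, 192.0.2.11
#
# For an AD-integrated zone, require Kerberos-authenticated dynamic updates
# so only the machine that owns a record can change it. Placeholder name.
# Set-DnsServerPrimaryZone -Name 'corp.example.com' -DynamicUpdate Secure
```

The Findings column is what to act on: a file-backed primary set to TransferAnyServer lets anyone who can reach port 53 pull the whole zone, and NonsecureAndSecure on an internal zone lets any host on the network overwrite another host's A record.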

Commented:
Is this DNS going to be public facing?  If so, then I recommend primary/secondary zones for those public facing systems (so your AD-based information isn't made visible in those zones).  If private facing, then AD-integrated is the best scenario (security, ease of replicating and least effort for scalability, etc.).

Author commented:
How would I know if it was a public-facing zone? Thanks for the clarification on installing the DNS on a domain controller. So once I have the 2nd DNS set up, is one considered primary or are they both considered the same? Since they are replicating through Active Directory as mentioned, I guess they would be.

Commented:
A public facing zone is one that is available for consumption on the Internet (such as mydomain.com) that is an authoritative DNS server to all those that access hostnames within mydomain.com.

You would only have one primary and one or more secondary DNS zones.  Or you would have an AD-integrated DNS zone.  If you change a DNS from a primary to AD-integrated, then you would want to remove the secondary DNS zones.  That primary would then replicate to the other AD-based DNS servers automatically.

Author commented:
Just added the 2nd DNS server about an hour ago and I made a mistake in the name, I think, somewhere in the install process, because now for some reason the users can't access the company website and get their emails, which is tied to that domain name. I wanted to uninstall the DNS but didn't know where to do that, so I paused the DNS server but still can't access the company site. All other websites are accessible, so I guess there must be some conflict or, as I mentioned, something to do with the name.

Commented:
Sounds like you just need to edit your DNS forwarders on the DNS server... try adjusting the DNS server forwarders to 8.8.8.8 just as a test. That is Google's public DNS server. If you adjust this setting on the server & your clients are pointed to that DNS server for primary DNS, you just need to change the 8.8.8.8 to your ISP.

Author commented:
Yeah, it kept failing, so I actually changed the DNS that the PCs were pointing to from the internal DNS to 8.8.8.8 as you suggested, and the good thing is it works. My question is, why don't I just keep this address for PCs and remove the internal DNS altogether? I know in the past the reason we had the internal DNS server was so the name resolving process wouldn't take so long by traversing the internet to go to an external name server then back internally again, but it seems the speed is fast when using the 8.8.8.8, which incidentally is the address we have in our Barracuda web filter to use as DNS server, and then we have a secondary as well. Thanks, and also I uninstalled that DNS role from the 2nd server I created this morning and it still didn't work, even after we turned off and on our NetScreen router to flush maybe the cache in there. Seems like it caused a lot of trouble for the purpose of creating this redundant 2nd server, since as mentioned we are in the process of rebuilding our primary and only DNS server up until this point.

Author commented:
Had to create a new DNS server and removed the DNS role from the original server, and so am left with this single DNS server that can resolve the web address of the company name, but on other PCs and servers they can still only resolve other websites but not the company site. Able to ping the IP address of the company website, but not working when the name is used. We can't keep using the 8.8.8.8 DNS since it seems to be causing an authentication issue on our accounting software that uses SQL and DNS apparently. Really need to find out why this DNS server is working but not for others.
Commented:
Yes, 8.8.8.8 is an external DNS server & won't resolve your internal clients. Point your internal DNS servers to themselves & use 8.8.8.8 or your ISP as your forwarder. You'll need the internal DNS to resolve names on your network.

Author commented:
Thanks. The interesting thing is that now I have one DNS server that I just created last night, and I removed the DNS role of the original DNS server as mentioned that was causing a lot of problems, and on 1 server that is a non-DNS server I am able to ping the company web address, let's say abc.com, but on other PCs it only works if I use abc without the .com. If for instance I wanted to resolve an address that wasn't working like microsoft.com, would it work if I simply entered a new host record (A) called microsoft.com and matched it with the correct IP address?

Commented:
Make sure your internal (AD-based) DNS servers point to external DNS providers (for example, Google public DNS 8.8.8.8 and 8.8.4.4) as a forwarder (a property of the DNS server via the DNS MMC). Then have the internal equipment (workstations, laptops, servers) point to the internal DNS servers.

Author commented:
Yes, did this, which is why it's strange, since all of them should not be able to resolve the address with the .com suffix, but 2 of the servers are able to do it and, as mentioned, all the PCs can resolve using for example the company site abc without the .com. Tried comparing everything with the 2 servers that can resolve the .com with the PCs that can't.

Commented:
All of the servers and workstations only use the AD-based DNS, right? They should not reference any external DNS providers (only the DNS servers should). This is done to avoid issues with the workstations being members of the AD (AD-based clients need AD DNS if they are members of an AD).

Author commented:
Yes, all the PCs are pointed to the AD-based internal DNS server, which is currently the only DNS server available on the network. I shut down the original DNS server yesterday since it has predictive drive failure and is scheduled for replacement tomorrow by a Dell tech. During the past 5 days it was not reachable through nslookup, which reported it was timing out, but I suspect the failing drive on it had caused all the problems on our network with domain controller replication and with Active Directory. Once I shut it down, I was able to replicate domain controllers successfully again and could use our accounting app, which was getting authentication errors due to DNS issues. If I bring back the original DNS next week, should I just remove the DNS role on it for now until we are stable for a while, then create it again maybe in a month? Still don't know why this .com issue is working on 2 servers and not the workstations. We also have 4 other servers, but they are not able to resolve the abc.com address as well; they can only do it if they use abc without the .com. Everything else seems to be working, so at this point it's not as critical, but just curious how this works?
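The two recurring threads in the replies, point clients only at the internal DNS and put the forwarder on the server, and the unanswered "abc resolves but abc.com does not", can both be checked with one script. This is an added PowerShell example, not something posted in the thread. It assumes the DnsServer and DnsClient modules, WinRM access to the internal DNS server (placeholder name DNS01), and uses abc.com as the thread's placeholder for the company domain. Run it from a workstation that shows the symptom.

```powershell
# Added example: show what a client actually asks for, ask the internal DNS
# server directly, then inspect that server's zone and forwarders.
# Placeholders: 'abc.com' = the company domain, 'DNS01' = internal DNS server.

$Name      = 'abc.com'   # placeholder
$DnsServer = 'DNS01'     # placeholder; needs WinRM for the Invoke-Command step

# 1. A short name like "abc" is completed with the client's suffix search
#    list, so "abc" and "abc.com" can be two different questions.
'Suffix search list:'
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList
'Configured DNS servers (should be internal servers only):'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Query the internal server directly, bypassing cache and the hosts file,
#    for the short name, the bare domain and a host inside it.
foreach ($q in @('abc', $Name, "www.$Name")) {
    try {
        $r = Resolve-DnsName -Name $q -Server $DnsServer -DnsOnly -ErrorAction Stop
        $ips = ($r | Where-Object IPAddress).IPAddress -join ', '
        '{0,-20} -> {1}' -f $q, $ips
    } catch {
        '{0,-20} -> FAILED: {1}' -f $q, $_.Exception.Message
    }
}

# 3. On the DNS server: is it authoritative for the zone? When the internal
#    AD zone carries the same name as the public domain, a query for the bare
#    domain is answered from the internal zone and never reaches the public
#    one, so the apex ('@') needs its own A record for the public web server.
Invoke-Command -ComputerName $DnsServer -ScriptBlock {
    param($zone)
    'Zone on this server (blank = not authoritative, query goes to forwarders):'
    Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue |
        Select-Object ZoneName, ZoneType, IsDsIntegrated
    'Records at the zone apex:'
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object HostName -eq '@' |
        Select-Object HostName, RecordType,
            @{ n = 'Data'; e = { $_.RecordData.IPv4Address } }
    'Forwarders (external resolution should happen here, not on clients):'
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
} -ArgumentList $Name

# To set forwarders on the internal server to the addresses named in the
# thread (replace with your ISP's resolvers if preferred):
# Set-DnsServerForwarder -ComputerName $DnsServer -IPAddress 8.8.8.8, 8.8.4.4
```

Reading the output: if step 2 resolves "abc" but fails on "abc.com", compare the suffix search list with the zone listed in step 3; a client that gets an answer for the short name is having it completed to a different FQDN than the one that fails. If the server is authoritative for abc.com and the apex shows only SOA and NS records, no A record for the bare domain exists internally and no forwarder will be consulted for it.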
