dankyle67
asked on
Adding DNS Server
HI,
our current DNS server is on a server that might fail soon with the drives so wanted to put DNS on another server. Is it easier to copy the existing DNS server or just to create a new one from scratch? Is it possible to have 2 DNS servers runhing on same domain? thanksl
our current DNS server is on a server that might fail soon with the drives so wanted to put DNS on another server. Is it easier to copy the existing DNS server or just to create a new one from scratch? Is it possible to have 2 DNS servers runhing on same domain? thanksl
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
If your are trying to move a primary, non-AD integrated, DNS zone, you can copy the *.dns files from %WINDIR%\System32\dns (c:\windows\system32\dns) to your new server and then export the following Registry key HKLM\SOFTWARE\Windows NT\CurrentVersion\DNS Server\Zones to a .reg file. Then import the .reg file on the new server. You may wish to review the *.dns files (they are just text files) to see about editing them before making available on the new server.
Make sure the DNS server is also not a domain controller. If it is, make sure you transfer the FSMO roles from the faulty server to another domain controller first.
ASKER
I promoted one of our servers to a domain controller last nite and was about to make this the 2nd dns server but noticed you advised on not installing on a domain controller. So i should install on a member server and where do i do this again? I thought it was in the sever roles section. thanks.
DNS SHOULD be added as role on a DC. Then it can be used as AD-Integrated zone(s) which are much more secure than secondary zone(s) on member servers!
When you have DNS role on a DC the DNS records are repliacted during AD replication. In case that you have DNS role on a memebr server then records are replicated unsecure with plain text.
Krzysztof
When you have DNS role on a DC the DNS records are repliacted during AD replication. In case that you have DNS role on a memebr server then records are replicated unsecure with plain text.
Krzysztof
Is this DNS going to be public facing? If so, then I recommend primary/secondary zones for those public facing systems (so your AD-based information isn't made visible in those zones). If private facing, then AD-integrated is the best scenario (security, ease of replicating and least effort for scalability, etc.).
ASKER
How would I know if it was public facing zone? Thanks
For the clarification on installing the DNS on a domain
Controller. So once I have the 2nd dns set up
Is one considered primary or are they both considered same. Since they are replicating through active directory as mentioned, guess they would be
For the clarification on installing the DNS on a domain
Controller. So once I have the 2nd dns set up
Is one considered primary or are they both considered same. Since they are replicating through active directory as mentioned, guess they would be
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Just added the 2nd dns server about an hour ago and i made a mistake in the name of the name i think somewhere in the install process coz now for some reason the users cant access the company website and get their emails which is tied to that domain name. I wanted to uninstall the dns but didnt know where to do that so i paused the dns server but still cant access the company site. All other websites are accessible so i guess there must be some conflict or as i mentioned something to do with the name.
Sounds like you just need to edit your DNS forwarders on the DNS server...try adjuting the DNS server forwarders to 8.8.8.8 just as a test. That is Goggle public DNS servers. If you adjust this setting on the server & your clients are pointed to that DNS server for primary DNS, you just need to change the 8.8.8.8 to you ISP.
ASKER
Yea it kept failing so i actually changed the dns that the pcs were pointing to from the internal dns to 8.8.8.8 as you suggested and good thing is it works. My question is why dont i just keep this address for pcs and remove internal dns altogether? I know in the past the reason we had the internal dns server was so the name resolving process wouldnt take so long by traversing the internet to go to an external name server then back internally again but it seems the speed is fast when using the 8.8.8.8 which incidentally is the address we have in our barracuda web filter to use as dns server and then we have a secondary as well. thanks and also i uninstalled that dns role from the 2nd server i created this morning and it still didnt work even after we turned off and on our netscreen router to flush maybe the cache in there. Seems like it caused a lot of trouble for the purpose of creating this redundant 2nd server since as mentioned we are in process of rebuilding our primary and only dns server up until this point.
ASKER
Had to create new dns server and removed dns role from original server and so am left with this single dns server that can resolve the web address of the company name but on other pcs and servers they can still only resolve other websites but not the company site. Able to ping the ip address of the company website but not working when name is used,. We cant keep using the 8.8.8.8 dns since it seems to be causing an authentications issue on our accounting software that uses sql and dns apparently. Really need to find out why this dns server is working but not for others.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
thanks, interesting thing is that now i have one dns server that i just created last nite and i removed the dns role of the original dns serve as mentioned that was causing a lot of problems and ion 1 server that is non dns server, i am able to ping company web address lets say abc.com but on other pcs it only works if i use abc without the .com. If for instance i wanted to resolve an address that wasnt working like microsoft.com, would it work it i simply enter a new host record (A) called microsoft.com and matched it with the correct ip address?
Make sure your internal (AD-based) DNS's point to external DNS providers (for example, Google public DNS 8.8.8.8 and 8.8.4.4), as a forwarder (property of the DNS server via the DNS MMC). Then have the internal equipment (workstations, laptops, serers) point to the internal DNS servers.
ASKER
yes did this which is why its strange since all of them should not be able to resolve the address with the .com suffix but 2 of the servers are able to do it and as mentioned all the pcs can resolve using for example the company site abc wtihout the .com. Tried comparing everything with the 2 servers that can resolve the .com with the pcs that cant.
All of the servers and workstations only us the AD-Based DNS, right? They should not reference any external DNS providers (only the DNS servers should). This is done to avoid issues with the workstations being members of the AD (AD-based clients need AD DNS if they are members of an AD).
ASKER
yes, all the pcs are pointed to the AD based internal dns server which is currently the only dns server available on the network. I shut down the original dns server yesterday since it has predictive drive failure and is scheduled for replacement tomorrow by dell tech. During past 5 days it was not reachable through nslookup which reported it was timing out but i suspect the failing drive on it had caused all the problems on our network with domain controller replication and with active directory. Once i shut it down, was able to replicate domain controllers successfully again and could use our accounting app which was getting authentication errors due to dns issues. If i bring back the original dns next week, should i just remove the dns role on it for now until we are stable for a while then create it again maybe in a month? Still dont know why this .com issue is working on 2 servers and not the workstations. We also have 4 other servers but they are not able to resolve the abc.com address as well, only can do it if they use abc without the .com. Everything else seems to be working so at this point its not as critical but just curious how this works?