soadmin

asked on

Install DNS on DC

Hello,

I just recently moved departments and inherited an AD setup that was not set up the best.  What I found today was that the primary DC looks to be set up just fine with all FSMO roles, DFS and SQL.  On the secondary DC, the person installed AD, but did not install DNS.  I thought something was wrong when I went to connect to the secondary DC from the first's ADUC and it didn't show up.

So, now my question is this: Can I simply add the role of DNS on the secondary server?  If so, how do I do this so that I ensure it is AD integrated?  Once all of that is done and replication works in ADUC (which it does not now), I'll then point the secondary DC to itself for primary DNS and to the primary DC for secondary DNS, or should I reverse that?  If so, should I do that on the primary: point to itself first and the secondary second for DNS?  I know there are many Microsoft articles that say it does not matter or contradict each other.

These servers are Server 2008 service pack 2.

Thanks,
Brian Pierce

If you open the DNS console on the existing DC, right-click and select properties, it will tell you if it's AD Integrated or not - if not then just change it.

All you have to do then is install the DNS role on the other DC; the DNS zone data will replicate automatically with the AD replication.

I would also agree with KCTS, you will need to add the role first, then do the following...
- add the DNS role to the secondary DC
- log in to the PDC
- open the DNS console
- right-click the internal domain zone, select properties
- beside replication click the change button and make sure it's replicating to all DNS servers on domain controllers
- click the Name Servers tab and make sure that the secondary DC is listed in there
- if your DCs are on the same LAN segment, DNS should replicate fairly quickly.

Hope this helps!
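The procedure above (add the role, confirm the zone is AD-integrated with domain-wide replication, confirm the second DC is listed as a name server) scripted as an added example; this is not code from the thread or from any of the posters. It assumes the DnsServer and ServerManager PowerShell modules, which shipped with Server 2012 and RSAT, so on the Server 2008 SP2 machines in the question the same checks are made from the DNS console or with `dnscmd <dc> /ZoneInfo <zone>`. `$PrimaryDc`, `$SecondaryDc` and `$ZoneName` are placeholders for your own environment.

```powershell
# Added example (not from the thread). Assumes the DnsServer and ServerManager
# modules (Server 2012+/RSAT) and a domain admin session. On Server 2008 use the
# DNS console or "dnscmd <dc> /ZoneInfo <zone>" for the same information.
# The three parameters are placeholders for your environment.
param(
    [string]$PrimaryDc   = 'DC1.corp.example',
    [string]$SecondaryDc = 'DC2.corp.example',
    [string]$ZoneName    = 'corp.example'
)

Import-Module DnsServer

# 1. Add the DNS Server role on the second DC (a no-op if it is already there).
Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $SecondaryDc | Out-Null

# 2. Inspect the zone on the primary DC. IsDsIntegrated = True means the zone
#    lives in AD; ReplicationScope says which DCs receive it:
#    Domain = every DNS server on a DC in this domain (the setting the post
#    describes), Forest = every DNS server on a DC in the forest,
#    Legacy = the old domain partition used by Windows 2000 DCs.
$zone = Get-DnsServerZone -ComputerName $PrimaryDc -Name $ZoneName
Write-Host ("{0}: AD-integrated={1}, replication scope={2}" -f $zone.ZoneName, $zone.IsDsIntegrated, $zone.ReplicationScope)

if (-not $zone.IsDsIntegrated) {
    # File-backed primary zone: store it in AD so it replicates with AD.
    ConvertTo-DnsServerPrimaryZone -ComputerName $PrimaryDc -Name $ZoneName -ReplicationScope Domain -Force
}
elseif ($zone.ReplicationScope -notin 'Domain', 'Forest') {
    # Already in AD but on the legacy partition: move it to DomainDnsZones.
    Set-DnsServerPrimaryZone -ComputerName $PrimaryDc -Name $ZoneName -ReplicationScope Domain
}

# 3. Give AD replication a moment, then ask the *second* DC for the zone's NS
#    records. If the zone has not arrived yet the query fails, which is itself
#    the finding you want (replication between the DCs is not working).
Start-Sleep -Seconds 60
try {
    $ns = Get-DnsServerResourceRecord -ComputerName $SecondaryDc -ZoneName $ZoneName -RRType NS -ErrorAction Stop |
          Where-Object { $_.HostName -eq '@' } |
          ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }
}
catch {
    Write-Warning "Zone $ZoneName is not present on $SecondaryDc yet: $($_.Exception.Message)"
    return
}

foreach ($dc in $PrimaryDc, $SecondaryDc) {
    if ($ns -contains $dc) { Write-Host "OK   $dc is an NS for $ZoneName" }
    else                   { Write-Warning "$dc is missing from the NS records of $ZoneName" }
}
```

The NS check is done against the second DC on purpose: seeing the zone and both name servers there proves both that the zone replicated through AD and that the new DNS server registered itself, which is what the original poster could not see from ADUC.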

I would suggest if this is not set up in a typical way (and even if it is, whenever you "inherit" a network) you should run DCDIAG /C /E /V to get a comprehensive diagnostic on AD and start resolving any issues you may have.  While it's generally a best practice to run DNS on a DC, if you have 5 DCs and 2 or 3 are DNS servers, then it's not necessary (of course, if you have 5 DCs in one site, then you are either General Electric, Microsoft, or in desperate need of removing some of the DCs to lighten your administrative load because that many are almost certainly unnecessary).
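The `DCDIAG /C /E /V` run recommended above produces a very long report, so here is an added example (not from the thread) that saves the full output and summarises which tests failed on which DC. It assumes `dcdiag.exe` is present (it is installed with the AD DS role and with RSAT) and that the script runs as a domain admin; `$ReportDir` is a placeholder.

```powershell
# Added example (not from the thread). Assumes dcdiag.exe (AD DS role / RSAT)
# and a domain admin session. $ReportDir is a placeholder.
param([string]$ReportDir = "$env:TEMP\dcdiag")

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$report = Join-Path $ReportDir "dcdiag-$stamp.txt"

# /c = comprehensive, /e = every DC in the enterprise, /v = verbose.
# Keep the whole output on disk; the verbose detail is what explains a failure.
dcdiag /c /e /v | Out-File -FilePath $report -Encoding utf8

# dcdiag reports every test with a line shaped like
#   "......................... DC1 failed test Advertising"
# so one regex over the saved report is enough for a pass/fail summary.
$pattern = '^\s*\.+\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
$results = Get-Content $report | ForEach-Object {
    if ($_ -match $pattern) {
        New-Object PSObject -Property @{
            DC     = $Matches.dc
            Test   = $Matches.test
            Result = $Matches.result
        }
    }
}

$failed = @($results | Where-Object { $_.Result -eq 'failed' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} failed test(s); full output in {1}" -f $failed.Count, $report)
    $failed | Sort-Object DC, Test | Format-Table DC, Test -AutoSize
}
else {
    Write-Host "All dcdiag tests passed; full output in $report"
}

# The DNS test is worth running on its own as well: it checks forwarders,
# delegation, dynamic update and the DC's own record registration, and a
# separate file keeps that report readable.
dcdiag /test:dns /e /v | Out-File -FilePath (Join-Path $ReportDir "dcdiag-dns-$stamp.txt") -Encoding utf8
```

In the original poster's situation the first things to look for in the summary are failures in the Connectivity, Replications and Advertising tests on the secondary DC, since those are the ones a DC without DNS (or with DNS blocked between subnets) typically fails.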
ASKER CERTIFIED SOLUTION
Sandesh Dubey
soadmin

ASKER

Thanks everyone.  In looking at things this morning, I do not believe the appropriate firewall ports are open since the DCs are on different subnets.  389 looks open, but DNS is not...this is going to be a mess.  Here are the ports that I think I need to open, but I just wanted to run it by all of you for a quick verification:

http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Thx

Yes, you are referring to the correct link for AD port requirements. Here is one more link.

Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
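Because the asker's immediate problem is firewall rules between the two DCs' subnets ("389 looks open, but DNS is not"), here is an added example (not from the thread or the linked articles) that checks, from one DC, that the well-known AD ports are reachable on the other. The port list is the commonly cited set for DC-to-DC traffic; a TCP connect cannot prove UDP 53, so the script also sends a real DNS query over UDP and checks for an answer. It uses only .NET classes available to PowerShell 2.0, so it runs on the Server 2008 SP2 machines in the question; `$TargetDc` and `$ZoneName` are placeholders.

```powershell
# Added example (not from the thread). Uses only .NET classes available in
# PowerShell 2.0. $TargetDc and $ZoneName are placeholders for your environment.
param(
    [string]$TargetDc = 'DC2.corp.example',
    [string]$ZoneName = 'corp.example'
)

# Well-known TCP ports between domain controllers. RPC also uses a dynamic
# range above 49151 on Server 2008 and later; a single probe cannot cover it,
# so use the endpoint-mapper result (135) together with "repadmin /replsummary".
$tcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, DFSR)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Close() }
}

# Builds a minimal DNS query (header, QNAME, QTYPE SOA = 6, QCLASS IN = 1),
# sends it to UDP 53 on the target and checks that a matching, error-free
# answer comes back. Only the target's own DNS service can produce that.
function Test-UdpDns {
    param([string]$Server, [string]$Name, [int]$TimeoutMs = 2000)
    $id    = Get-Random -Minimum 1 -Maximum 65535
    $idHi  = [int][math]::Floor($id / 256)
    $idLo  = $id % 256
    $bytes = New-Object System.Collections.Generic.List[byte]
    # ID, flags 0x0100 (recursion desired), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $bytes.AddRange([byte[]]@($idHi, $idLo, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes.Add([byte]$label.Length)
        $bytes.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $bytes.AddRange([byte[]]@(0, 0, 6, 0, 1))   # root label, QTYPE=SOA, QCLASS=IN

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 53)
        [void]$udp.Send($bytes.ToArray(), $bytes.Count)
        $ep   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        # Same transaction ID and RCODE 0 (low nibble of byte 3) = answered.
        return ($resp.Length -ge 12 -and $resp[0] -eq $idHi -and $resp[1] -eq $idLo -and ($resp[3] -band 0x0F) -eq 0)
    }
    catch { return $false }
    finally { $udp.Close() }
}

foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $ok = Test-TcpPort -ComputerName $TargetDc -Port $port
    "{0,-5} TCP {1,-5} {2}" -f ($(if ($ok) { 'OK' } else { 'FAIL' }), $port, $tcpPorts[$port])
}
$dnsOk = Test-UdpDns -Server $TargetDc -Name $ZoneName
"{0,-5} UDP 53    SOA query for {1}" -f ($(if ($dnsOk) { 'OK' } else { 'FAIL' }), $ZoneName)
```

Run it in both directions (from each DC toward the other), since firewall rules between subnets are frequently asymmetric; a FAIL on TCP 53 with an OK on the UDP query is the classic sign of a rule that allowed only UDP, which breaks zone transfers and large responses.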