Solved

DNS setting in windows 2008 R2 Domains

Posted on 2014-09-02
Last Modified: 2014-09-06
At one customer site, they upgraded their Windows 2003 domain to Windows 2008 R2. Now they have 1 physical PDC with all the roles & DHCP, and 2 VM DCs (all with Global Catalogue & DNS installed). This was done before we took up the contract.
Now the other day, the IT guys called us and informed us that their DNS replication setting is set to "All domain controllers in this domain (for Windows 2000 compatibility)". Please see the attachment named dns_setting_1. They do not have any Windows 2000 DNS servers.

1. Question: Now my question is, is it safe to change to "To all DNS servers running on domain controllers in this company.domain.com"? (as per the attachment named DNS_setting2)
2. Question: When we expand DNS > Forward Lookup Zones > company.com > com > domain, it shows the IP of their VM ESXi host!
I believe that it should point to their domain IP (the actual domain public IP)? Please see the attachment named dns_zone.
dns-setting-1.jpg
dns-setting-2.jpg
dns-zone.png
Question by: Zacharia Kurian
15 Comments
 
LVL 5

Expert Comment

by: bernardbrink
ID: 40300343
1) There is no problem setting this to a non-2000-server-compliant setting (as you said, they do not own any 2000 servers anymore).

2) The FQDN of this server would be vmsvr3.domain.com.domain.com.
It's not clear to me why they would need a separate domain for the ESXi host. Any documentation? It looks to me that this FQDN is never used.
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40300373
Thanks for the quick reply.

1) So I can safely change the settings in "Change Zone Replication Scope" to "To all DNS servers running on domain controllers in this domain: company.com" (as per the 2nd attachment named dns_setting_2).

2) The FQDN of the PDC is srv1.company.com.
In some other customer sites I have seen them having their own domain name in DNS > Forward Lookup Zones > company.com > com > domain.

Hope I can change this to their actual domain. But then the FQDN will be, for example, "contoso.com.contoso.com" (in one word). Usually when setting up AD, we use company.com.local. But this client has used exactly their registered domain.

Any further insight?
 
LVL 19

Expert Comment

by: Miguel Angel Perez Muñoz
ID: 40300380
Question 1: Have you got any subdomain? Setting DNS to all DCs in the domain is the same as setting it to all DCs in the forest if you have only one domain in your forest, but not the same if you have some subdomain in the forest. Consider setting it to all DCs in the forest instead.

Question 2: Are you worried about your domain? IMO you are scared about seeing this "com" and this host inside. This "com" folder you see is created as a subdomain; you don't have to be worried, it is perfectly correct and has no impact on your domain.
 
LVL 78

Expert Comment

by: David Johnson, CD, MVP
ID: 40300394
You can change the replication settings to whatever works for you: for any DC, to any DC in this domain.

"contoso.com.contoso.com"  Why? Tear down and rebuild..
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40300398
Thanks for the reply, and please find the answers below:

Answer to question 1: They do not have any subdomain in the current domain forest.

Answer to question 2: The "A" record under COM, "vmsrv3.domain.com domain.com", is their 3rd ESXi host.
It has nothing to do with their domain. So the IT guy wants to get it removed, and I am not sure which FQDN I should use.
Is it domain.com.domain.com or the PDC's FQDN like srv1.domain.com?
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40300404
If someone has configured their AD with the exact domain name (company.com instead of company.com.local), can you let me know the "A" record under DNS > Forward Lookup Zones > company.com > com > domain?
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40300646
I think usually the "COM" attribute does not get configured unless they have tried installing SharePoint. But right now they do not have SharePoint.

So deleting the "COM" from Forward Lookup Zones > company.com wouldn't be an issue? (I guess so.)
 
LVL 5

Accepted Solution

by: bernardbrink (earned 500 total points)
ID: 40300947
I would have to say, no problem!
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40301025
I would have done it if it was on site. But since it is at a customer's site, I need to take precautions.

I would take a backup of their physical DC and the VM DCs before doing it. Also I would take the Active Directory integrated DNS backup too, to be on the safe side.

A while ago my colleague mentioned that they are missing the Active Directory integrated DNS zone _msdcs.FQDN.

I asked him to create a new _msdcs.FQDN and force the replication. It went well.

But in case there is any MS KB note about my question, I would appreciate it.
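The precautions described in this post (back up the AD-integrated zone, check replication health, then change the zone's replication scope) can be scripted. The following is an added example, not code from the thread or from any participant; it uses dnscmd, repadmin and dcdiag, which are all available on Windows Server 2008 R2, and assumes the DC names srv1 and vmdc1, the zone company.com and the export file name, none of which come from the thread.

```powershell
# Added example: inspect, back up and change the replication scope of an
# AD-integrated DNS zone on Windows Server 2008 R2.
# Assumed names (not from the thread): DC "srv1", second DC "vmdc1", zone "company.com".
$dc        = 'srv1'
$secondDc  = 'vmdc1'
$zone      = 'company.com'
$exportFile = "$zone.pre-scope-change.dns"   # written to %SystemRoot%\System32\dns on $dc

# 1. Record the zone's current state (type, directory partition, replication scope)
#    so there is a reference to compare against after the change.
dnscmd $dc /ZoneInfo $zone

# 2. Export a plain-text copy of the zone before changing anything. Together with a
#    system-state backup of the DCs this is the rollback point.
dnscmd $dc /ZoneExport $zone $exportFile

# 3. List what sits under the stray "com" node before anyone deletes it, so the
#    record being removed (here, the ESXi host's A record) is documented.
dnscmd $dc /EnumRecords $zone com

# 4. Confirm AD replication and DNS are healthy first; a scope change on a zone
#    with replication errors is the situation where the operation fails or the
#    zone disappears on some DCs.
repadmin /replsummary
dcdiag /test:DNS /v

# 5. Move the zone from the legacy "Windows 2000 compatible" scope (the domain
#    naming context) to the DomainDnsZones application partition.
#    /forest would use ForestDnsZones; /legacy moves it back.
dnscmd $dc /ZoneChangeDirectoryPartition $zone /domain

# 6. After replication has converged, verify the zone and its partition on the
#    other DCs as well, not only on the DC where the change was made.
dnscmd $secondDc /ZoneInfo $zone
repadmin /replsummary
```

Running step 1 and step 4 before the change and keeping their output is what makes the result of step 6 meaningful: the thread's later error when changing scope is exactly the case where a clean dcdiag/repadmin baseline tells you the problem is outside AD replication itself.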
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40302728
Well, a few updates & glitches.

We took a complete backup of all their DCs. Removed the "COM" object. Replicated the changes and made sure all is well.

Then when we tried to change the replication setting it threw an error. Please find the attachment named "error_replication".

When we used ADSI Edit to check if there are any duplicate entries, we could not find any. But when we selected the default naming context we found that the reverse DNS entry is populated under CN=MicrosoftDNS. Please find the attachment named "replication scope".
error-replication.jpg
replication-scope.jpg
 
LVL 5

Expert Comment

by: bernardbrink
ID: 40302761
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40302793
I have gone through that but it did not solve it. The funny things are:

1. When we checked the AD health using dcdiag, dnscmd, repadmin and even BPA: no warnings, no errors.
2. When we used ADSI Edit with all the possible naming contexts, we could not find any duplicate/broken records.

3. The current replication setting is set to "To all domain controllers in this domain (for Windows 2000 compatibility)" and this has been cross-checked through ADSI Edit with naming context DC=domain,DC=com.

4. Also we checked the Default Domain Controllers Policy where you have to set 'Administrators' to 'Manage auditing and security log'.

Now we are really stuck at this point. Do not know what to do.
 
LVL 9

Author Closing Comment

by: Zacharia Kurian
ID: 40302865
The comments made me give a second thought to pinpoint the exact problem, i.e. the SEPM.
 
LVL 78

Expert Comment

by: David Johnson, CD, MVP
ID: 40307087
SEPM meaning Symantec Endpoint Management?
 
LVL 9

Author Comment

by: Zacharia Kurian
ID: 40307286
Yes David.