Solved

DNS resolve order

Posted on 2014-12-18
6
143 Views
Last Modified: 2014-12-21
Hello...

Network and sites:
3 sites: A, B and C.
Site A = 192.168.1.1/24 and 172.16.4.0/24
Site B= 10.0.0.0/24
Site C = 10.5.0.0/24

********************
Active Directory and DNS:
Site A has 2 DCs:
DC1 =192.168.1.1 (DNS server)
DC2 = 192.168.1.2/ 172.16.4.1 (DNS)

Site B:
RODC3 = 10.0.0.1 (DNS)

Site C:
DC4= 172.16.5.1 (DNS)
*****************************

Site B can only access 192.169.1.x in site A but not 172.16.4.x.

the problem is, when a client try to resolve mydomain.com or dc2 sometime it is resolved to 172.16.4.1 which is not reachable from site B network.

AD replication works fine with out issue as Site A is the hub and replicate to other sites.

Is there a way to configure DNS to response to clients queries in site B from mycompany.com with 192.168.1.1 always not 172.16.4.1 ? in other words, I want all clients in site B to be able to communicate with DC1 or DC2 in 192.168.1.1 vlan.

DCs are mix of 2012 and 2012 R2.

Thanks!
0
Comment
Question by:Suliman Abu Kharroub
6 Comments
 
LVL 16

Expert Comment

by:Shaik M. Sajid
ID: 40506534
check the DNS entries on RODC

access DNS of site B from Primery Domain and check the forwarder point to your primary domain ..

dns
on Site B domain you should have the primary dns of the same domain and  secondary point to your main site primary domain.

all the best
0
 
LVL 40

Assisted Solution

by:footech
footech earned 333 total points
ID: 40506545
Quick note - site C IP range doesn't match up with DC4 IP, but since your problem doesn't seem to involve them it's probably not important.

Why does DC2 have multiple IPs/NICs?
It's not recommended to multihome a DC so if you can avoid that that is the best solution.  There won't be a way to configure things so that queries from site B for DC2 only get 192.168.1.2, unless there is no other record for DC2.

Here's some good reading.  It includes some guidance for manually configuring a multihomed DC.
http://blogs.msmvps.com/acefekay/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters/
0
 
LVL 27

Assisted Solution

by:Dan McFadden
Dan McFadden earned 167 total points
ID: 40506563
Checking the server IP configuration is a good idea, but I would be interested in how client computer IP configurations, at the various sites, are setup.

Are you utilizing DHCP on your network?

For example:

at SiteA
- clients should have DC1 and DC2 as first and second DNS

at SiteB
- clients should have RODC3 as primary DNS and either DC1 or DC2 as a secondary

at SiteC
- clients should have DC4 as primary DNS and either DC1 or DC2 as a secondary

This configuration will make clients at the appropriate sites, use the local DNS first.

Also, I would not recommend running a Domain Controller as a multi-homed server.  A DC really should only operate with 1 IPv4 and/or 1 IPv6 address.  Multi-homing a DC is often a discussion and most experienced Sysadmins will not recommend deploying a DC in such a manner.

Example here on EE:  http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22769762.html

Dan
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 40511993
Thank you guys for your answers and good ideas that provided.... I totally agree that mutli-homed DC is not a good idea and needed to be changed. is there any official document explains the issues of having multi-home DC ?

my plan to get rid of the second nic in that DC, but need to convene the management.
0
 
LVL 40

Accepted Solution

by:
footech earned 333 total points
ID: 40512447
I haven't seen just one link that covers everything.  If you do a google search for "site:microsoft.com multihomed domain controller" you will find several issues mentioned.  I think what I already posted is the most comprehensive.  At it's core, I think it pretty much all comes down to name resolution issues.
0
 
LVL 23

Author Closing Comment

by:Suliman Abu Kharroub
ID: 40512449
Thanks a lot!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question