apimentel26 asked:
Windows DNS Zone transfers and aging?

We're running Windows 2008 AD-integrated DNS and a few secondary zones. After reviewing the current DNS setup, aging is not set and zone transfers are configured to "Only to servers listed on the Name Servers tab". From what I've read, zone transfers are designed for secondary zones and are not required for AD-integrated DNS because the data is stored in the AD database and handled by AD replication.

1) Is it wrong to have all AD-integrated DNS and secondary servers configured for zone transfers?
2) Should I list only the secondary zones in the Zone Transfers settings?

As for zone aging/scavenging, I found this unchecked. Isn't it recommended to have this enabled to clear out stale records?
SOLUTION (David Johnson, CD):
If you have secondary zones, I would make sure you know why you are using them. Zone transfers occur from standard primary zones to a secondary. If you have AD-integrated primary zones, then normal AD replication takes care of making sure the DNS zone data is available on other domain controllers with DNS installed, rather than having the data transferred via zone transfer. I would say in most cases it's preferable to have AD-integrated zones rather than standard primary and secondary zones, because AD replication is more efficient than a zone transfer. I couldn't give any further recommendation without knowing more about what your DNS and/or DC layout is like, the zones you have, and where you want them to be.
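The first thing to establish is, for every zone on every DNS server, where that zone's data actually comes from (AD replication, or an AXFR/IXFR pull from a master) and who is allowed to pull a transfer of it. The script below is an added example, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module (RSAT on a Windows 8 / Server 2012 or later management host, which can query older DNS servers remotely, though you should confirm that against your own 2008 servers), and the server names are placeholders.

```powershell
# Added example: audit zone source, transfer ACL and aging on each DNS server.
# Assumption: DnsServer module available; server names below are placeholders.
$servers = 'dc1.corp.example', 'dc2.corp.example', 'dnssec1.corp.example', 'dnssec2.corp.example'

$report = foreach ($srv in $servers) {
    $zones = Get-DnsServerZone -ComputerName $srv |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary' }

    foreach ($z in $zones) {
        # A secondary zone pulls from its masters via AXFR/IXFR; an AD-integrated
        # primary is replicated through AD and needs no zone transfer at all.
        $source = if ($z.ZoneType -eq 'Secondary') {
            "secondary, masters: $($z.MasterServers -join ', ')"
        } elseif ($z.IsDsIntegrated) {
            "AD-integrated, replication scope: $($z.ReplicationScope)"
        } else {
            'standard primary (file-backed)'
        }

        # SecureSecondaries is the zone's transfer ACL (the "Zone Transfers" tab).
        # TransferAnyServer lets any host on the network enumerate every record.
        $xfer = switch ($z.SecureSecondaries) {
            'TransferAnyServer'        { 'ANY host may AXFR the zone (enumeration risk)' }
            'TransferToZoneNameServer' { 'hosts in the NS records only (Name Servers tab)' }
            'TransferToSecureServers'  { "explicit list: $($z.SecondaryServers -join ', ')" }
            default                    { 'transfers disabled' }
        }

        # Aging is a property of the primary copy; a secondary has no aging of its own.
        $aging = if ($z.ZoneType -eq 'Primary') {
            $a = Get-DnsServerZoneAging -ComputerName $srv -Name $z.ZoneName
            if ($a.AgingEnabled) {
                "aging ON (no-refresh $($a.NoRefreshInterval), refresh $($a.RefreshInterval))"
            } else { 'aging OFF' }
        } else { 'n/a (secondary)' }

        [pscustomobject]@{
            Server   = $srv
            Zone     = $z.ZoneName
            Source   = $source
            Transfer = $xfer
            Aging    = $aging
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it as a DNS administrator. Any line whose Transfer column reads "ANY host may AXFR the zone" is worth fixing before anything else, since an unrestricted AXFR hands an attacker on the LAN a complete host inventory; the "Name Servers tab" setting is only as tight as the zone's NS records, so check that tab too.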
apimentel26 (asker):
The secondary zones were the old IPs of decommissioned Win2K DC servers. The previous admin didn't want to update every device and kept them. Everything else is AD-integrated except for those few secondaries that, I've found, are used by every device.
I don't understand what you're trying to describe. Not to be too blunt, but what you've said doesn't make any sense.

Are you saying the secondary zones contained records for servers which no longer exist? Where is the secondary zone pulling its data from (it has to be a primary zone somewhere)? How does a secondary zone on a server have anything to do with how a device is configured? Maybe you should post some screenshots to help clear up any confusion.
The old Win2K AD servers were decommissioned. The previous admins forgot that every device was using the IP addresses of these servers as DNS. They stood up new servers using the same IPs as those decommissioned servers and made them secondary DNS zones.
Everything makes sense until "...and made it secondary DNS zones."
The previous admins decided to stand up two servers using the same IPs as those decommissioned AD servers and made them secondary DNS zones, which in turn meant they didn't have to update or modify any DNS settings on the end users' machines. Please don't ask me why...

I'm adding some docs that would help answer my original questions.
DNS.pdf
DNS2.pdf
It is probably time to do some housecleaning and get rid of the zones.
Again, "made it secondary DNS zones". What is "it"? You don't make servers into zones. Maybe I'm being dense, but I don't understand what you're saying.

If you're referring to the NIC settings on machines where you set which DNS servers you want to use as preferred and alternate, that has nothing to do with zones.

Looking at the simple diagram, here's a guess:  "DNS Secondary 1" and "DNS Secondary 2" only have the DNS role installed (and not AD Directory Services).  They are configured with secondary zones to pull information from the DNS on the domain controllers (via zone transfer).  All the client machines are configured to use only the IPs of "DNS Secondary 1" and "DNS Secondary 2" in their NIC settings.

Is this guess anywhere close to correct?
Yes, that is correct. DNS Secondary 1 and 2 servers are running DNS Secondary zones of the domain.com.
@David

That's what I'm planning to do, but I'm trying to gather as many details as possible before making these changes.
If I've understood correctly, then you have two options if you want to get rid of those servers.
1 - Change all devices and clients so that they only point to the domain controllers with DNS, after which you can remove the "secondary" DNS servers.
2 - Re-IP a couple of the domain controllers so they have the IPs of the "secondary" DNS servers. For example, if domain controller 1 has an IP of 10.0.0.10 and DNS Secondary 1 has an IP of 10.0.0.1, then first change the IP of DNS Secondary 1 to something else, then change the IP of domain controller 1 to 10.0.0.1. Once you've verified that clients are successfully using the domain controllers for DNS, you can remove the secondary DNS servers.
@footech

Thanks for trying to figure out what I'm trying to explain. I'm obviously not doing a good job. I'll try again: in the DNS properties of the mydomain.com DNS zone, which is Active Directory-integrated, there is an option for zone transfers. In this section I can allow zone transfers by enabling it, and there are more options. What I found selected is "Only to servers listed on the Name Servers tab". The Name Servers tab lists all our DNS servers.

Based on what I've read, I'm trying to confirm that this section applies to DNS servers that are running primary and secondary zones. Since AD DNS is part of the AD replication process (stored in an AD partition), would I still need the AD DNS servers in the Name Servers section? Or should I change the option in the Zone Transfers section to "Only to the following servers"? If I did that, would I list only the servers running secondary zones? Is it wrong to have AD DNS listed there? Or am I completely misunderstanding this?

You can refer back to the drawings I made.
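The two questions in this post (who should be allowed to pull a transfer of an AD-integrated zone, and how to turn on aging without deleting live hosts) come down to a handful of settings. The script below is an added example, not part of the thread and not the certified solution; it assumes the DnsServer PowerShell module, and the zone name, DC name and the two secondary servers' addresses (10.0.0.1 and 10.0.0.2, taken from the layout described above) are placeholders. The Name Servers tab is the zone's NS record set, which should keep listing the DCs because they are authoritative; it is the transfer ACL, not the NS list, that changes here.

```powershell
# Added example: restrict AXFR to the two secondaries and enable aging on the AD-integrated zone.
# Assumptions: DnsServer module; placeholder names and addresses below.
$zone        = 'mydomain.com'
$dc          = 'dc1.corp.example'        # any DC hosting the zone; the setting replicates with the zone
$secondaries = '10.0.0.1', '10.0.0.2'    # DNS Secondary 1 and 2: the only hosts that still need AXFR/IXFR

# 1) Zone transfers. DCs receive the zone by AD replication and never need AXFR, so the
#    transfer ACL lists only the secondaries; any other host asking for AXFR is refused.
#    NotifyServers makes the primary tell those two hosts when the zone changes.
Set-DnsServerPrimaryZone -ComputerName $dc -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries `
    -Notify NotifyServers -NotifyServers $secondaries

# 2) Preview before scavenging. Only dynamically registered records carry a Timestamp;
#    static records have none and are never scavenged. A record whose timestamp is older
#    than no-refresh + refresh is what scavenging would delete. If a live host shows up
#    here, its client is not re-registering and you fix that before enabling anything.
$noRefresh = [timespan]::FromDays(7)
$refresh   = [timespan]::FromDays(7)
$cutoff    = (Get-Date) - ($noRefresh + $refresh)

$stale = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff }
$stale | Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize

# 3) Aging is a per-zone setting (replicated with the zone). Scavenging, the actual
#    deletion, is a per-server setting; enable it on exactly ONE DNS server so that
#    deletions come from a single, auditable place. ScavengeServers pins it to that DC.
$dcAddr = (Resolve-DnsName -Name $dc -Type A).IPAddress
Set-DnsServerZoneAging -ComputerName $dc -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh -ScavengeServers $dcAddr
Set-DnsServerScavenging -ComputerName $dc -ScavengingState $true `
    -ScavengingInterval ([timespan]::FromDays(7))

# Verify from a host that is NOT in $secondaries; the transfer should now be refused:
#   nslookup -type=AXFR mydomain.com dc1.corp.example
```

Leave the DCs in the Name Servers tab (resolvers rely on those NS records) and simply stop them from being a transfer target; once the clients have been repointed at the DCs and the secondary servers are retired, drop them from the transfer list and the NS records as well, so the transfer ACL is empty again. The scavenging interval is not "7 days after enabling": a newly aged zone is not eligible for scavenging until a full no-refresh plus refresh window has passed, which is why the preview step matters.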
ASKER CERTIFIED SOLUTION
Awesome! Thank you!