GGHC
asked on
AD Integrated DNS Questions
Currently, we are still on traditional DNS (Primary/Secondary). The DNS service is on all DCs in the forest (single domain). Looking to migrate to AD Integrated.
In order to convert to AD integrated, it seems I just have to click "Store the Zone in Active Directory".
1) Is the above correct? No prerequisites needed?
2) Does it automatically create the DNS AD partition?
3) Do I have to do the same on all the secondary DNS servers?
4) What is the best method to post-test replication?
5) What is the logic in AD DNS if a computer from a different AD site needs to register a DNS update?
6) With AD integrated DNS, is there still such a thing as "Primary"?
You already have all prerequisites to run AD integrated DNS.
Just delete the secondary zones from all servers and then convert your standard primary zone to AD integrated.
It will automatically create the required application directory partition to host DNS data in Active Directory.
Change the zone replication scope to "all DNS servers in this domain".
Wait some time for AD replication and the zone should appear on all DC servers where the DNS role is installed.
Also go to zone properties and ensure that the zone is set to dynamic update.
This will take care of DNS record registration.
Lastly, make sure that you do all configuration with a Domain Admins account.
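The steps in the answer above, scripted as an added example (this is not code from the thread or from Microsoft; it is an editor's illustration). It assumes the DnsServer and ActiveDirectory RSAT modules, an elevated PowerShell session on a DC as a Domain Admin, and a placeholder zone name `corp.example`. The order follows the answer: remove the secondary copies first (a DC still holding a secondary zone of the same name will not load the AD-integrated copy), convert the file-backed primary, set the scope to "all DNS servers in this domain" (`-ReplicationScope Domain`, the DomainDnsZones partition), and require secure dynamic updates.

```powershell
# Added example (not from the thread): migrate a file-backed primary/secondary
# DNS zone to an AD-integrated zone. Placeholders: $ZoneName. Run on a DC,
# elevated, as a Domain Admin. Needs RSAT modules DnsServer and ActiveDirectory.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'corp.example'   # placeholder zone name
$DCs      = (Get-ADDomainController -Filter *).HostName

# 1. Remove the secondary copies so the AD-integrated copy can load on those DCs later.
foreach ($dc in $DCs) {
    $z = Get-DnsServerZone -ComputerName $dc -Name $ZoneName -ErrorAction SilentlyContinue
    if ($z -and $z.ZoneType -eq 'Secondary') {
        Write-Host "Removing secondary copy of $ZoneName from $dc"
        Remove-DnsServerZone -ComputerName $dc -Name $ZoneName -Force
    }
}

# 2. Find the DC holding the file-backed primary and convert it to AD-integrated.
#    ReplicationScope Domain = "all DNS servers in this domain" (DomainDnsZones).
#    Legacy would be "all domain controllers in this domain" (stored in the domain partition).
$primaryDC = $DCs | Where-Object {
    $z = Get-DnsServerZone -ComputerName $_ -Name $ZoneName -ErrorAction SilentlyContinue
    $z -and $z.ZoneType -eq 'Primary' -and -not $z.IsDsIntegrated
} | Select-Object -First 1
if (-not $primaryDC) { throw "No file-backed primary copy of $ZoneName found on any DC" }

ConvertTo-DnsServerPrimaryZone -ComputerName $primaryDC -Name $ZoneName `
    -ReplicationScope Domain -Force

# 3. Secure dynamic updates only: a record can be overwritten only by the
#    authenticated computer account that created it.
Set-DnsServerPrimaryZone -ComputerName $primaryDC -Name $ZoneName -DynamicUpdate Secure

# 4. Give AD replication time, then confirm every DC now holds a DS-integrated primary.
Start-Sleep -Seconds 300
foreach ($dc in $DCs) {
    $z = Get-DnsServerZone -ComputerName $dc -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $z) { Write-Warning "$dc does not host $ZoneName yet (replication pending?)"; continue }
    '{0,-30} Type={1} DsIntegrated={2} Scope={3} DynamicUpdate={4}' -f `
        $dc, $z.ZoneType, $z.IsDsIntegrated, $z.ReplicationScope, $z.DynamicUpdate
}
```

Between step 1 and the moment replication delivers the integrated copy, the DCs that held secondaries answer nothing for the zone, so run this in a maintenance window or point clients at the converting DC meanwhile. The 300-second sleep is a guess; intra-site replication is usually faster, inter-site depends on the site link schedule.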
Actually, you asked too many questions in one go; I forgot to answer these:
There is no primary and secondary for an AD integrated zone.
All zone copies are writable copies, and it is called an AD integrated zone because the zone data is stored in AD; if you make any change in the zone on any one server, the changes get replicated to all servers (zone copies on other servers).
You can use the above method to test whether zones are working correctly.
I think I have covered the rest of the questions in my earlier post.
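A post-migration replication test, added here as an editor's example (not code from the thread). It does what the answers describe: take an inventory of the zone copy each DC holds (type, DS-integrated flag, scope, dynamic-update setting), add a test A record on one DC, ask every other DC's DNS service directly until the record resolves there, then delete it. `corp.example`, the `repltest-*` name and the TEST-NET-1 address `192.0.2.10` are constructed placeholders.

```powershell
# Added example (not from the thread): verify that an AD-integrated zone has
# reached every DC and that a change made on one DC converges everywhere.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'corp.example'                                  # placeholder
$TestName = 'repltest-' + (Get-Date -Format 'yyyyMMddHHmmss')
$TestIP   = '192.0.2.10'                                    # constructed (TEST-NET-1)
$TimeoutS = 900

$DCs    = (Get-ADDomainController -Filter *).HostName
$source = $DCs[0]

# Inventory: after migration no DC should report a Secondary copy, and
# IsDsIntegrated should be True everywhere the zone is present.
foreach ($dc in $DCs) {
    $z = Get-DnsServerZone -ComputerName $dc -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $z) { Write-Warning "$dc does not host $ZoneName"; continue }
    '{0,-30} Type={1} DsIntegrated={2} Scope={3} DynamicUpdate={4}' -f `
        $dc, $z.ZoneType, $z.IsDsIntegrated, $z.ReplicationScope, $z.DynamicUpdate
}

# Write a record on one DC; AD replication must carry it to the others.
Add-DnsServerResourceRecordA -ComputerName $source -ZoneName $ZoneName `
    -Name $TestName -IPv4Address $TestIP
$fqdn    = "$TestName.$ZoneName"
$pending = [System.Collections.Generic.List[string]]@($DCs | Where-Object { $_ -ne $source })
$sw      = [Diagnostics.Stopwatch]::StartNew()

while ($pending.Count -gt 0 -and $sw.Elapsed.TotalSeconds -lt $TimeoutS) {
    foreach ($dc in @($pending)) {
        # -Server targets that DC's own DNS service; -DnsOnly bypasses the local
        # resolver cache and hosts file, so a hit means that DC's zone copy has it.
        $r = Resolve-DnsName -Name $fqdn -Type A -Server $dc -DnsOnly -ErrorAction SilentlyContinue
        if ($r.IPAddress -contains $TestIP) {
            '{0,-30} converged after {1:N0}s' -f $dc, $sw.Elapsed.TotalSeconds
            [void]$pending.Remove($dc)
        }
    }
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 15 }
}
if ($pending.Count -gt 0) {
    Write-Warning ("Not converged within {0}s: {1}" -f $TimeoutS, ($pending -join ', '))
}

# Remove the test record on the source; the deletion replicates the same way.
Remove-DnsServerResourceRecord -ComputerName $source -ZoneName $ZoneName `
    -Name $TestName -RRType A -Force
```

If one DC never converges while the others do, compare it against `repadmin /showrepl <dc>`: zone records ride on AD replication, so a DC that is behind in AD is behind in DNS too.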
ASKER
Thanks Mahesh.
After a restart of each DC, all the DNS secondaries converted to AD Integrated! :)
However, when I try to set the "Replication" in the General tab from "All Domain Controllers..." to "All DNS Servers in this Domain...", I get the error "The replication scope could not be set"... Same screenshot earlier in the thread.
As per my search, I already checked the Default Domain Controllers GP... Administrators on Manage auditing and security log.
Any idea what else to check/test?
The below could be your issue:
To resolve this issue, you must add the built-in administrators group account to the manage auditing and security log user permission. The manage auditing and security log user permission is located in the default domain controller policy.
https://support.microsoft.com/en-us/help/842560/you-cannot-change-the-replication-scope-of-an-active-directory-integra
ASKER
That's the setting that I already tried. I even removed and re-added it... still no luck.
I must mention that DomainDNSZones & ForestDNSZones contain old stale entries and are pretty empty... nothing new/current???
ASKER
Also want to mention that, as a test, I modified a test host record and it "eventually" updates on the other DNS servers. AD replication tests are immediate even across sites (I have no schedule setting set).
I can't find the DNS under ADSI\Configuration.
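A diagnostic script for the "replication scope could not be set" error and the two observations above, added as an editor's example (not code from the thread or from the KB article). Two facts it relies on: the DNS application partitions are naming contexts of their own, so ADSI Edit only shows them when you connect to `DC=DomainDnsZones,...` directly, while `CN=Configuration` holds just a `crossRef` object per partition under `CN=Partitions`; and a zone whose scope is still "All domain controllers in this domain" (legacy) is stored in the domain partition under `CN=MicrosoftDNS,CN=System`, not in DomainDnsZones, which is why DomainDnsZones can look empty or stale before the scope change succeeds. The script checks the user right from the KB article on the current token, whether this DC is enlisted in the partitions, lists the `dnsZone` objects in each possible location, and retries the scope change with the full error text. `corp.example` is a placeholder; run it locally on the DC hosting the zone, elevated, as a Domain Admin.

```powershell
# Added example (not from the thread): why can't the replication scope be changed?
# Placeholder: $ZoneName. Run on the DC that hosts the zone, elevated, Domain Admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$ZoneName = 'corp.example'
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configDN = $rootDse.configurationNamingContext
$forestDN = $rootDse.rootDomainNamingContext

# (a) KB842560: the scope change needs "Manage auditing and security log", i.e.
#     SeSecurityPrivilege, in the token of the account doing it. whoami /priv
#     prints the rights of the *current* token, so a GPO edit that has not been
#     applied yet, or a session started before it applied, shows up as missing.
$priv = whoami /priv | Select-String 'SeSecurityPrivilege'
if ($priv) { "SeSecurityPrivilege present: $($priv.Line.Trim())" }
else { Write-Warning 'SeSecurityPrivilege missing from this token: check Default Domain Controllers Policy, gpupdate /force, then start a new logon session' }

# (b) Partition crossRefs live under CN=Partitions in Configuration. Their
#     msDS-NC-Replica-Locations attribute lists the NTDS Settings objects of the
#     DCs enlisted in (hosting) that partition; this DC must be one of them.
$myNtds = (Get-ADDomainController -Identity $env:COMPUTERNAME).NTDSSettingsObjectDN
Get-ADObject -SearchBase "CN=Partitions,$configDN" -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, 'msDS-NC-Replica-Locations' |
  Where-Object { $_.nCName -like 'DC=DomainDnsZones,*' -or $_.nCName -like 'DC=ForestDnsZones,*' } |
  ForEach-Object {
      $replicas = @($_.'msDS-NC-Replica-Locations')
      '{0,-50} thisDcEnlisted={1} replicaCount={2}' -f $_.nCName, ($replicas -contains $myNtds), $replicas.Count
  }

# (c) Where the zone objects actually are. Legacy scope ("all domain controllers")
#     keeps them in the domain partition under CN=System; Domain/Forest scope moves
#     them into the DomainDnsZones/ForestDnsZones partitions.
$locations = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
)
foreach ($base in $locations) {
    "--- $base"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue |
        ForEach-Object { '    ' + $_.Name }
}

# Retry the change and surface the full error instead of the MMC one-liner.
try {
    Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -PassThru -ErrorAction Stop |
        Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
} catch {
    Write-Warning "Scope change failed: $($_.Exception.Message)"
}
```

Read the output in order: if (a) is missing the right, nothing else matters until a fresh logon shows it; if (b) shows this DC not enlisted, the scope change has no partition to write into on this server (`Add-DnsServerDirectoryPartition` or `Register-DnsServerDirectoryPartition` from the DnsServer module enlists it); if (c) still shows the zone only under `CN=System` after the change reports success, wait for AD replication and re-run.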
ASKER
The error still exists (but no impact in prod). Good guidance was given by Mahesh. Thanks!!!!
ASKER
First got this error. Restarted the DNS service... Nothing seems to be broken, though. Best way to test?
BTW, AD forest is 2008 | Primary DNS is a 2008 DC | Most other DCs are 2016.
After reviewing the secondary DNS servers, these are not part of AD Integrated. Is this correct? Are there any actions/tweaks needed?