DNS wisdom needed! 2

Bullnuts

MIS
Aug 28, 2002
30
CA
I have 3 locations, Site X (300 users), Site Y (25 users), and Site Z (15 users), that are connected via dedicated VPN/T1 connections.

This is a Server 2003 R2 network in which all sites are part of xyz.com (no child domains). All sites log in to the same domain. Site X is the Forest Root.

Each site has a DC which is also an ADI DNS server and GC. Site X DNS points to itself, then the ISP. Site Y and Z DNS point to the local DC ADI DNS, then to Site X.

I have configured AD Sites and Services correctly, with the servers in the proper sites and subnets tied to their corresponding sites. Authentication is working well. I am looking for recommendations on DNS config. Since all 3 DCs are ADI DNS, should I set up zone transfers between them, or will ADI DNS take care of that? In testing, if I uncheck zone transfers, the SOA serial number does not catch up to Site X, which in theory means I would have to set up zone transfers between these DCs..? Maybe one of you DNS gurus could come up with a better suggestion for DNS structure, as this is one dept where I am still learning... keeping in mind that I would like to keep the network structure I have. Right now WINS is the only thing saving my ass, and I would like to phase it out eventually.
Best Regards,
NT guy
 
If it's ADI, then zone transfers should be automatic. Take the ISP reference out of the site X IP properties, and add it to the forwarders.

What does the DNS event log say?

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Thanks for the info. When you say ADI is automatic: when I right-click on the zone, go to Properties, then the Zone Transfers tab, the box for "Allow zone transfers" is empty. Should it be, or should I enter the other DCs' IPs?
I double-checked and do have the ISP's (2) addresses in the forwarders section on X (original typo).
Event Viewer is clean on Site X, but on Site Y I am getting event 4015:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4515

Description:
The zone 0.168.192.in-addr.arpa was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition ForestDnsZones.X.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.

If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.

If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.

That's the only DNS event message, other than informationals stating record updates on other zones.

 
Hi, think of AD Integrated DNS in this way....

The Active Directory database (NTDS) on your domain controllers replicates with the other Active Directory databases on your other domain controllers. The Active Directory database contains all of your user and computer account information and so on. You may already know all of this.

Here's where the "Integrated" part of AD "Integrated" DNS comes in....

When the domain controllers replicate their Active Directory databases with each other, WITHIN this update is also the DNS zone information of any Active Directory Integrated zones on that server.

The DNS zone transfer is piggybacking on the Active Directory database transfer, so to speak.

With Standard DNS (not AD Integrated), you've got your "Primary DNS server", say in your head office, and a "Secondary DNS server", for example in your branch office. In this case, rather than AD doing all the work for you and transferring the DNS info as it's transferring its AD info, you have to manually configure when the DNS zone transfers are going to take place.

This is because, unlike AD Integrated DNS, ONLY your Primary DNS server can be updated, for example when a client PC gets a new IP address from the local DHCP server. Another way to put it would be: the Standard DNS zone on the "Secondary DNS server" is read-only, whereas the zone on the "Primary DNS server" can be written to, or updated. Hope I'm explaining this alright.

Regarding the ISP stuff... your clients should NEVER have the ISP's DNS server IP address in their network settings. Instead, you want your DNS servers querying the ISP's DNS servers on behalf of your clients. You're on the right track there. The ISP's DNS servers' IP addresses need to go in the Forwarders tab of your own DNS servers.

Also to note, you can have a mix and match of Standard DNS zones and AD Integrated DNS zones on your domain controllers if need be. Let me know if you're not clear on any of this. I'm not sure what those error messages are in your Event logs, but I'd start by reviewing your DNS configuration first. Good luck!
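The checks the two replies above describe (every copy of the zone is AD-integrated so no manual zone transfers are needed, ISP resolvers live in the forwarders list and not on the DC's NIC, and replication is actually converging) can be scripted. The audit below is an added example, not code from the thread or from Microsoft. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) and PowerShell remoting to each DC; on a 2003-era DC the same facts come from `dnscmd /ZoneInfo <zone>` and `dnscmd /Info`. The DC names, the zone name, the ISP addresses (TEST-NET-3) and the probe host are constructed placeholders.

```powershell
# Added audit example (not from the thread). Assumes the DnsServer module and
# PowerShell remoting to each DC. All names and addresses below are constructed.
$DomainControllers = @('dc-sitex', 'dc-sitey', 'dc-sitez')   # constructed DC names
$Zone              = 'xyz.com'
$IspResolvers      = @('203.0.113.1', '203.0.113.2')          # constructed (TEST-NET-3)
$ProbeHost         = 'probe-workstation'                      # constructed A record used to check convergence

function Test-AdiDnsConfig {
    param([string[]]$Dcs, [string]$ZoneName, [string[]]$Isp, [string]$Probe)
    $findings     = New-Object System.Collections.Generic.List[string]
    $scopes       = @{}
    $probeAnswers = @{}

    foreach ($dc in $Dcs) {
        # 1. The zone must be AD-integrated on every DC. A Primary/Secondary copy is the
        #    one case where a classic zone transfer really would have to be configured.
        $z = Get-DnsServerZone -ComputerName $dc -Name $ZoneName
        if (-not $z.IsDsIntegrated) {
            $findings.Add("$dc : $ZoneName is a '$($z.ZoneType)' zone, not AD-integrated; AD will not replicate it")
        } else {
            $scopes[$dc] = [string]$z.ReplicationScope   # Domain, Forest or Legacy; should match on all DCs
        }

        # 2. ISP resolvers belong in the forwarders list, never in the DC's own NIC DNS settings.
        $fwd = @((Get-DnsServerForwarder -ComputerName $dc).IPAddress | ForEach-Object { $_.IPAddressToString })
        $nic = @(Invoke-Command -ComputerName $dc -ScriptBlock {
                    (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses })
        foreach ($ip in $Isp) {
            if ($nic -contains $ip)    { $findings.Add("$dc : ISP resolver $ip is set on the NIC; move it to forwarders") }
            if ($fwd -notcontains $ip) { $findings.Add("$dc : ISP resolver $ip is missing from the forwarders list") }
        }

        # 3. Convergence probe. SOA serials on an ADI zone are maintained per server and may
        #    legitimately differ, so compare an actual record across DCs instead of the serial.
        try {
            $a = Resolve-DnsName -Server $dc -Name "$Probe.$ZoneName" -Type A -DnsOnly -ErrorAction Stop
            $probeAnswers[$dc] = (($a | Where-Object { $_.Type -eq 'A' } |
                                   ForEach-Object { $_.IPAddress } | Sort-Object) -join ',')
        } catch {
            $probeAnswers[$dc] = 'NXDOMAIN/ERROR'
        }
    }

    if (($scopes.Values | Select-Object -Unique).Count -gt 1) {
        $detail = ($scopes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        $findings.Add("Replication scope for $ZoneName differs between DCs ($detail)")
    }
    if (($probeAnswers.Values | Select-Object -Unique).Count -gt 1) {
        $detail = ($probeAnswers.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        $findings.Add("Record $Probe.$ZoneName differs across DCs ($detail); investigate AD replication (repadmin /showrepl), not zone transfers")
    }
    return $findings
}

$result = Test-AdiDnsConfig -Dcs $DomainControllers -ZoneName $Zone -Isp $IspResolvers -Probe $ProbeHost
if ($result.Count -eq 0) { 'ADI DNS configuration looks consistent on all DCs.' } else { $result }
```

The probe record is the useful part: an ADI zone that is "Allow zone transfers: unchecked" on every DC is normal, and a record added on one DC that shows up on the others after the next AD replication cycle is the proof that nothing more is needed. If the record never converges, the fault is in AD replication (KCC/site link issues), which is exactly what the event log on the branch DC will be reporting.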
 
Thanks again for the tips, I now have a much better grasp on DNS. The problem ended up being that I was receiving DNS events 4515 and 4004 and some KCC events on one of my DCs, due to the fact that I jumped the gun on when AD replication was taking place and had some duplicate DNS partitions created in the directory, which it does not like!

Basically, I read up on MS article 867464, posted on some forums, and decided to delete all broken ADI zones that got created with the replication scope set to "all domain controllers in the AD domain XYZ.com". Then I used ADSIEdit to confirm the zone got deleted from CN=MicrosoftDNS in DC=XYZ,DC=com. Next I forced replication to all DCs, and the old ForestDNSZones reappeared in the replication mode "to all DNS servers in the AD forest XYZ.com".

Dcdiag /test:dns was still failing on root hint errors, so I simply removed the root hints zone under CN=MicrosoftDNSZone and then copied them back from a known working DC and reran the test. It passed all with success!

Later,
se
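The condition behind event 4515 in this thread, the same zone stored as a dnsZone object in more than one directory partition, can be found before the DNS server starts complaining. The script below is an added example (not from the thread, the poster, or Microsoft) that lists every dnsZone object in the three places a Windows DC can keep one: the legacy CN=MicrosoftDNS,CN=System container ("all domain controllers in the domain"), the DomainDnsZones application partition, and the ForestDnsZones application partition. It uses only the .NET DirectorySearcher, so it runs on old and new PowerShell versions alike. The domain DN is a constructed placeholder, and the forest partition DN assumes, as in the thread, that the domain is the forest root.

```powershell
# Added example (not from the thread). Enumerates dnsZone objects per directory
# partition and flags any zone present in more than one, which is the cause of
# DNS event 4515. $DomainDn is a constructed placeholder.
function Get-DnsZoneCopies {
    param([string]$DomainDn = 'DC=xyz,DC=com')   # constructed; forest root assumed
    $containers = [ordered]@{
        'Legacy (CN=System)' = "LDAP://CN=MicrosoftDNS,CN=System,$DomainDn"
        'DomainDnsZones'     = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
        'ForestDnsZones'     = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn"
    }
    $copies = @()
    foreach ($label in $containers.Keys) {
        $root     = [ADSI]$containers[$label]
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
                        $root, '(objectClass=dnsZone)', @('dc', 'whenChanged'))
        $searcher.SearchScope = 'OneLevel'
        $searcher.PageSize    = 500
        try   { $results = $searcher.FindAll() }
        catch { continue }   # partition or container not present on this DC; skip it
        foreach ($r in $results) {
            $copies += [pscustomobject]@{
                Zone      = [string]$r.Properties['dc'][0]
                Partition = $label
                Changed   = $r.Properties['whenchanged'][0]
            }
        }
    }
    return $copies
}

function Find-DuplicateDnsZones {
    param($Copies)
    # RootDNSServers is the root-hints store; it is legitimately a zone object, but
    # like any other zone it should exist in only one partition.
    $Copies | Group-Object Zone | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Zone       = $_.Name
            Partitions = ($_.Group | ForEach-Object { "$($_.Partition) (changed $($_.Changed))" }) -join '; '
        }
    }
}

$copies = Get-DnsZoneCopies
$dupes  = @(Find-DuplicateDnsZones -Copies $copies)
if ($dupes.Count -eq 0) {
    'No zone exists in more than one directory partition.'
} else {
    $dupes | Format-Table -AutoSize
    # Remediation, as in the thread: delete the copy from the partition that should
    # not hold it, let AD replication carry the deletion to every DC, then re-check:
    #   dcdiag /test:dns /s:<dc-name>
}
```

The `Changed` timestamp helps decide which copy is stale: the one the DNS server is actively loading (the "previously loaded" partition named in the 4515 text) keeps receiving dynamic updates, while the orphaned copy stops changing. Deleting the wrong one discards live records, so confirm against the event text and `dnscmd /ZoneInfo <zone>` before removing anything.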
 