
understanding 2003 DNS resolution, not forwarding?

marcoz123 (IS-IT--Management), Sep 6, 2007
Hopefully someone can help me understand the interaction
of DNS resolution between 2003 servers and XP clients.
I understand that in AD it's probably best to have the clients
(XP) use the DNS server running in the AD domain, and many things
seem to work better when it is set up like this. However, I am having
trouble resolving other IP names of systems within the same IP domain
that are not a part of AD and never registered with the 2003 DNS
server. Ideally, it would be nice if the XP client could first try
to resolve the name with the 2003 DNS system and then, upon failure,
roll over to the campus DNS (bind) system where some of these other
systems are defined and receive DHCP numbers.

Or, if the 2003 DNS system can not resolve the name, forward it
on to another campus DNS server. For the life of me, I can’t get this
working.
Here’s what I’ve got:

Campus DNS system (bind) that does not allow dynamic DNS updates
IP address 10.10.250.100

2003 server running DNS
IP address 10.10.11.65, name max

XP client
IP address 10.10.11.113
First DNS pointing to 10.10.11.65 (2003 DNS)
Second DNS pointing to 10.10.250.100 (campus DNS)

XP client
IP address 10.10.53.113
First DNS pointing to 10.10.11.65 (2003 DNS)
Second DNS pointing to 10.10.250.100 (campus DNS)

Logins are fast, printers map, shares work, etc.
Problem is that the XP clients cannot resolve a system that is defined in the
10.10.250.100 DNS system but not defined in the 2003 DNS system.
If I reverse the DNS search order so the campus is first and the 2003 DNS is
second, new logins on the XP client cannot find the AD domain. They can,
however, resolve the "other" IP names in the domain.

Seems like the 2003 DNS is not forwarding the lookup on to the next
DNS server because the request is coming from a client that is the same
IP domain? Helppppppp,

Thank you,
-marc
 
Ok, since your primary DNS server is (and has to be) your Windows 2003 DC, as this is what is used to locate the SRV records for proper authentication and the like, you may have to create the host records for the other machines manually in your Windows DNS zone file. Or you could also set up a secondary zone file on your Windows DNS and do zone transfers between systems; this way you should be able to resolve by FQDN. I think you could also set up a stub zone here to point your clients to the proper NS for those records. Not super sure on all the BIND stuff, but I assume it's pretty cooperative now that it's in its later 9.x releases.

Cory
 
Cory, thanks for the darn fast response!

The issue with creating entries in the w2k3 DNS for these "other"
IP names in the IP domain is that they get their IP numbers via
DHCP and there is no guarantee they will always be the same.
Additionally, each time a campus (bind) entry is added, changed or
deleted, I will have to keep the w2k3 DNS up to date. A lot of work.

In creating a secondary zone, how could that be done for the
same zone name that the w2k3 server is servicing? 10.10.11.0

I did look at the stub zone but can’t find much information. When
creating a STUB zone, the ZONE name is the same as the ZONE name
that the w2k3 server is hosting and it will not allow that.


From what I recall, in Solaris, Sun UNIX and the olden days, for example,
one could set up a resolver to first look in a local
file, perhaps /etc/hosts; if not found there, use NIS maps; if not
there, query a bind server. Why on earth can't this be done
with w2k3 DNS?

Any other ideas?

Many thanks again,

-marc
 
Unless you have configured your bind DNS environment as secondary to your AD/DNS, the way it works if I am not mistaken is that AD/DNS will always be a secondary zone to the BIND environment. Are you sure zone transfers are being performed between the two types of DNS server? Sounds like you have inconsistencies in the zone entries.
 
itsp1965,

The bind DNS system is totally out of my control and serves the
entire campus. Are you saying that the AD/DNS system can be
configured on the w2k3 server to be secondary? Initial queries from
clients will be sent to bind/DNS first, then to AD/DNS?

Thanks,

-marc
 
Ok, so you pretty much have the idea to have both DNS servers accepting dynamic updates and replicating changes between these systems.

This is not possible: you cannot reload any data from the other once you make the zone primary. From what I can see, you will be forced to keep your client machines that require AD pointing to your Windows DNS server. From here you could set up another zone (or use the current one, I suppose) to have them register their dynamically updated host records to, and then set up a secondary zone on the BIND server to replicate these changes to. This will in effect give you the ability to do name resolution for these machines by pointing your other client machines (the ones not using the Windows DNS server) to the BIND server.

Like I said though, 2 DNS servers each with the same zone file name, both being primary zones and replicating changes between both, is not possible. If there are any discrepancies here, please let me know.

Good luck.

Cory
 
Cory,
> Ok so you pretty much have the idea to have both dns servers accepting dynamic updates and replicating changes between these systems.

No, I have no control over the campus bind DNS, and it does not and probably never
will support dynamic updates. New users must manually register their computers with this
system before they can receive IP info via campus DHCP/BOOTP.

> This is not possible, you cannot reload any data from the other once you make the zone primary. From what I can see you will be forced to keep your client machines that require AD pointing to your Windows DNS server, from here you could setup another zone (or use the current one I suppose) to have them register their dynamically updated host records to and then setup a secondary zone on the BIND server to replicate these changes to. This will in effect give you the ability to do name resolution for these machines by pointing your other client machines (the ones not using the Windows DNS server), to the BIND server.

Not sure I understand here. At what point does a client register/update the
AD/DNS system? When they join the domain? When they login the domain? Any
time they resolve something through the AD/DNS?

> Like I said though, 2 DNS servers each with the same zone file name, both being primary zones and replicating changes between both is not possible. If there are any discrepancies here please let me know.

The trouble I'm having/understanding, quite simply, is that there are other (non-MS)
systems on one or two of these domains that will never have anything to
do with the AD/DNS/w2k3 systems. Coincidentally, they are in the same
domain and share the same IP ranges. It's the XP clients that need access
to them, SSH and the like. These systems get their IP numbers from and
are registered with the campus bind system.

Thanks a ton for all the feedback!
-marc

 

To add more to that last paragraph.
It seems as though it's all or nothing with
w2k3 DNS and its clients.

Perhaps this can be somehow hacked on the client (XP)
side? I get the impression that the reason there are
multiple spaces to enter DNS servers is redundancy,
and not a sort of "try this one and if it does not resolve,
try the next one".
On the properties page for the IP configuration
on an XP client, under advanced options, DNS tab,
one can enter DNS servers in order of use. This
almost implies the above! Perhaps a reg hack??

regards,
-marc

 
All you have to do is set up your 2003 DNS server to forward DNS requests that it can't answer over to your campus BIND DNS server. The BIND server would then be responsible for resolution of the DNS information.

Since both DNS servers are part of the same domain, I think this is the best way to go.

Good luck,
 
thank you lhuegele,

That's the first thing I tried, but it does not seem
to work as I understand it.
Go to the forwarders tab, under "All other DNS domains",
add the campus bind/DNS system, right?

I'm thinking the trouble may be that w2k3/DNS is not forwarding
a domain lookup that "it" thinks it is the authority of,
and never seems to send it. Other things outside of
this domain resolve correctly!

thanks,

-marc
 
You are looking for it to pick and choose how it resolves certain things. The thing is this: when you assign a machine a primary DNS server, the machine says "Ok, it's either up or it's down". If it's down, it will use the secondary server; otherwise, it will use the primary, and anything that sits on the secondary DNS will simply not matter. Therefore, in your case:

bind dns 10.0.0.1
(A) record = bobsmachine

Windows dns 10.0.0.2
No (A) record

Primary DNS server for client
10.0.0.2
Secondary
10.0.0.1

In this case, pinging bobsmachine will get you absolutely nowhere, even though in theory, if one were to take the meanings literally, you would assume that since you have a secondary server in the client settings it would work. Wrong.

The primary DNS server will send out recursive queries if it can and bring back whatever results it finds.

So how do we do this, you say? Well, in most cases not unlike yours, one would set up a conditional forwarder that would point to a DNS server that could resolve this query. However, the discrepancy lies in the fact that these are generally set up for very finite requests (such as subdomain.domain.com), whereas in your case you want to resolve loads of dynamically updated records within a zone file that mimics itself on both operating systems... This, my friend, is why without more control over your environment you are between a proverbial rock and a hard place.



Cory
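The resolver behaviour Cory describes, and the reason the forwarder marc configured never fires, modelled as an added example (not code from the thread). It assumes a constructed zone name `campus.example` and the sample addresses from Cory's post: the secondary client DNS is only tried when the primary does not answer, and a server that is authoritative for a zone returns NXDOMAIN for a missing name instead of consulting its forwarder.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data mirroring Cory's example: BIND at 10.0.0.1 holds an
# A record for bobsmachine; Windows DNS at 10.0.0.2 is authoritative for the
# same zone but has no such record. The zone name is an assumption.
ZONE = "campus.example"


@dataclass
class DnsServer:
    ip: str
    zones: dict                      # zone name -> {hostname: address}
    forwarder: DnsServer | None = None
    up: bool = True

    def query(self, fqdn: str) -> str | None:
        """Return an address, or None for NXDOMAIN. Raise TimeoutError if down."""
        if not self.up:
            raise TimeoutError(self.ip)
        host, _, zone = fqdn.partition(".")
        if zone in self.zones:
            # Authoritative for this zone: answer from local data only. A miss
            # is an authoritative NXDOMAIN; the forwarder is NOT consulted.
            return self.zones[zone].get(host)
        if self.forwarder is not None:       # "All other DNS domains" forwarder
            return self.forwarder.query(fqdn)
        return None


def client_resolve(fqdn: str, servers: list[DnsServer]) -> str | None:
    """Model of the XP client resolver: the next listed server is used only
    when the current one does not answer, never because it said NXDOMAIN."""
    for srv in servers:
        try:
            return srv.query(fqdn)
        except TimeoutError:
            continue
    return None


def demo() -> dict:
    bind = DnsServer("10.0.0.1", {ZONE: {"bobsmachine": "10.0.0.50"},
                                  "other.example": {"www": "192.0.2.10"}})
    win = DnsServer("10.0.0.2", {ZONE: {"dc": "10.0.0.2"}}, forwarder=bind)
    order = [win, bind]              # primary 10.0.0.2, secondary 10.0.0.1
    out = {"bobsmachine": client_resolve(f"bobsmachine.{ZONE}", order),   # NXDOMAIN
           "outside_zone": client_resolve("www.other.example", order)}    # forwarded
    win.up = False                   # only now does the secondary get used
    out["bobsmachine_primary_down"] = client_resolve(f"bobsmachine.{ZONE}", order)
    return out
```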
 
Ah, you are correct Marco, and Cory has a good point as well.

2 DNS servers: 1 is W2k3 and the other is Bind,
but both are in the same domain.

I think you're going to have to decide on using just one of the DNS servers as your primary and only use the other as a fall-back if your primary server goes down for some reason. You'll need to figure out which one to use based on your own situation.

Either that, or as Cory states, you need more control over your DNS environment.

Good luck,
 

Thanks Cory, not sure I wanted to hear that, but...

How about this:
Would it be useful/work if I could get the campus bind/DNS
system to send me zone transfers? Like all the 10.10.11.0
entries to the w2k3/DNS system? Perhaps that way, the
w2k3 DNS could stay current?

regards,

-marc
 
If you wanted to, you could create a secondary zone of the same name that could accept zone transfers from the BIND server. As posted earlier, however, if you already have a primary zone with the exact same name, this won't work.

Cory
 
Great support/advice from everyone.
I really appreciate the wisdom. Let me mull over some of
this and revisit the thread tomorrow.

Again much appreciated,

-marc
 