DNS Islands of resolution...

    I'm not sure if my DNS setup is having this problem or not. My current setup is as follows:

    - 1 domain with 3 DCs, each w/ GCs and ADI DNS.
    - The first two DCs are located in our central office in the same site.
    - The third DC is located in a separate site with a different subnet.
    - DC1 points to itself for DNS. Secondary DNS entry points to DC2.
    - DC2 points to itself for DNS. Secondary DNS entry points to DC1.
    - DC3 points to itself for DNS. Secondary/third DNS entry points to DC1/DC2.
    - Workstations at the remote site (DC3) point toward DC3 for DNS and secondary/third DNS entry to DC1/DC2.
    - Added delegations to the primary zone (*I think I screwed up here and was not supposed to do this.) I added each DC to the "New Delegation Wizard".

    First problem I'm noticing is that DC1 shows two subnets under the reverse lookup zones (this is fine); however, DC2 shows only one subnet under reverse lookup zones (that of the remote site). And in the remote DC3, reverse lookup zones show one subnet (the subnet it's located on). I thought the idea of having ADI DNS was that all DNS servers would have identical copies or replicated copies. This is not the case in my situation with reverse lookup zones. The primary zone looks fine on all DCs. Since the reverse lookup zones are different on each DC, I believe I'm doing something wrong. I'd like to figure this out first before I continue with my deployment of 15 more DCs.

    Second question is this: I was reading Best Practices for DNS structure design (SearchWinIT.com) and the author mentions that, as a general rule, it's recommended that ALL DNS servers point to a single primary as the "preferred DNS Server". This is different from what is recommended in the 2003 AD Branch Office Guide. I thought the whole purpose of having DNS servers in each site/DC was to provide fault tolerance. Can someone please help me understand this?

    I know this is a long post, but I'd appreciate any help with this matter.

  • #2
    Re: DNS Islands of resolution...

    Originally posted by kiwikenji:
    First problem I'm noticing is that DC1 shows two subnets under the reverse lookup zones (this is fine); however, DC2 shows only one subnet under reverse lookup zones (that of the remote site). And in the remote DC3, reverse lookup zones show one subnet (the subnet it's located on). I thought the idea of having ADI DNS was that all DNS servers would have identical copies or replicated copies. This is not the case in my situation with reverse lookup zones. The primary zone looks fine on all DCs. Since the reverse lookup zones are different on each DC, I believe I'm doing something wrong. I'd like to figure this out first before I continue with my deployment of 15 more DCs.
    Yes, that's the idea of having an ADI zone. I would go back and delete all the delegations. See if that clears up the problems.

    Originally posted by kiwikenji:
    Second question is this: I was reading Best Practices for DNS structure design (SearchWinIT.com) and the author mentions that, as a general rule, it's recommended that ALL DNS servers point to a single primary as the "preferred DNS Server". This is different from what is recommended in the 2003 AD Branch Office Guide. I thought the whole purpose of having DNS servers in each site/DC was to provide fault tolerance. Can someone please help me understand this?
    OK, let's think about this one logically for a second. DNS servers should point to themselves. You could set them to point to another DNS server if you want, but if it fails to contact itself....

    The fault tolerance really comes into play for the DNS clients (both workstations and servers), not really for the DNS servers.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: DNS Islands of resolution...

      Thanks Jeremy for your advice. I unfortunately am a bit puzzled on how to remove a delegation. As you can tell, I'm pretty new to this. I looked up removing/deleting a delegation on Google but couldn't find anything on the matter. How exactly do I remove a delegation? If I recall, when I set up new delegations, these were added both in the primary and reverse zones on each DNS server. I did not see any options to remove a delegation in any of the menus.

      Thank you,

      Lost & Confused



      • #4
        Re: DNS Islands of resolution...

        Well I don't have a test domain in front of me right now but IIRC the delegation should be in the folder hierarchy and show up as a grey or lighter colored folder. I think you just right-click and select delete. Be sure you don't delete the _msdcs delegation.
        Regards,
        Jeremy



        • #5
          Re: DNS Islands of resolution...

          Jeremy, it looks like I don't have a folder like what you described in my primary or reverse zones. I have the following in my primary zone:

          _msdcs, _sites, _tcp, _udp, _domaindnsZones, and _forestdnsZones.

          But I believe I have found my problem. I looked into the properties of my reverse zones on my primary DNS server (DC1) and found out that both zones were NOT ADI enabled! So I enabled them, set them to secure, and made sure to allow zone transfers only to the servers listed in my Name Servers tab. As soon as I did that, the reverse zones started appearing on the other DNS servers.

          So it looks like that was the problem. Now on the other DNS servers (DC2/DC3), in the reverse zones, I noticed that "Allow Zone Transfers" is disabled in the properties window. Should I enable that on both DC2/DC3 (and any future DNS servers) to allow zone transfers? Or just enable "Allow Zone Transfers" on the primary DNS only? Sorry for bombarding you w/ so many questions.



          • #6
            Re: DNS Islands of resolution...

            Not a problem.

            Since it's an ADI zone, the transfers will take place through AD replication.

            Now ADI zones can act as a Primary zone if there's a DNS server with a Secondary zone for a particular domain. This situation is where the Zone Transfers would come into play.

            Since all your zones are AD-integrated you can safely disable Zone Transfers.
            Regards,
            Jeremy

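As an added example (not code from the thread), a PowerShell audit of the two points Jeremy makes: that each DNS server lists itself as its preferred DNS server (#2), and that every primary zone, reverse zones included, is AD-integrated, accepts only secure dynamic updates and has zone transfers turned off (#5/#6). It assumes the DnsServer and DnsClient modules (RSAT / Windows Server 2012 or later), PowerShell remoting to each DC, and uses the thread's DC1/DC2/DC3 names as placeholders.

```powershell
# Added example, not code from the thread. Requires the DnsServer and DnsClient
# modules (RSAT / Windows Server 2012+) and PowerShell remoting to each DC.
function Test-AdiDnsConfig {
    param([string[]]$DomainController = @('DC1', 'DC2', 'DC3'))  # placeholder names

    foreach ($dc in $DomainController) {
        # Post #2: a DNS server should list itself as its preferred DNS server.
        $selfAddrs = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop).IPAddress
        $clientDns = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -First 1).ServerAddresses
        }
        if ($clientDns -and $clientDns[0] -notin $selfAddrs) {
            Write-Warning "$($dc): preferred DNS server is $($clientDns[0]), not itself ($selfAddrs)"
        }

        # Posts #5/#6: every primary zone (forward and reverse) should be AD-integrated,
        # accept only secure dynamic updates, and not hand out zone transfers.
        # Auto-created zones (0., 127., 255.in-addr.arpa) and TrustAnchors are skipped.
        Get-DnsServerZone -ComputerName $dc |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                           $_.ZoneName -ne 'TrustAnchors' } |
            ForEach-Object {
                $issues = @()
                if (-not $_.IsDsIntegrated) {
                    $issues += 'not AD-integrated (will not replicate to the other DCs)'
                }
                if ($_.DynamicUpdate -ne 'Secure') {
                    $issues += "dynamic update is '$($_.DynamicUpdate)'"
                }
                if ($_.SecureSecondaries -ne 'NoTransfer') {
                    $issues += "zone transfers allowed: $($_.SecureSecondaries)"
                }
                $summary = if ($issues) { $issues -join '; ' } else { 'OK' }
                [pscustomobject]@{
                    Server  = $dc
                    Zone    = $_.ZoneName
                    Reverse = $_.IsReverseLookupZone
                    Issues  = $summary
                }
            }
    }
}

Test-AdiDnsConfig | Format-Table -AutoSize
```

A zone reported as "not AD-integrated" is exactly the condition found in #5: it lives only on the server that holds it and will not appear on the other DCs until it is converted to an AD-integrated zone.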


            • #7
              Re: DNS Islands of resolution...

              Thank you very much Jeremy for the explanation and for taking the time to answer my questions. Looks like I'm set. Will add points to your reputation for all the assistance you lent. Have a great day!



              • #8
                Re: DNS Islands of resolution...

                Glad to help!
                Regards,
                Jeremy
