Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

AD DNS Question

  • Filter
  • Time
  • Show
Clear All
new posts

  • AD DNS Question

    When we implemented a clean build of server 2003 in our UK office, and a clean build out in our foreign offices, we had to learn everything ourselves, and various contractors we had to help told us contradicting strategies.

    Just to confirm,

    UK - Parent
    Thailand - Child
    Australia - Child

    In DNS of UK I have set up forwarders to our ISP (all other DNS Domains), and have created a delegation for Thailand, and one for Australia.

    Do I need to do the delegations if DNS is replicated to all DNS Servers in the forest?
    I have set this up on each DNS server, thus each server has 3 forward lookup zones (UK.Company.local, Thai.Company.local, Aus.Company.local) and 3 reverse lookup zones (192.168.10.x , 192.168.15.x , 192.168.17.x)
    In each DNS child I have set up forwarders to their ISP (all other DNS Domains), but not configured one for the parent domain.

    We are having intermittent problems with our replication between sites, and I am not sure whether it is a DNS issue or something on the VPN links...

    This post is for someone to confirm whether I have got DNS set up correctly, or if not, what the best way to do it is.

    I have searched on the internet for various resources, and I am currently studying towards MCSE (currently @ MCSA level) yet all documentation I come across does not show a "fixed" way to setting up AD over international sites.....

    PS This forum is great, and brings together a lot of knowledge. This is now my first port of call for technical issues.
    Keep up the good work.


  • #2
    Re: AD DNS Question

    Delegation has little to do with DNS or Active Directory replication. Delegation is for assigning DNS zone responsibilities to other Administrative groups, effectively allowing decentralized administration of DNS zones.

    If your DNS zones are Active Directory integrated, then the replication of your DNS zones is handled by Active Directory. Zones are incrementally replicated via AD. If your DNS zones are AD integrated and you suspect your having DNS replication issues, then AD replication is probably going to be the first and last place to look for the underlying problem.

    Open up the replmon.exe tool which is part of the Windows 2003 supplemental tools on the Win2k3 CD. You'll want to make sure your DNS application partitions are being replicated successfully. See screenshot. Check all domain controllers using the replmon tool. If replication is failing, replmon will tell you where but you will likely have to dig for answers as to "why" and how to fix. Note that you can also use the replmon utility to force or test replication to see if you've licked the underlying problems.

    Microsoft has a few pretty good troubleshooting articles for replication failures.

    On your DNS server which points to the "internet" DNS servers, you should probably use DNS root hints instead of forwarders. Forwarders use recursive DNS queries in order to resolve DNS names for the client resolves. It is generally considered rude or impolite to send recursive lookups to other DNS servers on the internet because the DNS server you have sent a recursive lookup request to is now resonsible for end to end name resolution for that request.

    The burden of recursion should be placed on your own internal DNS servers, probably the DNS servers in the UK domain. In this method, the recursive query is sent by the client resolver to your internal DNS server. When your DNS server figures out that it has nothing in cache to answer the request, it begins sending iterative DNS queries to other DNS servers out in internet land, starting with the root servers which are the most authoritative DNS servers on the internet. Your DNS server(s) contact the root servers using "root hints" which are set up automatically on your Windows DNS servers.

    Consider using forwarding or conditional forwarding for your internal corprate DNS name space, but avoid using forwarding for internet use.

    Since you may have decentralized and delegated DNS zones in Thailand and Australia, consider the use of stub zones on the UK DNS server for both Thailand and Australia. You would do this if the delegated administrators in Thailand and/or Australia were setting up DNS servers without your prior knowledge which would be a scenario for a large corporation with distributed IT teams.

    I highly recommend O'Reilly's Windows Server 2003 DNS book (they have a Win2k version of it as well). Another great resource is the Microsoft Press 70-292/70-296 MCSA/MCSE upgrade exam book. It's got a few great chapters all in a row dedicated to DNS setup which is essential knowledge for a Windows AD environment.

    Attached Files
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.


    • #3
      Re: AD DNS Question

      Thanks Jason for the info.

      I was told by one of the consultants to add our ISP DNS servers as forwarders...goes to show how much they know

      I have used Replmon for a while, and have been checking on the replication, or forcing to the other sites.

      The issues I am having with replication are as follows - this is only for the Thai site

      1) The NTDS Connections in Thai-Site are different to that in the UK site. I can successfully start a replication from Thailand to DC1 in the UK.

      2) When trying to replicate to the Thai-Site DC1 from the UK, I get a Replication error: The naming context Australia.Company.local is in the process of being removed or is not replicated from the specified server.

      3) Every now and then we get RPC errors, yet our firewall VPN has all ports open on that link.

      As first said, we have had very intermittent problems. Everything was up and running successfully to start with, then we got the RPC errors (which seem to have cleared up now), then replication stopped and I started getting problem (2)

      It looks as though the Australia partition is corrupt in the directory in Thailand, but everywhere I've searched I haven't found a solution to that problem.