DNS question (I don't know if I need to worry...)

    I'm new at this work, so a lot of things here were the work of former admins, a few of them very rare, like this one:

    - Two domain controllers, both are GC, and both are DNS servers.
    - Although they are on different physical sites, I don't need to put them logically on different sites (bandwidth is not an issue). So they are there just for redundancy.

    I was checking a problem yesterday for some guy at the IT security dept: their SurfControl filter doesn't like our DNS server or is having some problems. I went down to check my DNS servers and indeed I found something rare: both of them were pointing to each other for name resolution, like:

    DC1 ip dns server ->DC2
    DC2 ip dns server ->DC1

    What I always did every time I got to do a new forest/domain (and thought it was a best practice) was to point the DC to itself for name resolution, and if it were to resolve outside addresses, configure forwarding.

    Well, I put everything like I liked, but when I got to the DNS console on both domain controllers I saw what you can see on the attachment. I always saw that folder with the _MSDCS records **inside** the AD zone, not outside. What do you think about it, should I be worried about this? As a sidenote, I must also point out that I cannot ping the name of the domain, I mean the NetBIOS name, i.e. the domain is fulano.com and I can't ping fulano.

    Thanks for looking
    Angelo

  • #2

    Hi Angelo,

    I would ALWAYS point each DC to itself for DNS when they are DNS servers, that way all of the correct SRV records get registered etc...

    Also, the _MSDCS zone will appear under the domain zone if the domain has been upgraded from, or is, Windows 2000.

    As long as you have the zone, all will be fine!
    MCSA/MCSE 2000
    MCSA/MCSE 2003
    CCNA

    I love pies.



    • #3

      1 caveat to what Harry said:

      I would make DC1 be a dns client of itself AND dc2. When a DC is dns client of itself only, it reboots VERY slowly. 2k3 is much faster than 2k in this scenario, but with more than one dc/dns server, set 2 client dns addresses.
      The _msdcs zone display in the GUI changed from 2000 to 2003. It is normal.

      Also, name resolution for fulano probably will not work. When the AD clients query fulano as a netbios name, they ask for a domain named fulano and get an answer, but a ping for fulano will look for a netbios record type of a workstation or a server, and that record does not exist.

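      The two checks Harry and foze.bear describe above (each DC/DNS server listing itself AND a partner DC as its DNS client servers, and the locator SRV records under _msdcs being registered) as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes PowerShell 5.1 on a Windows Server 2012 R2+ or Windows 10+ machine with the ActiveDirectory and DnsClient modules, WinRM access to the DCs and read access to AD. The 2003-era servers in the thread predate these cmdlets; there, `ipconfig /all` and `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` give the same information by hand. The function name, parameter and output fields are my own.

```powershell
<#
  Added example (not from the thread). For every DC in the domain it reports:
    PointsToSelf    - the DC's own DNS client list contains its address (or 127.0.0.1)
    PointsToPartner - the list also contains at least one other DC of the domain
    MissingSrv      - locator SRV records, queried against that DC, that do not name every
                      DC (every GC for the gc records)
  Assumes ActiveDirectory + DnsClient modules, WinRM to the DCs, AD read access.
#>
function Test-DcDnsHealth {
    [CmdletBinding()]
    param(
        # Domain to check, e.g. fulano.com; defaults to the domain this machine belongs to.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $dcs        = @(Get-ADDomainController -Filter * -Server $Domain)
    $dcIps      = @($dcs | ForEach-Object { $_.IPv4Address })
    $forestRoot = (Get-ADForest -Server $Domain).RootDomain

    # Locator records every DC depends on, and which DCs must appear as their targets.
    # The gc records live under the forest root, not under the child domain.
    $srvChecks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Expected = $dcs },
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Expected = $dcs },
        @{ Name = "_ldap._tcp.gc._msdcs.$forestRoot"; Expected = @($dcs | Where-Object IsGlobalCatalog) }
    )

    foreach ($dc in $dcs) {
        # Resolver list as configured on the DC itself (all IPv4 interfaces, de-duplicated).
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
        } | Sort-Object -Unique)

        $selfAddrs = @($dc.IPv4Address, '127.0.0.1')
        $self      = @($servers | Where-Object { $selfAddrs -contains $_ })
        $partners  = @($servers | Where-Object { $selfAddrs -notcontains $_ -and $dcIps -contains $_ })

        # Ask this DC's own DNS service for each locator record; a failed query counts as no targets.
        $missing = foreach ($check in $srvChecks) {
            try {
                $targets = @(Resolve-DnsName -Name $check.Name -Type SRV -Server $dc.IPv4Address -DnsOnly -ErrorAction Stop |
                             Where-Object Type -eq 'SRV' |
                             ForEach-Object { $_.NameTarget.TrimEnd('.') })
            } catch {
                $targets = @()
            }
            foreach ($expected in $check.Expected) {
                if ($targets -notcontains $expected.HostName) { "$($check.Name) -> $($expected.HostName)" }
            }
        }
        $missing = @($missing)

        [pscustomobject]@{
            DC              = $dc.HostName
            DnsServers      = ($servers -join ', ')
            PointsToSelf    = $self.Count -gt 0
            PointsToPartner = $partners.Count -gt 0
            MissingSrv      = $missing
            Healthy         = ($self.Count -gt 0) -and ($partners.Count -gt 0) -and ($missing.Count -eq 0)
        }
    }
}

# Usage: Test-DcDnsHealth -Domain fulano.com | Format-Table -AutoSize
```

      Angelo's original setup (DC1 pointing only at DC2 and vice versa) shows up here as PointsToSelf = False with PointsToPartner = True on both DCs; Harry's "self only" setup shows PointsToPartner = False, which is the slow-reboot case foze.bear warns about. MissingSrv is non-empty when a DC's Netlogon registrations did not reach the DNS server that DC itself queries, which is the failure that makes clients unable to find a DC.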


      • #4

        good shout Foze.bear,

        I definitely agree with that, always best to have a secondary in there for fault tolerance.
        MCSA/MCSE 2000
        MCSA/MCSE 2003
        CCNA

        I love pies.



        • #5

          Not just fault tolerance, but on a reboot, AD will try to start before DNS. The Domain Controller will try to query DNS to find itself, before DNS will be up to answer. It's a catch 22. DNS Zones in AD, so AD needs to load for the Zones, but AD needs DNS to load.



          • #6

            Isn't there just an extra unneeded Primary zone? The _msdcs.mydomain.com Primary Zone is superfluous?
            Looking at the image I see two Primary Zones. One (let's say) mydomain.com and the other _msdcs.mydomain.com. Now the mydomain.com zone has a subzone called _msdcs which appears to have no subzones (no plus beside it, also the icon is that of a Primary Zone).

            Or is there a reason/gain for doing this? It can be removed/rebuilt without problems?
            To answer the "need I worry" question I think the answer is no. It works as is so everyone is happy.

            *****************Just my recent experience, there are risks to doing this and no real gain :/ *********************
            I've recreated the scenario and deleted the primary zone _msdcs.mydomain.com and the sub zone _msdcs. I then stopped and restarted the DNS server and the _msdcs sub zone looks to have recreated itself. All seems ok.
            ***************************Just my recent experience*******************************



            Originally posted by angelo:
            as a sidenote, I also must point that I cannot ping the name of the domain, I mean the netbios name, i.e. the domain is fulano.com I cant ping fulano
            You could just add a cname (alias) to your DNS for this if you need to resolve it.
            Last edited by Maebe; 8th September 2007, 14:30.
            I don't know anything about (you or your) computers.
            Research/test for yourself when listening to free advice.



            • #7

              Haven't seen it mentioned, but what about trying dcdiag /fix and see what happens.
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2



              • #8

                Look, this is the way all 2k3 DNS servers display it.



                • #9

                  Originally posted by foze.bear:
                  Look, this is the way all 2k3 DNS servers display it.
                  Oh, guess my working DNS must be broken then as it looks nothing like the above.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2



                  • #10

                    Not trying to insult you, but this is how every 2k3 server I have worked on looks. Is yours an upgrade from a 2000 domain? All I know is that Angelo's situation looks like all servers that I have seen.
                    Last edited by foze.bear; 10th September 2007, 18:25.



                    • #11

                      Like Biggles mine is displayed as a subzone of the primary not as a primary itself.
                      I've looked at a Win2k one and it also displays the _msdcs domain as a subdomain of the primary.

                      It seems both are valid configurations?
                      It may be down to initial configuration or service pack or the direction of the wind or local settings or?
                      I don't know anything about (you or your) computers.
                      Research/test for yourself when listening to free advice.



                      • #12

                        First of all, thanks for the reply. I don't know why notifications of the threads don't reach my email; I forgot about this with the situation I had ATM.

                        With further investigation, I found a few problems in the DNS infrastructure here (I'm new on this job), which fortunately could be fixed relatively easily.



                        • #13

                          Originally posted by foze.bear:
                          1 caveat to what Harry said:

                          I would make DC1 be a dns client of itself AND dc2. When a DC is dns client of itself only, it reboots VERY slowly. 2k3 is much faster than 2k in this scenario, but with more than one dc/dns server, set 2 client dns addresses.
                          The _msdcs zone display in the GUI changed from 2000 to 2003. It is normal.

                          Also, name resolution for fulano probably will not work. When the AD clients query fulano as a netbios name, they ask for a domain named fulano and get an answer, but a ping for fulano will look for a netbios record type of a workstation or a server, and that record does not exist.
                          For what it's worth, before I got hired here I used to manage Windows 2000 Server, and on every other AD I configured I recall this ping on the domain would work fine. I'm not Microsoft certified, so I can't speak for cert knowledge, just practice and real-world troubles, but I always used this "ping to domain" thing to certify DNS was in good health so workstations wouldn't have problems logging on to the domain; in fact this is not true, because all was working despite the fact that the domain didn't reply... After I got a few things fixed, now the domain replies to my pings to the sole domain name, and everything is still good.

                          Thanks!
                          Last edited by angelo; 25th October 2007, 15:43.



                          • #14

                            ping doesn't use DNS in the first place unless you're using the FQDN
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"



                            • #15

                              Dumber is correct - you have to ping <domain>.<TLD> and not just <domain> to test DNS.
                              Also where the _msdcs folder is coloured grey you can safely delete it. I have done this on several installations and no harm has come, as long as the SRV records are correctly registered.
                              TIA

                              Steven Teiger [SBS-MVP(2003-2009)]
                              http://www.wintra.co.il/
                              I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                              We don't stop playing because we grow old, we grow old because we stop playing.

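                              Marcel's and Steven's point that DNS is tested with the FQDN, together with foze.bear's explanation of why the single-label name takes a different route, as an added PowerShell example. This is not code from the thread; it assumes Resolve-DnsName (Windows 8 / Server 2012 and later) on a domain member, and the function name and output fields are my own. It resolves the domain name three ways so you can see which path each answer came from.

```powershell
<#
  Added example (not from the thread). Resolves the domain name via DNS as an FQDN, via DNS
  as a single label, and via NetBIOS/LLMNR as a single label, and reports what each returns.
  Assumes Resolve-DnsName is available (Windows 8 / Server 2012+) and the machine is a
  domain member with its DNS suffix set to the domain.
#>
function Test-DomainNameResolution {
    [CmdletBinding()]
    param(
        # Domain name as in the thread, e.g. fulano.com
        [Parameter(Mandatory)][string]$Domain
    )

    $short  = $Domain.Split('.')[0]
    $report = [ordered]@{ Domain = $Domain; ShortName = $short }

    # 1. FQDN, DNS only. The trailing dot stops suffix appending. Netlogon on each DC
    #    registers an A record for the domain name itself (the "(same as parent folder)"
    #    records), so a healthy domain answers with the DC addresses.
    try {
        $report.FqdnDnsAddresses = @(Resolve-DnsName -Name "$Domain." -Type A -DnsOnly -ErrorAction Stop |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    } catch {
        $report.FqdnDnsAddresses = @()
    }

    # 2. Single label, DNS only. The resolver can only turn "fulano" into a DNS name by
    #    appending a suffix (fulano -> fulano.fulano.com), which normally has no record.
    #    ShortDnsResolvedAs shows what name was actually answered, if any.
    try {
        $r = @(Resolve-DnsName -Name $short -Type A -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'A')
        $report.ShortDnsAddresses  = @($r | Select-Object -ExpandProperty IPAddress)
        $report.ShortDnsResolvedAs = @($r | Select-Object -ExpandProperty Name | Sort-Object -Unique)
    } catch {
        $report.ShortDnsAddresses  = @()
        $report.ShortDnsResolvedAs = @()
    }

    # 3. Single label, NetBIOS/LLMNR only. This is the path a bare "ping fulano" falls back to.
    #    The domain name exists in NetBIOS as group names (for example <domain>[1C] registered
    #    by the DCs), not as a unique host name, so a host lookup may come back empty even
    #    when DNS is perfectly healthy, which is foze.bear's point above.
    try {
        $report.ShortNetbiosAddresses = @(Resolve-DnsName -Name $short -LlmnrNetbiosOnly -ErrorAction Stop |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    } catch {
        $report.ShortNetbiosAddresses = @()
    }

    # The DNS health verdict depends only on the FQDN answer, as Marcel and Steven say.
    $report.DnsHealthy = $report.FqdnDnsAddresses.Count -gt 0
    [pscustomobject]$report
}

# Usage: Test-DomainNameResolution -Domain fulano.com | Format-List
```

                              A domain where "ping fulano" fails but the FQDN resolves to the DC addresses is reported here as DnsHealthy = True with an empty ShortNetbiosAddresses list, i.e. the situation Angelo first hit. If FqdnDnsAddresses is empty on a domain member, the "(same as parent folder)" A records have not been registered by the DCs, and that, not the short name, is the thing to fix.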
