Active Directory integrated DNS zones

Hi All,

I'm currently playing with Windows Server 2008 and experimenting with integrated zones. I have two servers in my domain, DC1 and DC2. Each is both a domain controller and a DNS server. Each has its own IP address as the primary DNS server, and the other domain controller as secondary.

I've joined a desktop machine, Desktop01, to the domain. The computer account can be viewed on both domain controllers in Active Directory Users and Computers.

It was originally joined by DC1, which consequently created a host record for it, and I can ping it from DC1.

There is no record for this machine in the DNS server of DC2, and I can't ping it from there.

I would have assumed that the record would have automatically replicated over. Have I missed something here?

Thanks,

David
 
Can you try manually creating some records on each DNS server and see if they replicate? I often find the easiest way to do stuff with Windows Server is just to remove the DNS role from DC2 and re-add it.

Normally it just works out of the box if you follow the wizard.
 
I put a manual record on DC2 and it took about 30 mins for it to be replicated to DC1, which was rather odd...

Going to start from scratch tonight with two new VMs and see what happens. I assume replication should be instant, as integrated zones are contained in the AD replicated files.

What I found odd, though, was that when I was trying to resolve a name on DC2 it wasn't even trying to locate the record on its alternative DNS IP address (DC1).
 
Replication isn't instantaneous.

How do you have your AD Site configured?

Is it not? When user/computer accounts are created, these are automatically replicated to all other domain controllers in the domain; I thought the same would apply to DNS, as they are integrated within the AD DS files.

Can you elaborate on what configuration options you're talking about? They're just two domain controllers in a single domain in a single forest (no child domains), Windows Server 2008 functional level. Everything else is default.
 
Basically, are both DCs configured into the same site under Active Directory Sites and Services?

The default replication schedule for NTDS is once per hour, which is why there will always be a delay in replication of the Active Directory partition information.

The ADUC scenario is slightly different, as they are direct reads and writes to AD, and the FSMO roles dictate which server to look at primarily.
 
Ah I see, thanks for your elaboration.

Yes, both DCs are located under the same site.

So, in a domain with two DCs, what's the best practice regarding DNS? i.e.:
  • Should both DCs be running AD-integrated zones, but forward DNS queries they can't look up locally to the other DC (to compensate for delays in the update)?
  • Should one DC have an integrated zone and the other DC have a primary zone (non-AD-integrated), so that if machines are joined to that DC, DNS records will be added automatically (will this get replicated to the other domain controller)?
  • Should one DC have an integrated zone and the other DC have a secondary zone?

Sorry for the newbie questions, this is the first time for me deploying an entire AD structure from scratch. Your comments are appreciated.
 
Both should be running an AD-integrated zone, with secure updates. Don't be under the delusion that this is two separate AD-integrated zones; it is one. This one zone is updated on the primary DNS server (well, it is when it is a case of a client updating its DNS registration against its connection), and then replicated to all DNS servers in either the forest or the domain (depending on what replication model you chose) once per hour based on the NTDS schedule.

Nice to see someone trying to learn it off their own back however :)
 
Ah yes, I did configure both DCs to only accept secure updates.

I assume the "Primary" DNS server is essentially the first DC I created with the DNS role configured for Integrated DNS.

So, with all that on board, is the following configuration correct?

DC1 - Integrated DNS, primary DNS server : own IP, secondary DNS server: DC2
DC2 - Integrated DNS, primary DNS server : own IP, secondary DNS server: DC1

So hopefully the following will occur:

  • Machine Desktop01 is added to the domain; DC1 was chosen to do this. DC1 created a Computer object as well as a DNS entry.
  • DC2 receives the computer object information from DC1, but not the DNS entry yet.
  • I log onto DC2 locally and attempt to ping Desktop01.
  • DC2 first looks at its own DNS server for the record; it doesn't exist, so it forwards the DNS query to its secondary DNS server (DC1).
  • DC1 replies: it has this record and provides the details.
  • DC2 receives the name resolution data.
  • Eventually (up to an hour later) DNS data is exchanged between the two DCs, and DC2 receives any new records that have been added to DC1 (Desktop01).
  • Happy days.

I also assume this is a two-way exchange, i.e. if both DC1 and DC2 have new DNS records, when the hourly exchange happens they will both synchronise new records and end up with the same as each other.
 
OK, I'm not quite sure what's going on here.

DC1 and DC2 have been configured

DC1 has a DNS record DC2 doesn't have

DC2 has DC1 set as a forwarder

However (performed on DC2):

C:\Windows\system32>ping test2
Ping request could not find host test2. Please check the name and try again.

C:\Windows\system32>nslookup
Default Server: localhost
Address: 127.0.0.1

> server 192.168.50.81
Default Server: [192.168.50.81] (IP Address of DC1)
Address: 192.168.50.81

> test2
Server: [192.168.50.81]
Address: 192.168.50.81

Name: test2.davenet.local
Address: 10.0.0.1

Anyone got any clues?
 
Because if both of my DCs have integrated DNS zones and new records are added, it could be up to an hour before both DCs have an up-to-date record of DNS records. During this time, I need both DCs to request lookups from each other to ensure adequate name resolution.
 
That's a really bad configuration.

I find replication is (nearly) instant between mine anyway, so not sure why you're having trouble. It sounds like paradigm knows more about the finer details, so it could be that my replication schedule is set to some daft period, or there might be something else I'm missing.
 
Are you running Windows Server 2008 with integrated DNS? I too was hoping for instant replication, but as described by Paradigm, the default replication schedule for NTDS is once per hour, and as the DNS information resides in this for AD-integrated DNS, it will take up to this long for the servers to be in sync with DNS records.

If you have a similar setup I'd like to hear what you've got configured.
 
I'm running 2003 where I work but I've also set up 2008 at other small/mid sized businesses and it's never been an issue. In fairness, the only site I've really paid that much attention to is my own site, but if it does happen every hour at the others then it has never caused a problem.

Not sure why you would need DNS to be so up to date with a small setup?
 
I think it's rather me being more over-inquisitive. I understand the benefits from having integrated DNS into AD DS, but currently we just have a primary and secondary DNS setup and modifications are instantly replicated to both servers; seems a little backward to have to wait up to an hour if I went the integrated route. But yeah, you're right; shouldn't really be much of a problem really. This may be different for much larger organisations though.
 
Because if both of my DCs have integrated DNS zones and new records are added, it could be up to an hour before both DCs have an up-to-date record of DNS records. During this time, I need both DCs to request lookups from each other to ensure adequate name resolution.

The simple (and correct) solution is for both DCs to use DC1 as the pDNS. DC2 only ever acts as secondary.

You then have your DHCP scope options configured in the same way: pDNS as DC1 and sDNS as DC2.
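The following is an added toy model (not code from the thread or from any Microsoft component) of why the ping from DC2 failed and why pointing both DCs at DC1 as preferred DNS fixes it: DC2 is authoritative for the single AD-integrated zone, so it answers NXDOMAIN from its own not-yet-replicated copy rather than consulting a forwarder, and a Windows-style client resolver only tries its alternate server when the preferred one does not respond at all. The host name and DC1 address come from the thread; the replication step and class names are constructed for the illustration.

```python
# Constructed model of two DCs sharing one AD-integrated zone, a client
# resolver with preferred/alternate servers, and a forwarder that cannot help.
ZONE = "davenet.local"
NXDOMAIN = "NXDOMAIN"          # negative answer; None below means "no response"

class DnsServer:
    def __init__(self, name, forwarder=None):
        self.name, self.forwarder = name, forwarder
        self.zone = {}          # this DC's replica of the single integrated zone
        self.pending = []       # changes this DC accepted but has not replicated
        self.up = True

    def register(self, host, addr):
        """Secure dynamic update from a client that joined via this DC."""
        self.zone[host] = addr
        self.pending.append((host, addr))

    def query(self, fqdn):
        if not self.up:
            return None         # server down or unreachable: query times out
        host, _, zone = fqdn.partition(".")
        if zone == ZONE:
            # Authoritative for the zone: answer from the local replica only.
            # The forwarder is never consulted for names in a hosted zone.
            return self.zone.get(host, NXDOMAIN)
        return self.forwarder.query(fqdn) if self.forwarder else NXDOMAIN

def replicate(src, dst):
    """One AD replication cycle: dst's replica receives src's pending changes."""
    for host, addr in src.pending:
        dst.zone[host] = addr
    src.pending.clear()

def client_resolve(name, preferred, alternate):
    """Windows-style resolver: alternate is tried only on no response; NXDOMAIN is final."""
    fqdn = name if "." in name else f"{name}.{ZONE}"
    answer = preferred.query(fqdn)
    return alternate.query(fqdn) if answer is None else answer

def scenario():
    dc1, dc2 = DnsServer("DC1"), DnsServer("DC2")
    dc2.forwarder = dc1                      # "DC2 has DC1 set as a forwarder"
    dc1.register("test2", "10.0.0.1")        # record exists on DC1 only
    on_dc2 = client_resolve("test2", preferred=dc2, alternate=dc1)   # ping fails
    direct = dc1.query("test2.davenet.local")  # nslookup> server 192.168.50.81
    fixed = client_resolve("test2", preferred=dc1, alternate=dc2)    # paradigm's fix
    replicate(dc1, dc2)                      # after the NTDS replication cycle
    synced = client_resolve("test2", preferred=dc2, alternate=dc1)
    return on_dc2, direct, fixed, synced
```

`scenario()` returns `("NXDOMAIN", "10.0.0.1", "10.0.0.1", "10.0.0.1")`: the local lookup on DC2 fails, the direct query to DC1 and the DC1-preferred configuration both succeed, and DC2 only answers correctly once replication has run.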
 
I think it's rather me being more over-inquisitive. I understand the benefits from having integrated DNS into AD DS, but currently we just have a primary and secondary DNS setup and modifications are instantly replicated to both servers; seems a little backward to have to wait up to an hour if I went the integrated route. But yeah, you're right; shouldn't really be much of a problem really. This may be different for much larger organisations though.

I'll have a look at my setup in the morning, test it and let you know.
 
That's fair enough, I assumed as much but just wanted to be sure.

Anywho, paradigm, iaind; thank you very much for your responses, I appreciate your input.
 