Active Directory integrated DNS zones

Hi All,

I'm currently playing with Windows Server 2008 and experimenting with Integrated zones. I have two servers in my domain, DC1 and DC2. Each is both a domain controller and a DNS server. Each has its own IP address as the primary DNS server, and the other domain controller as secondary.

I've joined a desktop machine, Desktop01, to the domain. The computer account can be viewed on both domain controllers in Active Directory Users and Computers.

It was originally joined by DC1, and consequently has created a host record for it, and I can ping it from DC1.

There is no record for this machine in the DNS server of DC2, and I can't ping it from there.

I would have assumed that the record would have automatically replicated over. Have I missed something here?

Thanks,

David
 
I put a manual record on DC2 and it took about 30 mins for it to be replicated on DC1, which was rather odd...

Going to start from scratch tonight with two new VM's and see what happens. I assume replication should be instant as integrated zones are contained in the AD replicated files.

What I found odd, though, was that when I was trying to resolve a name on DC2 it wasn't even trying to locate the record on its alternative DNS IP address (DC1).
 
Replication isn't instantaneous.

How do you have your AD Site configured?

Is it not? When user/computer accounts are created these are automatically replicated to all other domain controllers in the domain, I thought the same would apply to DNS as they are integrated within the AD DS files.

Can you elaborate on what configuration options you're talking about? They're just two domain controllers in a single domain in a single forest (no child domains), Windows server 2008 functional level. Everything else is default.
 
Ah I see, thanks for your elaboration.

Yes both DC's are located under the same site.

So, in a domain with two DCs, what's the best practice regarding DNS? I.e.:
  • Should both DCs be running AD Integrated zones, but forward DNS queries they can't look up locally to the other DC (to compensate for delays in the update)?
  • Should one DC have an integrated zone and the other DC have a primary zone (non AD integrated) so that if machines are joined to that DC, DNS records will be added automatically (will this get replicated to the other domain controller?)
  • Should one DC have an integrated zone and the other DC have a secondary zone?

Sorry for the newbie questions, this is the first time for me deploying an entire AD structure from scratch. Your comments are appreciated.
 
Ah yes, I did configure for both DC's to only accept secure updates.

I assume the "Primary" DNS server is essentially the first DC I created with the DNS role configured for Integrated DNS.

So, with all that on board, is the following configuration correct?:

DC1 - Integrated DNS, primary DNS server : own IP, secondary DNS server: DC2
DC2 - Integrated DNS, primary DNS server : own IP, secondary DNS server: DC1

So hopefully the following will occur:

  • Machine Desktop01 is added to the domain, DC1 was chosen to do this. DC1 created a Computer object as well as a DNS entry.
  • DC2 receives the computer object information from DC1, but not the DNS entry yet
  • I log onto DC2 locally, and attempt to ping Desktop01
  • DC2 first looks at its own DNS server for the record, doesn't find it, and forwards the DNS query to its secondary DNS server (DC1)
  • DC1 replies - it has this record, provides details
  • DC2 receives name resolution data.
  • Eventually (up to an hour later) DNS data is exchanged between the two DCs, and DC2 receives any new records that have been added to DC1 (Desktop01).
  • Happy days.

I also assume this is a two-way exchange, i.e. if both DC1 and DC2 have new DNS records, when the hourly exchange happens they will both synchronise the new records and end up with the same data as each other.
 
Ok I'm not quite sure what's going on here.

DC1 and DC2 have been configured

DC1 has a DNS record DC2 doesn't have

DC2 has DC1 set as a forwarder

However (performed on DC2)

C:\Windows\system32>ping test2
Ping request could not find host test2. Please check the name and try again.

C:\Windows\system32>nslookup
Default Server: localhost
Address: 127.0.0.1

> server 192.168.50.81
Default Server: [192.168.50.81] (IP Address of DC1)
Address: 192.168.50.81

> test2
Server: [192.168.50.81]
Address: 192.168.50.81

Name: test2.davenet.local
Address: 10.0.0.1

Anyone got any clues?
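An added check (not from the thread) that shows why the forwarder on DC2 does not help here: a DNS server hosting an AD-integrated copy of davenet.local is authoritative for that zone, so it answers from its own copy and will not forward a query for a name in that zone. The script compares the record on both DCs, shows which AD partition the zone replicates in, and pulls that partition once on demand; it assumes the DnsServer RSAT module and repadmin are available, and uses the thread's names (DC1, DC2, davenet.local, test2).

```powershell
# Added example: compare a host record across both DCs and force one replication
# pull. Assumes the DnsServer module (Windows Server 2012 / Windows 8 RSAT or
# later) and repadmin.exe; zone, record and server names are from the thread.
$Zone    = 'davenet.local'
$Record  = 'test2'
$Servers = 'DC1', 'DC2'

foreach ($dc in $Servers) {
    # Each DC is authoritative for the AD-integrated zone, so a missing record
    # on one DC means "does not exist" there until AD replication delivers it;
    # the forwarder is only consulted for zones the server does not host.
    $z  = Get-DnsServerZone -Name $Zone -ComputerName $dc
    $rr = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A `
              -ComputerName $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $dc
        DsIntegrated  = $z.IsDsIntegrated
        Scope         = $z.ReplicationScope   # Domain, Forest or Legacy
        DynamicUpdate = $z.DynamicUpdate      # Secure is the safe setting
        HasRecord     = [bool]$rr
        Address       = ($rr.RecordData.IPv4Address -join ',')
    }
}

# Pull the partition that stores the zone (DomainDnsZones for the default
# "Domain" scope) from DC1 into DC2 now, instead of waiting for the schedule.
# Syntax: repadmin /replicate <destination DC> <source DC> <naming context>
$Partition = 'DC=DomainDnsZones,DC=davenet,DC=local'
repadmin /replicate DC2 DC1 $Partition

# Inbound replication status per partition on DC2, to confirm the pull worked.
repadmin /showrepl DC2
```

If Scope reports Legacy, the zone lives in the domain partition itself rather than DomainDnsZones, so adjust $Partition to the domain naming context before running the pull.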
 
Because if both of my DC's have integrated DNS zones and new records are added, it could be up to an hour before both DC's have an up to date record of DNS records. During this time, I need both DC's to request lookups from each other to ensure adequate name resolution.
 
Are you running Windows Server 2008 with integrated DNS? I too was hoping for instant replication, but as described by Paradigm, the default replication schedule for NTDS is once per hour, and as the DNS information resides in this for AD integrated DNS, it will take up to this long for the servers to be in sync with DNS records.

If you have a similar setup I'd like to hear what you've got configured.
 
I think it's rather me being more over-inquisitive. I understand the benefits from having integrated DNS into AD DS, but currently we just have a primary and secondary DNS setup and modifications are instantly replicated to both servers; seems a little backward to have to wait up to an hour if I went the integrated route. But yeah, you're right; shouldn't really be much of a problem really. This may be different for much larger organisations though.
 
That's fair enough, I assumed as much but just wanted to be sure.

Anywho, paradigm, iaind; thank you very much for your responses, I appreciate your input.
 