amulnick (Posts: 163), 05/18/2007 6:20 AM
BTW, the DNS suffix search order seems to be correct on the child domain based on the ipconfig output. Those child servers should be able to find hosts in both domains by shortname query.

Question: when you delegated the zone, what shows up on the root server DNS console (or via dnscmd if you're using the CLI)? You should have stub^^^ and NS and corresponding A RR in the delegated zone when looking at the root server DNS zones. When looking at the child server (what the NS and A RR define) you should have a full zone. Make sense?

Al

On 5/18/07, hboogz wrote:

Just so that we're clear. The following tests are from the DC (sole DC) in the child domain. All is good.

  C:\>nslookup aaracena.jacwf.phippsny.org
  Server:  phjacdc1.jacwf.phippsny.org
  Address:  192.168.31.3

  Name:    aaracena.jacwf.phippsny.org
  Address:  192.168.31.250

  C:\>nslookup angel.jacwf.phippsny.org
  Server:  phjacdc1.jacwf.phippsny.org
  Address:  192.168.31.3

  Name:    aaracena.jacwf.phippsny.org
  Address:  192.168.31.250
  Aliases:  angel.jacwf.phippsny.org

  C:\>ipconfig/all

  Windows IP Configuration

     Host Name . . . . . . . . . . . . : phjacdc1
     Primary Dns Suffix  . . . . . . . : jacwf.phippsny.org
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : jacwf.phippsny.org
                                         phippsny.org

  Ethernet adapter Local Area Connection:

     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
     Physical Address. . . . . . . . . : 00-13-72-59-45-A7
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 192.168.31.3
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 192.168.31.1
     DNS Servers . . . . . . . . . . . : 192.168.31.3
     Primary WINS Server . . . . . . . : 192.168.31.3
On 5/18/07, hboogz wrote:

Al - I added the PTR, so that issue is resolved. Whew. The ipconfigs I sent you were from the 2 DCs in the phippsny.org domain and my workstation within the phippsny.org domain [hsingh.phippsny.org]. When I kick off an nslookup from a client within the jacwf.phippsny.org domain, the name resolution works fine. My name resolution problems are occurring from servers/clients within the phippsny.org domain.
On 5/18/07, Al Mulnick wrote:
First things first.
192.168.1.22 (phprint1) doesn't have a reverse lookup record - that's what you're seeing in the nslookup. Not a biggie, but... Why does that child DC have the same DNS suffix as the parent domain? Did you change that setting manually?
Focus on the child domain for a minute: you should be able to use nslookup and resolve aaracena.jacwf.phippsny.org on that child domain dns server. Until you can, there's no point in looking to the root domain to do it.
Something not right there... can you check the zone for the records and see that record in there? (use the gui). Can you check the event log?
On 5/18/07, hboogz wrote:
Results:

Parent domain: phippsny.org

1st DC:

  C:\>nslookup aaracena.jacwf.phippsny.org
  Server:  phdc1.phippsny.org
  Address:  192.168.1.1

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to phdc1.phippsny.org timed-out

  C:\>nslookup angel.jacwf.phippsny.org
  Server:  phdc1.phippsny.org
  Address:  192.168.1.1

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to phdc1.phippsny.org timed-out

2nd DC in parent domain (preferred DNS now pointing to itself and forwarders pointing to ISP):

  C:\>nslookup aaracena.jacwf.phippsny.org
  *** Can't find server name for address 192.168.1.22: Non-existent domain
  Server:  UnKnown
  Address:  192.168.1.22

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to UnKnown timed-out

  C:\>nslookup angel.jacwf.phippsny.org
  *** Can't find server name for address 192.168.1.22: Non-existent domain
  Server:  UnKnown
  Address:  192.168.1.22

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to UnKnown timed-out

IPconfig results

1st DC:

  C:\>ipconfig/all

  Windows IP Configuration

     Host Name . . . . . . . . . . . . : PHDC1
     Primary Dns Suffix  . . . . . . . : phippsny.org
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : phippsny.org

  Ethernet adapter Local Area Connection:

     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
     Physical Address. . . . . . . . . : 00-13-72-4B-1F-E8
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 192.168.1.1
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 192.168.1.80
     DNS Servers . . . . . . . . . . . : 192.168.1.1
                                         192.168.1.22
     Primary WINS Server . . . . . . . : 192.168.1.1

2nd DC in parent domain:

  C:\>ipconfig/all

  Windows IP Configuration

     Host Name . . . . . . . . . . . . : phprint1
     Primary Dns Suffix  . . . . . . . : phippsny.org
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : phippsny.org

  Ethernet adapter Local Area Connection 7:

     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
     Physical Address. . . . . . . . . : 00-14-22-1E-3A-DD
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 192.168.1.22
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 192.168.1.80
     DNS Servers . . . . . . . . . . . : 192.168.1.22
                                         192.168.1.1
     Primary WINS Server . . . . . . . : 192.168.1.22

My workstation:

  C:\WINDOWS>ipconfig /all

  Windows IP Configuration

     Host Name . . . . . . . . . . . . : HSINGH
     Primary Dns Suffix  . . . . . . . : phippsny.org
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : phippsny.org

  Ethernet adapter Local Area Connection:

     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
     Physical Address. . . . . . . . . : 00-18-8B-7A-6D-20
     Dhcp Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 192.168.1.8
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 192.168.1.80
     DNS Servers . . . . . . . . . . . : 192.168.1.1
                                         192.168.1.22
     Primary WINS Server . . . . . . . : 192.168.1.1

Thank you both for the extended help; it's, as always, greatly appreciated. I made an item bold which I think appears suspicious: the IPCONFIG results show a DNS suffix search list of just phippsny.org and don't show jacwf.phippsny.org. I removed the manual listing within the NIC properties of both servers and my workstation, but it still does appear. I checked the Default Domain GPO and Default Domain Controller GPO and don't see anything specifically enabling the setting placing the DNS suffix.
On 5/18/07, Akomolafe, Deji wrote:
Try what Al says, and let's see the results.
In the meantime....
>>>I've seen instances where dns/ad replication issues sometimes take a day or two....

Not in this instance, no. Should not take minutes, much less hours or days. If you create a record and ask the server for the record, it should just fetch it and hand it over to you - unless you are having "other issues".

>>>Additionally, as it stands i don't have the dns suffices explicitly defined in and of the DC's NIC properties --- should i enable this feature.

A short explanation of the suffixes and how they impact resolution: the suffixes that you create on a DNS server (in TCP/IP) have no bearing on how it resolves a lookup request on behalf of a client. The suffixes on the clients are what determine what the DNS server sends back in response. There is more to this, but it will only lead us down a different path. Suffice to say, your clients will append the suffix of the domain name to which they belong IF they ask for a single-labeled record (like "Angel"). If they get a negative response to that query, and you are assigning suffixes through GPO, then the client retries the query by appending the suffixes that it got from GPO. If you don't use GPO for suffixes, then the client looks for suffixes defined in TCP/IP and appends them to the query. So, when you are sitting at a client's console and asking for "Angel", your client is actually looking for "Angel.whatever-suffix-is-defined-wherever". This is the query that it sends to the DNS server. The suffix that you have defined on/for the DNS server has no bearing in this scenario, unless the lookup request is coming from the DNS server itself - in which case it will be acting as a "DNS client". Hope that makes sense.

So, to go back to our regularly-scheduled program, do the simple query that Al suggested, then give us the result. It will be helpful if you could send the result of "ipconfig /all" from both the DNS server and the client you are performing the lookup from.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick
Sent: Fri 5/18/2007 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

Try a query for aaracena.jacwf.phippsny.org
Nslookup aaracena.jacwf.phippsny.org
What do you get?
How about for angel.jacwf.phippsny.org ?
From any of the dns servers? Are the responses the same from each?
(be sure to use the exact question.)

On 5/18/07, hboogz <hboogz@gmail.com> wrote:

Okay, here goes: I made the changes as indicated by Deji and I re-created the delegation using the steps provided. I restarted all DCs, but the shortname resolution from any clients/servers in the parent company does not resolve just yet. I am going to wait a day for everything to get re-adjusted/reacquainted with each other again.. =) But preliminary nslookup tests from within any client at company.org show that it doesn't even know of a site.company.org subdomain.. Look at the following nslookup example from my workstation (member of company.org):

  C:\WINDOWS>nslookup
  Default Server:  phdc1.phippsny.org
  Address:  192.168.1.1

  > set d2
  > angel
  Server:  phdc1.phippsny.org
  Address:  192.168.1.1

  ------------
  SendRequest(), len 36
      HEADER:
          opcode = QUERY, id = 2, rcode = NOERROR
          header flags:  query, want recursion
          questions = 1,  answers = 0,  authority records = 0,  additional = 0

      QUESTIONS:
          angel.phippsny.org, type = A, class = IN

  ------------
  ------------
  Got answer (95 bytes):
      HEADER:
          opcode = QUERY, id = 2, rcode = NXDOMAIN
          header flags:  response, auth. answer, want recursion, recursion avail.
          questions = 1,  answers = 0,  authority records = 1,  additional = 0

      QUESTIONS:
          angel.phippsny.org, type = A, class = IN
      AUTHORITY RECORDS:
      ->  phippsny.org
          type = SOA, class = IN, dlen = 35
          ttl = 3600 (1 hour)
          primary name server = phdc1.phippsny.org
          responsible mail addr = admin
          serial  = 82327
          refresh = 900 (15 mins)
          retry   = 600 (10 mins)
          expire  = 86400 (1 day)
          default TTL = 3600 (1 hour)

  ------------
  *** phdc1.phippsny.org can't find angel: Non-existent domain
  >

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The following is the same nslookup query from within a server at the site.company.org domain.

  C:\>nslookup
  Default Server:  phjacdc1.jacwf.phippsny.org
  Address:  192.168.31.3

  > set d2
  > angel
  Server:  phjacdc1.jacwf.phippsny.org
  Address:  192.168.31.3

  ------------
  SendRequest(), len 42
      HEADER:
          opcode = QUERY, id = 2, rcode = NOERROR
          header flags:  query, want recursion
          questions = 1,  answers = 0,  authority records = 0,  additional = 0

      QUESTIONS:
          angel.jacwf.phippsny.org, type = A, class = IN

  ------------
  ------------
  Got answer (81 bytes):
      HEADER:
          opcode = QUERY, id = 2, rcode = NOERROR
          header flags:  response, auth. answer, want recursion, recursion avail.
          questions = 1,  answers = 2,  authority records = 0,  additional = 0

      QUESTIONS:
          angel.jacwf.phippsny.org, type = A, class = IN
      ANSWERS:
      ->  angel.jacwf.phippsny.org
          type = CNAME, class = IN, dlen = 11
          canonical name = aaracena.jacwf.phippsny.org
          ttl = 3600 (1 hour)
      ->  aaracena.jacwf.phippsny.org
          type = A, class = IN, dlen = 4
          internet address = 192.168.31.250
          ttl = 1200 (20 mins)

  ------------
  Name:    aaracena.jacwf.phippsny.org
  Address:  192.168.31.250
  Aliases:  angel.jacwf.phippsny.org

  >

I've seen instances where dns/ad replication issues sometimes take a day or two to resolve themselves after the necessary resolution steps have been implemented. So, I'll report back on this resolution issue tomorrow.

Additionally, as it stands I don't have the DNS suffixes explicitly defined in any of the DC's NIC properties --- should I enable this feature?

On 5/18/07, Al Mulnick <amulnick@gmail.com> wrote:
And the forwarders? Don't forget the forwarders.

On 5/18/07, hboogz <hboogz@gmail.com> wrote:

I'm setting up an Optiplex as we speak! And I'll make sure that this Optiplex points to itself as the preferred DNS and the 1st DC in the child for secondary.

On 5/18/07, Akomolafe, Deji wrote:
>>>but outside of installing 2k3 onto a dell optiplex
And, what's wrong with doing so? You think DCs are too proud to be seen in Optiplexes? :-p

The way you are set up right now, you are one "ooops!" away from sleepless nights of disaster recovery. An additional DC installed on even the cheapest and most basic piece of "Fry's" no-name PC will do you a lot of good. If your standards are too high for such things, then just install an additional virtual DC.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: hboogz
Sent: Fri 5/18/2007 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

Sounds like a great workable topology change. I'm going to implement the change this afternoon (summer hours are in effect, Yippee!). I do know I need another DC, but outside of installing 2k3 onto a Dell Optiplex, there isn't any more money available for another server.

On 5/18/07, Al Mulnick <amulnick@gmail.com> wrote:
Using Deji's topology is going to work just as well and greatly simplify your environment and make it as reliable as it would get (you should deploy a second dc in the child domain - you know that right?). Captain's choice on that as delegation would likely work just fine and it is in keeping with DNS standards to delegate a child zone like that. Be sure that your shortname resolution is functioning. I think from your last post that it's not, although WINS (netbios) resolution seems to eventually work. That's not what you want and is likely a symptom of your shortname resolution issues. (suffix search order). When you try to resolve using fqdn, why does it fail if you add in a cname record? That's not expected at all if the zones are hosting the records. We may have to come back to that. Use nslookup vs. ping. Use the D2 option to see what it's doing and post results. I think that will help to show where the issue is.
On 5/17/07, Akomolafe, Deji wrote:
How about we re-write this.....
From the DNS Server
Parent domain: 2 DCs. 1st DC pointing to itself as preferred DNS and 2nd DNS as secondary, and forwarders set out to ISP DNS. 2nd DC pointing to itself as preferred DNS and 1st DNS as secondary, and forwarders set out to ISP DNS. NOTE: You could point each DC to each other for primary as well, but the above should work.

Forest root domain: company.org
Child domain: site.company.org, delegated to the child DNS server (you just r-click on company.com and select "New Delegation", type in site and put in the IP addresses of the child DNS server)

Child domain: DC's preferred DNS server is pointing to itself as preferred DNS, and forwarders set out to the 2 parent DNS servers.
In DHCP scope for the child domain, ensure that the ONLY DNS server specified for your clients is the child DNS server. What you want to ensure here is that your internal clients are using only your internal DNS servers for lookup. So, if you are not assigning IP addresses through DHCP, you want to be sure that your manual entries in TCP/IP only specifies the internal DNS server. You should do the same thing at the parent level also, using only the 2 internal DNS servers.
After you have done this, if your lookups still fail, let us see how you are performing the lookup query.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: hboogz
Sent: Thu 5/17/2007 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?
Thanks for the response Al. Now, let me clear up my design and issue.

Design:
Forest root domain: company.org
Child domain: site.company.org

Parent domain: 2 DCs. 1 DC pointing to itself as preferred DNS and forwarders set out to ISP DNS. 2nd DC pointing to 1st DC for preferred DNS and itself as secondary. Its forwarders are only set to 1st DC.

Child domain: DC's preferred DNS server is pointing to 1st DC in parent domain as preferred DNS server, pointing to itself for secondary DNS. Forwarders only set to 1st DC at parent domain and ISP DNS in as secondary (below 1st DC).

The link between both sites isn't physically far and a T1 connection is at the child domain site, so I'm not too worried about the reliance and latency normally associated with this design. I followed the following articles: http://support.microsoft.com/kb/825036 and http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1246254,00.html?bucket=ETA&topic=305575

Which brings me to my other question. Specifically, the part of the above article that reads: "Delegate the _msdcs zone in a multiple domain environment." I'm not sure how to accomplish that, but more importantly, the in-the-field benefit(s)?

When I mention not resolvable, I specifically mean: whenever I create a new RR in the child domain, CNAME or A, the newly created RR is not pingable/resolvable from a workstation within the child domain. The above design helped resolve issues with users in the child domain not being able to log into OWA. Previously, I had an all primary and secondary zone file setup between DNS servers, reverse and forward zones. Since I have such a relatively small implementation of DNS, could you explain how I could possibly benefit from implementing stub zones?

Best Regards,

When I mention resolvable: I'm referring to when I try to ping a client by its newly created RR, either CNAME or A record, from a workstation.
On 5/17/07, Al Mulnick wrote:

That's not really enough information. When you say "...are not resolvable,..." can you give an example?

Basically, this is DNS. Not complex or anything like that and there is no magic. You must be able to resolve the record from the client when you make the query. For example, if you are looking for a DC in the root, you'd make a query to a DNS server (likely your DC in subdomain.rootdomain.com) and ask for rr.rootdomain.com. If you don't ask for that, you won't get a result. By default when you join a domain, your client will configure itself to use its domain as the DNS suffix search information. If you ask for a record by shortname, you'll really be asking for host.subdomain.rootdomain.com on the wire. Of course, there's only one server there, so your request fails and never asks for rootdomain information. Pay attention to your suffix search configuration.

Delegate the zone? I can't for the life of me think of a reason in the environment you described why I'd want to do it that way. I know for larger orgs I might consider such a thing, but for what you described, I'd use stub zones.

I also have to ask if you're sure you want to use a root/child domain structure. Not as common as it used to be. Why the added complexity?

Al

On 5/17/07, hboogz wrote:

Thanks Jorge - How exactly do you implement the following recommendation? I've also read about delegating the ._msdcs.. zone --- where/how would I accomplish that? I've noticed that now that I've converted all zones to AD-integrated, when I create a new record or a CNAME the records are not resolvable. I know that across domains DNS replication won't kick in until AD replication kicks in, but is there a way for me to manually replicate the zone changes using dnscmd? I have a single child domain that points to a forest root DNS server and is forwarding to the same forest root DNS server, so I imagine any record additions/deletions in the child domain will only take place once the zone has been replicated across.
On 5/15/07, Almeida Pinto, Jorge de <jorge.de.almeida.pinto@logicacmg.com> wrote:

If _MSDCS.. is a sub-domain of . and you have not set up forwarding and/or secondary zones, you will experience issues with name resolution and even with replication.... A common configuration for a W2K3 AD env. is:

- . -> repl. scope in domain-wide DNS app NC of forest root domain (replicates to all DCs in the domain that ALSO host DNS services)
- _msdcs.. -> repl. scope in forest-wide DNS app NC (replicates to all DCs in the forest that ALSO host DNS services)
- . or .. -> repl. scope in domain-wide DNS app NC of its own domain (replicates to all DCs in the domain that ALSO host DNS services)
- On DNS servers in a parent domain, configure DNS delegation for the child domain
- On DNS servers in a child domain, configure DNS forwarding to the parent domain. You can configure this on a per-server basis or configure forwarding within AD. For the latter you cannot use the DNS GUI, but you must use the DNSCMD CLI tool. (DnsCmd /ZoneAdd /DsForwarder /DP [FQDN | domain | forest | legacy])
Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Addr.: Kennedyplein 248, 5611 ZT, Eindhoven - Addr.: P.O. Box 7089, 5605 JB, Eindhoven
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail:
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz
Sent: Friday, May 04, 2007 22:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

ok. what I figured.. I've made the change to the child, but for some reason I still get this error from dcdiag from the DNS servers in the root domain.

  Testing server: jacwf\PHJACDC1
     Starting test: Connectivity
        * Active Directory LDAP Services Check
        The host 9a01e97a-0554-4b47-b4cc-587bf6105197._msdcs.phippsny.org could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
        ......................... PHJACDC1 failed test Connectivity

I've also read about delegating the ._msdcs.company.org zone --- should this be a possible solution? I've just converted to AD-integrated zones from all standard primary and secondary zones...

On 5/4/07, Brian Desmond wrote:

What they're saying is you should set the forwarders on the child domain DNS server to be the parent domain DNS servers.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz [hboogz@gmail.com]
Sent: Friday, May 04, 2007 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DNS Child Domain Settings ?

I'd like some clarification on how the following excerpt from a searchwinit.com article should be interpreted and implemented.

"In a parent/child domain environment, there should be an authoritative name server in each child domain. All clients (workstations, servers, DCs) in that domain should point to this name server for a DNS. To make this work, you must create a delegation for the child domain in the root domain and add the IP address of all DNS servers in the child domain to that delegation. In addition, in the child domain's name servers, they must forward back to the parent's DNS servers."

I have a parent/child domain setup. I've set up the delegation in the parent/root domain DNS server and pointed the delegation to the single DNS server in the child domain (which is a Win2k3 R2 AD box). I don't quite follow the "forward back to the parent's DNS servers" part. In my root domain I have two DNS/AD-integrated zones/AD servers. In the child domain I have a single AD/DNS/AD-int zone'd box -- should I adjust its (child DNS/AD box) NIC to point back to one of the root domain DNS servers and the secondary point to itself (child DNS/AD), and set up forwarders to just point back to the root domain's DNS servers? I'm having some weird Exchange/OWA issue with only child domain users, and of course I'm thinking it could be DNS related, hence the above.

As always, thanks.
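To make Deji's explanation of suffix handling concrete, here is an added Python simulation (not from the thread or any of its authors) of how a Windows client expands a single-label query and what the DNS server then actually receives; the zone contents are constructed from the names quoted in the thread, and the search-list remedy in the last call is an assumption rather than something the thread shows configured.

```python
"""Simulate the Windows DNS client suffix search that Deji describes:
a single-label query is never sent bare; the client appends its primary
DNS suffix (devolved to the parent domain) or an explicit search list,
and the DNS server only ever sees the fully qualified candidate.
The zone data is constructed from names quoted in this thread."""
from __future__ import annotations
from typing import Optional

# Constructed zone data: zone name -> {owner name: (type, rdata)}.
ZONES: dict[str, dict[str, tuple[str, str]]] = {
    "phippsny.org": {
        "phdc1.phippsny.org": ("A", "192.168.1.1"),
        "phprint1.phippsny.org": ("A", "192.168.1.22"),
    },
    "jacwf.phippsny.org": {
        "phjacdc1.jacwf.phippsny.org": ("A", "192.168.31.3"),
        "aaracena.jacwf.phippsny.org": ("A", "192.168.31.250"),
        "angel.jacwf.phippsny.org": ("CNAME", "aaracena.jacwf.phippsny.org"),
    },
}


def candidate_names(name: str, primary_suffix: str,
                    search_list: Optional[list[str]] = None,
                    devolution: bool = True) -> list[str]:
    """Return the FQDNs a Windows resolver tries for `name`, in order.

    - A trailing dot marks an absolute name: tried as-is, nothing appended.
    - An explicit search list (GPO or TCP/IP settings) replaces the
      primary suffix and devolution entirely.
    - Otherwise the primary suffix is used, then devolved one label at a
      time down to its two-label parent (jacwf.phippsny.org ->
      phippsny.org), which is what the child DC's ipconfig shows.
    - A dotted but unqualified name is tried as an FQDN first, then with
      the suffixes appended (simplified model of the Windows behaviour).
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if search_list:
        suffixes = list(search_list)
    else:
        labels = primary_suffix.split(".")
        suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
        suffixes = suffixes[:1] if not devolution else suffixes
        suffixes = suffixes or [primary_suffix]
    candidates = [name] if "." in name else []
    candidates += [f"{name}.{suffix}" for suffix in suffixes]
    return candidates


def lookup(fqdn: str) -> Optional[tuple[str, str]]:
    """Answer one FQDN from ZONES, following CNAMEs.

    Returns (canonical name, address) or None for NXDOMAIN.  The zone
    consulted is the longest one whose name is a suffix of the query,
    so angel.phippsny.org is answered (negatively) by phippsny.org and
    never touches the delegated jacwf.phippsny.org zone.
    """
    fqdn = fqdn.lower()
    for _ in range(8):  # bound the CNAME chain length
        zone = max((z for z in ZONES if fqdn == z or fqdn.endswith("." + z)),
                   key=len, default=None)
        if zone is None or fqdn not in ZONES[zone]:
            return None
        rtype, rdata = ZONES[zone][fqdn]
        if rtype == "A":
            return fqdn, rdata
        fqdn = rdata.lower()  # CNAME: restart with the canonical name
    return None


def resolve(name: str, primary_suffix: str,
            search_list: Optional[list[str]] = None
            ) -> tuple[str, Optional[str], Optional[str]]:
    """Walk the candidates the way the client does.

    Returns (queried fqdn, canonical name, address) for the first hit,
    or (last queried fqdn, None, None) when every candidate is NXDOMAIN,
    which is the "can't find angel: Non-existent domain" the thread
    shows from the parent-domain workstation.
    """
    tried = candidate_names(name, primary_suffix, search_list)
    for fqdn in tried:
        answer = lookup(fqdn)
        if answer is not None:
            return fqdn, answer[0], answer[1]
    return tried[-1], None, None


if __name__ == "__main__":
    # Workstation hsingh.phippsny.org: search list is just phippsny.org.
    print(resolve("angel", "phippsny.org"))
    # Child DC phjacdc1: primary suffix devolves to phippsny.org too.
    print(resolve("angel", "jacwf.phippsny.org"))
    # Assumed remedy for parent-side clients (not shown configured in the
    # thread): add the child suffix to their search list.
    print(resolve("angel", "phippsny.org", ["phippsny.org", "jacwf.phippsny.org"]))
```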
amulnick (Posts: 163), 05/18/2007 10:00 AM
Using Deji's topology is going to work just as well and greatly simplify your environment and make it as reliable as it would get (you should deploy a second DC in the child domain - you know that right?). Captain's choice on that as delegation would likely work just fine and it is in keeping with DNS standards to delegate a child zone like that. Be sure that your shortname resolution is functioning. I think from your last post that it's not, although WINS (NetBIOS) resolution seems to eventually work. That's not what you want and is likely a symptom of your shortname resolution issues (suffix search order). When you try to resolve using FQDN, why does it fail if you add in a CNAME record? That's not expected at all if the zones are hosting the records. We may have to come back to that. Use nslookup vs. ping. Use the d2 option to see what it's doing and post results. I think that will help to show where the issue is.

On 5/17/07, Akomolafe, Deji wrote:
How about we re-write this.....
From the DNS Server
Parent domain: 2 DC's. 1st DC pointing to itself as preferred DNS and2nd DNSas secondary, and Forwarders set out to ISP DNS. 2nd DC pointing to itself aspreffered DNS and1st DNSas secondary, and Forwarders set out to ISP DNS. NOTE: You could point each DC to each other for primary as well, but the above should work. Forest root domain: company.orgChild domain: site.company.org delegated to the child DNS server (you just r-click on company.com and select "New Delegation, type in site and put in the IP addresses of the child DNS server)
Child Domain:DC's preferred DNS server is pointing to itself as preferred DNS, and Forwarders set out to the 2 parent DNS servers
In DHCP scope for the child domain, ensure that the ONLY DNS server specified for your clients is the child DNS server. What you want to ensure here is that your internal clients are using only your internal DNS servers for lookup. So, if you are not assigning IP addresses through DHCP, you want to be sure that your manual entries in TCP/IP only specifies the internal DNS server. You should do the same thing at the parent level also, using only the 2 internal DNS servers.
After you have done this, if your lookups still fail, let us see how you are performing the lookup query.
Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com- we know IT-5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: hboogzSent: Thu 5/17/2007 3:12 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: DNS Child Domain Settings ? Thanks for the response Al. Now, let me clear up my design and issue.Design:Forest root domain: company.orgChild domain: site.company.org Parent domain: 2 DC's. 1 DC pointing to itself as preferred DNS and Forwarders set out to ISP DNS. 2nd DC pointing to 1st DC for preffered DNS and itself as secondary. Its Forwarders are only set to 1st DC. Child Domain:DC's preferred DNS server is pointing to 1st DC in parent domain as preferred DNS server Pointing to itself for secondary DNSForwarders only set to 1st DC at parent domain and ISP DNS in as secondary(below 1st DC) The link between both sites isn't physically far and a T1 connection is at the child domain site, so i'm not too worried about the reliance and latency normally associated with this design. I followed the following article: http://support.microsoft.com/kb/825036 and http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1246254,00.html?bucket=ETA&topic=305575Which brings me to my other question. Specifically, the part of the above article that reads:Delegate the _msdcs zone in a multiple domain environment. I'm not sure how to accomplish that , but more importantly, the in-the-feild benefit(s) ? When i mention not resolvable, i specifically mean: whenever i create a new rr in the child domain. cname or a, the newly created rr is not pingable/resolvable from a workstation within the child domain. The above design helped resolve issues with users in the child domain not being able to log into OWA. Previously, i had an all primary and secondary zone file setup between DNS servers. reverse and forward zones. 
Since i have such a relatively small implementation of DNS, could you explain how i could possibly benefit from implementing stub zones ?Best Regards,When i mention resolveable: I'm referring to when i try to ping a client by its newly create rr, either cname or a record from a workstation.
On 5/17/07, Al Mulnick < amulnick@gmail.com> wrote: That's not really enough information. When you say "...are not resolvable,..." can you give an example? Basically, this is DNS. Not complex or anything like that and there is no magic. You must be able to resolve the record from the client when you make the query. For example, if you are looking for a dc in the root, you'd make a query to dns server (likely your dc in subdomain.rootdomain.com) and ask for rr.rootdomain.com. If you don't ask for that, you won't get a result. By default when you join a domain, your client will configure itself to use its domain as the dns suffix search information. If you ask for a record by shortname, you'll really be asking for host.subdomain.rootdomain.com on the wire. Of course, there's only one server there, so your request fails and never asks for rootdomain information. Pay attention to your suffix search configuration. Delegate the zone? I can't for the life of me think of a reason in the environment you described why I'd want to do it that way. I know for larger orgs I might consider such a thing, but for what you described, I'd use stub zones. I also have to ask if you're sure you want to use root/child domain structure. Not as common as it used to be. Why the added complexity? Al
On 5/17/07, hboogz < hboogz@gmail.com> wrote: Thanks Jorge - How exactly do you implement the following recommendation ? i've also read about delegating the ._msdcs.. zone --- where/how would i accomplish that ?I've noticed that now that i've converted all zones to AD-integrated, when i create a new record or a CNAME the records are not resolvable, I know that across domains dns replication won't kick in until AD replication kicks in, but is there a way for me to manually replicaite the zone changes using dnscmd ? I have a single child domain that points to a forest root dns server and its forwarding to the same forest root dns server, so i imagine any record additions/deletions in the child domain will only take place once the zone has been replicated across.
On 5/15/07, Almeida Pinto, Jorge de <jorge.de.almeida.pinto@logicacmg.com> wrote:
If _MSDCS.. is a sub-domain of . and you have not set up forwarding and/or secondary zones, you will experience issues with name resolution and even with replication. A common configuration for a W2K3 AD env. is:
- . : repl. scope in the domain-wide DNS app NC of the forest root domain (replicates to all DCs in the domain that ALSO host DNS services)
- _msdcs.. : repl. scope in the forest-wide DNS app NC (replicates to all DCs in the forest that ALSO host DNS services)
- . or .. : repl. scope in the domain-wide DNS app NC of its own domain (replicates to all DCs in the domain that ALSO host DNS services)
- On DNS servers in a parent domain, configure DNS delegation for the child domain
- On DNS servers in a child domain, configure DNS forwarding to the parent domain. You can configure this on a per-server basis or configure forwarding within AD. For the latter you cannot use the DNS GUI, but you must use the DNSCMD CLI tool (DnsCmd /ZoneAdd /DsForwarder /DP [FQDN | domain | forest | legacy]).
Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Addr.: Kennedyplein 248, 5611 ZT, Eindhoven - Addr.: P.O. Box 7089, 5605 JB, Eindhoven
Tel: +31-(0)40-29.57.777 - Mobile: +31-(0)6-26.26.62.80 - E-mail:
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
From: ActiveDir-owner@mail.activedir.org On Behalf Of hboogz
Sent: Friday, May 04, 2007 22:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

ok. what I figured.. I've made the change to the child, but for some reason I still get this error from dcdiag from the DNS servers in the root domain.

Testing server: jacwf\PHJACDC1
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 9a01e97a-0554-4b47-b4cc-587bf6105197._msdcs.phippsny.org could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
......................... PHJACDC1 failed test Connectivity

I've also read about delegating the ._msdcs.company.org zone --- should this be a possible solution? I've just converted to AD-integrated zones from all standard primary and secondary zones...

On 5/4/07, Brian Desmond wrote: What they're saying is you should set the forwarders on the child domain DNS server to be the parent domain DNS servers.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org On Behalf Of hboogz [hboogz@gmail.com]
Sent: Friday, May 04, 2007 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DNS Child Domain Settings ?

I'd like some clarification on how the following excerpt from a searchwinit.com article should be interpreted and implemented.

"In a parent/child domain environment, there should be an authoritative name server in each child domain. All clients (workstations, servers, DCs) in that domain should point to this name server for DNS. To make this work, you must create a delegation for the child domain in the root domain and add the IP address of all DNS servers in the child domain to that delegation. In addition, in the child domain's name servers, they must forward back to the parent's DNS servers."

I have a parent/child domain setup. I've set up the delegation in the parent/root domain DNS server and pointed the delegation to the single DNS server in the child domain (which is a Win2k3 R2 AD box). I don't quite follow the "forward back to the parent's DNS servers" part. In my root domain I have two DNS/AD-integrated zones/AD servers. In the child domain I have a single AD/DNS/AD-int zone'd box -- should I adjust its (child DNS/AD box) NIC to point back to one of the root domain DNS servers and the secondary point to itself (child DNS/AD) and set up forwarders to just point back to the root domain's DNS servers? I'm having some weird Exchange/OWA issue with only child domain users, and of course I'm thinking it could be DNS related, hence the above. As always, thanks.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
hboogz
Posts:71
05/18/2007 10:21 AM
Sounds like a great workable topology change. I'm going to implement the change this afternoon (summer hours are in effect, Yippee!). I do know I need another DC, but outside of installing 2k3 onto a Dell Optiplex, there isn't any more money available for another server.

On 5/18/07, Al Mulnick wrote: Using Deji's topology is going to work just as well and greatly simplify your environment and make it as reliable as it would get (you should deploy a second DC in the child domain - you know that, right?). Captain's choice on that, as delegation would likely work just fine and it is in keeping with DNS standards to delegate a child zone like that. Be sure that your shortname resolution is functioning. I think from your last post that it's not, although WINS (NetBIOS) resolution seems to eventually work. That's not what you want and is likely a symptom of your shortname resolution issues (suffix search order). When you try to resolve using FQDN, why does it fail if you add in a CNAME record? That's not expected at all if the zones are hosting the records. We may have to come back to that. Use nslookup vs. ping. Use the D2 option to see what it's doing and post results. I think that will help to show where the issue is.

On 5/17/07, Akomolafe, Deji <deji@readymaids.com> wrote:
How about we re-write this.....

From the DNS Server

Parent domain: 2 DCs. 1st DC pointing to itself as preferred DNS and 2nd DNS as secondary, and Forwarders set out to ISP DNS. 2nd DC pointing to itself as preferred DNS and 1st DNS as secondary, and Forwarders set out to ISP DNS. NOTE: You could point each DC to each other for primary as well, but the above should work.

Forest root domain: company.org
Child domain: site.company.org delegated to the child DNS server (you just r-click on company.com and select "New Delegation", type in site and put in the IP addresses of the child DNS server)

Child Domain: DC's preferred DNS server is pointing to itself as preferred DNS, and Forwarders set out to the 2 parent DNS servers

In DHCP scope for the child domain, ensure that the ONLY DNS server specified for your clients is the child DNS server. What you want to ensure here is that your internal clients are using only your internal DNS servers for lookup. So, if you are not assigning IP addresses through DHCP, you want to be sure that your manual entries in TCP/IP only specify the internal DNS server. You should do the same thing at the parent level also, using only the 2 internal DNS servers.

After you have done this, if your lookups still fail, let us see how you are performing the lookup query.
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: hboogz
Sent: Thu 5/17/2007 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

Thanks for the response Al. Now, let me clear up my design and issue.

Design:
Forest root domain: company.org
Child domain: site.company.org
Parent domain: 2 DCs. 1 DC pointing to itself as preferred DNS and Forwarders set out to ISP DNS. 2nd DC pointing to 1st DC for preferred DNS and itself as secondary. Its Forwarders are only set to 1st DC.
Child Domain: DC's preferred DNS server is pointing to 1st DC in parent domain as preferred DNS server, pointing to itself for secondary DNS. Forwarders only set to 1st DC at parent domain and ISP DNS in as secondary (below 1st DC).

The link between both sites isn't physically far and a T1 connection is at the child domain site, so I'm not too worried about the reliance and latency normally associated with this design. I followed the following articles: http://support.microsoft.com/kb/825036 and http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1246254,00.html?bucket=ETA&topic=305575

Which brings me to my other question. Specifically, the part of the above article that reads: Delegate the _msdcs zone in a multiple domain environment. I'm not sure how to accomplish that, but more importantly, the in-the-field benefit(s)?

When I mention not resolvable, I specifically mean: whenever I create a new RR in the child domain, CNAME or A, the newly created RR is not pingable/resolvable from a workstation within the child domain. The above design helped resolve issues with users in the child domain not being able to log into OWA. Previously, I had an all primary and secondary zone file setup between DNS servers, reverse and forward zones.

Since I have such a relatively small implementation of DNS, could you explain how I could possibly benefit from implementing stub zones?

Best Regards,

When I mention resolvable: I'm referring to when I try to ping a client by its newly created RR, either CNAME or A record, from a workstation.
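Al's point about what a short-name query becomes on the wire, and Deji's delegate-down/forward-up topology, as an added example that is not part of the thread: a small Python model of the two-domain setup that shows which name each client actually sends and which server ends up answering it. The child-side names and addresses (phjacdc1, aaracena, angel, 192.168.31.x) are the ones in the nslookup output posted in the thread; the parent DC names rootdc1/rootdc2, their 192.168.30.x addresses, the owa host, the example.com zone, the ISP resolver and the simplified suffix-append rule in wire_names are assumptions made for this example.

```python
"""Model of the parent/child DNS topology from the thread (added example).
The child zone's names and addresses are the ones in the thread's nslookup
output; the parent DCs rootdc1/rootdc2 (192.168.30.x), the owa host, the
example.com zone and the ISP resolver are assumed, not real infrastructure."""


class DnsServer:
    """Recursive DNS server: hosts zones, delegates sub-zones, forwards the rest."""

    def __init__(self, name):
        self.name = name
        self.zones = {}        # zone -> {owner fqdn: (rrtype, rdata)}
        self.delegations = {}  # delegated child zone -> DnsServer hosting it
        self.forwarders = []   # asked in order for names we are not authoritative for

    def add_zone(self, zone, records):
        self.zones[zone.lower()] = {k.lower(): v for k, v in records.items()}

    def _zone_for(self, fqdn):
        # Longest matching zone wins: jacwf.phippsny.org beats phippsny.org.
        hits = [z for z in self.zones if fqdn == z or fqdn.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def resolve(self, fqdn, depth=0):
        """A record data for fqdn, or None (NXDOMAIN / no answer)."""
        fqdn = fqdn.lower().rstrip(".")
        if depth > 8:                      # CNAME or forwarder loop guard
            return None
        zone = self._zone_for(fqdn)
        if zone is not None:
            # Below a delegation point: follow the NS glue to the child server.
            for child, server in self.delegations.items():
                if (fqdn == child or fqdn.endswith("." + child)) and child.endswith("." + zone):
                    return server.resolve(fqdn, depth + 1)
            rr = self.zones[zone].get(fqdn)
            if rr is None:
                return None                # authoritative NXDOMAIN: never forwarded
            rrtype, rdata = rr
            return self.resolve(rdata, depth + 1) if rrtype == "CNAME" else rdata
        for fwd in self.forwarders:        # not our zone: try the forwarders in order
            rdata = fwd.resolve(fqdn, depth + 1)
            if rdata is not None:
                return rdata
        return None


def wire_names(name, suffix_search_list):
    """Names a Windows client actually sends. Simplification (assumed): a
    single-label name gets each search suffix appended in order; a dotted
    name is sent as typed."""
    if "." in name:
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in suffix_search_list]


def client_lookup(name, dns_servers, suffix_search_list):
    """(name sent, answer) for the first candidate any configured server answers."""
    for candidate in wire_names(name, suffix_search_list):
        for server in dns_servers:
            rdata = server.resolve(candidate)
            if rdata is not None:
                return candidate, rdata
    return None, None


def build_topology():
    isp = DnsServer("isp-resolver")                        # assumed
    isp.add_zone("example.com", {"www.example.com": ("A", "203.0.113.10")})
    root1, root2, child = DnsServer("rootdc1"), DnsServer("rootdc2"), DnsServer("phjacdc1")
    parent_zone = {                                        # assumed addresses
        "rootdc1.phippsny.org": ("A", "192.168.30.3"),
        "rootdc2.phippsny.org": ("A", "192.168.30.4"),
        "owa.phippsny.org": ("A", "192.168.30.10"),
    }
    for dc in (root1, root2):
        dc.add_zone("phippsny.org", parent_zone)
        dc.delegations["jacwf.phippsny.org"] = child       # "New Delegation" on the parent
        dc.forwarders = [isp]                              # parent forwards out to the ISP
    child.add_zone("jacwf.phippsny.org", {                 # from the thread's nslookup
        "phjacdc1.jacwf.phippsny.org": ("A", "192.168.31.3"),
        "aaracena.jacwf.phippsny.org": ("A", "192.168.31.250"),
        "angel.jacwf.phippsny.org": ("CNAME", "aaracena.jacwf.phippsny.org"),
    })
    child.forwarders = [root1, root2]                      # child forwards to both parent DCs
    return root1, root2, child, isp


def run_scenarios():
    root1, root2, child, isp = build_topology()
    child_sfx = ["jacwf.phippsny.org", "phippsny.org"]     # the child DC's ipconfig list
    return {
        # Child client, short name: the first suffix lands in the child's own zone.
        "child_short": client_lookup("aaracena", [child], child_sfx),
        # Child client, parent FQDN: not the child's zone, so it forwards up.
        "child_parent_fqdn": client_lookup("owa.phippsny.org", [child], child_sfx),
        # Child client, Internet name: child -> parent DCs -> ISP.
        "child_internet": client_lookup("www.example.com", [child], child_sfx),
        # Parent client with only its own suffix asks for aaracena.phippsny.org;
        # the parent is authoritative for that and answers NXDOMAIN. Nothing is forwarded.
        "parent_short_default": client_lookup("aaracena", [root1, root2], ["phippsny.org"]),
        # Same client with jacwf.phippsny.org added to its suffix search list.
        "parent_short_fixed": client_lookup("aaracena", [root1, root2], ["phippsny.org", "jacwf.phippsny.org"]),
        # Parent client, child CNAME by FQDN: delegation, then the CNAME is chased.
        "parent_cname_fqdn": client_lookup("angel.jacwf.phippsny.org", [root1], ["phippsny.org"]),
        # Client pointed straight at the ISP (what Deji warns against): internal names fail.
        "client_at_isp": client_lookup("owa.phippsny.org", [isp], ["phippsny.org"]),
    }


if __name__ == "__main__":
    for label, (sent, rdata) in run_scenarios().items():
        print(f"{label:21s} {str(sent):30s} -> {rdata}")
```

Running it prints one line per scenario. The two results worth noticing are parent_short_default, where the parent DC is authoritative for phippsny.org and therefore answers NXDOMAIN for aaracena.phippsny.org itself, so neither the delegation nor any forwarder is ever consulted and only the suffix search list can fix it, and client_at_isp, which is why Deji insists that internal clients list only the internal DNS servers.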
amulnick
Posts:163
05/18/2007 10:42 AM
You need to be sure that you work on that shortname resolution and identify where the requests are being fulfilled. Nslookup will help to narrow that down. Personally, I'd go with the Optiplex if the cost of hardware is an issue. Just be sure to have at least two to mitigate against hardware failure.
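A check for the client-side rules in Deji's post and Al's follow-up, as an added example that is not from the thread: parse ipconfig /all output and flag (a) DNS servers that are not on the internal list and (b) a DNS suffix search list that lacks one of the forest's domains, which is exactly the short-name failure Al describes. Both ipconfig samples are constructed here; the child DC sample mirrors what hboogz posted, while the hsingh workstation sample, the 192.168.30.x parent addresses and the 198.51.100.53 ISP resolver are assumptions.

```python
"""DNS client configuration check over `ipconfig /all` text (added example).
Flags DNS servers outside the internal set and a suffix search list missing
a forest domain. Samples are constructed; parent IPs and the ISP resolver
are assumed."""
import re

# "Host Name . . . . . . . : value"  ->  key "Host Name", val "value"
_FIELD = re.compile(r"^\s*(?P<key>[^:]*?)[ .]*:\s*(?P<val>.*?)\s*$")


def parse_ipconfig(text):
    """Return {field name: [values]}. Continuation lines (extra DNS servers or
    suffixes) carry no ':' and are appended to the previous field. IPv4 only,
    as on the thread's Windows 2003 hosts."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                 # blank line ends a multi-line field
            continue
        m = _FIELD.match(line)
        if m:
            current = m.group("key")
            fields.setdefault(current, [])
            if m.group("val"):
                fields[current].append(m.group("val"))
        elif current is not None:
            fields[current].append(line.strip())
    return fields


def audit_dns_client(text, internal_dns, forest_domains):
    """Findings against the two rules from the thread; empty list means pass."""
    f = parse_ipconfig(text)
    findings = []
    servers = f.get("DNS Servers", [])
    if not servers:
        findings.append("no DNS servers configured")
    for ip in servers:                     # Deji: internal clients use internal DNS only
        if ip not in internal_dns:
            findings.append(f"DNS server {ip} is not an internal DNS server")
    suffixes = {s.lower() for s in f.get("DNS Suffix Search List", [])}
    for dom in forest_domains:             # Al: short names need the other domain's suffix
        if dom.lower() not in suffixes:
            findings.append(f"suffix search list lacks {dom}: short names there will not resolve")
    return findings


INTERNAL_DNS = {"192.168.31.3", "192.168.30.3", "192.168.30.4"}   # parent IPs assumed
FOREST_DOMAINS = ["phippsny.org", "jacwf.phippsny.org"]

CHILD_DC = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : phjacdc1
   Primary Dns Suffix  . . . . . . . : jacwf.phippsny.org
   DNS Suffix Search List. . . . . . : jacwf.phippsny.org
                                       phippsny.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.31.3
   DNS Servers . . . . . . . . . . . : 192.168.31.3
"""

PARENT_WORKSTATION = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : hsingh
   Primary Dns Suffix  . . . . . . . : phippsny.org
   DNS Suffix Search List. . . . . . : phippsny.org

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.30.57
   DNS Servers . . . . . . . . . . . : 192.168.30.3
                                       198.51.100.53
"""


def audit_samples():
    return {
        "child_dc": audit_dns_client(CHILD_DC, INTERNAL_DNS, FOREST_DOMAINS),
        "parent_workstation": audit_dns_client(PARENT_WORKSTATION, INTERNAL_DNS, FOREST_DOMAINS),
    }


if __name__ == "__main__":
    for host, findings in audit_samples().items():
        print(host, "->", findings or ["OK"])
```

The child DC sample passes; the parent workstation sample produces two findings, one for the ISP resolver in its DNS server list and one for the missing jacwf.phippsny.org suffix. To run it against a real host, paste the output of ipconfig /all into audit_dns_client with your own internal server set.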
deji
Posts:262
05/18/2007 11:19 AM
>>>but outside of installing 2k3 onto a dell optiplex

And, what's wrong with doing so? You think DCs are too proud to be seen in Optiplexes? :-p

The way you are set up right now, you are one "ooops!" away from sleepless nights of disaster recovery. An additional DC installed on even the cheapest and most basic piece of "Fry's" no-name PC will do you a lot of good. If your standards are too high for such things, then just install an additional virtual DC.
Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: hboogzSent: Fri 5/18/2007 7:21 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: DNS Child Domain Settings ?
Sounds like a great workable topology change.I'm going to implement the change this afternoon ( summer hours are in effect, Yippe! )I do know i need another DC, but outside of installing 2k3 onto a dell optiplex, there isn't any more money available for another server.
On 5/18/07, Al Mulnick wrote:
Using Deji's topology is going to work just as well and greatly simplify your environment and make it as reliable as it would get (you should deploy a second dc in the child domain - you know that right?). Captain's choice on that as delegation would likely work just fine and it is in keeping with DNS standards to delegate a child zone like that. Be sure that your shortname resolution is functioning. I think from your last post that it's not, although WINS (netbios) resolution seems to eventually work. That's not what you want and is likely a symptom of your shortname resolution issues. (suffix search order). When you try to resolve using fqdn, why does it fail if you add in a cname record? That's not expected at all if the zones are hosting the records. We may have to come back to that. Use nslookup vs. ping. Use the D2 option to see what it's doing and post results. I think that will help to show where the issue is.
On 5/17/07, Akomolafe, Deji wrote:
How about we re-write this.....
From the DNS Server
Parent domain: 2 DC's. 1st DC pointing to itself as preferred DNS and2nd DNSas secondary, and Forwarders set out to ISP DNS. 2nd DC pointing to itself aspreffered DNS and1st DNSas secondary, and Forwarders set out to ISP DNS.
NOTE: You could point each DC to each other for primary as well, but the above should work.
Forest root domain: company.orgChild domain: site.company.org delegated to the child DNS server (you just r-click on company.com and select "New Delegation, type in site and put in the IP addresses of the child DNS server)
Child Domain:DC's preferred DNS server is pointing to itself as preferred DNS, and Forwarders set out to the 2 parent DNS servers
In DHCP scope for the child domain, ensure that the ONLY DNS server specified for your clients is the child DNS server. What you want to ensure here is that your internal clients are using only your internal DNS servers for lookup. So, if you are not assigning IP addresses through DHCP, you want to be sure that your manual entries in TCP/IP only specifies the internal DNS server. You should do the same thing at the parent level also, using only the 2 internal DNS servers.
After you have done this, if your lookups still fail, let us see how you are performing the lookup query.
Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services
From: hboogz Sent: Thu 5/17/2007 3:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?
Thanks for the response Al. Now, let me clear up my design and issue.

Design:
Forest root domain: company.org
Child domain: site.company.org

Parent domain: 2 DC's. 1 DC pointing to itself as preferred DNS and Forwarders set out to ISP DNS. 2nd DC pointing to 1st DC for preferred DNS and itself as secondary. Its Forwarders are only set to 1st DC.

Child Domain: DC's preferred DNS server is pointing to 1st DC in parent domain as preferred DNS server. Pointing to itself for secondary DNS. Forwarders only set to 1st DC at parent domain and ISP DNS in as secondary (below 1st DC).

The link between both sites isn't physically far and a T1 connection is at the child domain site, so I'm not too worried about the reliance and latency normally associated with this design. I followed the following articles: http://support.microsoft.com/kb/825036 and http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1246254,00.html?bucket=ETA&topic=305575

Which brings me to my other question. Specifically, the part of the above article that reads: "Delegate the _msdcs zone in a multiple domain environment." I'm not sure how to accomplish that, but more importantly, the in-the-field benefit(s)?

When I mention not resolvable, I specifically mean: whenever I create a new rr in the child domain, cname or a, the newly created rr is not pingable/resolvable from a workstation within the child domain. The above design helped resolve issues with users in the child domain not being able to log into OWA. Previously, I had an all primary and secondary zone file setup between DNS servers, reverse and forward zones. Since I have such a relatively small implementation of DNS, could you explain how I could possibly benefit from implementing stub zones?

Best Regards,

When I mention resolvable: I'm referring to when I try to ping a client by its newly created rr, either cname or a record, from a workstation.
On 5/17/07, Al Mulnick wrote:
That's not really enough information. When you say "...are not resolvable,..." can you give an example? Basically, this is DNS. Not complex or anything like that and there is no magic. You must be able to resolve the record from the client when you make the query. For example, if you are looking for a dc in the root, you'd make a query to dns server (likely your dc in subdomain.rootdomain.com) and ask for rr.rootdomain.com. If you don't ask for that, you won't get a result. By default when you join a domain, your client will configure itself to use its domain as the dns suffix search information. If you ask for a record by shortname, you'll really be asking for host.subdomain.rootdomain.com on the wire. Of course, there's only one server there, so your request fails and never asks for rootdomain information. Pay attention to your suffix search configuration. Delegate the zone? I can't for the life of me think of a reason in the environment you described why I'd want to do it that way. I know for larger orgs I might consider such a thing, but for what you described, I'd use stub zones. I also have to ask if you're sure you want to use root/child domain structure. Not as common as it used to be. Why the added complexity? Al On 5/17/07, hboogz wrote:
Thanks Jorge - How exactly do you implement the following recommendation? I've also read about delegating the ._msdcs.. zone --- where/how would I accomplish that? I've noticed that now that I've converted all zones to AD-integrated, when I create a new record or a CNAME the records are not resolvable. I know that across domains dns replication won't kick in until AD replication kicks in, but is there a way for me to manually replicate the zone changes using dnscmd? I have a single child domain that points to a forest root dns server and its forwarding to the same forest root dns server, so I imagine any record additions/deletions in the child domain will only take place once the zone has been replicated across.
On 5/15/07, Almeida Pinto, Jorge de wrote:
If _MSDCS.. is a sub-domain of . and you have not setup forwarding and/or secondary zones, you will experience issues with name resolution and even with replication....
A common configuration for a W2K3 AD env. is:
- . -> repl. scope in domain wide DNS app NC of forest root domain (replicates to all DCs in the domain that ALSO host DNS services)
- _msdcs.. -> repl. scope in forest wide DNS app NC (replicates to all DCs in the forest that ALSO host DNS services)
- . or .. -> repl. scope in domain wide DNS app NC of its own domain (replicates to all DCs in the domain that ALSO host DNS services)
- On DNS servers in a parent domain configure DNS delegation for the child domain
- On DNS servers in a child domain configure DNS forwarding to the parent domain. You can configure this on a per server basis or configure forwarding within AD. For the latter you cannot use the DNS GUI, but you must use the DNSCMD CLI-tool. (DnsCmd /ZoneAdd /DsForwarder /DP [FQDN | domain | forest | legacy])
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Addr.: Kennedyplein 248, 5611 ZT, Eindhoven
Addr.: P.O. Box 7089, 5605 JB, Eindhoven
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail:
________________________________________________________________
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz Sent: Friday, May 04, 2007 22:16 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?
ok. what I figured.. I've made the change to the child, but for some reason I still get this error from dcdiag from the DNS servers in the root domain.

Testing server: jacwf\PHJACDC1
   Starting test: Connectivity
      * Active Directory LDAP Services Check
      The host 9a01e97a-0554-4b47-b4cc-587bf6105197._msdcs.phippsny.org could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
      ......................... PHJACDC1 failed test Connectivity

I've also read about delegating the ._msdcs.company.org zone --- should this be a possible solution? I've just converted to ad-integrated zones from all standard primary and secondary zones...
On 5/4/07, Brian Desmond wrote:
What they're saying is you should set the forwarders on the child domain DNS server to be the parent domain DNS servers.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz [hboogz@gmail.com] Sent: Friday, May 04, 2007 3:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DNS Child Domain Settings ?
I'd like some clarification on how the following excerpt from a searchwinit.com article should be interpreted and implemented.

"In a parent/child domain environment, there should be an authoritative name server in each child domain. All clients (workstations, servers, DCs) in that domain should point to this name server for DNS. To make this work, you must create a delegation for the child domain in the root domain and add the IP address of all DNS servers in the child domain to that delegation. In addition, in the child domain's name servers, they must forward back to the parent's DNS servers."

I have a parent/child domain setup. I've setup the delegation in the parent/root domain DNS server and pointed the delegation to the single DNS server in the child domain (which is a win2k3 r2 ad box). I don't quite follow the "forward back to the parent's DNS servers" part. In my root domain I have two dns/ad-integrated zones/ad servers. In the child domain I have a single ad/dns/ad-int zone'd box -- should I adjust its (child dns/ad box) nic to point back to one of the root domain DNS servers and the secondary point to itself (child dns/ad) and setup forwarders to just point back to the root domain's DNS servers? I'm having some weird exchange/owa issue with only child domain users, and of course I'm thinking it could be dns related, hence the above. As always, thanks.
| | | |
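The topology Deji lays out above (parent zone delegates the child zone, child DNS server forwards to the parent DNS servers, parent forwards to the ISP) can be checked end to end with a small model. The following is an added example, not code from the thread, from Microsoft or from the ActiveDir list: it simulates how each server decides between answering authoritatively, chasing a delegation, forwarding, or timing out, and it includes the firewall case that hboogz later reports as the root cause (port 53 to the child DNS server blocked). Zone names follow the thread's company.org / site.company.org placeholders; every IP address is a constructed TEST-NET value, not one from the thread.

```python
"""Model of the parent/child DNS topology recommended in this thread.

Added example (not the thread's or Microsoft's code). Each DnsServer hosts
zones, may delegate child zones (NS + glue address), and forwards names it
does not host to its forwarders, like a Windows DNS server doing recursion
on a client's behalf. All addresses are constructed TEST-NET values.
"""
from dataclasses import dataclass, field

# Result codes, named after what nslookup prints for each case.
NOERROR, NXDOMAIN, TIMEOUT = "NOERROR", "NXDOMAIN", "TIMEOUT"


@dataclass
class DnsServer:
    ip: str
    zones: dict = field(default_factory=dict)        # zone -> {fqdn: ip}
    delegations: dict = field(default_factory=dict)  # child zone -> glue ip of its NS
    forwarders: list = field(default_factory=list)   # tried, in order, for other names


class Network:
    """The DNS servers plus the firewall rules between them."""

    def __init__(self):
        self.servers = {}
        self.blocked = set()   # (src_ip, dst_ip) pairs whose port-53 traffic is dropped

    def add(self, server):
        self.servers[server.ip] = server

    def block(self, src_ip, dst_ip):
        self.blocked.add((src_ip, dst_ip))

    def ask(self, server_ip, qname, src_ip="client", hops=0):
        """Send qname to server_ip on behalf of src_ip; return (rcode, ip or None)."""
        if (src_ip, server_ip) in self.blocked or hops > 8:
            return TIMEOUT, None            # a dropped packet shows up as "request timed out"
        srv = self.servers[server_ip]
        zone = authoritative_zone(srv, qname)
        if zone is not None:
            records = srv.zones[zone]
            if qname in records:
                return NOERROR, records[qname]
            # The name lies below a delegated child zone: chase the NS glue address.
            for child, glue_ip in srv.delegations.items():
                if qname == child or qname.endswith("." + child):
                    return self.ask(glue_ip, qname, src_ip=srv.ip, hops=hops + 1)
            return NXDOMAIN, None           # authoritative answer: no such name
        # Not a zone this server hosts: hand the query to the forwarders in order.
        for fwd in srv.forwarders:
            rcode, ip = self.ask(fwd, qname, src_ip=srv.ip, hops=hops + 1)
            if rcode != TIMEOUT:
                return rcode, ip
        return TIMEOUT, None


def authoritative_zone(srv, qname):
    """Longest zone hosted on srv that qname falls under, or None."""
    matches = [z for z in srv.zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def build_recommended_topology():
    """Two parent DCs, one child DC, an ISP resolver upstream (constructed data)."""
    parent_zone = {"phdc1.company.org": "192.0.2.1",
                   "phdc2.company.org": "192.0.2.22",
                   "mail.company.org": "192.0.2.25"}
    child_zone = {"childdc.site.company.org": "192.0.2.131",
                  "aaracena.site.company.org": "192.0.2.250"}
    net = Network()
    for ip in ("192.0.2.1", "192.0.2.22"):   # AD-integrated: both DCs hold the same zone
        net.add(DnsServer(ip, zones={"company.org": dict(parent_zone)},
                          delegations={"site.company.org": "192.0.2.131"},
                          forwarders=["203.0.113.53"]))
    net.add(DnsServer("192.0.2.131", zones={"site.company.org": child_zone},
                      forwarders=["192.0.2.1", "192.0.2.22"]))
    net.add(DnsServer("203.0.113.53",                      # ISP resolver stand-in
                      zones={"example.net": {"www.example.net": "203.0.113.80"}}))
    return net


if __name__ == "__main__":
    net = build_recommended_topology()
    print("parent DC -> child host :", net.ask("192.0.2.1", "aaracena.site.company.org"))
    print("child DC  -> parent host:", net.ask("192.0.2.131", "mail.company.org"))
    print("child DC  -> internet   :", net.ask("192.0.2.131", "www.example.net"))
    print("wrong suffix            :", net.ask("192.0.2.1", "angel.company.org"))
    net.block("192.0.2.1", "192.0.2.131")   # the kind of firewall rule found in this thread
    print("with port 53 blocked    :", net.ask("192.0.2.1", "aaracena.site.company.org"))
```

The fourth query reproduces the d2 trace further down the thread: a client in the parent domain asking for a bare hostname gets the parent suffix appended, so the parent DC answers NXDOMAIN authoritatively and never consults the delegation. The last query shows why the earlier symptom was a timeout rather than NXDOMAIN: the parent DC does hold the delegation, but its referral chase to the child DNS server is dropped.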
| hboogz
Posts:71
 | | 05/18/2007 11:27 AM |
| I'm setting up an Optiplex as we speak! And I'll make sure that this Optiplex points to itself as the preferred DNS and the 1st DC in the child for secondary.
On 5/18/07, Akomolafe, Deji wrote:
>>>but outside of installing 2k3 onto a dell optiplex
And, what's wrong with doing so? You think DCs are too proud to be seen in Optiplexes? :-p
The way you are set up right now, you are one "ooops!" away from sleepless nights of disaster recovery. An additional DC installed on even the cheapest and most basic piece of "Fry's" no-name PC will do you a lot of good. If your standards are too high for such things, then just install an additional virtual DC.
Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services
| | | |
| hboogz
Posts:71
 | | 06/07/2007 10:09 AM |
| Thanks Al and Deji -- Through your great work I was able to pinpoint the issue with a rule in my parent domain's firewall preventing me from communicating with port 53 on the child domain's DNS server. I fixed the issue and name resolution is working. I have a smaller inquiry/issue but I will start a new thread. Thanks.
On 5/18/07, Al Mulnick wrote:
BTW, the dns suffix search order seems to be correct on the child domain based on the ipconfig output.
Those child servers should be able to find hosts in both domains by shortname query.
Question: when you delegated the zone, what shows up on the root server dns console? (or via dnscmd if you're using cli)? You should have stub^^^ and NS and corresponding A RR in the delegated zone when looking at the root server dns zones. When looking at the child server (what the ns and a rr define) you should have a full zone. Make sense? Al
On 5/18/07, hboogz wrote:
Just so that we're clear. The following tests are from the DC (sole DC) in the child domain: All is good.

C:\>nslookup aaracena.jacwf.phippsny.org
Server:  phjacdc1.jacwf.phippsny.org
Address:  192.168.31.3

Name:    aaracena.jacwf.phippsny.org
Address:  192.168.31.250

C:\>nslookup angel.jacwf.phippsny.org
Server:  phjacdc1.jacwf.phippsny.org
Address:  192.168.31.3

Name:    aaracena.jacwf.phippsny.org
Address:  192.168.31.250
Aliases:  angel.jacwf.phippsny.org

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : phjacdc1
   Primary Dns Suffix  . . . . . . . : jacwf.phippsny.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : jacwf.phippsny.org
                                       phippsny.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-13-72-59-45-A7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.31.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.31.1
   DNS Servers . . . . . . . . . . . : 192.168.31.3
   Primary WINS Server . . . . . . . : 192.168.31.3
On 5/18/07, hboogz wrote:
Al - I added the ptr, so that issue is resolved. Whew. The ipconfigs I sent you were from the 2 DC's in the phippsny.org domain and my workstation within the phippsny.org domain [hsingh.phippsny.org]. When I kick off an nslookup from a client within the jacwf.phippsny.org domain, the name resolution works fine. My name resolution problems are occurring from servers, clients within the phippsny.org domain.
On 5/18/07, Al Mulnick wrote:
First things first.
192.168.1.22 (phprint1) doesn't have a reverse lookup record - that's what you're seeing in the nslookup. Not a biggie, but... Why does that child dc have the same dns suffix as the parent domain? Did you change that setting manually?
Focus on the child domain for a minute: you should be able to use nslookup and resolve aaracena.jacwf.phippsny.org on that child domain dns server. Until you can, there's no point in looking to the root domain to do it.
Something not right there... can you check the zone for the records and see that record in there? (use the gui). Can you check the event log?
On 5/18/07, hboogz wrote:
Results:

Parent domain: phippsny.org

1st DC:
C:\>nslookup aaracena.jacwf.phippsny.org
Server:  phdc1.phippsny.org
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to phdc1.phippsny.org timed-out

C:\>nslookup angel.jacwf.phippsny.org
Server:  phdc1.phippsny.org
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to phdc1.phippsny.org timed-out

2nd DC in parent Domain: Preferred DNS now pointing to itself and forwarders pointing to ISP
C:\>nslookup aaracena.jacwf.phippsny.org
*** Can't find server name for address 192.168.1.22: Non-existent domain
Server:  UnKnown
Address:  192.168.1.22

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\>nslookup angel.jacwf.phippsny.org
*** Can't find server name for address 192.168.1.22: Non-existent domain
Server:  UnKnown
Address:  192.168.1.22

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

IPconfig Results

1st DC:
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PHDC1
   Primary Dns Suffix  . . . . . . . : phippsny.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : phippsny.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-13-72-4B-1F-E8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.80
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.22
   Primary WINS Server . . . . . . . : 192.168.1.1

2nd DC in parent domain:
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : phprint1
   Primary Dns Suffix  . . . . . . . : phippsny.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : phippsny.org

Ethernet adapter Local Area Connection 7:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-1E-3A-DD
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.22
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.80
   DNS Servers . . . . . . . . . . . : 192.168.1.22
                                       192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.22

My workstation:
C:\WINDOWS>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HSINGH
   Primary Dns Suffix  . . . . . . . : phippsny.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : phippsny.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-18-8B-7A-6D-20
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.80
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.22
   Primary WINS Server . . . . . . . : 192.168.1.1

Thank you both for the extended help, it's, as always, greatly appreciated. I made an item bold which I think appears suspicious: the IPCONFIG results show a dns suffix search list of just phippsny.org and don't show jacwf.phippsny.org. I removed the manual listing within the NIC properties of both servers and my workstation, but it still does appear. I checked the Default Domain GPO and Default Domain Controller GPO and don't see anything specifically enabling the setting placing the DNS suffix.
On 5/18/07, Akomolafe, Deji > wrote:
Try what Al says, and let's see the results.
In the meantime....
>>>I've seen instances where dns/ad replication issues sometimes take a day or two....
Not in this instance, no. Should not take minutes, much less hours or days. If you create a record and ask the server for the record, it should just fetch it and hand it over to you - unless you are having "other issues".
>>>Additionally, as it stands i don't have the dns suffices explicitly defined in and of the DC's NIC properties --- should i enable this feature.
A short explanation of the suffixes and how they impact resolutions - the suffixes that you create on a DNS server (in TCP/IP) have no bearing on how it resolves a lookup request on behalf of a client. The suffixes on the clients are what determine what the DNS server sends back in response. There is more to this, but it will only lead us down a different path. Suffice to say, your clients will append the suffix of the domain name to which they belong IF they ask for a single-labeled record (like "Angel"). If they get a negative response to that query, and you are assigning suffixes through GPO, then the client retries the query by appending the suffixes that it got from GPO. If you don't use GPO for suffixes, then the client looks for suffixes defined in TCP/IP and appends them to the query. So, when you are sitting at a client's console and asking for "Angel", your client is actually looking for "Angel.whatever-suffix-is-defined-wherever". This is the query that it sends to the DNS server. The suffix that you have defined on/for the DNS server has no bearing in this scenario, unless the lookup request is coming from the DNS server itself - in which case it will be acting as a "DNS client". Hope that makes sense.
So, to go back to our regularly-scheduled program, do the simple query that Al suggested, then give us the result. It will be helpful if you could send the result of "ipconfig /all" from both the DNS server and the client you are performing the lookup from.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23

Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick
Sent: Fri 5/18/2007 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

Try a query for aaracena.jacwf.phippsny.org
Nslookup aaracena.jacwf.phippsny.org
What do you get?
How about for angel.jacwf.phippsny.org ?
From any of the dns servers? Are the responses the same from each?
(be sure to use the exact question.)

On 5/18/07, hboogz <hboogz@gmail.com> wrote:

Okay, here goes: I made the changes as indicated by Deji and I re-created the delegation using the steps provided. I restarted all DC's, but the shortname resolution from any clients/servers in the parent company does not resolve just yet. I am going to wait a day for everything to get re-adjusted/reacquainted with each other again..=) But preliminary nslookup tests from within any client at company.org show that it doesn't even know of a site.company.org subdomain.. Look at the following nslookup example from my workstation (member of company.org):

C:\WINDOWS>nslookup
Default Server:  phdc1.phippsny.org
Address:  192.168.1.1

> set d2
> angel
Server:  phdc1.phippsny.org
Address:  192.168.1.1

------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        angel.phippsny.org, type = A, class = IN

------------
------------
Got answer (95 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        angel.phippsny.org, type = A, class = IN
    AUTHORITY RECORDS:
    ->  phippsny.org
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = phdc1.phippsny.org
        responsible mail addr = admin
        serial  = 82327
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
*** phdc1.phippsny.org can't find angel: Non-existent domain
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The following is the same nslookup query from within a server at the site.company.org domain.

C:\>nslookup
Default Server:  phjacdc1.jacwf.phippsny.org
Address:  192.168.31.3

> set d2
> angel
Server:  phjacdc1.jacwf.phippsny.org
Address:  192.168.31.3

------------
SendRequest(), len 42
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        angel.jacwf.phippsny.org, type = A, class = IN

------------
------------
Got answer (81 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        angel.jacwf.phippsny.org, type = A, class = IN
    ANSWERS:
    ->  angel.jacwf.phippsny.org
        type = CNAME, class = IN, dlen = 11
        canonical name = aaracena.jacwf.phippsny.org
        ttl = 3600 (1 hour)
    ->  aaracena.jacwf.phippsny.org
        type = A, class = IN, dlen = 4
        internet address = 192.168.31.250
        ttl = 1200 (20 mins)

------------
Name:    aaracena.jacwf.phippsny.org
Address:  192.168.31.250
Aliases:  angel.jacwf.phippsny.org

>

I've seen instances where dns/ad replication issues sometimes take a day or two to resolve themselves after the necessary resolution steps have been implemented. So, I'll report back on this resolution issue tomorrow. Additionally, as it stands I don't have the dns suffices explicitly defined in any of the DC's NIC properties --- should I enable this feature?

On 5/18/07, Al Mulnick <amulnick@gmail.com> wrote:
And the forwarders? Don't forget the forwarders.

On 5/18/07, hboogz <hboogz@gmail.com> wrote:

I'm setting up an optiplex as we speak! And I'll make sure that this optiplex points to itself as the preferred DNS and the 1st DC in the child for secondary.
On 5/18/07, Akomolafe, Deji wrote:

>>> but outside of installing 2k3 onto a dell optiplex

And, what's wrong with doing so? You think DCs are too proud to be seen in Optiplexes? :-p

The way you are set up right now, you are one "ooops!" away from sleepless nights of disaster recovery. An additional DC installed on even the cheapest and most basic piece of "Fry's" no-name PC will do you a lot of good. If your standards are too high for such things, then just install an additional virtual DC.

Sincerely,
Microsoft MVP - Directory Services
From: hboogz
Sent: Fri 5/18/2007 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

Sounds like a great workable topology change. I'm going to implement the change this afternoon (summer hours are in effect, Yippee!). I do know I need another DC, but outside of installing 2k3 onto a dell optiplex, there isn't any more money available for another server.

On 5/18/07, Al Mulnick <amulnick@gmail.com> wrote:
Using Deji's topology is going to work just as well and greatly simplify your environment and make it as reliable as it would get (you should deploy a second dc in the child domain - you know that right?). Captain's choice on that as delegation would likely work just fine and it is in keeping with DNS standards to delegate a child zone like that. Be sure that your shortname resolution is functioning. I think from your last post that it's not, although WINS (netbios) resolution seems to eventually work. That's not what you want and is likely a symptom of your shortname resolution issues. (suffix search order). When you try to resolve using fqdn, why does it fail if you add in a cname record? That's not expected at all if the zones are hosting the records. We may have to come back to that. Use nslookup vs. ping. Use the D2 option to see what it's doing and post results. I think that will help to show where the issue is.
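Al's advice to post "set d2" output rather than ping results is easier to act on if the debug dump is reduced to the few fields that matter. The Python below is an added illustration, not code from the thread or from any Microsoft tool; it summarises each "Got answer" block (question name, rcode, whether the responder claimed authority, the answer records, and the zone whose SOA came back in the authority section of a negative answer) and gives a one-line reading of it. The sample input is constructed from the two exchanges hboogz posted, laid out in nslookup's usual indentation with the SOA fields trimmed.

```python
"""Summarise nslookup 'set d2' debug output. Added illustration, not from the thread."""
import re
from typing import Dict, List

SECTIONS = ("QUESTIONS:", "ANSWERS:", "AUTHORITY RECORDS:", "ADDITIONAL RECORDS:")

# Constructed from the two exchanges posted in the thread (request dump kept
# only for the first one; SOA fields trimmed).
SAMPLE = """\
------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
    QUESTIONS:
        angel.phippsny.org, type = A, class = IN
------------
------------
Got answer (95 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        angel.phippsny.org, type = A, class = IN
    AUTHORITY RECORDS:
    ->  phippsny.org
        type = SOA, class = IN, dlen = 35
        primary name server = phdc1.phippsny.org
------------
------------
Got answer (81 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        angel.jacwf.phippsny.org, type = A, class = IN
    ANSWERS:
    ->  angel.jacwf.phippsny.org
        type = CNAME, class = IN, dlen = 11
        canonical name = aaracena.jacwf.phippsny.org
    ->  aaracena.jacwf.phippsny.org
        type = A, class = IN, dlen = 4
        internet address = 192.168.31.250
------------
"""


def parse_nslookup_d2(text: str) -> List[Dict]:
    """One dict per 'Got answer' block: question, rcode, authoritative flag,
    answer RRs as (owner, type, rdata), and the zone whose SOA sits in the
    authority section of a negative answer (i.e. the zone that rejected the name)."""
    results: List[Dict] = []
    cur = section = owner = rtype = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest"):      # outgoing request dump: skip it
            cur = None
            continue
        if line.startswith("Got answer"):
            cur = {"question": None, "rcode": None, "authoritative": False,
                   "answers": [], "soa_zone": None}
            results.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("------------"):     # end of this response
            cur = None
        elif "rcode = " in line:
            cur["rcode"] = re.search(r"rcode = (\w+)", line).group(1)
        elif line.startswith("header flags"):
            cur["authoritative"] = "auth. answer" in line
        elif line in SECTIONS:
            section, owner, rtype = line.rstrip(":"), None, None
        elif section == "QUESTIONS" and line and cur["question"] is None:
            cur["question"] = line.split(",")[0]
        elif section in ("ANSWERS", "AUTHORITY RECORDS"):
            if line.startswith("->"):           # new resource record
                owner, rtype = line[2:].strip(), None
            elif line.startswith("type ="):
                rtype = line.split(",")[0].split("=")[1].strip()
                if section == "AUTHORITY RECORDS" and rtype == "SOA":
                    cur["soa_zone"] = owner
            elif section == "ANSWERS" and owner and rtype:
                m = re.match(r"(?:canonical name|internet address) = (\S+)", line)
                if m:
                    cur["answers"].append((owner, rtype, m.group(1)))
    return results


def diagnose(r: Dict) -> str:
    """One-line reading of a parsed response for whoever is troubleshooting."""
    if r["rcode"] == "NXDOMAIN":
        who = f"the zone {r['soa_zone']}" if r["soa_zone"] else "the server"
        how = "authoritatively" if r["authoritative"] else "via recursion"
        return (f"{r['question']}: {who} says {how} that the name does not exist; "
                "check which suffix the client appended and whether that zone "
                "holds or delegates the name")
    if r["rcode"] == "NOERROR" and r["answers"]:
        chain = " -> ".join([r["question"]] + [rd for _, _, rd in r["answers"]])
        return f"{r['question']}: resolved {chain}"
    return f"{r['question']}: rcode {r['rcode']} with no answer records"


if __name__ == "__main__":
    for response in parse_nslookup_d2(SAMPLE):
        print(diagnose(response))
```

Run over the first exchange it reports that phippsny.org itself answered, authoritatively, that angel.phippsny.org does not exist, which is the tell that the workstation never asked for a name under jacwf.phippsny.org at all; the second exchange shows the CNAME chain the child server returned.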
On 5/17/07, Akomolafe, Deji wrote:

How about we re-write this.....

From the DNS Server

Parent domain: 2 DC's. 1st DC pointing to itself as preferred DNS and 2nd DNS as secondary, and Forwarders set out to ISP DNS. 2nd DC pointing to itself as preferred DNS and 1st DNS as secondary, and Forwarders set out to ISP DNS. NOTE: You could point each DC to each other for primary as well, but the above should work.

Forest root domain: company.org
Child domain: site.company.org delegated to the child DNS server (you just r-click on company.com and select "New Delegation", type in site and put in the IP addresses of the child DNS server)

Child Domain: DC's preferred DNS server is pointing to itself as preferred DNS, and Forwarders set out to the 2 parent DNS servers.

In DHCP scope for the child domain, ensure that the ONLY DNS server specified for your clients is the child DNS server. What you want to ensure here is that your internal clients are using only your internal DNS servers for lookup. So, if you are not assigning IP addresses through DHCP, you want to be sure that your manual entries in TCP/IP only specify the internal DNS server. You should do the same thing at the parent level also, using only the 2 internal DNS servers.

After you have done this, if your lookups still fail, let us see how you are performing the lookup query.
Sincerely,
Microsoft MVP - Directory Services

From: hboogz
Sent: Thu 5/17/2007 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?
Thanks for the response Al. Now, let me clear up my design and issue.

Design:
Forest root domain: company.org
Child domain: site.company.org

Parent domain: 2 DC's. 1 DC pointing to itself as preferred DNS and Forwarders set out to ISP DNS. 2nd DC pointing to 1st DC for preferred DNS and itself as secondary. Its Forwarders are only set to 1st DC.

Child Domain: DC's preferred DNS server is pointing to 1st DC in parent domain as preferred DNS server, pointing to itself for secondary DNS. Forwarders only set to 1st DC at parent domain and ISP DNS in as secondary (below 1st DC).

The link between both sites isn't physically far and a T1 connection is at the child domain site, so I'm not too worried about the reliance and latency normally associated with this design. I followed the following articles: http://support.microsoft.com/kb/825036 and http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1246254,00.html?bucket=ETA&topic=305575

Which brings me to my other question. Specifically, the part of the above article that reads: "Delegate the _msdcs zone in a multiple domain environment." I'm not sure how to accomplish that, but more importantly, the in-the-field benefit(s)?

When I mention not resolvable, I specifically mean: whenever I create a new rr in the child domain, cname or a, the newly created rr is not pingable/resolvable from a workstation within the child domain. The above design helped resolve issues with users in the child domain not being able to log into OWA. Previously, I had an all primary and secondary zone file setup between DNS servers, reverse and forward zones. Since I have such a relatively small implementation of DNS, could you explain how I could possibly benefit from implementing stub zones?

Best Regards,

When I mention resolvable: I'm referring to when I try to ping a client by its newly created rr, either cname or a record, from a workstation.
On 5/17/07, Al Mulnick wrote:

That's not really enough information. When you say "...are not resolvable,..." can you give an example? Basically, this is DNS. Not complex or anything like that and there is no magic. You must be able to resolve the record from the client when you make the query. For example, if you are looking for a dc in the root, you'd make a query to the dns server (likely your dc in subdomain.rootdomain.com) and ask for rr.rootdomain.com. If you don't ask for that, you won't get a result. By default when you join a domain, your client will configure itself to use its domain as the dns suffix search information. If you ask for a record by shortname, you'll really be asking for host.subdomain.rootdomain.com on the wire. Of course, there's only one server there, so your request fails and never asks for rootdomain information. Pay attention to your suffix search configuration.

Delegate the zone? I can't for the life of me think of a reason in the environment you described why I'd want to do it that way. I know for larger orgs I might consider such a thing, but for what you described, I'd use stub zones. I also have to ask if you're sure you want to use root/child domain structure. Not as common as it used to be. Why the added complexity?

Al
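Al's point about what a shortname query becomes on the wire, and Deji's fuller explanation of suffixes nearer the top of the thread, can be checked with a small model. The Python below is an added illustration, not code from the thread or from Windows; it implements the documented Windows DNS client rule (an explicitly configured suffix search list, Group Policy before the NIC setting, replaces the primary DNS suffix; with no list configured the primary suffix is used and, with devolution on, its parent domains down to two labels follow, which is the "DNS Suffix Search List" ipconfig /all printed for phjacdc1 earlier in the thread). RECORDS is a constructed stand-in for what the internal servers can answer, and treating any dotted name as fully qualified is a simplification of the real client.

```python
"""Model of the Windows DNS client's suffix handling for an unqualified name.

Added illustration, not code from the thread. Assumptions: an explicit search
list (GPO, else NIC) replaces the primary suffix; otherwise the primary suffix
is used and devolved to its parents down to two labels; any name containing a
dot is sent as-is (simplification of the real client).
"""
from typing import Dict, List, Optional, Tuple


def search_list(primary_suffix: str,
                gpo_list: Optional[List[str]] = None,
                nic_list: Optional[List[str]] = None,
                devolve: bool = True) -> List[str]:
    """Suffixes the client will append, in the order it tries them."""
    if gpo_list:                       # Group Policy wins over the NIC setting
        return list(gpo_list)
    if nic_list:                       # "Append these DNS suffixes (in order)"
        return list(nic_list)
    labels = primary_suffix.strip(".").split(".")
    out: List[str] = []
    while len(labels) >= 2:            # devolution stops at two labels
        out.append(".".join(labels))
        if not devolve:
            break
        labels = labels[1:]
    return out


def candidates(name: str, suffixes: List[str]) -> List[str]:
    """Names actually placed in the question section, one query each."""
    if name.endswith(".") or "." in name:
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in suffixes]


def resolve(name: str, suffixes: List[str],
            records: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Try each candidate in turn; a negative answer moves on to the next suffix.

    Returns (address or None, list of names that went on the wire).
    `records` stands in for what the DNS server can answer for.
    """
    tried: List[str] = []
    for fqdn in candidates(name, suffixes):
        tried.append(fqdn)
        if fqdn in records:
            return records[fqdn], tried
    return None, tried


# Constructed answers the two internal servers would give (CNAME already chased).
RECORDS = {
    "phdc1.phippsny.org": "192.168.1.1",
    "phjacdc1.jacwf.phippsny.org": "192.168.31.3",
    "aaracena.jacwf.phippsny.org": "192.168.31.250",
    "angel.jacwf.phippsny.org": "192.168.31.250",
}


def parent_workstation_lookup(name: str = "angel"):
    """Workstation in phippsny.org with only its own suffix: 'angel' fails."""
    return resolve(name, search_list("phippsny.org"), RECORDS)


def child_dc_lookup(name: str = "angel"):
    """phjacdc1 in jacwf.phippsny.org: devolution lists the parent as well."""
    return resolve(name, search_list("jacwf.phippsny.org"), RECORDS)


def parent_workstation_with_gpo_list(name: str = "angel"):
    """Same workstation after a GPO search list that includes the child zone."""
    gpo = ["phippsny.org", "jacwf.phippsny.org"]
    return resolve(name, search_list("phippsny.org", gpo_list=gpo), RECORDS)


if __name__ == "__main__":
    for fn in (parent_workstation_lookup, child_dc_lookup,
               parent_workstation_with_gpo_list):
        addr, tried = fn()
        print(f"{fn.__name__}: {addr or 'NXDOMAIN'} after trying {tried}")
```

The first function reproduces the NXDOMAIN hboogz saw from his phippsny.org workstation: the only name that ever leaves the client is angel.phippsny.org. The child DC finds the host on its first try, and the parent workstation only succeeds once jacwf.phippsny.org is in its search list, which is the "suffix search order" fix Al refers to.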
On 5/17/07, hboogz wrote:

Thanks Jorge - How exactly do you implement the following recommendation? I've also read about delegating the ._msdcs.. zone --- where/how would I accomplish that? I've noticed that now that I've converted all zones to AD-integrated, when I create a new record or a CNAME the records are not resolvable. I know that across domains dns replication won't kick in until AD replication kicks in, but is there a way for me to manually replicate the zone changes using dnscmd? I have a single child domain that points to a forest root dns server and its forwarding to the same forest root dns server, so I imagine any record additions/deletions in the child domain will only take place once the zone has been replicated across.
On 5/15/07, Almeida Pinto, Jorge de <jorge.de.almeida.pinto@logicacmg.com> wrote:

If _MSDCS.. is a sub-domain of . and you have not set up forwarding and/or secondary zones, you will experience issues with name resolution and even with replication....

A common configuration for a W2K3 AD env. is:
- . -> repl. scope in domain-wide DNS app NC of forest root domain (replicates to all DCs in the domain that ALSO host DNS services)
- _msdcs.. -> repl. scope in forest-wide DNS app NC (replicates to all DCs in the forest that ALSO host DNS services)
- . or .. -> repl. scope in domain-wide DNS app NC of its own domain (replicates to all DCs in the domain that ALSO host DNS services)
- On DNS servers in a parent domain configure DNS delegation for the child domain
- On DNS servers in a child domain configure DNS forwarding to the parent domain. You can configure this on a per server basis or configure forwarding within AD. For the latter you cannot use the DNS GUI, but you must use the DNSCMD CLI-tool. (DnsCmd /ZoneAdd /DsForwarder /DP [FQDN | domain | forest | legacy])
Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Addr. : Kennedyplein 248, 5611 ZT, Eindhoven
Addr. : P.O. Box 7089, 5605 JB, Eindhoven
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
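Deji's rewritten topology and Jorge's configuration both come down to the same two settings: a delegation for the child zone on the parent's DNS servers, and forwarders on the child's DNS server pointing back at the parent. The Python below is an added toy resolver, not code from the thread or from the Windows DNS Server, that models exactly those two mechanisms (plus the parent's own forwarders to an ISP resolver and CNAME chasing), so the effect of leaving the delegation out can be seen: the parent then answers an authoritative NXDOMAIN for any name under the child zone, which is the response hboogz's workstation got. Server names and addresses are taken from the thread; the ISP server and www.example.net (203.0.113.10, documentation address space) are constructed.

```python
"""Toy model of the delegation-plus-forwarding layout described in the thread.

Added illustration, not code from the thread or any product. Each Server
answers from the zones it hosts, hands delegated child zones off to the
child's server (what the NS/A records created by "New Delegation" do), and
sends everything else to its forwarders. No root hints are modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RR = Tuple[str, str]                                  # (type, rdata)
Answer = Tuple[str, List[Tuple[str, str, str]]]       # (rcode, [(owner, type, rdata)])


@dataclass
class Server:
    name: str
    zones: Dict[str, Dict[str, RR]]                   # zone -> owner name -> RR
    delegations: Dict[str, "Server"] = field(default_factory=dict)
    forwarders: List["Server"] = field(default_factory=list)

    @staticmethod
    def _in(qname: str, zone: str) -> bool:
        return qname == zone or qname.endswith("." + zone)

    def query(self, qname: str, depth: int = 0) -> Answer:
        if depth > 8:                                 # CNAME or forwarding loop
            return "SERVFAIL", []
        # 1. A delegated child zone: the parent's NS records send us there.
        for child, child_srv in self.delegations.items():
            if self._in(qname, child):
                return child_srv.query(qname, depth + 1)
        # 2. A zone we host: answer, or state authoritatively that it is absent
        #    (the SOA of that zone is what shows up in the authority section).
        zone = max((z for z in self.zones if self._in(qname, z)), key=len, default=None)
        if zone is not None:
            rr = self.zones[zone].get(qname)
            if rr is None:
                return "NXDOMAIN", []
            rtype, rdata = rr
            if rtype == "CNAME":                      # chase the alias
                rcode, rest = self.query(rdata, depth + 1)
                return rcode, [(qname, "CNAME", rdata)] + rest
            return "NOERROR", [(qname, rtype, rdata)]
        # 3. Not ours: hand it to the forwarders in order.
        for fwd in self.forwarders:
            rcode, rrs = fwd.query(qname, depth + 1)
            if rcode != "SERVFAIL":
                return rcode, rrs
        return "SERVFAIL", []


def build_lab(delegate: bool = True) -> Tuple[Server, Server]:
    """Parent (phdc1) and child (phjacdc1) servers, with or without the delegation."""
    isp = Server("isp", {"example.net": {"www.example.net": ("A", "203.0.113.10")}})
    parent = Server("phdc1.phippsny.org",
                    {"phippsny.org": {"phdc1.phippsny.org": ("A", "192.168.1.1")}},
                    forwarders=[isp])                 # parent forwards to the ISP
    child = Server("phjacdc1.jacwf.phippsny.org",
                   {"jacwf.phippsny.org": {
                       "phjacdc1.jacwf.phippsny.org": ("A", "192.168.31.3"),
                       "aaracena.jacwf.phippsny.org": ("A", "192.168.31.250"),
                       "angel.jacwf.phippsny.org": ("CNAME", "aaracena.jacwf.phippsny.org"),
                   }},
                   forwarders=[parent])               # child forwards back to the parent
    if delegate:
        parent.delegations["jacwf.phippsny.org"] = child
    return parent, child


if __name__ == "__main__":
    for delegated in (False, True):
        parent, child = build_lab(delegated)
        print("with delegation" if delegated else "no delegation",
              parent.query("angel.jacwf.phippsny.org"),
              child.query("phdc1.phippsny.org"),
              child.query("www.example.net"))
```

With the delegation in place a query for angel.jacwf.phippsny.org at the parent is handed to the child, which returns the CNAME and the A record; without it the parent rejects the name from its own phippsny.org zone. The child never needs anything but its forwarders to reach parent-domain names or the Internet, which is why Deji and Jorge have it forward to the parent rather than point its NIC at the parent's DNS.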
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz
Sent: Friday, May 04, 2007 22:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DNS Child Domain Settings ?

ok. what I figured.. I've made the change to the child, but for some reason I still get this error from dcdiag from the DNS servers in the root domain.

Testing server: jacwf\PHJACDC1
   Starting test: Connectivity
      * Active Directory LDAP Services Check
      The host 9a01e97a-0554-4b47-b4cc-587bf6105197._msdcs.phippsny.org could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
      ......................... PHJACDC1 failed test Connectivity

I've also read about delegating the ._msdcs.company.org zone --- should this be a possible solution? I've just converted to ad-integrated zones from all standard primary and secondary zones...

On 5/4/07, Brian Desmond wrote:

What they're saying is you should set the forwarders on the child domain DNS server to be the parent domain DNS servers.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of hboogz [hboogz@gmail.com]
Sent: Friday, May 04, 2007 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DNS Child Domain Settings ?

I'd like some clarification on how the following excerpt from a searchwinit.com article should be interpreted and implemented.

"In a parent/child domain environment, there should be an authoritative name server in each child domain. All clients (workstations, servers, DCs) in that domain should point to this name server for a DNS. To make this work, you must create a delegation for the child domain in the root domain and add the IP address of all DNS servers in the child domain to that delegation. In addition, in the child domain's name servers, they must forward back to the parent's DNS servers."

I have a parent/child domain setup. I've set up the delegation in the parent/root domain DNS server and pointed the delegation to the single DNS server in the child domain (which is a win2k3 r2 ad box).

I don't quite follow the "forward back to the parent's DNS servers" part. In my root domain I have two dns/ad-integrated zones/ad servers. In the child domain I have a single ad/dns/ad-int zone'd box -- should I adjust its (child dns/ad box) nic to point back to one of the root domain DNS servers and the secondary point to itself (child dns/ad) and set up forwarders to just point back to the root domain's DNS servers? I'm having some weird exchange/owa issue with only child domain users, and of course I'm thinking it could be dns related, hence the above. As always, thanks.