AD00000582 (Posts: 0) | 05/17/2006 1:09 AM

At the very least it (DNS) should be on ONE of the DCs.

I personally do not have an issue with DNS running on all of my DCs - -- which it is. I have heard/read all the arguments for and against. I still have no issue - - (Searching for wood to knock) I've not had an issue/conflict once.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Krenceski, William
Sent: Wednesday, May 17, 2006 7:38 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] DNS on a DC or NOT

I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560 PCs, on 8 networks (some remote, some VLANs). I have 2 DCs at my main site with one at each remote site. All DCs are GC and DNS. I always thought that in order for DNS to work as AD integrated your DNS servers had to be DCs. If that is NOT true my face is red for believing so for so long.

William Krenceski
Network Administrator
wkrenceski@xxxxxxx

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
AD00000928 (Posts: 0) | 05/17/2006 1:23 AM

I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560 PCs, on 8 networks (some remote, some VLANs). I have 2 DCs at my main site with one at each remote site. All DCs are GC and DNS. I always thought that in order for DNS to work as AD integrated your DNS servers had to be DCs. If that is NOT true my face is red for believing so for so long.

William Krenceski
Network Administrator
wkrenceski@xxxxxxx
wkrenceski (Posts: 0) | 05/17/2006 1:29 AM

This one
http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ASB
Sent: Wednesday, May 17, 2006 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT

Which blog entry...

-ASB
AD000001545 (Posts: 0) | 05/17/2006 1:46 AM

Let me put that into perspective (and from reading the post again I thought it came across): the blog entry refers to networks with a large client load. I don't mean do NOT have DNS on your server; it recommends (Option 2) releasing some of the load with the two registry settings, i.e. *LdapSrvPriority* and *LdapSrvWeight*, which is explained in the entry :) These settings I have only ever used on large networks when I have noticed a large amount of DNS traffic being routed to the PDC DNS Service. :) Does that explain the post? If not, just let me know what more information you need and I will explain it :)

Carlos Magalhaes
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
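The two Netlogon values Carlos names, LdapSrvPriority and LdapSrvWeight, become the priority and weight fields of the SRV records a DC registers, and clients choose among those records the RFC 2782 way. The simulation below is an added example (not code from the thread or from the blog entry): the three DC names and the values of 10 used for weight and priority are constructed, while the defaults of 0 and 100 and the registry location come from Microsoft's Netlogon documentation rather than from this page.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as Netlogon would register it for a DC."""
    target: str
    priority: int          # lower value is preferred (RFC 2782)
    weight: int            # relative share among records of equal priority
    port: int = 389


def records_from_netlogon(settings):
    """Map per-DC Netlogon values to SRV records. `settings` is a dict of DC
    name -> {"LdapSrvPriority": n, "LdapSrvWeight": n}; keys that are absent
    take the Netlogon defaults (priority 0, weight 100), i.e. what a DC with
    no override under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters
    publishes."""
    return [
        SrvRecord(dc, int(v.get("LdapSrvPriority", 0)), int(v.get("LdapSrvWeight", 100)))
        for dc, v in settings.items()
    ]


def select_target(records, rng, down=frozenset()):
    """One client's choice per RFC 2782: restrict to the lowest priority value
    among reachable targets, then pick at random in proportion to weight."""
    live = [r for r in records if r.target not in down]
    if not live:
        raise LookupError("no domain controller reachable")
    lowest = min(r.priority for r in live)
    tier = [r for r in live if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:                       # all weights zero: uniform choice
        return rng.choice(tier).target
    pick = rng.randint(1, total)
    running = 0
    for r in tier:
        running += r.weight
        if running >= pick:
            return r.target
    return tier[-1].target               # not reached, since pick <= total


def expected_share(records, down=frozenset()):
    """Analytic fraction of client binds each DC should receive."""
    live = [r for r in records if r.target not in down]
    lowest = min(r.priority for r in live)
    tier = [r for r in live if r.priority == lowest]
    total = sum(r.weight for r in tier)
    share = {}
    for r in live:
        if r.priority != lowest:
            share[r.target] = 0.0        # only used once the whole lower tier is down
        elif total == 0:
            share[r.target] = 1.0 / len(tier)
        else:
            share[r.target] = r.weight / total
    return share


def simulate(records, clients, seed=1, down=frozenset()):
    """Empirical shares from `clients` independent selections (seeded)."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, rng, down) for _ in range(clients))
    return {r.target: counts[r.target] / clients for r in records}


# Constructed site: three DCs, dc1 holds the PDC emulator role (names and
# values are made up for this example).
DEFAULT = records_from_netlogon({"dc1": {}, "dc2": {}, "dc3": {}})
# Trim the PDC's share of binds by lowering its weight only
REWEIGHTED = records_from_netlogon({"dc1": {"LdapSrvWeight": 10}, "dc2": {}, "dc3": {}})
# Keep clients off the PDC entirely unless every lower-priority DC is unreachable
DEPRIORITIZED = records_from_netlogon({"dc1": {"LdapSrvPriority": 10}, "dc2": {}, "dc3": {}})

if __name__ == "__main__":
    for label, recs in (("defaults", DEFAULT), ("weight 10", REWEIGHTED), ("priority 10", DEPRIORITIZED)):
        print(label, {k: round(v, 3) for k, v in simulate(recs, 10000).items()})
    print("priority 10 with dc2/dc3 down", simulate(DEPRIORITIZED, 1000, down={"dc2", "dc3"}))
```

What these values shift is the DC-locator traffic (which DC clients bind to for LDAP and Kerberos); the DNS server a client sends its lookups to still comes from its resolver configuration.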
listmail (Posts: 822) | 05/17/2006 1:56 AM

If your DNS is integrated, find a big piece of wood to knock on... Or keep it around to bang your head on later.

I'll run DNS on DCs if I have to. I will run it integrated if threatened badly enough.

I recently ran into a nasty DNS problem in an integrated DNS where DNS would start but wouldn't actually respond to anything. It appears to be related to a possible AD Replication bug I found though. I have to research a little more and see if it was one off or I can duplicate at will. Once I removed the items causing the issue replication worked again and DNS came back to life.

But enough about DNS, I don't speak about services that start with D. You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You get the drift. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Craig Cerino
Sent: Wednesday, May 17, 2006 9:05 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT

At the very least it (DNS) should be on ONE of the DCs.

I personally do not have an issue with DNS running on all of my DCs - -- which it is. I have heard/read all the arguments for and against. I still have no issue - - (Searching for wood to knock) I've not had an issue/conflict once.
AD00000928 (Posts: 0) | 05/17/2006 2:02 AM

This one
http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx
listmail (Posts: 822) | 05/17/2006 2:13 AM

So you are concerned about overall load then. This is something that is addressed in larger orgs often by segregating the PDC off in its own logical site which is hung off the main site it would normally be part of. That means it will usually not be used for autocoverage of other WAN sites and it will not become a large site bridgehead[1] and naturally avoided by any Exchange in that site if Exchange for some reason decides to beat on it due to some bad decision by an Exchange admin during configuration. This is especially helpful if you have a large legacy client load or lots of stupid applications that are using the old NET API (or WinNT provider) primarily which already overly target PDCs.

joe

[1] I recall asking way back at the 2003 RAP/RDP conference for a switch to say use all DCs but these special ones for bridgeheads, I would rather manage exceptions than manage the ones that are the ones to be used. Best is to be able to specify either way.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
AD000001290 (Posts: 0) | 05/17/2006 2:38 AM

Interesting stuff joe ......

Many of us have used ADI zones for many (well 7+) years now with little or no issue, in various orgs sizes and types.

I'd like to hear more about this issue, since IMO, ADI zones offer huge advantages to a typical org over BIND text files. [I won't expand upon these advantages here, since they are well documented.]

Have you encountered an isolated issue or a true show stopper which we should all sit up and take note of?? :)

With regard to running DNS on a DC - if an existing DNS implementation exists that can support AD, then use it. Otherwise, I see DNS as a VERY minor overhead, compared with the other services that a DC provides and would not hesitate to install DNS on a (or indeed every) DC.

my 2 penneth.

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
wkrenceski (Posts: 0) | 05/17/2006 2:48 AM

I'm clear now...

Yeah, our infrastructure is very tiny compared to what you were referencing. I believe a little tweaking the registry will at least allow us to share the load a little better.

As for Joe.....we actually are AD Integrated DNS and have been since win2k came out. I don't have any wood handy but I have plenty of Formica around me just in case. If there were an environment that Microsoft was built for it is ours. Most of the problems that come up on this list are directed at much larger environments, for which I am thankful. I get a lot of good info from the list and am thankful that you guys take time out of your day to answer our questions.
JefTek (Posts: 52) | 05/17/2006 3:14 AM

We have it on all of our DCs as well worldwide and have not seen an issue.

But a question about integrated zones. I had an issue recently where a system owner wanted to know if people were resolving an old CNAME for one of their systems. They wanted to remove it from the zone, but wanted to verify it was not being used.

I thought about putting auditing on for the CNAME in question, and then just collect the logs from the DNS servers. Unfortunately it was a non-integrated zone and this could not be done. :(

Does anyone use DNS Application partitions for certain zones?

Date: Wed, 17 May 2006 09:56:16 -0400
From: abaker@xxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT

Depending on how many DCs you have in your environment, this might be a non-issue overall.

We have DNS on all our DCs, and no adversity has been observed thus far...

-ASB
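One way to answer JefTek's question (is anyone still resolving the old CNAME?) without object auditing is to enable the DNS Server debug log for received packets and count the queries for that name per client. The parser below is an added example, not something from the thread: the sample lines, the alias oldserver.corp.example.com and the client addresses are constructed in the style of that debug log, and the column layout the regex assumes should be checked against your own log file.

```python
import re
from collections import Counter

# One packet line of the Windows DNS Server debug log (layout assumed here):
# date, time, thread id, PACKET, packet id, UDP/TCP, Snd/Rcv, remote IP, xid,
# Q/R, opcode (blank for a standard query), [flags], question type, and the
# question name written as (len)label(len)label(0).
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>[QR])\s+(?P<opcode>[A-Z]?)\s*\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_name(wire):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com' (lower-cased).
    Raises ValueError when a length prefix disagrees with its label."""
    labels = []
    for length, label in LABEL_RE.findall(wire):
        n = int(length)
        if n == 0:
            break
        if len(label) != n:
            raise ValueError(f"label length mismatch in {wire!r}")
        labels.append(label.lower())
    return ".".join(labels)


def parse_line(line):
    """Return the fields of a packet line as a dict, or None for any other
    line (log headers, truncated records)."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_name(rec["qname"])
    return rec


def lookups_for(lines, name):
    """Count received queries (Rcv + Q) for `name`, per client IP. Responses
    the server sent back carry the same name and are deliberately skipped."""
    wanted = name.rstrip(".").lower()
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["qr"] != "Q":
            continue
        if rec["qname"] == wanted:
            hits[rec["remote"]] += 1
    return dict(hits)


# Constructed sample (not from the thread): 'oldserver' is the alias slated for
# removal. Two clients still ask for it, one line is the server's own response,
# one query is for an unrelated name, and the last line is a log header.
SAMPLE_LOG = """\
5/17/2006 9:05:11 AM 0B7C PACKET  00000000026B7468 UDP Rcv 10.10.1.25      0002   Q [0001   D   NOERROR] A      (9)oldserver(4)corp(7)example(3)com(0)
5/17/2006 9:05:11 AM 0B7C PACKET  00000000026B7468 UDP Snd 10.10.1.25      0002 R Q [8085   A DR  NOERROR] A      (9)oldserver(4)corp(7)example(3)com(0)
5/17/2006 9:06:40 AM 0B7C PACKET  00000000026B7468 UDP Rcv 10.10.2.7       00a1   Q [0001   D   NOERROR] A      (3)www(4)corp(7)example(3)com(0)
5/17/2006 9:07:02 AM 0B7C PACKET  00000000026B7468 UDP Rcv 10.10.1.25      0003   Q [0001   D   NOERROR] A      (9)oldserver(4)corp(7)example(3)com(0)
5/17/2006 9:08:15 AM 0B7C PACKET  00000000026B7468 TCP Rcv 10.10.3.90      0004   Q [0001   D   NOERROR] A      (9)OLDSERVER(4)corp(7)example(3)com(0)
DNS Server log file creation at 5/17/2006 9:00:00 AM
""".splitlines()


def report(name="oldserver.corp.example.com", lines=SAMPLE_LOG):
    """Summary a zone owner can act on: who still resolves the name, how often."""
    hits = lookups_for(lines, name)
    return {"name": name, "clients": hits, "total": sum(hits.values())}


if __name__ == "__main__":
    print(report())
```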
skwan (Posts: 4) | 05/17/2006 3:22 AM

Oh ye of little faith.*

_____
* My personal views and not those of my employer, of course.
amulnick (Posts: 163) | 05/17/2006 3:29 AM

William figured it was best to leave it alone without registry tweaks (assuming anyone can read this email, I'm hoping I read that right - William, you likely don't have to worry about it.) Carlos was aiming that concept at people that have overloaded PDCe's and might need to off-load some services. You're not likely one of those folks and should consider leaving it as is.

I recently had an off-line conversation about Active Directory integrated DNS and have been considering filing a bug/dcr or sets of both. In large environments, active directory DNS can become an issue, especially over time. Logging is something that's next to impossible to get from it. The trade-off of course is the stellar replication model that integrated uses. Can be tough to decide which is better: the better replication and living with the ACL's/lack of logging etc.

Some areas it fits into well. I'm a fan, but there are trade-offs.
| AD000001545
Posts:0
 | | 05/17/2006 3:41 AM |
| Neil,
I don't agree with you. When you say "compared with the other services
that a DC provides", which services are you referring to? (I was referring
in my post to non AD "Suite" services, i.e. NOT AD Replication, FRS, DFS.) I would like to know what other services you are referring to...
Carlos Magalhaes
neil.ruston@xxxxxxxxxxxxx wrote:
Interesting stuff joe ......
Many of us have used ADI zones for many (well 7+) years now with
little or no issue, in various orgs sizes and types.
I'd like to hear more about this issue, since IMO, ADI zones offer
huge advantages to a typical org over BIND text files. [I won't expand
upon these advantages here, since they are well documented.]
Have you encountered an isolated issue or a true show stopper which we
should all sit up and take note of?? :)
With regard to running DNS on a DC - if an existing DNS implementation
exists that can support AD, then use it. Otherwise, I see DNS as a
VERY minor overhead, compared with the other services that a DC
provides and would not hesitate to install DNS on a (or indeed every) DC.
my 2 penneth.
Thanks,
neil
------------------------------------------------------------------------
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] *On Behalf Of *joe
*Sent:* 17 May 2006 14:55
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* RE: [ActiveDir] DNS on a DC or NOT
If your DNS is integrated, find a big piece of wood to knock on... Or
keep it around to bang your head on later.
I'll run DNS on DCs if I have to. I will run it integrated if
threatened badly enough.
I recently ran into a nasty DNS problem in an integrated DNS where DNS
would start but wouldn't actually respond to anything. It appears to
be related to a possible AD Replication bug I found though. I have to
research a little more and see if it was one off or I can duplicate at
will. Once I removed the items causing the issue replication worked
again and DNS came back to life.
But enough about DNS, I don't speak about services that start with D.
You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL
Server... You get the drift. ;)
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD00000333
Posts:0
 | | listmail
Posts:822
 | | 05/17/2006 4:19 AM |
| I would say that, in general, ADI zones probably work well
for most people. When it works and things are sunny everything is great, however
when the shape is more pear like it just adds unnecessary issues into the
puzzle. It is very much like most MSFT tech, when things work great, everyone is
happy, when it is broken, most people are at a complete loss of what to even
start to look at because of the levels of complexity[1].
The times I have mostly encountered problems a number of
things had cropped up and I was there to sort things out and having DNS and AD
twisted together like a ball of rubber bands made life extremely painful. I also
dislike all of that crap in AD. I look at AD for one primary overriding thing,
everything else is second. It is my NOS directory. It is there for people to log
on in the morning. Hence I want userids and passwords, everything else is
addons.
When I hit this recent "POSSIBLE BUG"[2] I have
found, let me reiterate POSSIBLE as I got about 18 offline emails already about
it, DNS was all crapped out[3] because of the AD Replication and the last thing
I needed was both AD replication and DNS dorked up at once, however, you don't
get much of a choice if everything is integrated. For instance, a replication
issue can go a little while without resolution, you just have some
inconveniences. If DNS is absolutely NOT responding, your level of pain and the
level of the issue has escalated dramatically, especially if that is your ONLY
DNS.
In scaled environments (read really really large and
decentralized for DNS) I have found that pushing DNS off to non-MSFT tool sets
is my preference. Again preference, sort of like I prefer to spell color as
color instead of as colour but prefer humour to humor. It isn't that I think it
is absolutely wrong like saying aluminum like aluminium. ;o) I feel that
delegated management of DNS is much better handled in BIND or QIP. I have even
seen in a small MSFT only environment (extranet forest for large
multinational) a case where MSFT integrated DNS was not working properly. I
didn't get much into the problem but when I got sick of hearing how much trouble
they kept running into I just told them to follow the corporate standard and
move to QIP. They had a couple of MSFT guys directly involved and they were
coming to bother me about it and I was like, I don't care, you aren't following
the corporate standard, I am not going to go try and figure out your one off.
Whatever problem they found, MSFT, or more accurately, the MSFT folks
involved weren't top shelf enough to work through it. And again... the thing
about services that start with D.
The security of the DNS entries doesn't bother me as I have
never personally encountered a case where someone was trying to hijack DC
records. Possibly if I ran into even a single case of that, it might be
something I would be concerned about.
Anyway, it is personal pref. First pref, not to use MSFT
DNS. Second pref if not getting the first is to not run integrated. Again
however, if in a completely MSFT shop (which I have never worked in), MSFT DNS
makes the most sense, you don't introduce complexity to not run MSFT DNS, that
would be insane.
You want an integrated DNS... Maybe MSFT should be putting
ADAM on DNS Member Servers. I could get behind running it integrated that way
though I still want to be able to say "I don't give a shit what else is
happening, give out addresses if you can start at all" and it needs to not be
something I have to go looking for on the web to enable. Oh and I should always
be able to run the management tools as well, there should not be any reason why
the management tools will not connect to a specific server. Maybe also you get
away from some of the silly security issues with ADI related to using security
principals that don't have domain affinity and could give some capability of real
DNS granular delegation like some products have.
joe
[1] I pray that if ADFS gets truly big, it never
breaks.
[2] What this possible bug may be related to is not
something most people would probably be doing, I was testing out some new
functionality of admod (Cross Domain moves) and did something that may
not normally be on a test matrix and my replication stopped dead but
repadmin wasn't reporting the stopped replication correctly. It could have been
a number of things, I am rebuilding a pristine environment to see if I can
duplicate the problem. Barring that I will go back to the non-pristine
environment and see if I can break it again. The key word here is possible, if I
had known for sure it was a for sure bug I would have said so. Emailing me
directly is not going to get any more info out of me on this than what I have
already given. :)
[3] Defined as started and running but not responding to anything.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Wednesday, May 17, 2006 10:23 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT
Interesting stuff joe ......
Many of us have used ADI zones for many (well 7+) years now
with little or no issue, in various orgs sizes and types.
I'd like to hear more about this issue, since IMO, ADI
zones offer huge advantages to a typical org over BIND text files. [I won't
expand upon these advantages here, since they are well
documented.]
Have you encountered an isolated issue or a true show
stopper which we should all sit up and take note of?? :)
With regard to running DNS on a DC - if an existing DNS
implementation exists that can support AD, then use it. Otherwise, I see DNS as
a VERY minor overhead, compared with the other services that a DC provides and
would not hesitate to install DNS on a (or indeed every) DC.
my 2 penneth.
Thanks,
neil | | | |
| listmail
Posts:822
 | | 05/17/2006 4:22 AM |
| Too bad you couldn't
enable request logging in DNS itself. Auditing the entry is only going to tell
you at least one thing asked for it, once in the cache, who knows how many
asked. Scale is everything. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jef Kazimer
Sent: Wednesday, May 17, 2006 10:37 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: Re: [ActiveDir] DNS on a DC or NOT
We have it on all of our DCs as well worldwide and have not seen an
issue. But a question about integrated zones. I
had an issue recently where a system owner wanted to know if people were
resolving an old CNAME for one of their systems. They wanted to remove it
from the zone, but wanted to verify it was not being used. I
thought about putting auditing on for the CNAME in question, and then just
collect the logs from the DNS servers. Unfortunately it was a non
integrated zone and this could not be done. :( Does anyone use DNS
Application partitions for certain
zones?
Date: Wed, 17 May 2006 09:56:16 -0400
From: abaker@xxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT
Depending on how many DCs you have in your environment, this might be a
non-issue overall.
We have DNS on all our DCs, and no adversity has been observed thus
far...
-ASB
On 5/17/06, Krenceski, William <wkrenceski@xxxxxxx> wrote:
This
one
http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ASB
Sent: Wednesday, May 17, 2006 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT
Which blog entry...
-ASB
| | | |
| listmail
Posts:822
 | | 05/17/2006 4:33 AM |
| Oh my... Stuart Kwan of the Ottawa Kwan clan.... Should
have known a thread combining DNS and AD could bring him out of the woodwork[1].
:)
Good to see your post Stuart. Come to share any
interesting tidbits? How about ADI DNS running on members with ADAM?
joe
[1] Good morning, gentleman, the temperature is 110 degrees.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Stuart Kwan
Sent: Wednesday, May 17, 2006 11:09 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT
Oh ye of little faith.*
_____
* My personal views and not those of my employer, of course.
| | | |
| listmail
Posts:822
 | | 05/17/2006 4:42 AM |
| Ah crap. There Al goes again. That didn't last
long.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Wednesday, May 17, 2006 11:26 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] DNS on a DC or NOT | | | |
| JefTek
Posts:52
 | | 05/17/2006 5:50 AM |
| joe,
I had considered the cache issue, but I figured that since it would be an integrated zone, it would exist on multiple DNS servers. So if each DNS server read the record once, it would generate enough audit flags to let us know it is still being used globally. :)
As I said, it was a standard primary zone, so it was not a viable option anyway. :(
I forget that auditing applies to integrated zones, so I never think of utilizing it anyway.
thanks,
Jef
From: listmail@xxxxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: Re: [ActiveDir] DNS on a DC or NOT
Date: Wed, 17 May 2006 12:13:49 -0400
Too bad you couldn't enable request logging in DNS itself. Auditing the entry is only going to tell you at least one thing asked for it, once in the cache, who knows how many asked. Scale is everything. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
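Joe's point in the exchange above (an audit entry on the record fires when a server first reads it; after that the cache answers silently, so auditing cannot tell you how much a name is still used) is what request logging addresses. The following is an added example, not code from the thread: a small Python script that counts inbound queries for a given name, per client and per query type, from DNS debug-log style lines. The line layout is an approximation of the Windows DNS debug log format, the sample records are constructed, and `count_queries` and the other function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real server). The layout
# approximates the Windows DNS server debug log: date/time, thread id, PACKET,
# packet id, protocol, Rcv/Snd, remote address, XID, 'R' on responses,
# opcode, [flags], query type, and the name in DNS label format. The last
# packet record carries a wrong label length to show how damaged lines are
# handled; the final line is not a packet record at all.
SAMPLE_LOG = """\
5/17/2006 10:37:01 AM 0F4C PACKET  00000000028A1E50 UDP Rcv 10.1.2.3        0001   Q [0001   D   NOERROR] A      (6)oldapp(7)example(3)com(0)
5/17/2006 10:37:01 AM 0F4C PACKET  00000000028A1E50 UDP Snd 10.1.2.3        0001 R Q [8081   DR  NOERROR] A      (6)oldapp(7)example(3)com(0)
5/17/2006 10:37:05 AM 0F4C PACKET  00000000028A2F10 UDP Rcv 10.1.2.3        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/17/2006 10:38:12 AM 0F4C PACKET  00000000028A3A00 UDP Rcv 10.1.7.9        0003   Q [0001   D   NOERROR] A      (6)OldApp(7)example(3)com(0)
5/17/2006 10:38:12 AM 0F4C PACKET  00000000028A3A00 UDP Snd 10.1.7.9        0003 R Q [8081   DR  NOERROR] A      (6)OldApp(7)example(3)com(0)
5/17/2006 10:40:00 AM 0F4C PACKET  00000000028A4B20 TCP Rcv 10.1.2.3        0004   Q [0001   D   NOERROR] CNAME  (6)oldapp(7)example(3)com(0)
5/17/2006 10:41:30 AM 0F4C PACKET  00000000028A5C30 UDP Rcv 10.1.7.9        0005   Q [0001   D   NOERROR] A      (5)oldapp(7)example(3)com(0)
this line is not a packet record and must be ignored
"""

# One packet record. The 'resp' group is present only on the server's own
# responses; 'op' is the opcode letter (Q for a standard query).
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+ \S+) (?P<thread>[0-9A-Fa-f]+) PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<client>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<op>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+"
    r"(?P<qname>(?:\(\d+\)[^\s()]+)*\(0\))\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(encoded):
    """'(6)oldapp(7)example(3)com(0)' -> 'oldapp.example.com' (lower-cased).

    The (n) prefix is the length of the label that follows; a mismatch means
    a damaged or truncated record, which is rejected rather than guessed at."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if length == "0":
            break
        if len(label) != int(length):
            raise ValueError("label length mismatch in %r" % encoded)
        labels.append(label.lower())
    return ".".join(labels) if labels else "."


def parse_line(line):
    """Return the fields of one packet record, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_queries(log_text, name):
    """Count inbound queries for `name`, per client and per query type.

    Only received (Rcv) query packets are counted: Snd records are the
    server's own answers and would double-count every lookup."""
    target = name.rstrip(".").lower()
    clients, qtypes = Counter(), Counter()
    malformed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["resp"] or rec["op"] != "Q":
            continue
        try:
            qname = decode_qname(rec["qname"])
        except ValueError:
            malformed += 1
            continue
        if qname != target:
            continue
        clients[rec["client"]] += 1
        qtypes[rec["qtype"]] += 1
    return {
        "total": sum(clients.values()),
        "clients": dict(clients),
        "types": dict(qtypes),
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = count_queries(SAMPLE_LOG, "oldapp.example.com")
    print("queries for oldapp.example.com: %d" % report["total"])
    for client, n in sorted(report["clients"].items()):
        print("  %-16s %d" % (client, n))
    print("  by type: %s, malformed records skipped: %d"
          % (report["types"], report["malformed"]))
```

Even server-side logs undercount, because each client resolver caches the answer for the record's TTL; a low count over a short window is not proof the name is unused, so collect from every server hosting the zone for at least one TTL before removing the record.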
| dwells
Posts:53
 | | 05/17/2006 6:54 AM |
| It's
not the thread's topic per se ... you inferred a criticism directed toward
his "@work" children ;0) ... haha
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, May 17, 2006 12:21 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] DNS on a DC or NOT
Oh my... Stuart Kwan of the Ottawa Kwan clan.... Should
have known a thread combining DNS and AD could bring him out of the
woodwork[1]. :)
Good to see your post Stuart. Come to share any
interesting tidbits? How about ADI DNS running on members with ADAM?
joe
[1] Good morning, gentleman, the temperature is 110 degrees.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |