Question
Tuesday, July 7, 2020 10:35 PM
Hello,
I have software that uses DNS and reverse DNS of the company domain to work properly.
At the moment, in the company, there are two domain controllers.
Both of them have AD, DHCP and DNS services.
I would like to improve, if it is possible, the DNS replication time between these two domain controllers.
These two DCs are in the same VLAN.
How can I check it?
Is it possible to decrease DNS replication time?
How can I check if everything about DNS works properly?
Thanks so much!
Federico
All replies (8)
Thursday, July 9, 2020 10:35 AM ✅Answered
In addition, DNS replication is an AD replication related question, so please feel free to post it in the AD forum. I have also consulted with an AD engineer and confirmed that there is no way to improve DNS replication time within the same site.
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, July 8, 2020 2:02 AM
You can run this command from one of your DCs:
dcdiag /test:dns /v /s:localhost
If you are running Active Directory-integrated zones (which you probably are), since these DCs are in the same VLAN and most likely in the same AD site, intra-site replication will happen pretty frequently, if not immediately.
Seth
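Seth's reply raises two things worth checking rather than assuming: that the zone really is AD-integrated (and in which partition it lives), and how long a change actually takes to show up on the other DC. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation. It uses the DC and zone names posted later in the thread; the probe record name and IP address are constructed for the example. Note that the end-to-end latency it measures includes the DNS service's own polling of the directory (exposed as PollingInterval by Get-DnsServerDsSetting), not just AD replication between the two DCs.

```powershell
# Added example (not from the thread): check zone type and replication health,
# then time how long a record written on one DC takes to appear on the other.
# Assumes the DnsServer and ActiveDirectory RSAT modules are installed and the
# caller has DNS admin rights. Hostnames/zone come from the thread; the probe
# record name and its IP are assumptions made for this example.
param(
    [string]$SourceDc = 'pe-dc-001.pe.local',
    [string]$TargetDc = 'pe-dc-002.pe.local',
    [string]$Zone     = 'PE.local',
    [string]$TestName = 'dnsrepl-probe',     # hypothetical probe record
    [int]$TimeoutSec  = 300
)

# 1. Confirm the zone is AD-integrated on both DCs and see its replication scope.
#    DomainDnsZones/ForestDnsZones replicate with the AD site topology; a
#    file-backed primary/secondary zone uses zone transfers instead.
foreach ($dc in $SourceDc, $TargetDc) {
    Get-DnsServerZone -ComputerName $dc -Name $Zone |
        Select-Object @{n='DC';e={$dc}}, ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
    # How often this DNS service re-reads zone data from the directory (seconds).
    Get-DnsServerDsSetting -ComputerName $dc |
        Select-Object @{n='DC';e={$dc}}, PollingInterval
}

# 2. Last successful inbound replication per partner and partition.
Get-ADReplicationPartnerMetadata -Target $SourceDc -PartnerType Both |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. Empirical probe: add a record on SourceDc, poll TargetDc directly
#    (-DnsOnly bypasses the local resolver cache), then always remove the record.
$probeIp = '10.255.255.254'    # constructed, unused address for the probe
Add-DnsServerResourceRecordA -ComputerName $SourceDc -ZoneName $Zone `
    -Name $TestName -IPv4Address $probeIp -TimeToLive 00:01:00
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$hit = $null
try {
    do {
        $hit = Resolve-DnsName -Name "$TestName.$Zone" -Server $TargetDc -Type A `
                   -DnsOnly -ErrorAction SilentlyContinue
        if ($hit -and ($hit.IPAddress -contains $probeIp)) { break }
        $hit = $null
        Start-Sleep -Seconds 2
    } while ($sw.Elapsed.TotalSeconds -lt $TimeoutSec)

    if ($hit) { 'Record visible on {0} after {1:N1} s' -f $TargetDc, $sw.Elapsed.TotalSeconds }
    else      { "Record NOT visible on $TargetDc within $TimeoutSec s; inspect 'repadmin /showrepl'" }
}
finally {
    Remove-DnsServerResourceRecord -ComputerName $SourceDc -ZoneName $Zone `
        -Name $TestName -RRType A -Force
}
```

Run it from a workstation or DC with RSAT as a domain admin. If step 1 shows IsDsIntegrated false, the question is about zone transfers rather than AD replication, and the rest of the thread's advice does not apply.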
Wednesday, July 8, 2020 2:28 AM
Hi Federico,
Thanks for your posting here.
>>These two DC are in the same VLAN.
How can I check it?
Is it possibile decrease DNS replication time?
Could you please tell us whether the two DCs are in the same site or in different sites? If they are in the same site, DC replication speed is very fast and you don't need to improve it. If they are in different sites, you could refer to the following article to speed up DC replication:
https://www.mowasay.com/2017/08/speed-up-active-directory-dns-replication-between-sites/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
>>How can I check if all, about DNS, work properly?
You can run the dcdiag command using the option /test:DNS. Test options include a DNS basic test and tests for forwarders and root hints, delegation, DNS dynamic updates, DNS record registration, and Internet name testing.
In addition, since your question is more related to AD replication, which our forum doesn't focus on, if you have other questions about AD replication, I would suggest you post them in the AD forum for better answers. Here is the link:
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents.
Best Regards,
Candy
Thursday, July 9, 2020 5:18 AM
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Candy
Thursday, July 9, 2020 8:16 AM
Hi all,
thanks for your replies.
I have new information about this topic.
@Seth I have run the "dcdiag /test:dns /v /s:localhost" command on a Domain Controller.
This is the output:
Directory Server Diagnosis
Performing initial setup:
* Connecting to directory service on server localhost.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=PE,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=PE,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=PE-DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=DC-002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PE-DC-001
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
.........................DC-001 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PE-DC-001
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... PE-DC-001 passed test DNS
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : PE
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : PE.local
Starting test: DNS
Test results for domain controllers:
DC: PE-DC-001.PE.local
Domain: PE.local
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2016 Datacenter (Service Pack level: 0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Microsoft Hyper-V Network Adapter:
MAC address is 00:15:5D:A5:9A:01
IP Address is static
IP address: 172.29.40.11
DNS servers:
127.0.0.1 (pe-dc-001.pe.local.) [Valid]
172.29.40.12 (pe-dc-002.pe.local.) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
8.8.4.4 (<name unavailable>) [Valid]
8.8.8.8 (<name unavailable>) [Valid]
TEST: Delegations (Del)
Delegation information for the zone: PE.local.
Delegated domain name: _msdcs.PE.local.
DNS server: pe-dc-001.pe.local. IP:172.29.40.11 [Valid]
DNS server: pe-dc-002.pe.local. IP:172.29.40.12 [Valid]
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone PE.local
Test record dcdiag-test-record deleted successfully in zone PE.local
TEST: Records registration (RReg)
Network Adapter [00000001] Microsoft Hyper-V Network Adapter:
Matching CNAME record found at DNS server 172.29.40.11:
d7d7aaf2-319a-49b3-85b3-0e82ede30113._msdcs.PE.local
Matching A record found at DNS server 172.29.40.11:
PE-DC-001.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.24075cd3-f20b-4e8e-a2fc-013a5d19fbf4.domains._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kerberos._tcp.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kerberos._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kerberos._udp.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kpasswd._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_kerberos._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.gc._msdcs.PE.local
Matching A record found at DNS server 172.29.40.11:
gc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_gc._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.11:
_ldap._tcp.pdc._msdcs.PE.local
Matching CNAME record found at DNS server 172.29.40.12:
d7d7aaf2-319a-49b3-85b3-0e82ede30113._msdcs.PE.local
Matching A record found at DNS server 172.29.40.12:
PE-DC-001.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.24075cd3-f20b-4e8e-a2fc-013a5d19fbf4.domains._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kerberos._tcp.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kerberos._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kerberos._udp.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kpasswd._tcp.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_kerberos._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.gc._msdcs.PE.local
Matching A record found at DNS server 172.29.40.12:
gc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_gc._tcp.Default-First-Site-Name._sites.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.PE.local
Matching SRV record found at DNS server 172.29.40.12:
_ldap._tcp.pdc._msdcs.PE.local
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 172.29.40.11 (pe-dc-001.pe.local.)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS delegation for the domain _msdcs.PE.local. is operational on IP 172.29.40.11
DNS server: 172.29.40.12 (pe-dc-002.pe.local.)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS delegation for the domain _msdcs.PE.local. is operational on IP 172.29.40.12
DNS server: 8.8.4.4 (<name unavailable>)
All tests passed on this DNS server
DNS server: 8.8.8.8 (<name unavailable>)
All tests passed on this DNS server
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: PE.local
PE-DC-001 PASS PASS PASS PASS PASS PASS n/a
......................... PE.local passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
@Candy
I had a look in "Active Directory Sites and Services".
I have seen that two domain controller servers are in the "Default-First-Site-Name".
*In addition, since your question is more related to AD replication, which our forum doesn't focus on. If you have other questions about AD replication, I would suggest you post them in the AD forum for better answers.
*Thanks for this suggestion. I asked in this forum because it is about DNS.
Best regards
Federico
Thursday, July 9, 2020 8:34 AM
Hi Federico,
Thanks for your update.
>>I had a look in "Active Directory Sites and Services".
I have seen that two domain controller servers are in the "Default-First-Site-Name".
From the picture you posted, I did not see anything wrong. And since the two DCs are in the same site, you don't need to decrease AD replication time.
What exactly is the problem now?
Best Regards,
Candy
Thursday, July 9, 2020 9:35 AM
Hi Candy,
Thank you for your answer.
An external SSO authentication system asked me to verify DNS replication, since this system, within the network, uses DNS and reverse DNS to identify computers on the network.
I asked whether there are any possible improvements to increase the performance of this SSO system.
This SSO for computer authentication uses Active Directory, because the laptops are joined to the domain.
I hope to be clear.
Thank you!
Federico
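The SSO system described above identifies a host by its forward and reverse DNS records, so what matters operationally is that every domain-joined computer resolves consistently on both DCs, not the raw replication interval. The dcdiag run above tested only one of the two DCs ("Found 2 DC(s). Testing 1 of them.") and did not touch the reverse zone at all. The script below is an added example, not from the thread; it queries each DC directly and reports hosts whose A and PTR records disagree or that differ between the two servers. DC names come from the thread; the ActiveDirectory RSAT module is assumed. It verifies consistency only: a PTR record identifies a host only as well as the reverse zone's update permissions do, so it is not an authentication signal on its own.

```powershell
# Added example (not from the thread): forward/reverse DNS consistency check for
# domain-joined computers, queried against each DC separately so a stale replica
# or a missing reverse zone shows up. Assumes the ActiveDirectory RSAT module;
# DC names are taken from the thread.
$DnsServers = 'pe-dc-001.pe.local', 'pe-dc-002.pe.local'

function Test-ForwardReverseMatch {
    # Returns one object per A record: OK, NO_A, NO_PTR or PTR_MISMATCH.
    param([string]$Fqdn, [string]$Server)

    $aRecords = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
    if (-not $aRecords) {
        return [pscustomobject]@{ Host=$Fqdn; Server=$Server; IP=$null; PTR=$null; Status='NO_A' }
    }
    foreach ($rec in $aRecords) {
        # Resolve-DnsName accepts a bare IP for PTR lookups and builds the in-addr.arpa name.
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        $status = if (-not $ptr)                          { 'NO_PTR' }
                  elseif ($ptr.NameHost -notcontains $Fqdn) { 'PTR_MISMATCH' }   # case-insensitive compare
                  else                                     { 'OK' }
        [pscustomobject]@{
            Host   = $Fqdn
            Server = $Server
            IP     = $rec.IPAddress
            PTR    = ($ptr.NameHost -join ',')
            Status = $status
        }
    }
}

# Enabled computer accounts that have a DNSHostName attribute.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
             Where-Object DNSHostName |
             Select-Object -ExpandProperty DNSHostName

$results = foreach ($dc in $DnsServers) {
    foreach ($fqdn in $computers) { Test-ForwardReverseMatch -Fqdn $fqdn -Server $dc }
}

# Hosts whose forward/reverse records do not line up on at least one DC.
$results | Where-Object Status -ne 'OK' | Sort-Object Host, Server | Format-Table -AutoSize

# Hosts that answer differently depending on which DC is asked: replication lag
# or a record that was updated on one server and never propagated.
$results | Group-Object Host | Where-Object {
    (($_.Group.IP     | Select-Object -Unique).Count -gt 1) -or
    (($_.Group.Status | Select-Object -Unique).Count -gt 1)
} | ForEach-Object { "Inconsistent between DCs: $($_.Name)" }
```

A clean run prints nothing from either report. NO_PTR across the board usually means no reverse lookup zone exists for the subnet or that DHCP/clients are not registering PTR records, which replication tuning will not fix.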
Thursday, July 9, 2020 10:04 AM
Hi ,
From the perspective of DNS replication, there is no problem in your environment, and generally the replication time within the same site will normally not exceed 18 seconds. You don't need to improve DNS replication when the two DCs are in the same site.
For the SSO system, please understand that I am not familiar with it. You would do better to consult an SSO engineer for further help. In your current environment, there is no need to perform improvements on DNS replication when the two DCs are in the same site.
Hope this helps you understand better. If anything is unclear, please feel free to let me know.
Best Regards,
Candy