Question
Wednesday, February 8, 2012 12:38 AM
Hello,
I recently took a position in which I am managing a multi-server environment. Previously I have experience with small businesses that normally have 1 DC and 1 DNS, so I am familiar with configuring DNS with forwarders out to the ISP's DNS. The environment I took over has some issues, such as one of the DCs being unable to resolve itself. I was able to clear the config and fix this, but logon to the AD is still slow and resolving addresses also seems slow.
The environment has 3 Domain Controllers, all running DNS, domain integrated. There are no forwarders set up; the checkbox for "use root hints" is selected and it appears the default root hints are there. I have never set up DNS like this so I am really not sure if this is correct or if I should be doing something different. One of the domain controllers is going away shortly, and then we will be down to 2, so I was thinking of just setting up forwarders on the two and having one as the primary and one the secondary... I cannot really find much information on the web on what is correct and what is not. I am looking for suggestions and/or a suggestion of where to research best practices on this.
Thanks
All replies (12)
Wednesday, February 8, 2012 1:32 AM
There is no correct or incorrect answer with regard to DNS configuration. It depends on your needs. For your scenario, you can definitely go either way. If you want to use the root hints, or set them up as forwarders, it's up to you. Many admins like to forward to their ISP's DNS, or public DNS servers. I usually do not go with that configuration.
Generally, in an infrastructure with many DNS servers, you may want to have 2 in the datacenter that use root hints. The other DNS servers in the org will forward to these two so that they can take advantage of caching and reducing network bandwidth to the internet with regard to DNS requests.
If you are having slow logon time and you think it's DNS related, make sure that you do not have a DNS "flow" problem. In your case, it doesn't sound like it, but I have seen others that would point the DNS to their router, and then their router points to their internal DNS, which then forwards to the ISP.
Guides and tutorials, visit ITGeared.com.
Wednesday, February 8, 2012 7:56 AM
Hi,
Thanks for posting here.
Agree with Jorge. Just FYI, if we are going to set external name resolution by using a forwarder instead of root hints, then we have to first delete the root "." zone on that DNS server; please refer to the suggestions in the KB article below:
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/kb/825036/
Thanks.
Tiger Li
TechNet Community Support
Wednesday, February 8, 2012 8:10 AM | 1 vote
Hi PCGuy1184,
In case you have multiple DNS servers, certain practices always help:
1. One primary DNS server should point only to itself for DNS name resolution.
2. All other DNS servers point to primary DNS servers and then to itself for DNS name resolution.
3. You should configure forwarders on all DNS server in order to resolve external names more quickly.
For this DC not able to resolve itself, please check the DNS pointing on this and correct it as per my recommendations. Then do an ipconfig /registerdns and restart the netlogon service. This should get all the records registered in DNS and should take care of slow logon issues.
Also you might have to manually create Host(A) record with no names for just Domain Name Resolution to happen in case they are not there.
You can also look at these links for more info:
http://technet.microsoft.com/en-us/library/cc778439(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794767(WS.10).aspx
Thanks
Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you
Wednesday, February 8, 2012 1:03 PM
Everyone,
Thank you very much for the information. I will start looking into this information and squaring up my environment. From the sounds of it, neither way is technically wrong, it's just the preference of the administrator?
I have also noticed something else strange last night. I have a few Linux machines that I am unable to ping by name. I created host A records for them and can perform an NSLookup successfully, but I am still unable to ping by name. Is this normal? The firewall is not blocking it as I can connect/ping by IP address.
Wednesday, February 8, 2012 2:14 PM
Hi PCGuy1184,
That depends on how you're pinging, and if there is a Search Suffix on the machine. For example, if your AD DNS domain name is domain.com, then all machines joined to your domain will have a Primary DNS Suffix of domain.com, which will also be applied to the machine as its Search Suffix. Therefore, from such a machine, if you ping machine1, the search suffix will be appended, resulting in a lookup of machine1.domain.com, which it will then send to DNS and will resolve from the DNS zone, domain.com.
If pinging a single name without a suffix, then one of two things will happen. If there is no search suffix on a Windows machine, it will assume NetBIOS, so it will be a broadcast, also assuming WINS is not in play.
The best way to answer it for you is to see an ipconfig /all from the workstation you want to ping, the name you're pinging, and if the hostname you are pinging exists under the zone.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
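The suffix behaviour Ace describes above, modelled as an added example (not code from the thread or from Microsoft): the function returns the FQDNs a Windows client would actually send to DNS for a typed name, so you can see why a short name for a Linux host resolves only when the client's suffix lands in the zone that holds the A record. domain.com, corp.local and the record set are constructed sample data; DNS name devolution is deliberately omitted.

```python
# Added example: how the Windows DNS client turns the name typed into
# "ping" into the queries it sends. Constructed sample records, keyed by
# fully qualified name without the trailing dot.
ZONE_RECORDS = {
    "machine1.domain.com": "172.27.18.10",
    "linuxbox.domain.com": "172.27.18.20",
}

def candidate_names(name, primary_suffix=None, search_list=()):
    """Return the FQDNs a Windows client will try, in order.

    - A name ending in '.' is fully qualified and is tried as-is.
    - Otherwise each search-list suffix is appended; if no search list
      is configured the primary DNS suffix is used instead.
    - A name with no suffix available yields [], meaning the client
      falls back to NetBIOS (broadcast/WINS) and never queries DNS.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = list(search_list) or ([primary_suffix] if primary_suffix else [])
    return [f"{name}.{s}" for s in suffixes]

def resolve(name, primary_suffix=None, search_list=(), records=ZONE_RECORDS):
    """Resolve like the client would: the first candidate with an A record wins.

    Returns (fqdn_queried, ip), or (None, None) when no query reaches a
    zone that holds the record.
    """
    for fqdn in candidate_names(name, primary_suffix, search_list):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None, None

if __name__ == "__main__":
    # Domain-joined client: the short name picks up the suffix and resolves.
    print(resolve("linuxbox", primary_suffix="domain.com"))
    # Client with no suffix at all: nothing is sent to DNS.
    print(resolve("linuxbox"))
    # Client with a different suffix: the query lands in the wrong zone.
    print(resolve("linuxbox", primary_suffix="corp.local"))
    # Fully qualified name works regardless of suffix.
    print(resolve("machine1.domain.com."))
```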
Wednesday, February 8, 2012 2:22 PM | 1 vote
In addition to JM and Tiger's, and exMS's suggestions, maybe the following diagram will help a bit with your AD DNS infrastructure? It shows a wireless AP and port translations for VPN, if that is needed, too, but if not, at least the DNS settings may help? And note, this is just a serving suggestion, as when you buy pre-packed food with a picture on the box. :-)
Ace Fekay
Wednesday, February 8, 2012 9:01 PM
So guys, here are my findings, and I actually found another DNS server after reviewing more and more. I just walked into this job and there is really no documentation; also the IP schema is messed up. Here is the information I found:
OldDC - Primary Integrated DNS IP 204.130.217.9 / 172.27.21.50 (Do not know what this address is for) - also performs DHCP for 204.130.217.x network.
DNS1 - 204.130.217.22 (DC01)
DNS2 - 204.130.217.23 (DC02)
DC-01 - Primary Integrated DNS IP 204.130.217.22
DNS1 - 204.130.217.22 (DC01)
DNS2 - 204.130.217.9 (OldDC)
DC-02 - Primary Integrated DNS IP 204.130.217.23
DNS1 - 204.130.217.22 (DC01)
DNS2 - 204.130.217.23 (DC02)
Mail - Secondary DNS IP 172.27.18.4 - It is also an Exchange Server.
DNS1 - 172.27.18.4
DNS2 - 204.130.217.9
DHCP for the 204.130.217.x is giving out
DNS1 - 204.130.217.22 (DC01)
DNS2 - 204.130.217.23 (DC02)
DHCP for the 172.27.x.x is giving out
DNS1 - 204.130.217.9
DNS2 - 172.27.18.4
There are no forwarders setup so it is using root hints. Which appear to all be the defaults "a.root-servers.net - m.root-servers.net". Also the Mail server which is acting as a secondary is not listed under the msdcs.domain.local as a name server.
The plan is to remove the OldDC completely, but right now it is handing out DHCP and is also the print server, so that will need to be migrated later. The environment is only 150 PCs currently, with plans to add about 100 more machines by the end of next year.
My thoughts are to remove the OldDC (.9) from name servers and stop pointing any devices to that server for DNS. Set all of my devices/DHCP to point to DC-01 and then to DC-02, then set forwarders on DC-01 and DC-02 to point to my ISP, so in the end all devices will point to .22/.23. Then remove the DNS services from the Mail server, as I don't see why the mail server would be running DNS.
After all of the information given, does my strategy seem correct? Sorry, as I said at the beginning, I have never worked in an environment like this before and I am very "shy" to make the decision on my own, as I really don't want to screw something up and bring the whole place down while I scramble to fix my mess. So I am trying to be very cautious and map out my plan before I implement.
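As an added example (not code from the thread), the pointing rules from the earlier reply (the primary DNS server points only to itself; every other DNS server points to the primary and then to itself) and the retirement plan from this post can be run as a pre-change audit over the inventory listed above. The IPs are the ones in the post; treating DC-01 (.22) as the primary and .9 and 172.27.18.4 as the servers being retired from DNS is my assumption based on the plan.

```python
# Added example: audit the DNS client settings listed in the post against
# the pointing practices given earlier in the thread and the retirement plan.
INVENTORY = {  # constructed from the post: host -> (own IP, [DNS1, DNS2])
    "OldDC": ("204.130.217.9",  ["204.130.217.22", "204.130.217.23"]),
    "DC-01": ("204.130.217.22", ["204.130.217.22", "204.130.217.9"]),
    "DC-02": ("204.130.217.23", ["204.130.217.22", "204.130.217.23"]),
    "Mail":  ("172.27.18.4",    ["172.27.18.4", "204.130.217.9"]),
}
DHCP_SCOPES = {  # constructed from the post: scope -> DNS servers handed out
    "204.130.217.x": ["204.130.217.22", "204.130.217.23"],
    "172.27.x.x":    ["204.130.217.9", "172.27.18.4"],
}

def audit(inventory, dhcp_scopes, primary_ip, retiring):
    """Return (where, finding) tuples; an empty list means nothing to fix.

    primary_ip: the DNS server every other DNS server should list first.
    retiring:   set of IPs that must no longer be used for DNS anywhere.
    """
    findings = []
    for host, (ip, servers) in inventory.items():
        if ip == primary_ip:
            if servers != [ip]:
                findings.append((host, "primary DNS server should point only to itself"))
        elif ip not in retiring:
            # Other DNS servers: the primary first, then themselves.
            if servers[0] != primary_ip:
                findings.append((host, f"DNS1 should be the primary {primary_ip}"))
            if ip not in servers:
                findings.append((host, "should list itself as a DNS server"))
        for s in servers:
            if s in retiring:
                findings.append((host, f"still points at retiring server {s}"))
    for scope, servers in dhcp_scopes.items():
        for s in servers:
            if s in retiring:
                findings.append((f"DHCP {scope}", f"hands out retiring DNS server {s}"))
    return findings

if __name__ == "__main__":
    for where, what in audit(INVENTORY, DHCP_SCOPES,
                             primary_ip="204.130.217.22",
                             retiring={"204.130.217.9", "172.27.18.4"}):
        print(f"{where}: {what}")
```

Run against the posted inventory it flags DC-01's secondary pointer at .9, both of the Mail server's pointers, and the 172.27.x.x DHCP scope; re-run it after the change and it should return nothing.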
Thursday, February 9, 2012 12:11 AM
Your plan sounds good. My recommendation is to schedule any changes you have during a maintenance window and follow the change management practices in that organization, if they have any. If they don't, start a new process. Changes should be reviewed by a change committee, scheduled, communicated, implemented, then closed.
This will ensure that when things don't go so well, you can implement pre-determined roll-back plans and that you are not the only one holding the bag. When things go well in IT, no one notices. However, when it doesn't go well... I am sure you know.
Interesting... that you are using public IP space on your local network. Nothing wrong with that, just an expensive use of IPs.
Guides and tutorials, visit ITGeared.com.
Thursday, February 9, 2012 4:16 AM
Jorge,
Thanks, part of my process here is exactly what you are saying. I previously worked in a large environment where we had "Change Meetings" and weekly updates on processes like this. We do not have that in place here, as I am the IT guy, but we are large enough that I do need to map this out and have a back-out plan in place.
As I stated, the IP schema is messed up, with the public IP range used within the network. These addresses are not publicly routable and are NAT'd to the outside. Changing that range is also on my list of things to do, but it's behind a few other items. Right now the router is giving out DHCP to some of the ranges and the old DC is giving out DHCP to some of the ranges. When I change the DHCP over to a new server I will be removing the 204.x.x.x range completely and moving it into the 172.27.x.x range.
I really appreciate everyone's help here. I know I am asking a lot; I just would rather be 100% sure and have everything planned out before I make any changes!
Thanks!
Thursday, February 9, 2012 5:54 AM
Curious, why are there a mix of two IP subnets? Are they both on the same wire, or is there a router separating them?
Ace Fekay
Thursday, February 9, 2012 1:20 PM | 1 vote
I'm curious myself. Only 2 weeks into the job here and I have nothing to go off of, as the old IT guy was gone for a few months before I started. They had a vendor in here taking care of the day-to-day issues. Nothing makes sense here. They are using a Cisco Catalyst 3750 Layer 3 switch as a router which is handling all of the VLANs. They have 172.27.1.x - 172.27.18.x and then the 204.130.217.x network. The 204.130.217.x seems to be all of the servers/network equipment and administration area. My plan is to add VLAN 172.27.19.x for this and remove all of the 204.130.217.x from the network.
My concern right now is the slow network logon and random times where DNS won't resolve. I also have an old Novell server that is on its last leg, and the server that I have been referring to as Old DC, which is still running DHCP, DNS, File and Print services, is also locking up quite a bit. Once DNS is handled I have to move the File and Print services. Then I move my DHCP, which is when I plan on removing the 204.130.217.x network. I am trying to be very cautious about my moves here and really try to research and verify. It's one thing making changes like this to a site that has 30 computers and a server, but this site has over 150 computers and roughly 15 servers if you include all of the building maintenance servers and such. Add that to the fact I have no documentation and sometimes even no passwords, well, this is going to be a fun few months!
Friday, February 10, 2012 4:28 AM | 1 vote
I agree, good plan to change the 204. networks to 172.
As long as all internal machines are using the DCs for their DNS address, and as long as there are no firewalls between the subnets, and they're not NAT'd, I don't see a problem. However, if there are any inconsistencies, that will cause problems, such as if there are duplicate zones. Looking at the list of subnets you mentioned, it is difficult to ascertain what's where. Let's start by looking at and posting any event log errors on all of the DCs (DS and DNS related logs), as well as any issues on the client side.
Also, run:
repadmin /replsum > c:\rep-replsummary.txt (provides a replication summary)
repadmin /showreps > c:\rep-showreps.txt (this switch shows if partitions have replicated or not)
repadmin /showrepl dc01.domain.local /verbose /all /intersite > c:\rep-showrepl.txt (helps understand the replication topology and replication failures)
Ace
Ace Fekay