"sawyer" <> wrote in message
news:AFF927C3-BD25-476D-8CF0-...
> Ace
>
> This is how this question got posted to this news group. I agree with you
> about an AD integrated DNS zone being in two locations in AD, and I have
> seen this happen before, but the reason why I posted this particular
> question to the newsgroup is I am trying to either debunk or prove that
> there is a self defense mechanism in AD that prevents a zone from loading
> if AD finds corrupted records in the zone. Below is the conversation
> thread regarding this issue. I have deleted the names to protect the
> innocent.
I wouldn't call it a 'self defense' mechanism, but if there's anything
corrupted, there's a dupe zone, or there are problems contacting AD for any
reason (netlogon or other errors), including dupe zones causing it, or even
using an ISP's DNS or the router/firewall as DNS (or another non-internal
DNS that doesn't have a copy of or reference to the zone data, effectively
causing the DC to not be able to "find" AD), the zone will fail to load.
>
> #4 I'm not saying don't do it, it's a good idea.
> I'm just saying be more regular about backing up the zone. Use dnscmd in a
> job every night or something like that.
You can do that, but I think it's overhead. If the zone is AD Integrated, a
simple System State backup will back it up. However, if the zone is
corrupted (whether from one record or some other reason), the corrupted data
will be backed up making it useless for restoring.
>
> It doesn't matter how they get corrupted. Any single entry corruption
> will do this in AD integration. Nothing to do with AD integration, but
> it's rather the FEATURE included by AD integration that wipes the entire
> zone, because of what can be an integration failure. I think if you think
> back 2.5 years ago, you'll probably know what I mean. This tends to happen
> if you get a 4010 error in DNS (we've had 2 or 3 in kbb.com in the year or
> so), which tends to happen if someone is using the DNS admin tool and maybe
> creating and deleting entries when they set servers up.
> I double checked and this is still a feature in the latest versions of AD
> / DNS.
Sure, if there's corruption in the records, or if someone else manually
created a copy of the zone, that will surely cause it, too. I remember
working at a 5000 user system with 30 DCs. A new DC was set up at one of the
remote locations by someone in the domain admin group, and what they did is
manually created the forest root zone on that DC. It effectively created a
dupe causing the correct zone to disappear (since the correct one is now the
dupe), and the zone he created, which only had about 3 or 4 records, appeared
on all DCs. No need telling you what issues that caused.
>
> Some basic info:
> http://searchwindowsserver.techtarge...342778,00.html
>
> http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
>
> http://www.eggheadcafe.com/software/...ning-afte.aspx
>
> #3 Never heard of AD integrated zones getting corrupted due to AD
> replication.
AD replication will not cause zone corruption, however if there are any
issues with replication, such as a USN Rollback or other NTFRS issues, that
will surely do it, along with corrupting or causing issues on a wider
scale.
> We have been replicating corp.kbb.com, cdmdata.com, lvdmz.com, etc. All of
> our zones currently are AD integrated except kbb.com.
You are implying you do this manually. This happens by default, not
manually.
> We will however have to delete the secondary zones off of all the DC\DNS
> servers before we change the kbb.com zone to AD integrated. Part of a
> system state backup on a DC\DNS is backing up all *AD integrated DNS
> zones*; it does not back up standard primary zones, these zones need to be
> backed up manually.
Yep, that's correct. System State backs up system data, IIS, AD database,
COM info, etc. DNS AD integrated zones are part of the AD database, but they
can be in different "logical" portions of the physical database, depending
on their replication scope.
And you don't have to delete the secondaries. The DCs will remove them for
you.
>
> #2 My only suggestion is that from experience with AD integrated zones, a
> small corruption in transfer removes the zone completely (by design), so I
> just want to recommend that we start taking daily backups of the zone and
> keeping them in an easily locatable place in case we run into that.
I'm not sure who quoted this, but AD Integrated zones do not "transfer" from
DC to DC. It's AD replication.
>
> #1 I want to convert the kbb.com zone to AD integrated. Right now this DNS
> zone is a standard primary zone which means the zone doesn't use AD
> replication to copy the zone to the other DNS servers in the company, we
> have to manually create secondary zones on all of our DNS servers, and
> then manually setup secondary zones on all DNS servers,
Which is a huge administrative overhead that is not necessary. Using AD
integrated zones will populate all DCs within its replication scope
automatically.
> and then configure DNS replication from the DC1 to all the other DC\DNS
> servers that require a copy of this zone. Because all of our DC's are DNS
> servers, and the entire company accesses records in the kbb.com zone, it
> makes more sense to make this zone AD integrated and let AD replicate the
> zone to all the other DC\DNS servers.
Yep. If you want any zone to appear on all DCs, and you have child domains,
set the replication scope to Forest wide. Otherwise, if one domain in the
forest, Domain wide will suffice.
>
> Also when we shut down DC1 it is possible that any DC\DNS server that has
> a copy of the kbb.com zone will try and do a DNS zone transfer from DC1,
> and if this happens the secondary zone will shut down and stop servicing
> DNS requests for kbb.com. I see no reason to keep this zone as a standard
> primary zone, it should be AD integrated. We can continue to transfer this
> zone once it is AD integrated to 3rd party appliances the same way we do
> today.
That's correct. AD Integrated zones still follow the RFCs defining how DNS
works, so you can simply allow a secondary on a third party. You must set
zone transfer allowance manually on the zone if you want to do this. By
default, AD integrated zones have this feature unchecked (disabled).
I hope this helps.
Ace
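The points the thread covers (standard primaries are not in System State, leftover secondaries become dupes, zone transfers are off by default on AD integrated zones) can be checked from one script. This is an added example, not code from Ace or sawyer; it assumes the DnsServer PowerShell module (Windows Server 2012 or later), and $DnsServer is a placeholder server name.

```powershell
# Added example (not from the thread): audit the zones on one DC/DNS server
# for the points raised above, and export a file copy of any standard primary
# zone, since System State only covers AD integrated zones.
# Assumes the DnsServer module; 'dc1.example.invalid' is a placeholder.
param(
    [string]$DnsServer = 'dc1.example.invalid'
)

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }

foreach ($z in $zones) {
    $finding = @()

    # Standard primary: not in System State, so take the nightly file export
    # the thread suggests (written under %SystemRoot%\System32\dns on the server).
    if ($z.ZoneType -eq 'Primary' -and -not $z.IsDsIntegrated) {
        $finding += 'standard primary: not covered by System State, exported to file'
        Export-DnsServerZone -ComputerName $DnsServer -Name $z.ZoneName `
            -FileName ("{0}.bak.dns" -f $z.ZoneName)
    }

    # A secondary copy held on a DC becomes a "dupe" once the primary is AD integrated.
    if ($z.ZoneType -eq 'Secondary') {
        $finding += 'secondary on a DC: remove before converting the primary to AD integrated'
    }

    # Zone transfers are disabled by default on AD integrated zones; report the setting
    # so an over-permissive transfer list to third-party secondaries stands out.
    if ($z.ZoneType -eq 'Primary') {
        switch ([string]$z.SecureSecondaries) {
            'NoTransfer'               { $finding += 'transfers disabled (AD integrated default)' }
            'TransferAnyServer'        { $finding += 'WARNING: transfers allowed to any server' }
            'TransferToZoneNameServer' { $finding += 'transfers allowed to NS records only' }
            'TransferToSecureServers'  { $finding += 'transfers allowed to: ' +
                                                     ($z.SecondaryServers -join ', ') }
        }
    }

    [pscustomobject]@{
        Zone         = $z.ZoneName
        Type         = $z.ZoneType
        ADIntegrated = $z.IsDsIntegrated
        Scope        = $z.ReplicationScope   # Domain / Forest / Legacy; empty for file zones
        Findings     = $finding -join '; '
    }
}
```

Run it against each DC before the conversion; a zone reported as Secondary on any DC is the leftover copy the thread says must go, and a Primary showing 'TransferAnyServer' should be narrowed to the appliances that actually need it.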