How to set AD and DNS

Discussion in 'DNS Server' started by Guest, Jul 9, 2004.

  1. Guest

    Guest Guest

    I have 3 domains in my organization and I want to know what is the proper
    way to set my DNS and AD. I want all to be integrated if possible.

    Win2k3 DC running DNS
    Win2k DC running DNS

    Win2k3 DC running DNS

    Win2k DC running DNS

    1. In domain 1 can I do integrated zones since one is 2000 and the other is
    2003 server?
    2. Can domain1 and domain2 do integrated since they both have 2003 servers
    in them?
    3. On domain1 should I create the all zones for and and
    then delegate them to the DC's in those domains?
    4. If they are all Integrated is it necessary to take's DC and
    setup a secondary zone for for replication?
    5. In my replication settings what option should I choose since I have a
    mixture of Win2k and Win2k3?

    Guest, Jul 9, 2004

  2. Hello hrm_admin,

    answers inline.

    Regards - Sincerely,

    Ulf B. Simon-Weidner

    Yes, but you can only replicate the DNS database to all AD controllers
    in the domain.
    You either create the zones there or you delegate them to other servers,
    not both. I guess you want the zones on the domain controllers in each
    domain, then you create the zone on domain1, create and on the DCs in the specific domain and set the forwarders there
    to is forwarding usually to your ISP. And create the
    delegations on for yy and zz to the dns-servers for those
    Not necessary - if you want the records to be available also on the DC
    of the root domain you can do that, or since you are running WS2k3 on yy
    it might be able to replicate that zone to all Active Directory domain
    controllers which are DNS servers, which will replicate them to all WS2k3
    DCs and DNS servers. But I haven't tested whether that works in a
    mixed WS2k3 and W2k domain.
    In the domains where there are W2k servers, you'll have to set them to just
    AD Integrated; in the domains where all DNS servers run WS2k3 you can
    choose where you want the information - up to you.

    A big issue you are missing is that the domain is needed
    by all clients to find the GCs. It's a best practice to make it
    available on all DNS servers, also in the subdomains. Windows Server
    2003 sets this zone by default to replicate to all DC DNS servers in
    the _forest_ - when using W2k the best practice is to create the
    zone on the same DNS servers which host the zone, make it Active
    Directory integrated, and create a secondary zone of the
    zone on each DNS server on and
    Ulf B. Simon-Weidner [MVP], Jul 9, 2004

  3. Guest

    Guest Guest

    Ok, that is great information. I might have more questions for you, but I
    have to leave for the day and won't be back until Mon.
    Guest, Jul 9, 2004
  4. Sure - enjoy your weekend and post back if you have other questions.
    Ulf B. Simon-Weidner [MVP], Jul 9, 2004
  5. Guest

    Roger Abell Guest

    You have said nothing about where these domains are.
    It might for example be quite feasible for you to just let
    the DNS servers of the forestroot domain hold
    and (other than reverse zone) not use any other zones,
    nor run DNS on other DCs.
    It is not just a matter of what one can do but of what
    logically fits how your deployment is mapped in space.
    Roger Abell, Jul 10, 2004
  6. Guest

    Guest Guest

    Let me give you a little more insight as to how I have this set now. is set up on my root DNS DC which is Win2k3. I have then right
    clicked on that domain and done a delegation for and
    pointing to their respective DCs in the two domains. Is that part correct?
    Then on which is Win2k3 I set up as an AD-integrated zone
    and it replicates to all DCs in AD domain. Is that right? is
    set up on the DC running Win2k in that domain as an AD-integrated zone as
    well. Is that correct? Then on my zone transfer tab I have set all the
    IPs for my name servers in the list and also did the same on the Name
    Servers tab. All these domains are remote locations so what I then did was
    on I set up secondary zones for and Is that OK?
    On I again set up secondary zones for and Is that
    correct? Lastly on I set up secondary zones for and Is that correct? All the settings talked about have been done
    for reverse lookup as well. On the last part you spoke about
    I see that zone on my DC DNS W2k3 server. On my on my
    Win2k DC DNS server I do not see that zone so I created it as a secondary.
    In the replication settings in on the forest root server
    ( should it be set to All DNS Servers in the AD forest or All DCs in
    the AD domain?

    I hope this doesn't make things confusing, I just want to be concise and
    accurate so you understand what I have. If I do have everything right I
    still don't understand why in my domain DNS DC when I look at the
    A records I am not seeing all of them. If I go to DNS DC I do see
    them all. It explains why from the DNS DC I can't ping things in
    the domain.

    Guest, Jul 12, 2004
  7. Hello hrm_admin,

    answers inline

    OK for now.
    Are you sure you need secondaries for every zone? Do you expect a lot
    of name resolutions across domains? You know that every DNS-Server
    caches the responses from other zones for 1 day?
    If you want it that way, then it's correct
    See above
    That's OK - IIRC your dns is WS2k3 and the is WS2k3
    too, so it will replicate automatically if set by default.
    All DNS Servers in the AD _forest_
    The A-Records should appear in each zone, either in the primary or
    secondary zone - might need some time to replicate.

    If you can't ping - did you configure the forwarding from yy and zz to
    xx? It's set in the DNS-Servers Properties. Then check that replication
    is working and zone transfers are working. And to make sure you are not
    running into setup issues I'd point the DNS-Servers in every domain to
    the same machine (A to A and B to A). I would also have waited with
    secondary zones of every domain until all the primary zones work well.

    Ulf B. Simon-Weidner [MVP], Jul 12, 2004
  8. Guest

    Guest Guest

    I will go ahead and remove the secondary zones.

    About pointing my and DNS forwarders to should it
    be All other DNS domains points to dns server or do I have to add the
    domain in the box and then its IP address? If I try and add the domain name
    and point it to dns server I get this message, "The server forwarders
    cannot be updated. The zone already exists." I then have to cancel what I

    You mean point to itself for DNS and and point to DC? Just want to make sure I got that right. If I have this set
    right, which sounds like for the most part what else would I try so that can resolve names in domain? How do you tell if
    replication is working other than by looking at the zones?

    Thanks again.
    Guest, Jul 12, 2004
  9. Guest

    Scott Micale Guest

    One other question. On and DNS Servers should I see in the zone list?

    Scott Micale, Jul 13, 2004
  10. Hello Scott,

    inline again

    You are going to configure it in the All other domains box. Yy and zz
    are asking xx, xx is forwarding to your ISP.
    I'd set the TCP/IP-Client _in every domain_ to the same machine, so if
    you have two dns-servers in any domain have them both use the same
    dns-server as primary and the other as secondary. will be able to resolve because you set the
    forwarders, and remember that you can't use shortnames for machines in
    other dns-domains, so a ping from a server in
    should work.
    AD-Replication: replmon out of the support tools
    DNS: If you have secondaries you can try the zone transfer (there's a
    load from master or anything like that in the context menu of the
    zone), if you don't have secondaries you have either AD-Replication
    (see above) or nothing to check.

    Get familiar with nslookup - start nslookup without parameters on any
    Use "server %ipaddress%" to configure nslookup which server to query
    Use "set type=A" to configure nslookup to ask for host records, then
    query your servername, e.g. ""
    Use "set type=SOA" to find out if a server has a writeable copy of the
    zone, then enter the zone, e.g. ""
    Use "set type=NS" to find out who the nameservers for a specific zone
    are (primary and secondary), then enter the zone, e.g. "".

    Try to resolve every domain from every dns-server, it should work if
    you have everything configured right.
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
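    A present-day scripted form of the nslookup checks Ulf describes (query SOA and NS for every zone from every DNS server, then read each zone's replication scope). This is an added example, not something from the thread; it assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and the DnsServer RSAT module (Get-DnsServerZone), and the server addresses and zone names are constructed placeholders.

```powershell
# Added example: scripted form of the nslookup checks in the post above.
# Assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and the
# DnsServer RSAT module (Get-DnsServerZone). Addresses and zone names are placeholders.
$DnsServers = [ordered]@{
    'xx-dns' = '10.0.0.10'   # placeholder: DNS server in the forest root domain xx
    'yy-dns' = '10.0.1.10'   # placeholder: DNS server in child domain yy
    'zz-dns' = '10.0.2.10'   # placeholder: DNS server in child domain zz
}
$Zones = @('xx.example', 'yy.xx.example', 'zz.xx.example')   # placeholder zone names

function Test-ZoneFromServer {
    param([string]$Zone, [string]$Server)
    $result = [ordered]@{ Zone = $Zone; Server = $Server }
    # SOA (nslookup "set type=SOA"): shows which server holds the writeable copy
    try {
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' }
        $result.PrimaryServer = $soa.PrimaryServer
        $result.Serial        = $soa.SerialNumber
    } catch { $result.PrimaryServer = "FAILED: $($_.Exception.Message)" }
    # NS (nslookup "set type=NS"): every name server that should answer for the zone
    try {
        $ns = Resolve-DnsName -Name $Zone -Type NS -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' }
        $result.NameServers = ($ns.NameHost -join ', ')
    } catch { $result.NameServers = "FAILED: $($_.Exception.Message)" }
    [pscustomobject]$result
}

# Every zone from every server. A FAILED row means that server neither hosts
# the zone nor reaches it via delegation or forwarder, which is what breaks the
# cross-domain pings discussed in this thread.
$report = foreach ($srv in $DnsServers.GetEnumerator()) {
    foreach ($z in $Zones) { Test-ZoneFromServer -Zone $z -Server $srv.Value }
}
$report | Format-Table -AutoSize

# Replication scope of the AD-integrated zones on each server. 'Domain' keeps a zone on
# the DNS servers of its own domain; 'Forest' makes it appear on WS2k3 DNS servers in
# other domains too, which is the situation Scott runs into later in the thread.
foreach ($srv in $DnsServers.GetEnumerator()) {
    Get-DnsServerZone -ComputerName $srv.Value -ErrorAction SilentlyContinue |
        Where-Object { $_.IsDsIntegrated } |
        Select-Object @{ n = 'Server'; e = { $srv.Key } }, ZoneName, ReplicationScope
}
```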
  11. No - you are only supposed to see the zones which the current server
    hosts in the zone list. So if you have the replication scope of all
    three domains set to
    W2k: "Active Directory integrated"
    WS2k3: "All DNS Domain Controllers in the Active Directory Domain"
           "All Domain Controllers in the Active Directory Domain"

    Then you are not supposed to see those zones in any other domain.

    If you have a zone set to "All DNS Domain Controllers in the Active
    Directory Forest" on a WS2k3 Server, and you have other WS2k3 Servers
    in other domains, you will be able to see those zones on them as well.
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
  12. Guest

    Scott Micale Guest

    Ok, I am wondering now if this is my problem. On domain DNS DC I
    have replication set to "All Domain Controllers in the Active
    Directory Domain". This is my Win2k3 box. If I look on my DC DNS server in (w2k3) and see what list of zones are there I see the zone.
    From what you said in your previous post that should not be there. I think
    that is why I can't ping some machines in from because is using the zone in instead of talking to to resolve names. With that said I tried going into's zone list and deleting from it and it won't let me. What
    should I try?

    Scott Micale, Jul 13, 2004
  13. Guest

    Scott Micale Guest

    One last time with this question because I am missing something. On if I look at my DNS TCP/IP settings on my dns server should its
    primary point to itself or to the dns server in I thought I was
    told a while back that's dns server should point to itself and not's dns server. I have though set my forwarders up on to
    point to
    Scott Micale, Jul 13, 2004
  14. Guest

    Scott Micale Guest

    Here are my server queries you spoke of. I am doing this from machine in
    the domain.

    Default Server: skynet.hh.hrm.lan
    Default Server: skynet.hh.hrm.lan
    Server: skynet.hh.hrm.lan

    Name: skynet.hh.hrm.lan
    Server: skynet.hh.hrm.lan

    primary name server = skynet.hh.hrm.lan
    responsible mail addr = hostmaster
    serial = 5335
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    skynet.hh.hrm.lan internet address =
    Unrecognized command: set type NS
    Server: skynet.hh.hrm.lan

    hh.hrm.lan nameserver = skynet.hh.hrm.lan
    skynet.hh.hrm.lan internet address =

    Below is the same query to the domain from a machine in the

    Default Server: skynet.hh.hrm.lan
    Server: skynet.hh.hrm.lan

    Name: nt_server.hrm.lan
    Server: skynet.hh.hrm.lan

    primary name server = skynet.hh.hrm.lan
    responsible mail addr = hostmaster
    serial = 1208
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    skynet.hh.hrm.lan internet address =
    Server: skynet.hh.hrm.lan

    hrm.lan nameserver = skynet.hh.hrm.lan
    hrm.lan nameserver = nt_server.hrm.lan
    skynet.hh.hrm.lan internet address =
    nt_server.hrm.lan internet address =
    Skynet is my Primary DNS server in hh.hrm.lan. NT_Server is my primary in

    This is a query done from the same machine in domain hh.hrm.lan to a machine
    in hrm.lan.
    Server: skynet.hh.hrm.lan

    *** skynet.hh.hrm.lan can't find laston.hrm.lan: Non-existent domain
    the hh.hrm.lan domain. I can ping that netbios name and I do get replies,
    but if I ping laston.hrm.lan I get "Ping request could not find host
    laston.hrm.lan. Please check the name and try again."

    Should I start all over with my DNS? Blast it all and redo it. Seems like
    something is wrong. If I do that will I cause more things to go wrong?
    Scott Micale, Jul 13, 2004
  15. Hi Scott,

    I summarize your last three posts in this one - hopefully ;-)

    [Point DNS-Servers to or]
    At this point I'd prefer to set all DNS-Clients to the same server.

    Later I'd recommend to set all DNS-Servers in to the same server
    in, all DNS-Servers in to the same server in

    [ zone appears in, but is set to replicate to the
    DNS-Servers in the domain only]
    Check the replication scope again. You really need to get rid of this
    zone in - if no other way than deleting the zone on, replicate the whole forest, see that everything is OK (replmon)
    and then reconfigure that thing including delegations, forwarders and
    net stop netlogon and net start netlogon on every server

    [server queries]
    This is supporting the assumption that is replicated to - either this scope is set to all servers in the forest or
    you have two different replication scopes for on and on Since you had access problems, if nothing else is helping
    try to use credentials from to delete the zone on, or
    whatever is necessary to get rid of that thing. Look at the events - I
    bet you have entries in there as well.
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
  16. Guest

    Scott Micale Guest

    Ok, your first 2 suggestions have been done and have been like that for

    Now about deleting the off of I have tried that and
    every time I try it says "Access is denied". So if I try and delete it off
    of is that going to mess anything else up? Should I also delete When you say replicate the forest you mean recreate
    on and do the other things you suggested? I will wait to hear back
    from you before I attempt these steps. But like you say I think the
    zone in's zone list is the problem.
    Scott Micale, Jul 13, 2004