How to set AD and DNS

Discussion in 'DNS Server' started by Guest, Jul 9, 2004.

  1. Guest


    I have 3 domains in my organization and I want to know what is the proper
    way to set my DNS and AD. I want all to be integrated if possible.

    Domain1
    xx.com
    Win2k3 DC running DNS
    Win2k DC running DNS

    Domain2
    yy.xx.com
    Win2k3 DC running DNS

    Domain3
    zz.xx.com
    Win2k DC running DNS

    1. In domain 1 can I do integrated zones since one is 2000 and the other is
    2003 server?
    2. Can domain1 and domain2 do integrated since they both have 2003 servers
    in them?
    3. On domain1 should I create all the zones for yy.xx.com and zz.xx.com and
    then delegate them to the DCs in those domains?
    4. If they are all Integrated is it necessary to take yy.xx.com's DC and
    setup a secondary zone for xx.com for replication?
    5. In my replication settings what option should I choose since I have a
    mixture of Win2k and Win2k3?

    -Cheers
     
    Guest, Jul 9, 2004
    #1

  2. Hello hrm_admin,

    answers inline.

    --
    Gruesse - Sincerely,

    Ulf B. Simon-Weidner


    Yes, but you can just replicate the DNS database to all AD controllers
    in the domain.
    You either create the zones there or you delegate them to other servers,
    not both. I guess you want the zones on the domain controllers in each
    domain, then you create the zone xx.com on domain1, create yy.xx.com and
    zz.xx.com on the DCs in the specific domain and set the forwarders there
    to xx.com. xx.com is forwarding usually to your ISP. And create the
    delegations on xx.com for yy and zz to the dns-servers for those
    domains.
    Not necessary - if you want the records to be available also on the DC
    of the rootdomain you can do that, or since you are running WS2k3 on yy
    it might be able to replicate that zone to all active directory domain
    controllers which are dns-servers which will replicate them to all WS2k3
    DCs and DNS-Servers. But I haven't tested that if it's working in a
    mixed WS2k3 and W2k Domain.
    On the domains where W2k servers are, you'll have to set them just to AD
    Integrated; on the domains where all DNS servers run WS2k3 you can
    choose where you want the information - up to you.


    A big issue you are missing is that the _msdcs.xx.com domain is needed
    by all clients to find the GCs. It's a best practice that you make it
    available on all DNS-Servers, also in the subdomains. Windows Server
    2003 sets this zone per default to replicate to all DC-DNS-Servers in
    the _Forest_ - using W2k best practice is to create the _msdcs.xx.com
    zone on the same DNS-Servers which host the xx.com zone, make it Active
    Directory integrated, and create a secondary zone of the _msdcs.xx.com
    zone on each DNS-Servers on yy.xx.com and zz.xx.com.
     
    Ulf B. Simon-Weidner [MVP], Jul 9, 2004
    #2
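The layout rules in this reply (zones hosted in their own domain, forwarders from the child domains to xx.com, delegations on xx.com, _msdcs.xx.com reachable from every DNS server, no forest-wide scope on W2k) can be checked against a planned layout before anything is built. The following is an added example, not code from the thread; the server names, the `isp-resolver` forwarder and the scope labels are constructed assumptions.

```python
from dataclasses import dataclass, field

FOREST = "forest"   # WS2k3 "All DNS servers in the AD forest"
DOMAIN = "domain"   # W2k "AD integrated" / WS2k3 "All DNS servers in the AD domain"


@dataclass
class DnsServer:
    name: str
    ad_domain: str
    os: str                                      # "w2k" or "ws2k3"
    zones: dict = field(default_factory=dict)   # zone -> FOREST, DOMAIN or "secondary"
    forwarders: list = field(default_factory=list)


def zone_owner(zone):
    """Domain that owns a zone: _msdcs.xx.com belongs to xx.com, yy.xx.com to itself."""
    return zone[len("_msdcs."):] if zone.startswith("_msdcs.") else zone


def lint(servers, root, children, delegations):
    """Return findings for the layout; an empty list means it follows the advice above."""
    findings, msdcs = [], "_msdcs." + root
    for s in servers:
        if s.ad_domain != root and not s.forwarders:
            findings.append(f"{s.name}: no forwarder to {root}; cross-domain names will not resolve")
        if msdcs not in s.zones:
            findings.append(f"{s.name}: {msdcs} not available; clients cannot find GCs")
        for zone, scope in s.zones.items():
            if s.os == "w2k" and scope == FOREST:
                findings.append(f"{s.name}: W2k cannot use forest-wide scope for {zone}")
            if scope == DOMAIN and zone_owner(zone) != s.ad_domain:
                findings.append(f"{s.name}: hosts {zone} with domain scope but belongs to {s.ad_domain}")
    for child in children:
        if child not in delegations:
            findings.append(f"{root}: no delegation for {child}")
    return findings


def demo():
    """Constructed layout mirroring the thread's xx.com / yy.xx.com / zz.xx.com forest."""
    servers = [
        DnsServer("dc1", "xx.com", "ws2k3", {"xx.com": DOMAIN, "_msdcs.xx.com": FOREST}, ["isp-resolver"]),
        DnsServer("dc2", "yy.xx.com", "ws2k3", {"yy.xx.com": DOMAIN, "_msdcs.xx.com": FOREST, "xx.com": DOMAIN}),
        DnsServer("dc3", "zz.xx.com", "w2k", {"zz.xx.com": DOMAIN}, ["dc1"]),
    ]
    return lint(servers, "xx.com", ["yy.xx.com", "zz.xx.com"], {"yy.xx.com": ["dc2"]})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```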

  3. Guest


    Ok that is great information, but I might have more questions for you, but I
    have to leave for the day and won't be back until Mon.
     
    Guest, Jul 9, 2004
    #3
  4. Sure - enjoy your weekend and post back if you have other questions.
     
    Ulf B. Simon-Weidner [MVP], Jul 9, 2004
    #4
  5. Guest


    You have said nothing about where these domains are.
    It might for example be quite feasible for you to just let
    the DNS servers of the forestroot domain hold xx.com
    and (other than reverse zone) not use any other zones,
    nor run DNS on other DCs.
    It is not just a matter of what one can do but of what
    logically fits how your deployment is mapped in space.
     
    Roger Abell, Jul 10, 2004
    #5
  6. Guest


    Let me give you a little more insight as to how I have this set now.

    xx.com is set up on my root DNS DC which is Win2k3. I have then right
    clicked on that domain and done a delegation for yy.xx.com and zz.xx.com
    pointing to their respective DCs in the two domains. Is that part correct?
    Then on yy.xx.com which is Win2k3 I set up yy.xx.com as an AD-integrated zone
    and it replicates to all DCs in the AD domain. Is that right? zz.xx.com is
    set up on the DC running Win2k in that domain as an AD-integrated zone as
    well. Is that correct? Then on my zone transfer tab I have set all the
    IPs for my name servers in the list and also did the same on the Name
    Servers tab. All these domains are remote locations so what I then did was
    on xx.com I set up secondary zones for yy.xx.com and zz.xx.com. Is that OK?
    On yy.xx.com I again set up secondary zones for xx.com and zz.com. Is that
    correct? Lastly on zz.xx.com I set up secondary zones for xx.com and
    yy.xx.com. Is that correct? All the settings talked about have been done
    for reverse lookup as well. On the last part you spoke about _msdcs.xx.com:
    I see that zone on my yy.xx.com DC DNS W2k3 server. On my zz.xx.com
    Win2k DC DNS server I do not see that zone so I created it as a secondary.
    In the replication settings in _msdcs.xx.com on the forest root server
    (xx.com) should it be set to All DNS Servers in the AD forest or All DCs in
    the AD domain xx.com?

    I hope this doesn't make things confusing, I just want to be concise and
    accurate so you understand what I have. If I do have everything right I
    still don't understand why in my yy.xx.com domain DNS DC when I look at the
    A records I am not seeing all of them. If I go to xx.com DNS DC I do see
    them all. It explains why from the yy.xx.com DNS DC I can't ping things in
    the xx.com domain.

    Thanks
     
    Guest, Jul 12, 2004
    #6
  7. Hello hrm_admin,

    answers inline

    OK for now.
    Are you sure you need secondaries for every zone? Do you expect a lot
    of name resolutions across domains? You know that every DNS-Server
    caches the responses from other zones for 1 day?
    If you want it that way, then it's correct
    See above
    That's OK - IIRC your xx.com dns is WS2k3 and the yy.xx.com is WS2k3
    too, so it will replicate automatically if set by default.
    All DNS Servers in the AD _forest_
    The A-Records should appear in each zone, either in the primary or
    secondary zone - might need some time to replicate.

    If you can't ping - did you configure the forwarding from yy and zz to
    xx? It's set in the DNS-Servers Properties. Then check that replication
    is working and zone transfers are working. And to make sure you are not
    running into setup issues I'd point the DNS-Servers in every domain to
    the same machine (A to A and B to A). I would also have waited with
    secondary zones of every domain until all the primary zones work well.

    HTH
     
    Ulf B. Simon-Weidner [MVP], Jul 12, 2004
    #7
  8. Guest


    I will go ahead and remove the secondary zones.

    About pointing my yy.xx.com and zz.xx.com DNS forwarders to xx.com, should it
    be "All other DNS domains" points to the xx.com DNS server, or do I have to add the
    domain in the box and then its IP address? If I try and add the domain name
    and point it to the xx.com DNS server I get this message, "The server forwarders
    cannot be updated. The zone already exists." I then have to cancel what I
    did.

    You mean point xx.com to itself for DNS and yy.xx.com and zz.xx.com point to
    the xx.com DC? Just want to make sure I got that right. If I have this set
    right, which it sounds like for the most part, what else would I try so that
    yy.xx.com can resolve names in the xx.com domain? How do you tell if
    replication is working other than by looking at the zones?

    Thanks again.
     
    Guest, Jul 12, 2004
    #8
  9. Guest


    One other question. On yy.xx.com and zz.xx.com DNS Servers should I see
    xx.com in the zone list?


     
    Scott Micale, Jul 13, 2004
    #9
  10. Hello Scott,

    inline again

    You are going to configure it in the All other domains box. Yy and zz
    are asking xx, xx is forwarding to your ISP.
    I'd set the TCP/IP-Client _in every domain_ to the same machine, so if
    you have two dns-servers in any domain have them both use the same
    dns-server as primary and the other as secondary.

    yy.xx.com will be able to resolve server1.xx.com because you set the
    forwarders, and remember that you can't use shortnames for machines in
    other dns-domains, so a ping server1.xx.com from a server in yy.xx.com
    should work.
    AD-Replication: replmon out of the support tools
    DNS: If you have secondaries you can try the zone transfer (there's a
    load from master or anything like that in the context menu of the
    zone), if you don't have secondaries you have either AD-Replication
    (see above) or nothing to check.

    Get familiar with nslookup - start nslookup without parameters on any
    machine:
    Use "server %ipadress%" to configure nslookup which server to query
    Use "set type=A" to configure nslookup to ask for host records, then
    query your servername, e.g. "server1.yy.xx.com"
    Use "set type=SOA" to find out if a server has a writeable copy of the
    zone, then enter the zone, e.g. "yy.xx.com"
    Use "set type=NS" to find out who the nameservers for a specific zone
    are (primary and secondary), then enter the zone, e.g. "yy.xx.com".

    Try to resolve every domain from every dns-server, it should work if
    you have everything configured right.
     
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
    #10
  11. No - you are only supposed to see the zones which the current server
    hosts in the zone list. So if you have the replication scope of all
    three domains set to
    W2k: "Active Directory integrated"
    or
    WS2k3: "All DNS Domain Controllers in the Active Directory Domain" or
    "All Domain Controllers in the Active Directory Domain"

    Then you are not supposed to see those zones in any other domain.

    If you have a zone set to "All DNS Domain Controllers in the Active
    Directory Forest" on a WS2k3 Server, and you have other WS2k3 Servers
    in other domains, you will be able to see those zones on them as well.
     
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
    #11
  12. Guest


    Ok, I am wondering now if this is my problem. On xx.com domain DNS DC I
    have xx.com replication set to "All Domain Controllers in the Active
    Directory Domain". This is my Win2k3 box. If I look on my DC DNS server in
    yy.xx.com (w2k3) and see what list of zones are there I see the xx.com zone.
    From what you said in your previous post that should not be there. I think
    that is why I can't ping some machines in xx.com from yy.xx.com because
    computer.yy.xx.com is using the zone in yy.xx.com instead of talking to
    computer.xx.com to resolve names. With that said I tried going into
    yy.xx.com's zone list and deleting xx.com from it and it won't let me. What
    should I try?

    Thanks
     
    Scott Micale, Jul 13, 2004
    #12
  13. Guest


    One last time with this question because I am missing something. On
    yy.xx.com if I look at my DNS TCP/IP settings on my DNS server, should its
    primary point to itself or to the DNS server in xx.com? I thought I was
    told a while back that yy.xx.com's DNS server should point to itself and not
    xx.com's DNS server. I have, though, set my forwarders up on yy.xx.com to
    point to xx.com.
     
    Scott Micale, Jul 13, 2004
    #13
  14. Guest


    Here are the server queries you spoke of. I am doing this from a machine in
    the yy.xx.com domain.

    Default Server: skynet.hh.hrm.lan
    Address: 192.168.1.6
    Default Server: skynet.hh.hrm.lan
    Address: 192.168.1.6
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    Name: skynet.hh.hrm.lan
    Address: 192.168.1.6
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    hh.hrm.lan
    primary name server = skynet.hh.hrm.lan
    responsible mail addr = hostmaster
    serial = 5335
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    skynet.hh.hrm.lan internet address = 192.168.1.6
    Unrecognized command: set type NS
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    hh.hrm.lan nameserver = skynet.hh.hrm.lan
    skynet.hh.hrm.lan internet address = 192.168.1.6

    Below is the same query to the xx.com domain from a machine in the
    yy.xx.com:

    Default Server: skynet.hh.hrm.lan
    Address: 192.168.1.6
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    Name: nt_server.hrm.lan
    Address: 192.168.2.1
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    hrm.lan
    primary name server = skynet.hh.hrm.lan
    responsible mail addr = hostmaster
    serial = 1208
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    skynet.hh.hrm.lan internet address = 192.168.1.6
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    hrm.lan nameserver = skynet.hh.hrm.lan
    hrm.lan nameserver = nt_server.hrm.lan
    skynet.hh.hrm.lan internet address = 192.168.1.6
    nt_server.hrm.lan internet address = 192.168.2.1

    Skynet is my primary DNS server in hh.hrm.lan. NT_Server is my primary in
    hrm.lan.

    This is a query done from the same machine in domain hh.hrm.lan to a machine
    in hrm.lan.
    Server: skynet.hh.hrm.lan
    Address: 192.168.1.6

    *** skynet.hh.hrm.lan can't find laston.hrm.lan: Non-existent domain
    the hh.hrm.lan domain. I can ping that netbios name and I do get replies,
    but if I ping laston.hrm.lan I get "Ping request could not find host
    laston.hrm.lan. Please check the name and try again."

    Should I start all over with my DNS? Blast it all and redo it. Seems like
    something is wrong. If I do that will I cause more things to go wrong?
     
    Scott Micale, Jul 13, 2004
    #14
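The nslookup session above is the kind of evidence the earlier reply asked for: a `set type=SOA` answer names the primary the queried server believes it is, `set type=NS` lists the zone's name servers, and `Non-existent domain` shows the name was never found. The following is an added example, not code from the thread, that parses that interactive output and flags a zone whose reported SOA primary differs from the server the administrator expects; the sample text is constructed from the transcript above and `expected_primary` is an assumed map maintained by the administrator.

```python
import re

# Constructed from the hrm.lan part of the transcript in this post.
SAMPLE = """\
Server:  skynet.hh.hrm.lan
Address:  192.168.1.6

hrm.lan
        primary name server = skynet.hh.hrm.lan
        responsible mail addr = hostmaster
        serial  = 1208
hrm.lan nameserver = skynet.hh.hrm.lan
hrm.lan nameserver = nt_server.hrm.lan
skynet.hh.hrm.lan       internet address = 192.168.1.6
*** skynet.hh.hrm.lan can't find laston.hrm.lan: Non-existent domain
"""

NXDOMAIN_RE = re.compile(r"\*\*\* (\S+) can't find (\S+): (.+)")
NS_RE = re.compile(r"(\S+)\s+nameserver = (\S+)")
SOA_RE = re.compile(r"primary name server = (\S+)")


def parse_nslookup(text):
    """Extract the queried server, SOA primaries, NS lists and failed lookups."""
    result = {"server": None, "soa": {}, "ns": {}, "failures": []}
    last_zone = None  # the bare zone name printed just before an SOA block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Server:", "Default Server:")):
            result["server"] = line.split(":", 1)[1].strip()
        elif (m := NXDOMAIN_RE.match(line)):
            result["failures"].append((m.group(2), m.group(3)))
        elif (m := NS_RE.match(line)):
            result["ns"].setdefault(m.group(1), []).append(m.group(2))
        elif (m := SOA_RE.match(line)) and last_zone:
            result["soa"][last_zone] = m.group(1)
        elif "=" not in line and ":" not in line and " " not in line:
            last_zone = line
    return result


def soa_mismatches(parsed, expected_primary):
    """Zones whose SOA names a different primary than the administrator expects.

    A parent zone answering with the child-domain server as primary is the
    symptom of that zone being replicated into the child domain."""
    return {zone: primary for zone, primary in parsed["soa"].items()
            if zone in expected_primary
            and primary.lower() != expected_primary[zone].lower()}
```

Running `soa_mismatches(parse_nslookup(SAMPLE), {"hrm.lan": "nt_server.hrm.lan"})` reports hrm.lan with skynet.hh.hrm.lan as primary, which is what the next reply in the thread points at.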
  15. Hi Scott,

    I summarize your last three posts in this one - hopefully ;-)

    [Point yy.xx.com DNS-Servers to xx.com or yy.xx.com]
    At this point I'd prefer to set all DNS-Clients to the same server.

    Later I'd recommend to set all DNS-Servers in xx.com to the same server
    in xx.com, all DNS-Servers in yy.xx.com to the same server in yy.xx.com
    ....

    [xx.com zone appears in yy.xx.com, but is set to replicate to the
    DNS-Servers in the xx.com domain only]
    Check the replication scope again. You really need to get rid of this
    zone in yy.xx.com - if no other way then deleting the xx.com zone on
    xx.com, replicate the whole forest, see that everything is OK (replmon)
    and then reconfigure that thing including delegations, forwarders and
    net stop netlogon and net start netlogon on every server

    [server queries]
    This is supporting the assumption that xx.com is replicated to
    yy.xx.com - either this scope is set to all servers in the forest or
    you have two different replication scopes for xx.com on xx.com and on
    yy.xx.com. Since you had access problems, if nothing else is helping
    try to use credentials from xx.com to delete the zone on yy.xx.com, or
    whatever is necessary to get rid of that thing. Look at the events - I
    bet you have entries in there as well.
     
    Ulf B. Simon-Weidner [MVP], Jul 13, 2004
    #15
  16. Guest


    Ok, your first 2 suggestions have been done and have been like that for
    awhile.

    Now about deleting the xx.com off of yy.xx.com: I have tried that and
    every time I try it says "Access is denied". So if I try and delete it off
    of xx.com is that going to mess anything else up? Should I also delete
    _msdsc_xx.com? When you say replicate the forest you mean recreate xx.com
    on xx.com and do the other things you suggested? I will wait to hear back
    from you before I attempt these steps. But like you say I think the xx.com
    zone in yy.xx.com's zone list is the problem.
     
    Scott Micale, Jul 13, 2004
    #16