The issue described by both Roger and Linton is called the 'island problem', and is 
described in KB article 275278.  Basically, it involves specific DNS records 
registered by the domain controllers in the _Msdcs.ForestDnsName DNS domain.  These 
CNAME records are required for replication.  Let's say we have several DCs in a 
domain, each of which is also a DNS server with AD-integrated DNS.  Each points to 
itself for DNS.  When the DC registers that CNAME, it'll do it in the DNS server it 
points to (itself).  Since the other DCs need to resolve that name to replicate, and 
since they're only looking at their own copy of DNS (which doesn't yet contain that 
record - it's AD-integrated and hasn't been replicated yet), you're in a catch-22.

In the scenarios of the Branch Office Deployment Guide, the DNS servers in the forest 
root are authoritative for _Msdcs.ForestDnsName, so that's the only place this can 
become an issue.  The DCs in the other domains have to find an authoritative DNS server 
for that zone to register their CNAME, and it can't possibly be themselves, so there's 
no problem.

Dave
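An added check, not part of the thread, that turns Dave's description of the island problem and Roger's "never register to the DNS server you manage" rule into something you can run. It is assumed that every DC also runs DNS, that the RSAT ActiveDirectory and DnsClient modules are available on the workstation, and that WinRM is open to each DC; the cmdlets need Windows Server 2012 or later, not the Windows 2000 boxes in the thread. For each DC it reports whether the first DNS server in its own client configuration is one of its own addresses, and whether its DSA CNAME in _msdcs.<forest root> is answered by every DC-hosted DNS server when that server is asked directly.

```powershell
# Added example (not from the thread): audit each DC's DNS-client settings and
# confirm every DC's <DSA GUID>._msdcs.<forest> CNAME is present on every
# DC-hosted DNS server. Assumes RSAT ActiveDirectory + DnsClient modules,
# WinRM to each DC, and that all DCs run DNS.
#Requires -Modules ActiveDirectory, DnsClient

$forest = Get-ADForest
$msdcs  = "_msdcs.$($forest.RootDomain)"
$dcs    = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

# The CNAME a DC registers is <objectGUID of its NTDS Settings object>._msdcs.<forest root>.
$dsaGuid = @{}
foreach ($dc in $dcs) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $dc.HostName
    $dsaGuid[$dc.HostName] = $ntds.ObjectGUID.Guid
}

# 1. Which DNS servers does each DC's own resolver point to?  A primary that is
#    one of the DC's own addresses is the self-pointing layout the thread warns about.
$clientReport = foreach ($dc in $dcs) {
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -First 1).ServerAddresses
    })
    $own = @($dc.IPv4Address, '127.0.0.1')
    [pscustomobject]@{
        DC          = $dc.HostName
        Primary     = $servers[0]
        Secondary   = if ($servers.Count -gt 1) { $servers[1] } else { $null }
        SelfPrimary = $own -contains $servers[0]
        NoSecondary = $servers.Count -lt 2
    }
}

# 2. Ask every DC-hosted DNS server directly (-DnsOnly bypasses the local cache)
#    for every DC's CNAME.  A record missing on some server means that server's
#    copy of the zone never received it: an island from its point of view.
$cnameReport = foreach ($dc in $dcs) {
    $name = "$($dsaGuid[$dc.HostName]).$msdcs"
    foreach ($dns in $dcs) {
        $ok = $false
        try {
            $answer = Resolve-DnsName -Name $name -Type CNAME -Server $dns.IPv4Address -DnsOnly -ErrorAction Stop
            # The CNAME must point back at the DC's own host name.
            $ok = ($answer | Where-Object { $_.QueryType -eq 'CNAME' }).NameHost -eq $dc.HostName
        } catch { }
        [pscustomobject]@{ DC = $dc.HostName; DnsServer = $dns.HostName; Record = $name; Resolves = $ok }
    }
}

$clientReport | Format-Table -AutoSize
$cnameReport | Where-Object { -not $_.Resolves } | Format-Table -AutoSize
```

Run it as a forest admin. Rows with SelfPrimary set to True on forest-root DCs are the configuration Dave describes; rows in the second table show which server's copy of the _msdcs zone lacks which DC's record, which is what breaks replication. The script only reads; changing the client settings (Set-DnsClientServerAddress) is deliberately left to the operator so the order of changes can follow Roger's scheme.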

-----Original Message-----
From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 4:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance


Hi Roger,

What you describe is discussed in the Branch Office Planning Guide.
However, it pertains to DCs in the root domain only.  I've read further
docs/KBs stating that for DCs belonging to all other domains in the forest,
they should point to themselves as the primary DNS server, and use another
for secondary.

Linton

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 4:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance


I'm trying to remember the specifics, but in a nutshell DCs that point to
themselves can end up getting orphaned. IIRC, it is caused because DNS
replication stops, since they only know about themselves.

I'll try to dig out the documentation I had on it, but I can't promise I'll
find it. We first saw this over a year ago.

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 03, 2003 2:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD Design Guidance
> 
> 
> Hi Roger,
> 
> How do the DC records get scavenged? NETLOGON refreshes them 
> periodically, so I would think they would never be subject to 
> scavenging (unless of course you turned the refresh interval down).
> 
> -gil
> 
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 03, 2003 12:31 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD Design Guidance
> 
> 
> I'd bet you have replication issues.
> 
> The problem when they point only to themselves, and you have 
> scavenging enabled, is that it is possible for the DC records 
> to fall out of DNS. Its not pretty (I saw it happen once 
> here). The only fix is to do what I'd call next closest 
> neighbor DNS - have every DC/DNS combination pointing to its 
> next closest DNS choice. 
> 
> For instance, I have 4 offices with DCs, connected in a mesh 
> WAN environment. I have 2 DCs here, and one each in the 
> other 3 offices. The two here point to each other as primary, 
> and one of the remote offices as secondary. All remote 
> offices point to the two here. That way, the servers are 
> always registering to a different DNS server than the one they manage.
> 
> The only time this wasn't the case was when I built the first 
> DC - then it pointed to itself. Once they were all built, I 
> changed that one to fit the scheme.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 03, 2003 12:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] AD Design Guidance
> > 
> > 
> > Roger,
> > 
> > They are pointing to themselves as primary and their opposite as 
> > secondary.  Should this be reversed? The same for WINS?
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 03, 2003 12:26 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] AD Design Guidance
> > 
> > 
> > Hmm...
> > 
> > Open up a command prompt on one of them and type "ipconfig /all"
> > 
> > Make sure they are still pointing at the other one as primary. Network 
> > issues will force changes there, and then they start losing track of 
> > each other.
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -----Original Message-----
> > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, March 03, 2003 11:58 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] AD Design Guidance
> > > 
> > > 
> > > Hi Roger,
> > > 
> > > Each DC is also the DNS server for the domain.  So, each points to
> > > the other and itself as well.
> > > 
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, March 03, 2003 10:42 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] AD Design Guidance
> > > 
> > > 
> > > What DNS servers are the domain controllers pointing to?
> > > 
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, February 28, 2003 3:31 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > Marc,
> > > > 
> > > > 1. Yes, both locations are setup as separate sites
> > > > 
> > > > 2. The DNS Event log on the DC in Office B reports 5509 events 
> > > > often, received an invalid DNS update from 10.64.3.2 (Master in 
> > > > Office A) - packet rejected
> > > > 
> > > > 3. No Directory Service Errors but there are numerous FRS errors 
> > > > showing issues with replicating from Office A to Office B
> > > > 
> > > > The File Replication Service is having trouble enabling replication
> > > > from PA-FILE-01 (Office A) to PA-FILE-02 (Office B) for 
> > > > c:\winnt\sysvol\domain using the DNS name PA-FILE-01.penncolor.com. 
> > > > FRS will keep retrying.  Following are some of the reasons you would 
> > > > see this warning.
> > > >  
> > > >  [1] FRS can not correctly resolve the DNS name 
> > > > PA-FILE-01.penncolor.com from this computer.  [2] FRS is not running
> > > > on PA-FILE-01.penncolor.com.  [3] The topology information in the 
> > > > Active Directory for this replica has not yet replicated to all the
> > > > Domain Controllers.
> > > > 
> > > > This warning as well:
> > > > The File Replication Service has enabled replication from PA-FILE-01
> > > > to PA-FILE-02 for c:\winnt\sysvol\domain after repeated retries.
> > > > 
> > > > 4. The DCs don't "act" bogged down while physically at them. 
> > > > They're noticeably bogged down from the client end with 
> > > > regards to accessing resources.
> > > > 
> > > > -----Original Message-----
> > > > From: Marc Zukerman [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, February 28, 2003 3:20 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > Another few questions Casey:
> > > > 
> > > > 1. Are the different locations set up as separate sites?
> > > > 2. How healthy is DNS? WINS? Are there any errors? What's the topology?
> > > > 3. Are there any errors in the Directory Services logs on
> > > > the domain controller?
> > > > 4. Are the DCs bogged down?
> > > > 
> > > > Marc Zukerman
> > > > Senior Network Engineer
> > > > Greenwich Technology Partners
> > > > 
> > > > ----- Original Message -----
> > > > From: "Friese, Casey" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Friday, February 28, 2003 2:34 PM
> > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > Gil, thanks for the questions, here are the answers:
> > > > 
> > > > Number of clients in Office A is ~25
> > > > Number of clients in Office B is ~250
> > > > 
> > > > There are a mix of 9x, 2000 and XP client, most are 2000. The 
> > > > symptoms show across all clients
> > > > 
> > > > I'm not sure about the bandwidth
> > > > 
> > > > It's a native Win2k domain.
> > > > 
> > > > Hope this fills thing out.
> > > > 
> > > > -----Original Message-----
> > > > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, February 28, 2003 2:24 PM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > A couple of questions to fill out the picture:
> > > > 
> > > > How many clients at each site?
> > > > What kinds of clients (ME/98, NT4, W2K, XP, etc)
> > > > Do you have any idea of how much _available_ bandwidth there is on
> > > > the link? Where is the PDC emulator? I'm guessing it is in office A
> > > > where the first DC lives.
> > > > 
> > > > -gil
> > > > 
> > > > -----Original Message-----
> > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, February 28, 2003 12:00 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > I have uncovered what I believe is a problem with our Active 
> > > > Directory design.  I'm looking for assurance that it is indeed a 
> > > > problem judging from the symptoms that I am seeing and I'm also 
> > > > looking for recommendations on how to correct it.
> > > > 
> > > > I've walked into the company just weeks after a consultant started
> > > > implementing the AD design.  Now, 8 months later and 10 servers 
> > > > later I believe that the design is flawed.  Here are my symptoms:
> > > > 
> > > > Any administration activity done on the servers such as setting 
> > > > permissions/re-writing permissions, opening property sheets within
> > > > Exchange System Manager, viewing property sheets of OU 
> > > > objects/group policies, etc. All of these tasks take a long period
> > > > of time to complete or display.
> > > > 
> > > > From the client end we see hanging connections - one moment
> > > > a share is available, the next permission is denied or the
> > > > connection can't be made.  Opening files from the network is sluggish 
> > > > and at times DHCP settings are lost.
> > > > 
> > > > We have 2 offices:
> > > > Our HQ is in office A
> > > > Our Datacenter is in office B
> > > > 
> > > > Office A has 1 Windows 2000 Server and was the first server built in
> > > > the Forest.  This server is doing File/Print, DHCP, WINS, DNS for 
> > > > its location among doing its specialized tasks for the domain.
> > > > 
> > > > Office B has 9 Windows 2000 Servers - among those 9 is a DC, 1 is an
> > > > E2K server and 1 is an ISA server.  The DC provides file/print, 
> > > > DHCP, WINS, DNS for its location.  The E2K server is the mail 
> > > > server for both locations and the ISA server is the Firewall for 
> > > > both locations.
> > > > 
> > > > Office A is connected to Office B via 256kbps Split T1 used for both
> > > > voice and data.  Office B is connected to the internet via full T1
> > > > which is responsible for handling all internet requests.
> > > > 
> > > > Both sites, office A and B, belong to the same parent domain
> > > > - company.com with each client's DNS set as clientname.company.com
> > > > 
> > > > First questions: Are there any flaws with the above design? The most
> > > > noticeable thing to me is that Office A and B communicate over a 
> > > > 256kbps shared line.  I'm not an expert with AD, in fact, it's new
> > > > to me but from what I understand anything done in Office B has to go
> > > > to the Head Server in Office A.  This is where I believe my 
> > > > problems lie.
> > > > 
> > > > What I would like to do is break these two sites apart and have 
> > > > officeA.company.com and officeB.company.com - I think this is the 
> > > > correct approach but I'm not sure. My main concern is our Exchange
> > > > 2000 Server and our ISA server because they're both linked heavily
> > > > into the AD so totally redoing the design is a bit tough. 
> > > > Alternatively, I have started entertaining the idea of moving the 
> > > > server in Office A to the Office B location making Office B the root
> > > > domain and any new sites child domains.
> > > > 
> > > > I apologize for the length and if I've confused anyone - I'm 
> > > > confused myself.  I just want to know if I'm blaming the symptoms on
> > > > the right thing and how I should proceed.
> > > > 
> > > > Thanks,
> > > > Casey
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/