~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMHO, primary should be itself. Secondary? Not sure it really needs one (check itself and if that fails check someone else that has the same information?), but you *could* put the remote DNS host there.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bad idea. You run the risk of "Islanding", as pointed out in another post. And updates end up relying more on replication than they should, in my experience.

Whichever DNS server you deem as your "primary" should point to itself first, and another box second. Every other DNS server at that level (same domain) should point to the first box first, and itself second. Much happiness will ensue at this point.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Thu, 14 Oct 2004 13:15:09 -0400, Mulnick, Al <[EMAIL PROTECTED]> wrote:
>
> Didn't we have this conversation once before? :)
>
> Think about that. If the remote DC has a replica of the DNS entries it
> needs, why is it going across a WAN link? It doesn't make sense since it
> already knows how to find everything it needs.
>
> IMHO, primary should be itself. Secondary? Not sure it really needs one
> (check itself and if that fails check someone else that has the same
> information?), but you *could* put the remote DNS host there.
>
> It would be good for you to test this scenario in your lab before relying on
> it in the future as well.
>
> Al
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Thursday, October 14, 2004 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Still troubleshooting, still no resolution
>
> Could it be because the domain controllers at all our remote sites have their
> network adapter properties set to the primary and secondary DNS servers at
> the headquarters site? How should the DNS settings be on a DC that is
> running DNS in a remote site? Primary across the WAN, secondary to itself?
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, October 14, 2004 10:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Still troubleshooting, still no resolution
>
> Russ, is server ldap/ccc.ourdomain.com your local DC in that site?
> And is this the site name CN=CAM-DHQ of that site?
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Thursday, October 14, 2004 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Still troubleshooting, still no resolution
>
> I still have not found a resolution to my issue - our remote site's WAN link
> went down for many hours. All the XP and 2000 desktops at that site could
> not connect to their mapped drives (to the local file server), and if they
> rebooted, they were totally toast.
>
> There is a Windows 2000 domain controller at the site, but we are in a
> Win2003 AD domain. Any ideas???
>
> Errors generated in the system event log on the desktop:
>
> 10/4/2004 10:27:58 AM  Kerberos  Error  None  7  N/A  CESVPL50835
> The kerberos subsystem encountered a PAC verification failure. This indicates
> that the PAC from the client CESVPL50835$ in realm CCC.OURDOMAIN.COM had a
> PAC which failed to verify or was modified. Contact your system administrator.
>
> 10/4/2004 10:29:11 AM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A  CESVPL50835
> The Security System could not establish a secured connection with the server
> ldap/ccc.ourdomain.com. No authentication protocol was available.
>
> 10/4/2004 10:29:11 AM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A  CESVPL50835
> "The Security System detected an attempted downgrade attack for server
> ldap/ccc.ourdomain.com. The failure code from authentication protocol
> Kerberos was ""There are currently no logon servers available to service the
> logon request. (0xc000005e)""."
>
> Errors generated in the desktop event log on the server:
>
> The Directory Service consistency checker has noticed that 12 successive
> replication attempts with
> CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> have failed over a period of 132 minutes. The connection object for this
> server will be kept in place, and new temporary connections will be
> established to ensure that replication continues. The Directory Service will
> continue to retry replication with
> CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com;
> once successful the temporary connection will be removed.
>
> All servers in site CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> that can replicate partition DC=ccc,DC=coopcam,DC=com over transport
> CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> are currently unavailable.
>
> The Directory Service consistency checker has determined that either (a)
> there is not enough physical connectivity published via the Active Directory
> Sites and Services Manager to create a spanning tree connecting all the
> sites containing the Partition DC=ourdomain,DC=com, or (b) replication
> cannot be performed with one or more critical servers in order for changes
> to propagate across all sites (most often due to the servers being
> unreachable).
>
> For (a), please use the Active Directory Sites and Services Manager to do
> one of the following:
>
> 1. Publish sufficient site connectivity information such that the system can
> infer a route by which this Partition can reach this site. This option is
> preferred.
>
> 2. Add an ntdsConnection object to a Domain Controller that contains the
> Partition DC=ourdomain,DC=com in this site from a Domain Controller that
> contains the same Partition in another site.
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
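The ordering ASB lays out above (the designated primary DNS server lists itself first and another DC second; every other DC lists the primary first and itself second) is easy to state and easy to get wrong across many sites, and Russ's outage is what the wrong ordering looks like: a remote DC pointed only at headquarters loses all name resolution the moment the WAN drops, so its own clients can no longer find a logon server. The script below is an added example written for this page, not code from the thread, from ASB, or from Microsoft. It audits every DC in the domain against that ordering and also checks that each DC's own DNS server can answer the _ldap._tcp.dc._msdcs SRV query that clients use to locate a DC. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT, Windows Server 2012 or later), WinRM access to each DC, and that the primary DC name in `$PrimaryDc` is replaced with your own; `CAMDHQDC02` is taken from the event text above purely as a placeholder.

```powershell
# Added example, not from the thread. Audits each DC's DNS client server list
# against the ordering ASB describes and reports deviations per DC.
# Assumptions: ActiveDirectory + DnsClient modules available, WinRM reachable on
# every DC, and $PrimaryDc names the DC you treat as the domain's primary DNS server.
param(
    [string]$PrimaryDc = "CAMDHQDC02"   # assumption: substitute your own primary DC
)

Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$dcs     = Get-ADDomainController -Filter * |
               Select-Object Name, HostName, IPv4Address, Site
$primary = $dcs | Where-Object { $_.Name -ieq $PrimaryDc }
if (-not $primary) { throw "Primary DC '$PrimaryDc' not found in domain $domain" }

foreach ($dc in $dcs) {
    # IPv4 DNS servers configured on the first interface that has any set,
    # read on the DC itself so we see what its resolver actually uses.
    $configured = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })

    # Both the loopback address and the DC's own address count as "itself".
    $self      = @('127.0.0.1', $dc.IPv4Address)
    $isPrimary = ($dc.Name -ieq $primary.Name)
    if ($isPrimary) {
        $expected = @($dc.IPv4Address, '<any other DC>')
    } else {
        $expected = @($primary.IPv4Address, $dc.IPv4Address)
    }

    $issues = @()

    # Russ's failure mode: no entry for itself, so DNS dies with the WAN link.
    if (-not ($configured | Where-Object { $self -contains $_ })) {
        $issues += 'does not list itself: loses DNS entirely when the WAN is down'
    }
    # ASB's warning: only itself, nothing to fall back to ("islanding").
    if ($configured.Count -gt 0 -and
        -not ($configured | Where-Object { $self -notcontains $_ })) {
        $issues += 'lists only itself: islanding risk'
    }
    # Ordering rule from the post.
    if ($isPrimary) {
        if ($configured.Count -eq 0 -or $self -notcontains $configured[0]) {
            $issues += 'primary should list itself first'
        }
    } elseif ($configured.Count -lt 2 -or
              $configured[0] -ne $primary.IPv4Address -or
              $self -notcontains $configured[1]) {
        $issues += "should list $($primary.IPv4Address) first and itself second"
    }

    # Can this DC's own DNS service answer the DC-locator query its clients
    # will send when the WAN is gone? If not, local logons fail regardless
    # of the client-side ordering above.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
               -Server $dc.IPv4Address -ErrorAction SilentlyContinue
    if (-not $srv) {
        $issues += 'local DNS cannot answer the _ldap._tcp.dc._msdcs SRV query'
    }

    [pscustomobject]@{
        DC         = $dc.Name
        Site       = $dc.Site
        Configured = ($configured -join ', ')
        Expected   = ($expected -join ', ')
        Status     = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}
```

Run it from any domain-joined admin workstation and pipe the output to `Format-Table -AutoSize`; every row whose Status is not `OK` is a DC to fix. On a 2012-or-later DC the fix is `Set-DnsClientServerAddress -InterfaceIndex <idx> -ServerAddresses @('<primary>', '<itself>')` run on that DC; on the Windows 2000/2003 machines of the thread's era the equivalent is `netsh interface ip set dns "Local Area Connection" static <primary>` followed by `netsh interface ip add dns "Local Area Connection" <itself> index=2`. The SRV check is deliberately aimed at the DC's own address rather than whatever resolver the workstation uses, because that is the path a remote-site client is left with once the link to headquarters is down.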
