Al, This sure helped, we are by the way indeed talking about W2K DC's.
Victor ----- Oorspronkelijk bericht ----- Van: Al Mulnick <[EMAIL PROTECTED]> Datum: donderdag, juli 13, 2006 3:58 am Onderwerp: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always? > You don't work at the post office do you? ;) > > > There are many many many ways to properly configure DNS. One > thing that > helps is to think of the terms client and server vs. preferred and > alternateonly. You are configuring a preferred server and an > alternate server that > you want this DC to be a client of. > > DNS is a standard. Windows 2003 DNS follows those standards (comments > really, but let's not pick right?) Microsoft has done some > enhancementsabove and beyond that make DNS play very well in the > Microsoft sphere[1]. > You can however have DNS that is a third party DNS system, such as > BIND.Active Directory plays very well with such third party DNS > systems. You > could have your domain controllers not have any DNS hosted on them > at all. > You could have it hosted, but as a secondary zone. You could also > have it > AD integrated meaning that you have a listener for DNS but the > data(base) is > stored in the active directory. > > Something to clarify: what you're talking about is making the DC a > *client*to another DNS server that hosts the zones. You're also > talking about > making dc1 a client of dc2 and vice versa. That's silly, but I'll > get to > that. > > If you have your dns hosted on a third party system such as BIND, > you'llhave one server as the primary (not best practice, but you > get the idea; in > practice you'd have multiple for failure tolerance wan traffic > optimization)and your DC would be a client of that system. > > If you have a traditional DNS hierarchy that has primary and secondary > transfers, you would be mimicking BIND topology and again could > configureyour DC's to be clients of the BIND or Microsoft DNS servers. > > If you have the the DNS AD-Integrated, then after initial > replication you > should have the client configured to use itself as the DNS server. > That'd be > the best practice. Before 2003 you could have an "island effect" > wherebecause you didn't have a full picture of the directory, you > might not have > all the records needed to fully *see* the entire DNS names list > effectivelycreating an island of a DC. In 2003 some additional > code was put in to make > sure that doesn't happen. You need to be a client of a working > DNS to join > the domain and to find the other DC's when you get promoted. After > replication completes, you have a full list and there's no need to > continueas a client of a server that has the same information you do. > > So, what's silly about having your server configured to be a > client of a dns > server that has the same information? I find it amusing that if > the server > wants to find something he'll ask his neighbor if he has the > informationwhen he could just ask himself. It's brain dead in my > opinion and very > difficult to troubleshoot. In addition, and more importantly it > breaks the > idea of a fabric design because now dc1 and dc2 are reliant on > each other to > be operational. If either is down, both are down and that's ridiculous > considering how easy it is to prevent that situation. But wait! > you say? He > should try the partner first and if that fails use himself right? > Yes but. > :) He'll try the neigbor first, because that's the preferred. > He'll also > register there etc. The worst part is that if he tries the > partner and the > partner is not completely dead, he'll not try himself even if he > has the > right information. > > Now, will it work? Yes. Is it a good idea? Absolutely not and > shows a lack > of understanding on the part of the folks that deployed it. From > the sounds > of it, an unwillingness to fix the underlying issues that led them > there as > well. On the other hand, they're spot on if it's W2K vs. K3 :) > > Does that help? > > > [1] unless you like a granular audit logging. But that's neither > here nor > there. > > > On 7/12/06, Victor W. <[EMAIL PROTECTED]> wrote: > > > > Today a conversation at my job came up about setting the > preferred DNS > > server on the NIC of a DC with DNS installed. > > For as far as I know it's best to point the DC (with DNS > installed) to > > itself for DNS by specifying the internal IP address of the DC > as the > > preferred DNS > > server on the NIC. > > > > Then I was told that this is not always necessary and this > puzzled me a > > bit. > > > > Not everybody was convinced of the above and this got me > thinking. Some > > people are claiming that it doesnt really matter if you set that > DC to > > be the *preferred* or the *alternate* DNS server. > > > > I was then showed an environment where all DC's in a child > domain (all had > > DNS installed), had the same DNS server set as preferred DNS server. > > > > Perhaps an example will make it more clear: > > > > a forest root domain with 4 child domains. > > > > child domain A, B, C, and D. > > > > Names of the Domain Controllers: > > root domain: DC-A & DC-B & DC-C & DC-D > > for child domain A: DC-A1 & DC-A2 > > for child domain B: DC-B1 & DC-B2 > > for child domain C: DC-C1 & DC-C2 > > for child domain D: DC-D1 & DC-D2 > > > > > > DC-A1 has specified DC-A2 as preferred DNS server and has > specified DC-A1 > > (itself) as alternate DNS server. > > DC-A2 has specified DC-A2 (itself) as preferred DNS server and has > > specified DC-A1 as alternate DNS server > > > > DC-B1 has specified DC-B2 as preferred DNS server and has > specified DC-B1 > > (itself) as alternate DNS server > > DC-B2 has specified DC-B2 (itself) as preferred DNS server and has > > specified DC-B1 as alternate DNS server > > > > And so on for the other child domains. > > > > I was told that this was done because this AD environment was not > > optimal and that by pointing all the dc's in a child domain to > the same DNS > > server, other issues were prevented from occuring. > > This didnt sound all that good to me to be honoust :-) > > > > I am now wondering if there are scenario's thinkable when it > would be > > better not to point a DC with DNS installed as the preferred > server on it's > > NIC. > > > > Does the term Island DNS also play a role in this? > > > > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
