Discussion:
Should a DC use itself for DNS?
ajfried
2005-03-21 20:21:02 UTC
With multiple DCs (and AD-integrated DNS) should a DC point to itself for DNS,
or should it point to some other DC / DNS server? What is the best practice
here?

TIA --> A.J. Fried
ptwilliams
2005-03-21 20:33:00 UTC
It honestly varies. I recommend either:

-- All point at self then one other; or
-- All at one (per site), then self for the other.


Please note though, that this is per site. Localise traffic; don't point at
a server across the WAN.
--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
ajfried
2005-03-21 20:37:02 UTC
Our typical (small) site has but one DC / DNS server. So in this case, you
would say it should point to itself first?
Todd J Heron
2005-03-21 20:53:14 UTC
"Our typical (small) site has but one DC / DNS server. So in this case,
you would say it should point to itself first"
Yes.
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.
ptwilliams
2005-03-21 20:57:39 UTC
Yes, but it must have a backup. Although, in this instance, the likelihood
of it ever needing the backup is very low (when will the DC be up and the
DNS not?), it is always good practice, and something you should get into
the habit of doing: multiple DNS servers configured for *ALL* DNS clients.
--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
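The configuration the two replies above describe (a DC points to itself first, then to one other DC in the same site, and every DC always carries a second entry), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 or later with RSAT) and a network adapter alias of "Ethernet"; both are assumptions to adjust for your own DCs.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory and
# DnsClient modules and an adapter alias of "Ethernet" (assumptions).
Import-Module ActiveDirectory

# Which DC am I, and which site am I in?
$me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$others = Get-ADDomainController -Filter * |
          Where-Object { $_.HostName -ne $me.HostName }

# Prefer a partner in the same site: localise traffic, don't cross the WAN.
$partner = $others | Where-Object { $_.Site -eq $me.Site } | Select-Object -First 1
if (-not $partner) {
    # Single-DC site: the backup has to come from elsewhere. The thread notes
    # the chance of needing it is low (DC up but DNS down), but the entry
    # should still exist. Pick it deterministically so every run agrees.
    $partner = $others | Sort-Object Site, HostName | Select-Object -First 1
}

# Order: own address first, then the partner. The DC's real IPv4 address is
# used rather than 127.0.0.1; the later Best Practices Analyzer rule allows
# the loopback address only as a non-first entry.
$servers = @($me.IPv4Address)
if ($partner) { $servers += $partner.IPv4Address }

"{0} (site {1}) -> DNS client list: {2}" -f $me.HostName, $me.Site, ($servers -join ', ')

# Apply, then confirm what the resolver will actually use.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $servers
Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4
```

Run it on each DC in turn; for the alternative ordering Paul mentions (one shared server per site first, then self), swap the two elements of `$servers` on every DC except the shared one.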
Todd J Heron
2005-03-21 20:35:18 UTC
Either way. However, if this is the first DC in the environment, and there
is no other DNS server available to host the AD zone, then the original
server must of course start out by pointing to itself.

Quoted from:
Best practices for DNS client settings in Windows 2000 Server and in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

"If the server is the first domain controller that you installed in the
domain, and the server runs DNS, configure the DNS client settings to point
to that first server's IP address".
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.
Mike Brannigan [MSFT]
2005-03-21 21:20:54 UTC
Post by ajfried
With multiple DCs (and AD-integrated DNS) should a DC point to itself for DNS,
or should it point to some other DC / DNS server? What is the best practice
here?
see
http://support.microsoft.com/?id=291382
--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
Don Wilwol
2005-03-21 21:51:54 UTC
some additional info
http://spaces.msn.com/members/wilwol/Blog/cns!1pJhYIW7R6HVEEKz9wQ2vdnQ!163.entry
--
Hope it helps...........

dw

Don Wilwol
Blog - http://spaces.msn.com/members/wilwol/
Web - http://capital.net/~wilwol/dw.htm
jc
2005-03-24 16:41:04 UTC
If I need to post a new question please let me know. But the issue deals with
dns settings on domain controller.
I have a setup where I have 3 DCs, and I have Active Directory-integrated
DNS on dc1, and I have a DNS on dc2; dc1 forwards to dc2's DNS. On dc2, in
the TCP/IP properties, DNS is set up as the IP address of dc1 and then itself.
Every time I restart the dc2 machine I receive event ID 3096 (Source: Netlogon,
"The Windows NT domain controller for this domain could not be located.") and
event ID 5781 (Source: Netlogon, "Dynamic registration or deregistration of
one or more DNS records failed because no DNS servers are available").
I can perform nslookup just fine, so what seems to be the problem?
Thx
JC.
ptwilliams
2005-03-24 19:23:54 UTC
Post by jc
I have a set up where I have 3 dc's , and I have active directory
integrated dns on dc1, and I have a dns on dc2, dc1 forwards to dc2 dns.
Have no idea why you've got it setup like that, but there you go...
Post by jc
On dc2 in TCP/IP properties DNS is set up as the IP address of dc1 and then to
itself. Every time I restart the dc2 machine I receive event ID 3096 (Source
Netlogon The Windows NT domain controller for this domain could not be
located.) and event id 5781 (Source Netlogon : Dynamic registration or
deregistration of one or more DNS records failed because no DNS servers
are available). I can perform nslookup just fine, then what seems to be
the problem.
I was going to say this is normal in some circumstances, but I reread and
realised you're pointing to the other DC not self so that theory goes out
the window.

I've a couple of questions then...are these DCs all members of the same
domain, or are they DCs for *different* domains?
Is the zone set to accept dynamic updates? And if so, is it configured to
only accept secure updates? Is the DNS on DC2 AD-Integrated or is it a
secondary zone?

Why are you forwarding to the other?
--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
jc
2005-03-24 19:59:03 UTC
Sorry should have been more clear.
They are both Active Directory-integrated, and no, the dns1 server is not
forwarding to dns2 on dc2.
All dcs belong to the same domain, and yes the zones are set to allow
dynamic updates.

DNS1 on DC1 does a zone transfer to Dns2 on DC2. I set it up only for backup
purposes just in case dns1 went down.
DNS1 and DNS2 use DNS3 as forwarder to our ISP.
dns3 is only our secondary server ( set up exclusively for forwarding).

I am sure you would be saying yikes!! by now .
Thx
JC
ptwilliams
2005-03-24 20:21:20 UTC
Post by jc
They are both Active Directory-integrated, and no, the dns1 server is not
forwarding to dns2 on dc2. All DCs belong to the same domain, and yes
the zones are set to allow dynamic updates.
Good. Much better.
Post by jc
DNS1 on DC1 does a zone transfer to Dns2 on DC2. I set it up only for
backup purposes just in case dns1 went down. DNS1 and DNS2 use DNS3 as
forwarder to our ISP.
When using AD-Integrated zones there is no need to configure zone transfers.
In fact, it is recommended that you never do this. The zone replicates as
part of the AD replication.
Post by jc
dns3 is only our secondary server ( set up exclusively for forwarding).
Interesting. I don't really see the need personally, but I suppose it will
cache all web queries locally so could be of some benefit.
Post by jc
I am sure you would be saying yikes!! by now .
I did already!!!! ;-)


OK. So they both point to DC1 and then DC2?

Flush the logs and ensure that the zone is configured to accept dynamic
updates and that the DHCP client service is running on both DCs. Restart
netlogon. Check the logs. Do you have these errors again?

Have you run these errors through www.eventid.net yet?
--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
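The checks Paul lists (dynamic updates enabled, the DHCP Client service running, restart Netlogon, re-read the logs), together with his point that zone transfers are unnecessary on AD-integrated zones, as an added PowerShell example that is not part of the original thread. It assumes the DnsServer module (Windows Server 2012 or later) and a domain zone named corp.example; both are assumptions, and it is meant to be run elevated on the DC that logged the events (dc2 in the thread).

```powershell
# Added example, not from the original thread. Assumes the DnsServer module
# (Windows Server 2012 or later) and a domain zone named corp.example
# (assumption). Run elevated on the DC that logged the events.
$zoneName = 'corp.example'

# 1. Zone state. AD-integrated zones replicate through AD, so zone transfers
#    are unnecessary; dynamic updates must be enabled or Netlogon's SRV/A
#    registrations fail (event 5781).
$zone = Get-DnsServerZone -Name $zoneName
"{0}: DsIntegrated={1} DynamicUpdate={2} Transfers={3}" -f `
    $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate, $zone.SecureSecondaries

if ($zone.IsDsIntegrated) {
    if ($zone.DynamicUpdate -ne 'Secure') {
        Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate Secure
    }
    if ($zone.SecureSecondaries -ne 'NoTransfer') {
        # Keep transfers only if a non-AD secondary genuinely needs them.
        Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries NoTransfer
    }
}

# 2. Services involved in registration. On 2000/2003 the DHCP Client service
#    registers the host A record; on 2008 and later the DNS Client service
#    (Dnscache) does. Netlogon registers the SRV records itself.
foreach ($name in 'Dhcp', 'Dnscache', 'DNS', 'Netlogon') {
    $svc = Get-Service -Name $name
    "{0,-9} {1}" -f $name, $svc.Status
}

# 3. Re-register and re-check, mirroring "restart netlogon, check the logs".
Restart-Service -Name Netlogon
nltest /dsregdns          # force Netlogon to re-register its DNS records
ipconfig /registerdns     # and the host A/PTR records

# 4. Any 3096 / 5781 since the restart?
Start-Sleep -Seconds 30
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3096, 5781
             StartTime = (Get-Date).AddMinutes(-5) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, Message | Format-List }
else         { 'No Netlogon 3096/5781 events since the restart.' }

# 5. dcdiag's DNS sub-tests cover the same ground end to end.
dcdiag /test:DNS /DnsDynamicUpdate /DnsRecordRegistration
```

If step 4 is clean but the errors return on the next reboot, the remaining suspect is start order (Netlogon coming up before the DNS Server service on a self-pointing DC), which Paul addresses further down the thread.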
jc
2005-03-24 20:45:05 UTC
Well the dhcp client service is running on dc1 and dc2, I removed the zone
transfer from dc1 to dc2. DNS is set for dynamic updates.
I flushed the logs on dc2 and restarted the netlogon service, and I see no
error in the logs.
What just happened here ???
Will definitely let you know if something happens

Thx
JC
jc
2005-03-24 20:49:03 UTC
Forgot to add: at the same time I received the Netlogon errors, on DC2 I had
also received a W32Time error (no NTP server was set up). Hence I went ahead
and set an NTP server, resynced the time on all DCs, restarted the W32Time
service and then restarted Netlogon.
So did W32Time have anything to do with this?

JC
ptwilliams
2005-03-30 10:33:07 UTC
Only the PDCe should be configured with an NTP server. All other servers
and clients should be left alone.

With regards to the Netlogon error, this can happen when pointing to self
and the machine is rebooted (or started). This is because the AD needs DNS
and DNS hasn't started. You can fudge this by forcing Netlogon to wait
until another service, such as Windows Time (which starts last), has
started, thus ensuring that DNS is up and running.

You might want to run the event errors through www.eventid.net and see if
that can clarify things...
--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
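Both points in the reply above (external NTP on the PDC emulator only, everything else left on the domain hierarchy; and making Netlogon wait for DNS on a self-pointing DC), as an added PowerShell example that is not part of the original thread. It assumes an external time source at ntp.example.net and an elevated session on a DC (both assumptions). For the start-order fix it uses the DNS Server service as the dependency rather than Windows Time; the post's own variant works the same way with `W32Time` in place of `DNS`.

```powershell
# Added example, not from the original thread. Assumes an external time source
# at ntp.example.net (assumption) and an elevated PowerShell session on a DC.
Import-Module ActiveDirectory

# --- Time: only the PDC emulator gets an external NTP source ---------------
$pdce   = (Get-ADDomain).PDCEmulator                 # FQDN of the PDCe
$isPdce = ($pdce -split '\.')[0] -ieq $env:COMPUTERNAME

if ($isPdce) {
    # 0x8 = client mode. /reliable:yes advertises this DC as a good time source.
    w32tm /config /manualpeerlist:"ntp.example.net,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC (and every member) follows the domain hierarchy and is
    # otherwise left alone, as the post says.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service -Name W32Time
w32tm /resync /nowait
w32tm /query /source

# --- Netlogon vs. DNS start order --------------------------------------------
# On a DC that points to itself, Netlogon can start before the DNS Server
# service and log 5781 on every boot. The post's fix is to make Netlogon wait
# for a late service such as Windows Time; the direct form used here adds the
# DNS Server service itself. Check 'sc.exe qc DNS' first so that no dependency
# cycle is introduced (DNS does not depend on Netlogon by default).
# DependOnService is REG_MULTI_SZ, so it comes back as a string array.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$current = @((Get-ItemProperty -Path $key).DependOnService)
if ($current -notcontains 'DNS') {
    $deps = ($current + 'DNS') -join '/'
    # sc.exe wants the space after 'depend=' and slash-separated service names.
    sc.exe config Netlogon depend= $deps
}
sc.exe qc Netlogon
```

The dependency change takes effect at the next boot; `sc.exe qc Netlogon` shows the resulting DEPENDENCIES line so you can confirm the original entries (LanmanWorkstation and LanmanServer on a default install) are still present.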