Tricky Active Directory Integrated DNS issues.

BaDaBooM
Golden Member, May 3, 2000
Here is the setup. I previously had DNS working with Standard Primary and Secondaries, but wish to get it working with Active Directory-Integrated. I have 3 domain controllers with DNS. One is the forest root server. We'll call the domain forestroot.com (not the real name). The other two are on a child tree that is in a different namespace. We'll call this domain differentname.com (again, not the real name ;) ). All the servers each have a copy of every zone: forestroot.com, differentname.com, and the reverse lookup zones. Now when I change the zones on the two servers in differentname.com to AD-integrated they work correctly. DNS replicates with Active Directory, no problem. For some reason though, when I change the zones on the forestroot.com server to AD-integrated it cannot replicate DNS with the other two. Active Directory is replicating perfectly for everything else. Just the DNS information on that forestroot.com server is not working. Where am I going wrong?

Abzstrak
Platinum Member, Mar 11, 2000
I'm not an expert at all with AD-integrated DNS; however, I usually solve problems with it by changing "Allow dynamic updates" to Yes rather than "Only secure updates".
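Editor's note (added example, not part of the thread): switching a zone from "Only secure updates" to plain "Yes" is a common troubleshooting shortcut, but it lets any host that can reach the server on UDP/53 add or overwrite records (hostnames of domain controllers included), so it should be reverted once the replication problem is understood. The PowerShell below, written for this page and not taken from any poster, audits every primary zone on a DNS server for its dynamic-update mode and, with `-Fix`, puts AD-integrated zones back to secure-only. It assumes the DnsServer module (Windows Server 2008 R2 or later, or RSAT) is available; the `$ComputerName` default is an assumption.

```powershell
# Added example: audit dynamic-update settings on a Windows DNS server.
# Secure updates require Kerberos and are only possible on AD-integrated zones;
# "NonsecureAndSecure" accepts anonymous updates from any client.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: DNS server to audit
    [switch]$Fix                                 # revert nonsecure AD-integrated zones
)

Import-Module DnsServer

# Skip secondary/stub zones and the auto-created 0/127/255 reverse zones.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $storage = if ($zone.IsDsIntegrated) { 'AD-integrated' } else { 'file-backed' }

    $risk = switch ($zone.DynamicUpdate) {
        'Secure'             { 'ok (authenticated clients only)' }
        'NonsecureAndSecure' { 'ANY HOST CAN ADD OR OVERWRITE RECORDS' }
        'None'               { 'no dynamic registration; records must be maintained by hand' }
        default              { "unrecognised mode: $($zone.DynamicUpdate)" }
    }

    '{0,-32} {1,-14} {2,-20} {3}' -f $zone.ZoneName, $storage, $zone.DynamicUpdate, $risk

    if ($Fix -and $zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate Secure
        "  -> $($zone.ZoneName) reset to secure-only dynamic updates"
    }
}
```

Run it without `-Fix` first to see the current state; a file-backed primary zone can never be set to Secure, which is one more reason to finish the move to AD-integrated storage rather than leave nonsecure updates on as a workaround.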

BaDaBooM
Golden Member, May 3, 2000
That's a good thought, but I already tried it. It didn't work either way. Not sure what the deal is.

Saltin
Platinum Member, Jul 21, 2001
Bring up the properties of the zones in question. On the Name Servers tab, do you see all the DNS servers listed?

Also, ensure that on the Zone Transfers tab you have selected "Allow zone transfers: Only to servers listed on the Name Servers tab".

BaDaBooM
Golden Member, May 3, 2000
Yeah, I had checked all that before. However, when I double-checked it just now, some of the zones had removed the zone transfer settings even though I know I had set them. I think it might have something to do with the fact that it is loading zone data from Active Directory and the registry. Like maybe I rebooted it and it hadn't been saved there. My Update Server Data option is always greyed out; I thought that was supposed to let you manually force the zone to save. Also, the problem is that some of the zones were still set right but they didn't sync up either. Well, everything is set right now, so I'll wait a day and see if it syncs up, but I don't think it will.

Saltin
Platinum Member, Jul 21, 2001
One other thing: you mention the second domain is a "child domain" of the first. Based on the info you provided in your first post, I'm wondering if that is the case?

You said the parent domain was forestroot.com and the child differentname.com?

If the second domain is a true child of the parent, it should share a contiguous namespace (i.e. it should be named differentname.forestroot.com).

Did you set up the topology? Make sure it is really a child, because it sounds like it isn't. If it isn't a child, then it doesn't share the same AD schema as forestroot.com. It also wouldn't have any trust relationships established by default.

It would also explain why the zone information isn't replicating. AD-integrated zones should only replicate within the AD forest (i.e. the domains must have a common schema and Global Catalog).

BaDaBooM
Golden Member, May 3, 2000
Well, that may not have been the right term. Perhaps "child tree" would be better. However, that is not correct. You can have a tree in a forest that does not share the same namespace. It still sets up the trusts like it would if it were using the same namespace. It also shares the same schema, global catalog, etc. Otherwise none of my Active Directory would be working; I wouldn't be able to see accounts from one domain in another. I did set up the structure, so I can provide any more info that is needed.

Saltin
Platinum Member, Jul 21, 2001
Domains in a tree have to share a contiguous namespace.
Forests composed of trees do not.

When you called the domain "differentname.com" a child domain, it confused the explanation; if it were a true child of forestroot.com it would be named differentname.forestroot.com.

So it's a different tree in the same forest. That clears things up a bit.

As long as they are in the same forest, there shouldn't be replication issues, sure. I was working under the assumption that they weren't in the same forest.

Is there a firewall between the two domains?

Guga
Member, Feb 21, 2003
I'm not sure about that, but aren't AD-integrated zones stored in the Domain partition of Active Directory??
If that is the case, it won't replicate that information with the domain in the other tree...


BaDaBooM
Golden Member, May 3, 2000
Hmm... well, that issue you linked to isn't the problem, as I don't have an _ at the beginning and it also has Service Pack 3 on it. However, I wonder if it is true that it is stored in the domain partition. That seems strange though; I mean, wouldn't you want all your DNS servers to replicate?

Saltin
Platinum Member, Jul 21, 2001
AD-integrated DNS is most certainly stored in the Domain partition of AD. As such, it isn't replicated across domains.

I think what you may require is a different technical solution to your issue.

Obviously you would like DNS to be able to resolve requests regardless of which of the two domains the request involves.

For example, the DNS server in Domain 1 can return answers for requests regarding Domain 2, and vice versa.

Right now, you are attempting to solve this problem by replicating the entire zone.

Why not try leaving the zones where they are and setting each DNS server to forward to the other on the Forwarders tab under server properties?

It will allow you to do what you like, and skip over the issue of AD-integrated zones replicating across domains.
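Editor's note (added example, not part of the thread): what Saltin describes is how Windows 2000 stored AD-integrated zones, in the domain naming context only, so a zone never left its own domain. Windows Server 2003 and later added the ForestDnsZones application partition, which is exactly the forest-wide replication the original poster wanted, and the "forward to the other server" workaround became the conditional forwarder, which only sends queries for one domain rather than everything. The PowerShell below, written for this page and not posted by anyone in the thread, shows both on a current DNS server: it reports which AD-integrated zones still stop at the domain boundary, widens them to forest scope with `-Apply`, and otherwise publishes a conditional forwarder for the other tree. Domain names are the thread's placeholders; the server name and the `$OtherDomainDns` addresses are assumptions.

```powershell
# Added example: find AD-integrated zones confined to one domain and fix or forward.
# Requires Windows Server 2003+ DNS (application partitions) and the DnsServer module.
param(
    [string]$ComputerName   = $env:COMPUTERNAME,            # assumption: forest-root DNS server
    [string]$OtherDomain    = 'differentname.com',          # the other tree in the same forest
    [string[]]$OtherDomainDns = @('10.1.0.10', '10.1.0.11'),  # assumption: its DNS servers
    [switch]$Apply
)

Import-Module DnsServer

$adZones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $adZones) {
    # Legacy  = domain naming context (the only choice Windows 2000 had)
    # Domain  = DomainDnsZones partition
    # Forest  = ForestDnsZones partition, replicated to every DNS-running DC in the forest
    $crossesDomains = ($z.ReplicationScope -eq 'Forest')
    '{0,-32} scope={1,-8} reaches other domains: {2}' -f $z.ZoneName, $z.ReplicationScope, $crossesDomains

    if ($Apply -and -not $crossesDomains) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.ZoneName -ReplicationScope Forest
        "  -> $($z.ZoneName) now replicates forest-wide"
    }
}

# Alternative that keeps each domain's zone at home: a conditional forwarder for the
# other tree. It cannot coexist with a local copy of the same zone, so only create it
# when this server does not already hold $OtherDomain.
$local = Get-DnsServerZone -ComputerName $ComputerName -Name $OtherDomain -ErrorAction SilentlyContinue
if ($null -eq $local) {
    if ($Apply) {
        Add-DnsServerConditionalForwarderZone -ComputerName $ComputerName -Name $OtherDomain `
            -MasterServers $OtherDomainDns -ReplicationScope Forest
        "conditional forwarder: $OtherDomain -> $($OtherDomainDns -join ', ')"
    } else {
        "no local zone for $OtherDomain; -Apply would add a conditional forwarder to $($OtherDomainDns -join ', ')"
    }
} else {
    "$OtherDomain is held locally (type $($local.ZoneType)); no conditional forwarder needed"
}
```

A conditional forwarder is the scoped form of the approach suggested above: unlike a server-wide forwarder it does not affect internet lookups, which avoids the recursion errors that a global forwarder to another internal server can produce.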

BaDaBooM
Golden Member, May 3, 2000
Thanks Saltin! That must be the info I was missing. I've played around with forwarding before, but I kept getting weird error messages. I've set it up the way you said; however, I am getting those weird error messages again.

Event ID 7063

The DNS server is configured to forward to a non-recursive DNS server at 192.5.6.30.

DNS servers in forwarders list MUST be configured to process recursive queries.
Either
1) fix the forwarder (192.5.6.30) to allow recursion
- connect to it with DNS Manager
- bring up server properties
- open "Advanced" tab
- uncheck "Disable Recursion"
- click OK
OR
2) remove this forwarder from this servers forwarders list
- DNS Manager
- bring up server properties
- open "Forwarders" tab
- remove (192.5.6.30) from list of forwarders
- click OK

Now, the IP I get is not in the forwarders list and is nowhere on my network. The only thing I can think of is that it is one of the root DNS servers. It sometimes has different IPs there, but same type of deal. Now I could disable recursion, but according to this:

Using forwarders exclusively (no recursion)
When a DNS server is configured to use forwarders, they are used before any other means of resolving a name is tried. If the list of forwarders fails to provide a positive answer, a DNS server can attempt to resolve the query itself using iterative queries and standard recursion.

A server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries itself to resolve the name. Instead, it fails the query if it does not get a successful query response from any of the forwarders.

This forces a DNS server to use its configured forwarders exclusively to perform final resolution when resolving a name query. In this mode of operation, a server configured to use forwarders can still check in its configured zones first to attempt to resolve a queried name. If it finds a match in its authoritative data there, it can answer the query based on that information.

To use this option, select the Do not use recursion option on the Forwarders tab when a server is configured to use forwarders.

Note

When using forwarders, queries are sent to each forwarder in the list, which is given a time-out value, in seconds, within which it must respond before the next forwarder is tried.

This implies that it won't ever check its own zones for a DNS client, and that will mess things up on my network. Also, in case I didn't mention it, my DNS servers provide both internal and external DNS. Why is this error filling up my logs now, and what can I do about it?

*Edit* Uh-oh, I have to turn forwarders back off. I am also getting incorrect DNS lookups for some reason. I put in an address like www.lycos.com and it brings up Microsoft's web site :Q

Saltin
Platinum Member, Jul 21, 2001
If you disable recursion, a DNS server will only use its forwarders (i.e. not look in its own zone).

Remember that DNS servers should act recursively (if you want them to be able to resolve outside their zone). If you disable recursion, the DNS server will fail to resolve if the request lies outside the server's local zones.

When you use forwarders, you should still leave recursion enabled. You would have had to have disabled recursion specifically (either on the Forwarders tab and/or on the Advanced tab). Make sure those check boxes are cleared.

The article you quoted defines a very particular setup that (as far as I know) would only be useful to a caching-only DNS server (i.e. a server which holds no local zones and only forwards requests on and caches the answers it receives). Otherwise, there is no reason to disable recursion.

Long story short, you are getting the error because you are forwarding to a DNS server that has recursion disabled. There is no logic in that really, as any server you specify as a forwarder should be recursive.
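Editor's note (added example, not part of the thread): the two checkboxes argued over above still exist in today's DNS server and map onto two cmdlet properties. "Disable recursion" on the Advanced tab is `Get-DnsServerRecursion` / `Enable`; the Forwarders-tab "Do not use recursion" option became "Use root hints if no forwarders are available", i.e. `Get-DnsServerForwarder` / `UseRootHint`. Event 7063 complains that a listed forwarder will not answer recursive queries, which is something you can probe directly rather than infer from the log. The PowerShell below, written for this page and not posted by anyone in the thread, prints both settings and then asks each forwarder for a name it is not authoritative for; a forwarder with recursion disabled cannot answer that. The server name and the probe name are assumptions.

```powershell
# Added example: verify recursion/forwarder settings and probe each forwarder for recursion.
# Requires the DnsServer module and network reach to the configured forwarders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: DNS server to check
    [string]$ProbeName    = 'www.example.com'    # assumption: a name no forwarder hosts
)

Import-Module DnsServer

# Advanced tab: "Disable recursion (also disables forwarders)".
$recursion = Get-DnsServerRecursion -ComputerName $ComputerName
if ($recursion.Enable) {
    "recursion: enabled (forwarders and root hints are usable)"
} else {
    "WARNING: recursion is disabled on $ComputerName; forwarders are ignored and only local zones resolve"
}

# Forwarders tab. UseRootHint=$false means a failed forwarder fails the query
# instead of falling back to iterative resolution from the root hints.
$fwd = Get-DnsServerForwarder -ComputerName $ComputerName
'forwarders: {0}   timeout={1}s   fall back to root hints={2}' -f `
    (($fwd.IPAddress | ForEach-Object { "$_" }) -join ', '), $fwd.Timeout, $fwd.UseRootHint

$results = @{}
foreach ($ip in $fwd.IPAddress) {
    $server = "$ip"
    try {
        # -DnsOnly bypasses the local cache/hosts file so the answer really came from $server.
        $a = Resolve-DnsName -Name $ProbeName -Type A -Server $server -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if ($a) {
            $results[$server] = 'recursive'
            "forwarder $server : OK, answered $ProbeName with $($a.IPAddress -join ', ')"
        } else {
            # A non-recursive server returns a referral (no A records) for foreign names.
            $results[$server] = 'non-recursive?'
            "forwarder $server : no address records for $ProbeName; looks non-recursive (event 7063 material)"
        }
    } catch {
        $results[$server] = 'unreachable'
        "forwarder $server : query failed: $($_.Exception.Message)"
    }
}
$results
```

Anything other than `recursive` for a forwarder means the server will log 7063 and, with `UseRootHint` off, fail every name outside its own zones; the fix is either to enable recursion on that forwarder or to remove it from the list, which is what the event text itself suggests.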

BaDaBooM
Golden Member, May 3, 2000
OK, I just don't get why I'm getting that error though... I only have 2 servers in the forwarders list. Also, like I put in my edit, I started getting wrong lookups and some names wouldn't resolve at all.