That's exactly my point - this issue, as was pointed out in the Q article
David Fugleberg posted, happens specifically in that case.

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Friese, Casey [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 03, 2003 8:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD Design Guidance
> 
> 
> I'm learning a lot about AD integrated DNS with this part of 
> the thread but let's not forget that while the two sites are 
> distinctly separate, they still both fall under the same root 
> domain from a DNS standpoint.  All of the servers in the 
> forest follow the standard clientname.domain.com routine.
> 
> Just not sure if we lost that train of thought or not. 
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 03, 2003 6:58 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD Design Guidance
> 
> 
> That's not an entirely true statement. The island issue can 
> happen any time there is a discontiguous (non-contiguous?) 
> namespace - which has been the case with both major 
> deployments in which I've been involved.
> 
> It would also seem that the DNS configuration of the 
> subdomains would have similar issues, depending how the 
> subdomains are handled from a purely DNS standpoint. It would 
> seem that a delegated subdomain could end up in the same boat.
> 
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 03, 2003 5:46 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] AD Design Guidance
> > 
> > 
> > The issue described by both Roger and Linton is called the
> > 'island problem', and is described in KB article 275278.  
> > Basically, it involves specific DNS records registered by the 
> > domain controllers in the _Msdcs.ForestDnsName DNS domain.  
> > These CNAME records are required for replication.  Let's say 
> > we have several DCs in a domain, each of which is also a DNS 
> > server with AD-integrated DNS.  Each points to itself for 
> > DNS.  When the DC registers that CNAME, it'll do it in the 
> > DNS server it points to (itself).  Since the other DCs need 
> > to resolve that name to replicate, and since they're only 
> > looking at their own copy of DNS (which doesn't yet contain 
> > that record - it's AD-integrated and hasn't been replicated 
> > yet), you're in a catch-22.
> > 
> > In the scenarios of the Branch Office Deployment Guide, the
> > DNS servers in the forest root are authoritative for 
> > _Msdcs.ForestDnsName, so that's the only place this can 
> > become an issue.  The DCs in the other domains have to find an 
> > authoritative DNS server for that zone to register their 
> > CNAME, and it can't possibly be themselves, so there's no problem.
> > 
> > Dave
> > 
> > -----Original Message-----
> > From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 03, 2003 4:19 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] AD Design Guidance
> > 
> > 
> > Hi Roger,
> > 
> > What you describe is discussed in the Branch Office Planning
> > Guide. However, it pertains to DCs in the root domain only.  
> > I've read further docs/KBs stating that for DCs belonging to 
> > all other domains in the forest, they should point to 
> > themselves as the primary DNS server, and use another for secondary.
> > 
> > Linton
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 03, 2003 4:56 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] AD Design Guidance
> > 
> > 
> > I'm trying to remember the specifics, but in a nutshell DCs
> > that point to themselves can end up getting orphaned. IIRC, 
> > it is caused because DNS replication stops, since they only 
> > know about themselves.
> > 
> > I'll try to dig out the documentation I had on it, but I
> > can't promise I'll find it. We first saw this over a year ago.
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -----Original Message-----
> > > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, March 03, 2003 2:54 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] AD Design Guidance
> > > 
> > > 
> > > Hi Roger,
> > > 
> > > How do the DC records get scavenged? NETLOGON refreshes them 
> > > periodically, so I would think they would never be subject to 
> > > scavenging (unless of course you turned the refresh 
> > > interval down).
> > > 
> > > -gil
> > > 
> > > 
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, March 03, 2003 12:31 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] AD Design Guidance
> > > 
> > > 
> > > I'd bet you have replication issues.
> > > 
> > > The problem when they point only to themselves, and you have 
> > > scavenging enabled, is that it is possible for the DC records to 
> > > fall out of DNS. It's not pretty (I saw it happen once here). The 
> > > only fix is to do what I'd call next closest neighbor DNS - have 
> > > every DC/DNS combination pointing to its next closest DNS choice.
> > > 
> > > For instance, I have 4 offices with DCs, connected in a mesh WAN 
> > > environment. I have 2 DCs here, and one each in the other 3 
> > > offices. The two here point to each other as primary, and one of the 
> > > remote offices as secondary. All remote offices point to the two 
> > > here. That way, the servers are always registering to a different 
> > > DNS server than the one they manage.
> > > 
> > > The only time this wasn't the case was when I built the first DC - 
> > > then it pointed to itself. Once they were all built, I changed that 
> > > one to fit the scheme.
> > > 
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, March 03, 2003 12:56 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > Roger,
> > > > 
> > > > They are pointing to themselves as primary and their opposite as 
> > > > secondary.  Should this be reversed? The same for WINS?
> > > > 
> > > > -----Original Message-----
> > > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, March 03, 2003 12:26 PM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > 
> > > > 
> > > > Hmm...
> > > > 
> > > > Open up a command prompt on one of them and type "ipconfig /all"
> > > > 
> > > > Make sure they are still pointing at the other one as primary. 
> > > > Network issues will force changes there, and then they start 
> > > > losing track of each other.
> > > > 
> > > > --------------------------------------------------------------
> > > > Roger D. Seielstad - MCSE
> > > > Sr. Systems Administrator
> > > > Inovis Inc.
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, March 03, 2003 11:58 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > > 
> > > > > 
> > > > > Hi Roger,
> > > > > 
> > > > > Each DC is also the DNS server for the domain.  So, each points to
> > > > > the other and themselves as well.
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, March 03, 2003 10:42 AM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > > 
> > > > > 
> > > > > What DNS servers are the domain controllers pointing to?
> > > > > 
> > > > > --------------------------------------------------------------
> > > > > Roger D. Seielstad - MCSE
> > > > > Sr. Systems Administrator
> > > > > Inovis Inc.
> > > > > 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Friday, February 28, 2003 3:31 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > > > 
> > > > > > 
> > > > > > Marc,
> > > > > > 
> > > > > > 1. Yes, both locations are set up as separate sites
> > > > > > 
> > > > > > 2. The DNS Event log on the DC in Office B reports 5509 events 
> > > > > > often, received an invalid DNS update from 10.64.3.2 (Master in
> > > > > > Office A) - packet rejected
> > > > > > 
> > > > > > 3. No Directory Service Errors but there are numerous FRS errors
> > > > > > showing issues with replicating from Office A to Office B
> > > > > > 
> > > > > > The File Replication Service is having trouble enabling replication
> > > > > > from PA-FILE-01 (Office A) to PA-FILE-02 (Office
> > > > > > B) for c:\winnt\sysvol\domain using the DNS name
> > > > > > PA-FILE-01.penncolor.com. FRS will keep retrying. Following are
> > > > > > some of the reasons you would see this warning.
> > > > > > 
> > > > > >  [1] FRS can not correctly resolve the DNS name 
> > > > > > PA-FILE-01.penncolor.com from this computer.  [2] FRS is not running
> > > > > > on PA-FILE-01.penncolor.com.  [3] The topology information in the
> > > > > > Active Directory for this replica has not yet replicated to all the
> > > > > > Domain Controllers.
> > > > > > 
> > > > > > This warning as well:
> > > > > > The File Replication Service has enabled replication from PA-FILE-01
> > > > > > to PA-FILE-02 for c:\winnt\sysvol\domain after repeated retries.
> > > > > > 
> > > > > > 4. The DCs don't "act" bogged down while physically at them. 
> > > > > > They're noticeably bogged down from the client end with regards to
> > > > > > accessing resources.
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Marc Zukerman [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Friday, February 28, 2003 3:20 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: Re: [ActiveDir] AD Design Guidance
> > > > > > 
> > > > > > 
> > > > > > Another few questions Casey:
> > > > > > 
> > > > > > 1. Are the different locations set up as separate sites?
> > > > > > 2. How healthy is DNS? WINS? Are there any errors? What's the topology?
> > > > > > 3. Are there any errors in the Directory Services logs on the domain controller?
> > > > > > 4. Are the DCs bogged down?
> > > > > > 
> > > > > > Marc Zukerman
> > > > > > Senior Network Engineer
> > > > > > Greenwich Technology Partners
> > > > > > 
> > > > > > ----- Original Message -----
> > > > > > From: "Friese, Casey" <[EMAIL PROTECTED]>
> > > > > > To: <[EMAIL PROTECTED]>
> > > > > > Sent: Friday, February 28, 2003 2:34 PM
> > > > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > > > 
> > > > > > 
> > > > > > Gil, thanks for the questions, here are the answers:
> > > > > > 
> > > > > > Number of clients in Office A is ~25
> > > > > > Number of clients in Office B is ~250
> > > > > > 
> > > > > > There are a mix of 9x, 2000 and XP clients, most are 2000. The 
> > > > > > symptoms show across all clients
> > > > > > 
> > > > > > I'm not sure about the bandwidth
> > > > > > 
> > > > > > It's a native Win2k domain.
> > > > > > 
> > > > > > Hope this fills things out.
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Friday, February 28, 2003 2:24 PM
> > > > > > To: '[EMAIL PROTECTED]'
> > > > > > Subject: RE: [ActiveDir] AD Design Guidance
> > > > > > 
> > > > > > 
> > > > > > A couple of questions to fill out the picture:
> > > > > > 
> > > > > > How many clients at each site?
> > > > > > What kinds of clients (ME/98, NT4, W2K, XP, etc)
> > > > > > Do you have any idea of how much _available_ bandwidth there is on
> > > > > > the link? Where is the PDC emulator? I'm guessing it is in office A
> > > > > > where the first DC lives.
> > > > > > 
> > > > > > -gil
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Friese, Casey [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Friday, February 28, 2003 12:00 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [ActiveDir] AD Design Guidance
> > > > > > 
> > > > > > 
> > > > > > I have uncovered what I believe is a problem with our Active 
> > > > > > Directory design.  I'm looking for assurance that it is indeed a
> > > > > > problem judging from the symptoms that I am seeing and I'm also
> > > > > > looking for recommendations on how to correct it.
> > > > > > 
> > > > > > I've walked into the company just weeks after a consultant started
> > > > > > implementing the AD design.  Now, 8 months later and 10 servers
> > > > > > later I believe that the design is flawed.  Here are my symptoms:
> > > > > > 
> > > > > > Any administration activity done on the servers such as setting
> > > > > > permissions/re-writing permissions, opening property sheets within
> > > > > > Exchange System Manager, viewing properties sheets of OU 
> > > > > > objects/group policies, etc. All of these tasks take a long period
> > > > > > of time to complete or display.
> > > > > > 
> > > > > > From the client end we see hanging connections - one moment
> > > > > > a share is available, the next permission is denied or the
> > > > > > connection can't be made.  Opening files from the network is
> > > > > > sluggish and at times DHCP settings are lost.
> > > > > > 
> > > > > > We have 2 offices:
> > > > > > Our HQ is in office A
> > > > > > Our Datacenter is in office B
> > > > > > 
> > > > > > Office A has 1 Windows 2000 Server and was the first server built in
> > > > > > the Forest.  This server is doing File/Print, DHCP, WINS, DNS for
> > > > > > its location among doing its specialized tasks for the domain.
> > > > > > 
> > > > > > Office B has 9 Windows 2000 Servers - among those 9 is a DC, 1 is an
> > > > > > E2K server and 1 is an ISA server.  The DC provides file/print,
> > > > > > DHCP, WINS, DNS for its location.  The E2K server is the mail
> > > > > > server for both locations and the ISA server is the Firewall for
> > > > > > both locations.
> > > > > > 
> > > > > > Office A is connected to Office B via 256kbps Split T1 used for both
> > > > > > voice and data.  Office B is connected to the internet via full T1
> > > > > > which is responsible for handling all internet requests.
> > > > > > 
> > > > > > Both sites, office A and B, belong to the same parent domain
> > > > > > - company.com with each client's DNS set as clientname.company.com
> > > > > > 
> > > > > > First questions: Are there any flaws with the above design? The most
> > > > > > noticeable thing to me is that Office A and B communicate over a 
> > > > > > 256kbps shared line.  I'm not an expert with AD, in fact, it's new
> > > > > > to me but from what I understand anything done in Office B has to go
> > > > > > to the Head Server in Office A.  This is where I believe my 
> > > > > > problems lie.
> > > > > > 
> > > > > > What I would like to do is break these two sites apart and have
> > > > > > officeA.company.com and officeB.company.com - I think this is the
> > > > > > correct approach but I'm not sure. My main concern is our Exchange
> > > > > > 2000 Server and our ISA server because they're both linked heavily
> > > > > > into the AD so totally redoing the design is a bit tough. 
> > > > > > Alternatively, I have started entertaining the idea of moving the
> > > > > > server in Office A to the Office B location making Office B the root
> > > > > > domain and any new sites child domains.
> > > > > > 
> > > > > > I apologize for the length and if I've confused anyone - I'm 
> > > > > > confused myself.  I just want to know if I'm blaming the symptoms on
> > > > > > the right thing and how I should proceed.
> > > > > > 
> > > > > > Thanks,
> > > > > > Casey
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
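
A worked check for the configuration this thread keeps coming back to (each DC/DNS server pointing to itself as primary, the island problem of KB 275278), written as an added example that is not part of the original thread or of any Microsoft tooling. It parses the `ipconfig /all` output Roger suggests looking at, flags any DC whose first DNS server is itself (loopback included) or that lists no other DC's DNS server at all, and reorders a list the way his next-closest-neighbor scheme would (peer first, self last). The host names, the 192.0.2.x addresses and the abridged `ipconfig` text are all constructed for the example; every host fed to `audit()` is assumed to be a DC running AD-integrated DNS.

```python
"""Audit DC DNS-client order for the AD-integrated DNS 'island' risk (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_HOST_RE = re.compile(r"^\s*Host Name.*?:\s*(\S+)\s*$")
_IP_RE = re.compile(rf"^\s*IP Address.*?:\s*({IPV4})\s*$")
_DNS_RE = re.compile(rf"^\s*DNS Servers.*?:\s*({IPV4})\s*$")
_CONT_RE = re.compile(rf"^\s+({IPV4})\s*$")      # continuation line: just an address
SELF_ALIASES = {"127.0.0.1", "::1"}              # loopback counts as "myself"


@dataclass
class DcDnsConfig:
    host: str
    addresses: List[str]     # the DC's own interface addresses
    dns_servers: List[str]   # DNS client list, in configured order


def parse_ipconfig(text: str) -> DcDnsConfig:
    """Pull host name, own addresses and the ordered DNS server list out of
    `ipconfig /all` output. Only the first DNS server shares a line with the
    'DNS Servers' label; the rest sit on indented continuation lines, which a
    one-line grep for the label would silently drop."""
    host, addresses, dns, in_dns = "", [], [], False
    for line in text.splitlines():
        if m := _HOST_RE.match(line):
            host, in_dns = m.group(1), False
        elif m := _IP_RE.match(line):
            addresses.append(m.group(1))
            in_dns = False
        elif m := _DNS_RE.match(line):
            dns.append(m.group(1))
            in_dns = True
        elif in_dns and (m := _CONT_RE.match(line)):
            dns.append(m.group(1))
        else:
            in_dns = False
    return DcDnsConfig(host, addresses, dns)


def audit(configs: List[DcDnsConfig]) -> Dict[str, List[str]]:
    """Flag each DC whose DNS order invites the island problem (KB 275278): a DC
    that points at itself first registers its _msdcs CNAME only in its own copy
    of the AD-integrated zone, and peers that likewise look only at themselves
    never see it, so the replication that would carry the record never starts.
    Assumes every host in `configs` is a DC running AD-integrated DNS."""
    dc_addrs = {a for c in configs for a in c.addresses}
    findings: Dict[str, List[str]] = {}
    for c in configs:
        own = set(c.addresses) | SELF_ALIASES
        issues: List[str] = []
        if not c.dns_servers:
            issues.append("NO_DNS_SERVERS")
        elif c.dns_servers[0] in own:
            issues.append("PRIMARY_IS_SELF")
        if not any(s in dc_addrs and s not in own for s in c.dns_servers):
            issues.append("NO_PEER_DC")       # no other DC will ever hold its records
        unknown = [s for s in c.dns_servers if s not in dc_addrs and s not in own]
        if unknown:
            issues.append("UNKNOWN_SERVER:" + ",".join(unknown))
        findings[c.host] = issues
    return findings


def suggest_order(c: DcDnsConfig) -> List[str]:
    """Roger's next-closest-neighbor scheme from the thread: a peer DC/DNS goes
    first and the DC's own address, if kept at all, moves to the end. Which peer
    is 'closest' is a site-topology decision this helper deliberately leaves alone."""
    own = set(c.addresses) | SELF_ALIASES
    return [s for s in c.dns_servers if s not in own] + [s for s in c.dns_servers if s in own]


def fake_ipconfig(host: str, ip: str, dns: List[str]) -> str:
    """Constructed stand-in for `ipconfig /all` output, abridged to the lines the
    audit reads but laid out the way the real tool prints them."""
    cont = "".join(f"\n{' ' * 44}{s}" for s in dns[1:])
    return f"""
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : {host}
        Primary DNS Suffix  . . . . . . . : example.test

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : {ip}
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : {dns[0]}{cont}
        Primary WINS Server . . . . . . . : {ip}
"""


# Constructed hosts and addresses (not from the thread); DC-A1 mirrors Casey's
# "self as primary, the other as secondary" arrangement.
SAMPLE_DCS = {
    "DC-A1": ("192.0.2.10", ["192.0.2.10", "192.0.2.20"]),  # self first, peer second
    "DC-B1": ("192.0.2.20", ["192.0.2.20"]),                # self only: a true island
    "DC-C1": ("192.0.2.30", ["192.0.2.10", "192.0.2.20"]),  # peers only: fine
    "DC-D1": ("192.0.2.40", ["127.0.0.1", "192.0.2.10"]),   # loopback is still self
}


def run_audit() -> Dict[str, List[str]]:
    configs = [parse_ipconfig(fake_ipconfig(h, ip, dns)) for h, (ip, dns) in SAMPLE_DCS.items()]
    return audit(configs)


if __name__ == "__main__":
    for host, issues in run_audit().items():
        print(f"{host}: {', '.join(issues) if issues else 'OK'}")
```

Run it as-is to see the four constructed hosts scored; against real machines, capture `ipconfig /all` from each DC to a file and feed each file's text to `parse_ipconfig`. The `UNKNOWN_SERVER` finding is informational: it marks a DNS server that is not one of the DCs you passed in, which may be a legitimate non-AD resolver or a DC you forgot to include.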
