In that case you won't want to make the host a client of itself. Then you would/could run into the island effect.
 
When you get to R2, you'll want to weigh Neil's comments and see how that plays in your environment.
 
Al

 
On 7/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Al,

This sure helped, we are by the way indeed talking about W2K DC's.

Victor

----- Original message -----
From: Al Mulnick <[EMAIL PROTECTED]>
Date: Thursday, July 13, 2006 3:58 am
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

> You don't work at the post office do you? ;)
>
>
> There are many many many ways to properly configure DNS. One thing that
> helps is to think of the terms client and server vs. preferred and
> alternate only. You are configuring a preferred server and an alternate
> server that you want this DC to be a client of.
>
> DNS is a standard. Windows 2003 DNS follows those standards (comments
> really, but let's not pick right?) Microsoft has done some enhancements
> above and beyond that make DNS play very well in the Microsoft sphere[1].
> You can however have DNS that is a third party DNS system, such as BIND.
> Active Directory plays very well with such third party DNS systems. You
> could have your domain controllers not have any DNS hosted on them at all.
> You could have it hosted, but as a secondary zone. You could also have it
> AD integrated meaning that you have a listener for DNS but the data(base)
> is stored in the active directory.
>
> Something to clarify: what you're talking about is making the DC a
> *client* to another DNS server that hosts the zones. You're also talking
> about making dc1 a client of dc2 and vice versa. That's silly, but I'll
> get to that.
>
> If you have your dns hosted on a third party system such as BIND, you'll
> have one server as the primary (not best practice, but you get the idea; in
> practice you'd have multiple for failure tolerance and wan traffic
> optimization) and your DC would be a client of that system.
>
> If you have a traditional DNS hierarchy that has primary and secondary
> transfers, you would be mimicking BIND topology and again could configure
> your DC's to be clients of the BIND or Microsoft DNS servers.
>
> If you have the DNS AD-Integrated, then after initial replication you
> should have the client configured to use itself as the DNS server. That'd
> be the best practice. Before 2003 you could have an "island effect" where,
> because you didn't have a full picture of the directory, you might not have
> all the records needed to fully *see* the entire DNS names list, effectively
> creating an island of a DC. In 2003 some additional code was put in to make
> sure that doesn't happen. You need to be a client of a working DNS to join
> the domain and to find the other DC's when you get promoted. After
> replication completes, you have a full list and there's no need to continue
> as a client of a server that has the same information you do.
>
> So, what's silly about having your server configured to be a client of a
> dns server that has the same information? I find it amusing that if the
> server wants to find something he'll ask his neighbor if he has the
> information when he could just ask himself. It's brain dead in my opinion
> and very difficult to troubleshoot. In addition, and more importantly, it
> breaks the idea of a fabric design because now dc1 and dc2 are reliant on
> each other to be operational. If either is down, both are down and that's
> ridiculous considering how easy it is to prevent that situation. But wait!
> you say? He should try the partner first and if that fails use himself
> right? Yes but. :) He'll try the neighbor first, because that's the
> preferred. He'll also register there etc. The worst part is that if he
> tries the partner and the partner is not completely dead, he'll not try
> himself even if he has the right information.
>
> Now, will it work? Yes. Is it a good idea? Absolutely not and shows a lack
> of understanding on the part of the folks that deployed it. From the sounds
> of it, an unwillingness to fix the underlying issues that led them there as
> well. On the other hand, they're spot on if it's W2K vs. K3 :)
>
> Does that help?
>
>
> [1] unless you like granular audit logging. But that's neither here nor
> there.
>
>
> On 7/12/06, Victor W. <[EMAIL PROTECTED]> wrote:
> >
> > Today a conversation at my job came up about setting the preferred DNS
> > server on the NIC of a DC with DNS installed.
> > For as far as I know it's best to point the DC (with DNS installed) to
> > itself for DNS by specifying the internal IP address of the DC as the
> > preferred DNS server on the NIC.
> >
> > Then I was told that this is not always necessary and this puzzled me a
> > bit.
> >
> > Not everybody was convinced of the above and this got me thinking. Some
> > people are claiming that it doesn't really matter if you set that DC to
> > be the *preferred* or the *alternate* DNS server.
> >
> > I was then shown an environment where all DC's in a child domain (all had
> > DNS installed) had the same DNS server set as preferred DNS server.
> >
> > Perhaps an example will make it more clear:
> >
> > a forest root domain with 4 child domains.
> >
> > child domain A, B, C, and D.
> >
> > Names of the Domain Controllers:
> > root domain: DC-A & DC-B & DC-C & DC-D
> > for child domain A: DC-A1 & DC-A2
> > for child domain B: DC-B1 & DC-B2
> > for child domain C: DC-C1 & DC-C2
> > for child domain D: DC-D1 & DC-D2
> >
> >
> > DC-A1 has specified DC-A2 as preferred DNS server and has specified DC-A1
> > (itself) as alternate DNS server.
> > DC-A2 has specified DC-A2 (itself) as preferred DNS server and has
> > specified DC-A1 as alternate DNS server.
> >
> > DC-B1 has specified DC-B2 as preferred DNS server and has specified DC-B1
> > (itself) as alternate DNS server.
> > DC-B2 has specified DC-B2 (itself) as preferred DNS server and has
> > specified DC-B1 as alternate DNS server.
> >
> > And so on for the other child domains.
> >
> > I was told that this was done because this AD environment was not
> > optimal and that by pointing all the dc's in a child domain to the same
> > DNS server, other issues were prevented from occurring.
> > This didn't sound all that good to me to be honest :-)
> >
> > I am now wondering if there are scenarios thinkable when it would be
> > better not to point a DC with DNS installed as the preferred server on
> > its NIC.
> >
> > Does the term Island DNS also play a role in this?
> >
> >
>
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
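The preferred/alternate client behaviour Al describes, applied to the child-domain layout Victor posted, as an added example that is not part of the thread: a small Python model that audits each DC's NIC settings and shows which DCs lose name resolution when a partner's DNS service is hung rather than fully down. The DC names are taken from Victor's example; the "up/down/hung" service states and the function names are constructed for the model.

```python
# Added example, not code from the thread: models the preferred/alternate
# client behaviour Al describes and audits the child-domain layout Victor posted.
from dataclasses import dataclass

@dataclass(frozen=True)
class DcDnsClient:
    name: str       # DC hosting AD-integrated DNS (2003, initial replication done)
    preferred: str  # preferred DNS server set on its NIC
    alternate: str  # alternate DNS server set on its NIC

# Constructed from Victor's child domain A; B, C and D follow the same pattern.
VICTOR_CHILD_A = (
    DcDnsClient("DC-A1", preferred="DC-A2", alternate="DC-A1"),
    DcDnsClient("DC-A2", preferred="DC-A2", alternate="DC-A1"),
)
# Al's recommendation once replication is complete: each DC is its own preferred.
RECOMMENDED_CHILD_A = (
    DcDnsClient("DC-A1", preferred="DC-A1", alternate="DC-A2"),
    DcDnsClient("DC-A2", preferred="DC-A2", alternate="DC-A1"),
)

def audit(clients):
    """Flag the two problems raised in the thread: a DC that asks a neighbour
    before itself, and dc1/dc2 pairs that list each other as preferred."""
    findings = []
    preferred = {c.name: c.preferred for c in clients}
    for c in clients:
        if c.preferred != c.name:
            findings.append(f"{c.name}: preferred is {c.preferred}, not itself")
        # report each mutual pair once, from the lexically smaller name
        if preferred.get(c.preferred) == c.name and c.preferred > c.name:
            findings.append(f"{c.name} and {c.preferred}: mutual dependency")
    return findings

def can_resolve(client, state):
    """state maps a DNS service name to 'up', 'down' or 'hung' (default 'up').
    'down' never answers, so the client moves on to the alternate; 'hung' still
    answers (slowly/partially), so per Al the client never tries the alternate."""
    pref = state.get(client.preferred, "up")
    if pref == "up":
        return True
    if pref == "hung":
        return False
    return state.get(client.alternate, "up") == "up"

def dcs_losing_dns(clients, state):
    """Names of DCs whose own name resolution fails under the given states."""
    return sorted(c.name for c in clients if not can_resolve(c, state))
```

With Victor's layout a hung DC-A2 takes DC-A1's resolution down with it; with each DC preferring itself only the DC whose own service is hung is affected.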