AD Integrated DNS and member servers

[MartyEgan]

I've searched for similar questions and haven't found this one. Thanks
for any help.

Question:
If my Windows domain's zone is set for "Active Directory-Integrated" on
my DC, and I have 2 other DNS servers (member servers only) with copies
of that zone, will my clients be able to dynamically register records,
if they are contacting one of the member server DNS servers first?

Details:
We have 3 DCs.

Only one of DCs is running DNS. On it's properties sheet for the zone
for our Windows domain says "Type: Active Directory-Integrated" on the
General tab. On the same tab, under "Dynamic Updates:", it says,
"Secure only".

We also have two member servers running DNS. On the properties sheet
for the zone for our Windows domain, they both says, "Type: Secondary".
On the general tab for these zones, under "IP address:", the IP
address of my DC with DNS is listed. (Help text says this should be the
master for the zone and the IP listed is the IP of the DC/DNS server,
so I think that's right.)

For DHCP, we are using a non-MS DHCP server.

In the DHCP server, do I have to be giving out the DC/DNS server's IP
address at all as a DHCP option to get dynamic updates of names from my
clients?

If a client boots up and reaches a member server DNS server first, will
the client's attempt to dynamic update be successful?

What happens in that event? Does the member server/DNS pass the update
along to the DC with DNS on it?



Thanks again for any insight.

 

[Dean Wells [MVP]]

When submitting dyn. updates, clients first request the SOA record of
the zone which designates a name-server with the (or in AD's case, one
of many) writable copies of the zone. The updates will be submitted
there and (latency in mind) will replicate back to the secondaries.

 

[Doug Sherman [MVP]]

Standard Secondary zones do not support dynamic updates. The DHCP scope
should give the DC/DNS server IP for primary DNS - In MS DHCP server the
preference order is configured in the scope option. So, the only time a DNS
client would query a secondary DNS server would be when the DC/DNS server is
unreachable. If this occurs at machine startup, the client would not be
able to register in DNS.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 

[Dean Wells [MVP]]

Inline ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Standard Secondary zones do not support dynamic updates. The DHCP
scope should give the DC/DNS server IP for primary DNS

I'm afraid this isn't correct ... nor would it be remotely scalable if
all queries were directed toward the primary.

- In MS DHCP
server the preference order is configured in the scope option. So,
the only time a DNS client would query a secondary DNS server would
be when the DC/DNS server is unreachable. If this occurs at machine
startup, the client would not be able to register in DNS.

Again, not correct I'm afraid.

 

[MartyEgan]

First, thank you both for offering help. I truly appreciate your
responses.

Well, we seem to have a controversy! (Just kidding)

Dean,

Could you be more specific in what you are saying is not correct?
Also, if you can point me to some documentation I'd be eternally
grateful.

(Actually, if I could have found this documentation to begin with, I
wouldn't have posted to Usenet!)

 

[Dean Wells [MVP]]

There are many, many hits, here's one specific to Microsoft's
implementationderived form google -

http://www.microsoft.com/technet/pr...Ref/19a63021-cc53-4ded-a7a3-abaf82e7fb7c.mspx

The page is lengthy, so search for the following text without the quotes
and read on -

"DHCP Client service performs the"

 

[Laura E. Hunter \(MVP\)]

Marty,

Here's a pretty in-depth explanation of the dynamic update process (watch
for wrapping on the URL, it's long):

http://www.microsoft.com/technet/pr...Ref/19a63021-cc53-4ded-a7a3-abaf82e7fb7c.mspx

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.

 

[Todd J Heron]

First, thank you both for offering help. I truly appreciate your
responses.

Well, we seem to have a controversy! (Just kidding)

Dean,

Could you be more specific in what you are saying is not correct?
Also, if you can point me to some documentation I'd be eternally
grateful.

(Actually, if I could have found this documentation to begin with, I
wouldn't have posted to Usenet!)

What Dean meant by incorrect is this: If a client or server is pointing to
a Secondary zone (MS or BIND) of a Primary zone that in which dynamic
updates are allowed, the client will grab the MNAME (the Master's or the
Primary zone's IP) out of the secondary zone's records (specifically that
record which is listed as the SOA) and send the dynamic update request to
the Primary.

 

[Doug Sherman [MVP]]

The controversy, if any, is merely whether or when you should configure a
client to point to a secondary DNS zone server for primary DNS. It is
absolutely 100% true that standard secondary zones do not support dynamic
updates. It is also true per Dean, Laura, and Todd that the records in a
standard secondary zone can point you to a primary or AD integrated zone
which does support dynamic updates.

It is also absolutely 100% true that MS DHCP scope options determine the
DNS server preference order (assuming you configure them). I mentioned this
only because you said you are using non-MS DHCP, and I have no way of
knowing the capabilities of this non-MS DHCP server.

Within the context of your question, I believe it was fair to assume that
the only circumstances under which you would query a secondary DNS server
would be when you were unable to reach the one and only AD integrated
server:

"If this occurs at machine startup, the client would not be able to register
in DNS." That's what I said, and within the assumed context it is also 100%
true.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 

[Dean Wells [MVP]]

The original question is cleary stated; to reiterate -

"... will my clients be able to dynamically register records, if they
are contacting one of the member server DNS servers first?"

.... to which you replied -

"So, the only time a DNS client would query a secondary DNS server would
be when the DC/DNS server is unreachable. If this occurs at machine
startup, the client would not be able to register in DNS."

.... I'm afraid it remains inaccurate.

 

[Dean Wells [MVP]]

Hmmm ... I'm by no means certain but I believe I may understand your
point; are you trying to say that due to the fact that, in this
instance, where only a single writable zone exists, were that
unreachable even the referral from the secondary would fail? If so,
your conclusions are accurate and my apologies for not gleaning that
originally. With all due respect, more detail in the original response
would help avoid confusion.

 

[Doug Sherman [MVP]]

We focused on different questions:

"If a client boots up and reaches a member server DNS server first, will the
client's attempt to dynamic update be successful?"

I took this to mean - if my client is configured to use the AD/DNS server
for primary DNS and I can't reach it, what happens if it drops to the
secondary server?

Upon re-reading the question, you are correct - Marty asked the question you
focused on - and your answer is correct.

However, he also asked the question I focused on; and my concern was that he
might be under the impression that DNS servers are picked at random or
enagage in kind of a race to respond. My point was that if the only server
that supports dynamic updates is unavailable, then ......... well, you can't
register.

Peace, Love, etc.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

The original question is cleary stated; to reiterate -

"... will my clients be able to dynamically register records, if they
are contacting one of the member server DNS servers first?"

... to which you replied -

"So, the only time a DNS client would query a secondary DNS server would
be when the DC/DNS server is unreachable. If this occurs at machine
startup, the client would not be able to register in DNS."

... I'm afraid it remains inaccurate.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

The controversy, if any, is merely whether or when you should
configure a client to point to a secondary DNS zone server for
primary DNS. It is absolutely 100% true that standard secondary
zones do not support dynamic updates. It is also true per Dean,
Laura, and Todd that the records in a standard secondary zone can
point you to a primary or AD integrated zone which does support
dynamic updates.

It is also absolutely 100% true that MS DHCP scope options determine
the DNS server preference order (assuming you configure them). I
mentioned this only because you said you are using non-MS DHCP, and I
have no way of knowing the capabilities of this non-MS DHCP server.

Within the context of your question, I believe it was fair to assume
that the only circumstances under which you would query a secondary
DNS server would be when you were unable to reach the one and only AD
integrated server:

"If this occurs at machine startup, the client would not be able to
register in DNS." That's what I said, and within the assumed context
it is also 100% true.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 

[Ace Fekay [MVP]]

In

Hmmm ... I'm by no means certain but I believe I may understand your
point; are you trying to say that due to the fact that, in this
instance, where only a single writable zone exists, were that
unreachable even the referral from the secondary would fail? If so,
your conclusions are accurate and my apologies for not gleaning that
originally. With all due respect, more detail in the original
response would help avoid confusion.

I must say this was one interesting thread and wish I saw it sooner!

Cheers!

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Doug Sherman [MVP]]

This is so great!

I should not have said:

" The DHCP scope should give the DC/DNS server IP for primary DNS"

Because it is conceivable that it might be appropriate to point a client to
a secondary DNS server for primarary DNS.

As a result, Dean and I are both right; Laura and Todd are informative, but
uninteresting; and Marty is totally confused.

Doug Sherman
MCSE, MCSA, MCP+I, MVP



"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

This is so great!

I should not have said:

" The DHCP scope should give the DC/DNS server IP for primary DNS"

Because it is conceivable that it might be appropriate to point a
client to a secondary DNS server for primarary DNS.

As a result, Dean and I are both right; Laura and Todd are
informative, but uninteresting; and Marty is totally confused.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

He *must* be confused. He hasn't yet responded to the lastest posts yet!

Ace

 

[MartyEgan]

Thanks to everyone for your assistance. It's a pleasure to see that
everyone remained so professional and that it didn't turn personal.

There was a confusing part, initially, but in the end, the answer is
clear.

When the only writeable copy of the zone is unavailable, then no
dynamic registration of records.

When the only writeable copy of the zone is available, then dynamic
registration of records can be expected to work, even if the client is
contacting a DNS server with non-writeable copies of the zone (such as
my member server DNS servers.)

Thanks again!