Clarify DNS Zones

[Dave]

Hi,

I have been reading Microsoft documentation and still can't figure out what
kind of DNS server I'm going to need and how I'm going to set up zones.

Here's what we have now.
1 physical location
AD server
DNS server with 1 forward looking zone
DHCP server
domain name = domainName.local

We're going to open an office in another physical location and we want to
connect these offices via VPN. Each office will be on a different subnet.

The plan is to set up another domain controller with the name
subDomain.domainName.local so that the domains communicate and trust each
other over the VPN connection. Also I plan to set up a DNS server and a
DHCP server at this location.

How should I set up my DNS server at the second site? Should it be AD
integrated, primary or a secondary server?
How do I set up my zones? I'm unclear on how zones work. I want to be able
to see all computers by name from any of the subnets.

Thanks!!!

 

[Ulf B. Simon-Weidner]

Hi,

I have been reading Microsoft documentation and still can't figure out what
kind of DNS server I'm going to need and how I'm going to set up zones.

Here's what we have now.
1 physical location
AD server
DNS server with 1 forward looking zone
DHCP server
domain name = domainName.local

We're going to open an office in another physical location and we want to
connect these offices via VPN. Each office will be on a different subnet.

The plan is to set up another domain controller with the name
subDomain.domainName.local so that the domains communicate and trust each
other over the VPN connection. Also I plan to set up a DNS server and a
DHCP server at this location.

How should I set up my DNS server at the second site? Should it be AD
integrated, primary or a secondary server?
How do I set up my zones? I'm unclear on how zones work. I want to be able
to see all computers by name from any of the subnets.

Thanks!!!

Hello Dave,

usually a second domain will not be needed - if it's just for replication
issues be aware that the site concept of Windows 2000+ will take care of that.

If you are able to go with one domain for the whole company than I'd recommend
AD-integrating the zone, and make both servers AD-Integrated. Therefore you'll
have a multi-master DNS-Model which enables clients from the remote office to
resolve the IP's of all Servers in the company without bothering the WAN-Line.

If you have to go with two domains (be aware that it's more work in
administration) you'd be able to have a secondary zone on the other domain, or
if you are using Windows Server 2003 you can set the replication scope to "All
dns-servers in the active directory forest" which will also provide you with
all servers in both domains.
What you really need to make sure is that you have Global Catalog servers in
both location (usually - there are scenarios where you can use other solutions
but that's only the case if the branch office is much smaller than the central
office and you are running WS2k3) and you'll need the zone _msdcs.%
forestrootdomain% available in both locations as well since GCs are resolved
using this zone.

Hope this helps.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 

[Dave]

Hi Simon,

In my case I think it'll be better if I set up 2 AD servers, since I'll be
connecting the 2 sites with a VPN tunnel and might have problems if my ISP
goes down. Do you think this is a good reason?

I just want to make sure I understood what you wrote in your post. If I go
with 1 AD server, you're saying that I'll need a DNS server at each site set
up as AD-integrated? If I go with 2 AD servers then I should set up the DNS
server at the second site as Secondary? BTW my current DNS server is set up
as AD-integrated.

How should I set up my zones if I use the 2 AD model?
How should I set up my zones if I use the 1 AD model?
How do I get the zone _msdcs.%forestrootdomain% to show up in both domains?
DNS replication?

Thanks!!!
Dave

 

[Ace Fekay [MVP]]

If I may jump in to answer.... (below inline)

In

Hi Simon,

In my case I think it'll be better if I set up 2 AD servers, since
I'll be connecting the 2 sites with a VPN tunnel and might have
problems if my ISP goes down. Do you think this is a good reason?

You can still set this up in this fashion without any problems. If the line
goes down once in a great while, then no problem with AD functionality
(logons, authentication, etc) in both sites as long as there's a DC in both
sites. Of course, replication will err, but once the line's up again, it
will fix itself. Now of course, if you anticipate the line going down often,
I would suggest looking for a different ISP.

I just want to make sure I understood what you wrote in your post.
If I go with 1 AD server, you're saying that I'll need a DNS server
at each site set up as AD-integrated?

That's pretty much the standard recommendation in such a scenario. AD
INtegration has advantageous over standard Prim/Sec zone transfers. It's
secure since the zones are part of AD and gets replicated along with the AD
replication process. So whatever you change on one DNS server's zone, it's
automatically replicated thru AD's replication process.

Now of course, if you do setup Sites, there is a default latency in
replication, default of 3 hours. That's adjustable in your Site link
properties. If changes are made frequently, this can be a factor, but in
most cases (99% of the time), it's a moot point. As long as the link is fast
enough, you may be able to get away with having both locations in the same
"Site" (the Default-First-Site-Name), which is how many admins do it. Matter
of fact, I have a client setup with 6 sites. Two of the locations are in the
same "Site" and all works fine, with their T1 connecting the two locations.

If I go with 2 AD servers then
I should set up the DNS server at the second site as Secondary? BTW
my current DNS server is set up as AD-integrated.

No, not secondary, AD Integrated, as mentioned above. Just point to your
current DNS on the other machine in the other location, install W2k, promote
it to a DC, then install DNS, create the zone, make it AD Integrated, and
Bham! the zone pops up.

How should I set up my zones if I use the 2 AD model?

AD Integrated as mentioned above.

How should I set up my zones if I use the 1 AD model?

You mean one domain controller? If so, advised to have two domain
controllers.
Or do you mean one Active Directory domain? If so, same thing, AD
Integrated. It's the preferred and recommended method.

Two domains, as Ulf mentioned, is adminstrative overhead if there is no
significant need for it, such as separate adminstration, separate domain
policies (such as different password requirements and restricitons in each
location, etc). From what you mentioned, doesn's seem necessary to have a
different domain.

How do I get the zone _msdcs.%forestrootdomain% to show up in both
domains? DNS replication?

Yes! AD Integration works great!

Thanks!!!
Dave

Hope that helps. Hope Ulf didn't mind...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Dave]

Thanks Ace,

I'm not sure if I understood everything that you wrote.

If I understood you correctly I should set up Active Directory domains at
both locations, but authenticate all users(connect all computers) with the
original domain.

To do this I point the TCP/IP DNS setting on the new location server to the
DNS server at my first location. Promote the computer at the new location
to an AD domain controller(subdomain? subDomain.domainName.local?), install
DNS server as AD-integrated, and the zones set themselves up automatically.
I don't have to manually set up zones. Is that right?

If what I wrote above is correct, then where do I point the DNS settings of
the new location computers(the new DNS server?)? If it's not correct, then
please advise.

Do I have to set up anything else on the DNS servers, like forwarders or is
that not necessary for AD-integrated zones?

Thanks!!!
Dave

 

[Ace Fekay [MVP]]

In

Thanks Ace,

I'm not sure if I understood everything that you wrote.

If I understood you correctly I should set up Active Directory
domains at both locations, but authenticate all users(connect all
computers) with the original domain.

Not setup domains, but a domain controller at each location part of the same
domain. As for what I read, all you need is one domain, so you want to setup
a domain controller, not a new domain.

To do this I point the TCP/IP DNS setting on the new location server
to the DNS server at my first location.

Yes, correct.

Promote the computer at the
new location to an AD domain controller(subdomain?
subDomain.domainName.local?),

No, not a subdomain, but rather the SAME domain, as per discussed in the
previous posts.

install DNS server as AD-integrated,
and the zones set themselves up automatically. I don't have to
manually set up zones. Is that right?

Yes, that's correct, as long as it's part of the SAME domain (Windows 2000).

If what I wrote above is correct, then where do I point the DNS
settings of the new location computers(the new DNS server?)?

Once you create the zone, then point it to itself. Use the original DNS as
the second entry.

If it's
not correct, then please advise.

Do I have to set up anything else on the DNS servers, like forwarders
or is that not necessary for AD-integrated zones?

Yes, that's advisable. COnfigure a forwarder to your ISP.

Thanks!!!
Dave

Cheers!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Dave]

Thanks Ace,

I think I'm pretty clear on everything now. I'm just not sure on how to set
up just a domain controller and not a domain at the new site. I'm gonna do
a test setup on my home computers today. I'll post my results.

Thanks again!!!
Dave

 

[Ulf B. Simon-Weidner]

If I may jump in to answer.... (below inline)
....

Hope that helps. Hope Ulf didn't mind...

Hi Ace - you know I don't mind - thank you for jumping in. I had a very busy
week with a lot of meetings, workshops and presentations so I wasn't able to
answer quickly.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 

[Ulf B. Simon-Weidner]

Thanks Ace,

I think I'm pretty clear on everything now. I'm just not sure on how to set
up just a domain controller and not a domain at the new site. I'm gonna do
a test setup on my home computers today. I'll post my results.

Thanks again!!!
Dave

Hi Dave,

you are going to set up your first domain controller + dns (zones AD-Integrated
with (only secure) dynamic updates) first. Then you configure your sites,
subnets and site links. Then you setup your second DC in the same Active
Directory (use the Set up as additional domain controller for a existing domain
option), but with the IP of the subnet of the second site. Make sure via sites
and services that the DC is in the right site (move it if not) and make it also
a global catalog server. Install the dns-server service on the second DC as
well. If you've configured your dns-zones as AD-Integrated they will appear on
the second server as well, but this might take some time.

Here some links with informations (URLs may wrap):

Understanding Active Directory - Sites (particular the second section "How do
sites relate to domains?")
http://www.microsoft.com/windows2000/en/advanced/help/sag_ADsite_concept_1.htm

How To Manage Domain Controllers
http://www.microsoft.com/windows2000/en/advanced/help/sag_ADmanageDCs.htm

How To Configure Server Settings
http://www.microsoft.com/windows2000/en/advanced/help/sag_ADdssiteServerTopics.
htm

How To Configure Site Settings
http://www.microsoft.com/windows2000/en/advanced/help/dssite_site_topics.htm


Gruesse - Sincerely,

Ulf B. Simon-Weidner

 

[Ace Fekay [MVP]]

In

Hi Ace - you know I don't mind - thank you for jumping in. I had a
very busy week with a lot of meetings, workshops and presentations so
I wasn't able to answer quickly.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

No prob Ulf. I can understand being busy. I had a couple doubles this week.
Hate them. We all usually try to "team" help at times anyway, better with
more than one opinion sometimes.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Dave]

Hi Ulf and Ace,

I built a test setup with a VPN between my house and a friend's house and
everything ran smoothly. No problems with anything. Thanks alot for all
your help.

I am a little unclear on the site links that Ulf mentioned. Right now I
have both domain controller computers showing up under
Sites->Default-First-Site-Name->Servers and they're both Global Catalogs. I
have 2 subnets and they both have site pointing to Default-First-Site-Name.
Is this what the site links are or is there something else that I have to
do?

Also I have only one Forward Looking Zone on my DNS setup. The DNS
replicated with both sites and it contains computers from both sites in its
name list. Is the DNS supposed to have 1 zone or 2?

One last thing that might be off topic. How do I replicate roaming profile
folders? Is this possible? Recommended? Good or bad? Right now I'm
storing profiles on C:\profiles\%username%. My boss wants to be able to log
on at both locations and get his desktop and files.

Thanks alot again for all the help.

Dave

 

[Ulf B. Simon-Weidner]

Hi Dave,

for your convenience (hopefully) I'm answering inline:

Hi Ulf and Ace,

I built a test setup with a VPN between my house and a friend's house and
everything ran smoothly. No problems with anything. Thanks alot for all
your help.

I am a little unclear on the site links that Ulf mentioned. Right now I
have both domain controller computers showing up under
Sites->Default-First-Site-Name->Servers and they're both Global Catalogs. I
have 2 subnets and they both have site pointing to Default-First-Site-Name.
Is this what the site links are or is there something else that I have to
do?

No - do something else.
You already created your subnets. So now create two sites, e.g. Central-Office
and Branch-Office, and assign them their correct subnets. Create a new sitelink
and assign this sitelink to the both sites. Look in the links I posted previous
for the instructions how to do this. And what's very important too, move the
DCs in Active Directory Sites and Services to their Site.

Doing so will assure that the clients from each Site will prefer services from
the DC and other services (like DFS) from their own site. If you keep
everything in the default-first-site then clients will choose either or server,
so every other request might travel over the VPN.

Also I have only one Forward Looking Zone on my DNS setup. The DNS
replicated with both sites and it contains computers from both sites in its
name list. Is the DNS supposed to have 1 zone or 2?

Forward Lookup with a single domain is supposed to have at least one zone, but
you need to make sure that it contains the _msdcs, _sites, _tcp, _udp,
domainDnsZones and ForestDnsZones subdomains (so a total of 6).

I'd configure Reverse lookup zones for your subnets as well, since you'll have
some errors or problems with applications if you don't.

One last thing that might be off topic. How do I replicate roaming profile
folders? Is this possible? Recommended? Good or bad? Right now I'm
storing profiles on C:\profiles\%username%. My boss wants to be able to log
on at both locations and get his desktop and files.

You're right - that's really off topic ;-)

I would not recommend replicating roaming profiles in general - more trouble
than advantage. However, if you are willing to waiste the double space on the
harddisks, and you are able to make sure that your boss and everybody else who
will need replicated user profiles is not working from more than one machine,
you should have a look at the Distributed File System (DFS). The advantage of
DFS is that it's also site aware, so the users will receive the share in their
current site. Replication is done via File Replication Services (FRS). Both
technologies are also used to access and replicate the Sysvol-Share on Domain
Controllers.

Here are some links about those Technologies (URLs may wrap):
http://www.microsoft.com/WindowsServer2003/technologies/fileandprint/file/df
s/default.mspx

Description of the FRS Replication Protocol, Notification and Schedule for DFS
Content
http://support.microsoft.com/?id=220938

The Problem with FRS you need to be aware of:
"Last Writer Wins" Algorithm May Cause Loss of Data for FRS-Replicated Content
http://support.microsoft.com/?id=221089

Thanks alot again for all the help.

Dave

You're welcome - I hope this will help you too.


Gruesse - Sincerely,

Ulf B. Simon-Weidner

 

[Dave]

Hi Ulf,

Here's what I did. I created 2 sites and moved the appropriate domain
controllers to their sites. I assigned the correct site to each subnet.
When I created the sites I assigned the only available site link to each
site(the default one). After that I created a site link using "IP" protocol
for the two servers, but I can't find anywhere where I can reassign a site
link to the sites. I'm mentioning this, because when I created a site, I
was asked to select a site link object. Should I assign a site link or is
it automatic?

For the DNS server, I only see the first 4 subdomains that you mentioned.
I'm using windows 2000 server. Is this because I'm using 1 zone, or is
there a step that I missed while setting up my DNS server?

Thanks for the DFS suggestion and links. I'll read up and try to learn as
much as I can about that.

Thanks!!!
Dave

 

[Ulf B. Simon-Weidner]

Hi Dave,

inline again:

Hi Ulf,

Here's what I did. I created 2 sites and moved the appropriate domain
controllers to their sites. I assigned the correct site to each subnet.
When I created the sites I assigned the only available site link to each
site(the default one). After that I created a site link using "IP" protocol
for the two servers, but I can't find anywhere where I can reassign a site
link to the sites. I'm mentioning this, because when I created a site, I
was asked to select a site link object. Should I assign a site link or is
it automatic?

You would be able to use the default sitelink. However if you want to configure
replication I'd prefer to create my own sitelink. Assignment of the sites to
sitelinks is not done automatically.

Here's some information how to add a site to a site link:
http://www.microsoft.com/windows2000/en/advanced/help/dssite_connection_topics.
htm

For the DNS server, I only see the first 4 subdomains that you mentioned.
I'm using windows 2000 server. Is this because I'm using 1 zone, or is
there a step that I missed while setting up my DNS server?

The first 4 are totaly valid if you use Windows 2000 - sorry, I missed to
mention that. The other two are introduced with Windows Server 2003.

Thanks for the DFS suggestion and links. I'll read up and try to learn as
much as I can about that.

Look at it, but be carefully and keep in mind that it might not be necessary to
replicate all profiles and you can set different profile paths per user. So
you'd be able to replicate the one from your boss and other workers who traven
frequently, and not replicate the ones which are almost never traveling to the
other location.


Gruesse - Sincerely,

Ulf B. Simon-Weidner

 

[Dave]

Hi Ulf,

I guess everything is working fine then. Thanks a lot to you and Ace for
all the help.

I was thinking of just making my bosses profile available for all sites,
too. I'll have to research that a little more.

Thanks!!!
Dave

 

[Ace Fekay [MVP]]

In

Hi Ulf,

I guess everything is working fine then. Thanks a lot to you and Ace
for all the help.

I was thinking of just making my bosses profile available for all
sites, too. I'll have to research that a little more.

Thanks!!!
Dave

No problem.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory