Disjointed Namespace with Root Zone required

  • Thread starter Thread starter adam
  • Start date Start date
A

adam

As my hair grays and falls out I can't get rid of this
problem...
I am setting up a new private forest with no Internet
connection allowed.
On "ROOT1", I fill in TCP/IP settings: 1.1.1.11 /
255.255.255.0 /1.1.1.11 with Primary DNS Server 1.1.1.11.
I reboot and add the DNS Service.
I created my Forward Lookup Zones ". " (so this is the
Root Server for the private Forest) and mil and my 1.1.1.X
Reverse Lookup Zone.
Then I set "Allow Dynamic Updates to YES" on all zones.
I reboot and verify the DNS settings are good.
I DCPromo "ROOT1", creating the new forest "mil" and
rebooted.
Then I set "Active Directory-Integrated" on all zones.
Testing DNS, nslookup on mil gets no response but mil.
does?

ROOT1's name under My Computer, Properties (root1.mil)
versus in DNS (root1.mil.) are different? Note that
the "." at the end on mil is the difference on the DNS
entry.

This forest will never have Internet access and the root
hints entries are not needed. I thought you must have
the "." zone to designate this as the root server.

Eventually there will be 3 root servers in the forest so
the "DNS Island Affect" can't happen.

Please tell me what I am doing wrong!?!
 
adam said:
Ace,
Here is a more thorough description of my problem. Please
note that I have replaced "mil" with "ihm". Thanks.

We are setting up a new private forest with no Internet
connection allowed.
On "root1" DC, TCP/IP settings are
1.1.1.11/255.255.255.0/1.1.1.11, P DNS 1.1.1.11
We add DNS Service, create Forward Lookup Zones "."
and "ihm" and Reverse Lookup Zone 1.1.1.x
Then set all zones to "Allow Dynamic Updates to YES".
Reboot and verify DNS settings are OK.
DCPROMO root1, creating the new forest "ihm" and reboot.
Then set all zones to "AD-Integrated".
Testing DNS, ihm gets no response but ihm. does.

On "root2" DC, TCP/IP settings are
1.1.1.12/255.255.255.0/1.1.1.12, P DNS 1.1.1.11/ A DNS
1.1.1.12
We add DNS Service, create Forward Lookup Zones "."
and "ihm" and Reverse Lookup Zone 1.1.1.x
Then set all zones to "Allow Dynamic Updates to YES".
Reboot and verify DNS settings are OK.
DCPROMO root2, join the "ihm" domain and reboot.
Then set all zones to "AD-Integrated".
Testing DNS, ihm gets no response but ihm. does.

When netdiag /debug is performed, AD errors all say:
The record on your DC is:
DNS NAME = ihm.
DNS DATA =
A 7.47.181.11

The record on DNS server 7.47.181.12 is:
DNS NAME = ihm
DNS DATA =
A 7.47.181.11
A 7.47.181.12

********** * ********** * ********** * ********** *
********** *
* CHECK NAME _ldap._tcp.ihm. on DNS server 7.47.181.12
********** * ********** * ********** * ********** *
********** *

The Record is different on DNS server '7.47.181.12'.
DNS server has more than one entries for this name,
usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '7.47.181.12',
no need to re-register.

The record on your DC is:
DNS NAME = _ldap._tcp.ihm.
DNS DATA =
SRV 0 100 389 root1.ihm.

The record on DNS server 7.47.181.12 is:
DNS NAME = _ldap._tcp.ihm
DNS DATA =
SRV 0 100 389 root2.ihm
SRV 0 100 389 root1.ihm

The errors continue but all say the same thing ihm and
ihm. are different!

Is the "." zone needed to designate this a Root Server?
We tried the same proceeds above without creating the "."
zone and ended up with the same errors.
Click to expand...

Hi Adam,

What errors? You mean this message?
The Record is different on DNS server '7.47.181.12'.
DNS server has more than one entries for this name,
usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '7.47.181.12',
no need to re-register.
Click to expand...

I've seen that message often when you have mutliple DNS servers with AD
Integrated zones. So I wouldn't worry about it. The second part of the
message says it usually means there are multiple DCs for this domain and no
need to re-register, so don't worry about it.

Also, don't worry about the period. It's just the way the results are
displayed.

As for your single label DNS name, as I mentioned, can cause problems with
resolution in DNS. I would address that as soon as possible.

Hope I was able to understand your question and concerns.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top