DNS - Am I setup backwards?


Mark Lamoreaux

Hi,

I'm in the process of migrating my NT4/Exchange 5.5 network to
Windows/Exchange 2003. I really didn't understand the pros and cons
of choosing domain names when moving to 2003, and now I'm wondering if
how I did it was wrong and needs to be redone?

I have 2 registered domain names: triaxialdata.com and
triaxialdata.net

triaxialdata.com is managed by my ISP.

I plan to have my DNS server be authoritative for triaxialdata.net and
set up a SOA record accordingly (although it isn't authoritative for
this name in the real world - how do I do this?).

My Windows NT domain was TRIAXIAL. When I upgraded to 2003, I made
the new Active Directory domain name triaxialdata.com. I'm afraid
that this might have been a mistake, although most of what I've read
so far says that this is possible (i.e. to have internal AD name the
same as external DNS name).

My 2003 DC is the same computer as my DNS server (named TRIAXIAL01).
I set up a forward zone for triaxialdata.net and statically assigned my
computers to this zone. Everything has been working fine for weeks
and I can ping all names just as I expect to be able to. However, now
that I'm preparing to migrate Exchange, I'm running through the
recommended tests and I'm receiving some errors referring to my DNS
setup.

If I run netdiag, everything passes except for the following test:
DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '64.162.46.28'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

When I run dcdiag, I get the following errors:
Testing server: Default-First-Site-Name\TRIAXIAL01
Starting test: Connectivity
The host d0ecc1a9-8155-4d3c-bd91-1e71b3baa66e._msdcs.triaxialdata.com could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name (d0ecc1a9-8155-4d3c-bd91-1e71b3baa66e._msdcs.triaxialdata.com) couldn't be resolved, the server name (triaxial01.triaxialdata.net) resolved to the IP address (64.162.46.28) and was pingable.
Check that the IP address is registered correctly with the DNS server.
......................... TRIAXIAL01 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\TRIAXIAL01
Skipping all tests, because server TRIAXIAL01 is
not responding to directory service requests


Should I still be looking for something that is misconfigured (because
it seems like it's almost there), or did I make a mistake by creating
an internal AD name that is the same as my externally managed DNS
name?

Here's my ipconfig /all:

Windows IP Configuration

Host Name . . . . . . . . . . . . : triaxial01
Primary Dns Suffix . . . . . . . : triaxialdata.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : triaxialdata.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Server Adapter
Physical Address. . . . . . . . . : 00-0D-61-04-CC-8F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 64.162.46.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 64.162.46.1
DNS Servers . . . . . . . . . . . : 64.162.46.28
Primary WINS Server . . . . . . . : 64.162.46.21
Secondary WINS Server . . . . . . : 64.162.46.20

Thanks,
Mark
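The records that netdiag and dcdiag are complaining about are the ones Netlogon tries to register under the Active Directory DNS name, not under triaxialdata.net. The script below is an added example (not part of the post) that asks the DC's own DNS server for exactly those records, starting with whether the server is authoritative for the AD name at all. It assumes a Windows version with Resolve-DnsName (Windows Server 2012 / Windows 8 or later); on Server 2003 the same lookups are done with nslookup -type=SRV and nslookup -norecurse. The domain name, server address and DSA GUID are the values from the dcdiag and ipconfig output above.

```powershell
# Added example, not from the original post. Checks the DNS records a DC
# must be able to resolve, against the DC's own DNS server.
param(
    [string]$AdDomain  = "triaxialdata.com",                      # AD DNS name (from the post)
    [string]$DnsServer = "64.162.46.28",                          # the DC's DNS server (from ipconfig /all)
    [string]$DsaGuid   = "d0ecc1a9-8155-4d3c-bd91-1e71b3baa66e"   # DSA GUID dcdiag printed
)

# 1. Is this server authoritative for the AD domain name at all?
#    -NoRecursion stops it from walking out to the ISP's public zone, so a
#    missing local zone shows up as "no answer" rather than the ISP's SOA.
$soa = Resolve-DnsName -Name $AdDomain -Type SOA -Server $DnsServer -DnsOnly -NoRecursion -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SOA" }
if (-not $soa) {
    Write-Warning "$DnsServer holds no zone named '$AdDomain'; every record below will be missing until it does."
} else {
    "SOA    {0} primary={1} serial={2}" -f $AdDomain, $soa.PrimaryServer, $soa.SerialNumber
}

# 2. The records Netlogon registers and the DC locator / dcdiag depend on.
$required = @(
    @{ Name = "_ldap._tcp.$AdDomain";            Type = "SRV"   }   # any DC for the domain
    @{ Name = "_ldap._tcp.dc._msdcs.$AdDomain";  Type = "SRV"   }   # DC locator
    @{ Name = "_kerberos._tcp.$AdDomain";        Type = "SRV"   }   # KDC
    @{ Name = "_ldap._tcp.pdc._msdcs.$AdDomain"; Type = "SRV"   }   # PDC emulator
    @{ Name = "_ldap._tcp.gc._msdcs.$AdDomain";  Type = "SRV"   }   # global catalog (forest root domain)
    @{ Name = "$DsaGuid._msdcs.$AdDomain";       Type = "CNAME" }   # replication alias dcdiag failed on
    @{ Name = $AdDomain;                         Type = "A"     }   # apex A record each DC registers
)

$missing = @()
foreach ($r in $required) {
    $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq $r.Type }
    if (-not $ans) {
        $missing += $r.Name
        "{0,-6} {1,-60} MISSING" -f $r.Type, $r.Name
        continue
    }
    foreach ($a in $ans) {
        $target = switch ($r.Type) {
            "SRV"   { "{0}:{1}" -f $a.NameTarget, $a.Port }
            "CNAME" { $a.NameHost }
            default { $a.IPAddress }
        }
        "{0,-6} {1,-60} -> {2}" -f $r.Type, $r.Name, $target
    }
}

if ($missing) {
    Write-Warning ("{0} of {1} required records missing. Fix the '{2}' zone on {3}, run 'nltest /dsregdns', then re-run dcdiag /test:Connectivity." -f $missing.Count, $required.Count, $AdDomain, $DnsServer)
    exit 1
}
"All DC locator records for $AdDomain are present on $DnsServer."
```

With the setup described in the post (a zone for triaxialdata.net only), the SOA check fails and every line prints MISSING; ipconfig /registerdns and netdiag /fix cannot help until a zone named triaxialdata.com exists on the server, because there is nothing for the updates to land in.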
 
Yes, dynamic updates are enabled. I even set it to nonsecure updates
temporarily to make sure I don't have a security issue, but I still
don't see automatic updates made.

Apparently, my DNS server needs to have entries for triaxialdata.com
(my internal Active Directory domain), but it only has authority to
update triaxialdata.net because my ISP controls DNS for my external
triaxialdata.com (the same name is used for external Internet domain
and internal Active Directory domain).

Basically, the only place I'm really seeing any errors is when I run
Netdiag. If I run Netdiag /fix, I get several entries like the
following:

[FATAL] Failed to fix: DC DNS entry triaxialdata.com. re-registeration on DNS server '64.162.46.28' failed.

and

[DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry ForestDnsZone.triaxialdata.com. re-registeration on DNS server '64.162.46.28' failed.

To me, it looks like it's trying to register special Active Directory
names under triaxialdata.com (my AD domain name) but I only have a
zone for triaxialdata.net (when I tried setting up an internal zone
for triaxialdata.com, it interfered with my ISP's DNS and people
couldn't get to my web pages and email server at triaxialdata.com).

I think I'm just missing something basic here. Any more hints?

Thanks,
Mark
 
Choosing the same internal/external name is called Split-Horizon. We
normally don't recommend this due to additional administrative overhead.

Apparently you haven't created the required zone called triaxialdata.com, on
your own DNS server, which AD *absolutely requires*.
291382 - Frequently Asked Questions About Windows 2000 DNS and Windows
Server 2003 DNS:
http://support.microsoft.com/?id=291382


See, AD stores all its resource and service locations in DNS. When
something requires to look up or "find" the domain, it queries DNS. This is
why you're getting a multitude of errors. There is no zone for AD and
therefore everything is failing because it cannot find itself. NT4 and AD
are two different animals and don't work the same at all.

Cardinal Rules with AD:
1. Use your own DNS
2. Create the zone on your own DNS that exactly matches the AD DNS domain
name
3. Only use your own DNS server for all member machines (DCs and clients)
4. Enable updates on the zone
5. For efficient Internet resolution, use a forwarder. If the option is
grayed out, delete the Root zone, refresh the console, and try again. If not
sure how to do that, see this article:
http://support.microsoft.com/?id=300202

Here are some other links on AD and DNS (which applies to both Win2k and
Win2k3):

DNS requirements for installing Active Directory:
http://www.microsoft.com/technet/tr...tacenter/sag_dns_und_dcpromo_requirements.asp

Windows 2000 Step-by-Step Guides - Includes many how-to's, Installing AD and
Pro as a Client, etc:
http://www.microsoft.com/windows2000/techinfo/planning/walkthroughs/default.asp

DNS Requirements for Deploying Active Directory:
http://www.microsoft.com/windows200...echinfo/reskit/en-us/deploy/dgbd_ads_kuha.asp

Appendix B - AD Procedures Reference (Nice reference here):
http://www.microsoft.com/technet/tr...dows2000/maintain/opsguide/Part2/ADOGdApB.asp


As for your same name design, the additional administrative overhead may also
include registry entries as well. The main thing is that your users won't be
able to get to your externally hosted website, since your zone in your own
internal DNS doesn't have that info. You would need to manually create a www
record giving it the external IP of the actual website. Also may need to
create other records as well, including ftp or anything else. Mail isn't
required here since your clients will be MAPI clients.

Keep in mind that the users will always need to use www.triaxialdata.com to
get to it, but NOT by http://triaxialdata.com. This is because of the
LdapIpAddress that DCs create as required for AD functionality. DFS and GPO
acquisition use this record. However this record can be altered (through the
registry) to give your users that special need to connect by
http://triaxialdata.com, but this will alter domain functionality and is not
recommended.

Also, after reading all this, you probably agree that a different internal
name (like a .corp or something like that) may have been a better choice.
But if you are going to ask about Exchange's email domain name and how it
affects mail, it doesn't. That's because you can set whatever domain name
the machine will receive mail for in the Recipient Policy and as long as the
external MX record (hosted on the external DNS) are pointed to the Ex box,
then it will receive mail on that domain. You can set multiples, but they
don't have anything to do with the AD name. I host 25 domain names for my
clients, none of which have anything to do with my AD name...

Hope that clears things up.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
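The cardinal rules and the split-horizon shadow records in Ace's reply, carried out on the DC as one script. This is an added example, not Ace's or Microsoft's code. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); on the Server 2003 box in the thread the same steps are dnscmd /ZoneAdd <zone> /DsPrimary, dnscmd /Config <zone> /AllowUpdate 2 (secure updates only), dnscmd /ResetForwarders <ip> and dnscmd /RecordAdd <zone> www A <ip>. The web/ftp address and the forwarder address are placeholders from the RFC 5737 test ranges, not values from the thread. Rules 1 and 3 (every member machine points only at this DNS server) are client-side settings, and the ipconfig /all above already shows the DC pointing at itself, so they are not scripted here.

```powershell
# Added example, not from the original reply. Creates the AD zone, sets
# secure-only updates, configures a forwarder, adds split-horizon shadow
# records, and forces the DC to re-register.
param(
    [string]$AdDomain     = "triaxialdata.com",   # AD DNS name (from the thread)
    [string]$ExternalWeb  = "203.0.113.10",       # assumption: ISP-hosted www/ftp host
    [string[]]$Forwarders = @("198.51.100.53")    # assumption: upstream resolver
)
Import-Module DnsServer

# Rule 5 prerequisite: a "." zone makes the server believe it is a root
# server and greys out the Forwarders option. Delete it if present.
if (Get-DnsServerZone -Name "." -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name "." -Force
}

# Rules 2 and 4: a zone whose name is exactly the AD DNS name, AD-integrated,
# accepting *secure* dynamic updates only. "NonsecureAndSecure" (what the
# original poster tried) lets any host that can reach this server rewrite
# the SRV records clients use to find the DC; with a public address on the
# DC, that is the whole Internet.
$zone = Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerPrimaryZone -Name $AdDomain -ReplicationScope Domain -DynamicUpdate Secure
} elseif ($zone.DynamicUpdate -ne "Secure") {
    Set-DnsServerPrimaryZone -Name $AdDomain -DynamicUpdate Secure
}

# Rule 5: send everything this server is not authoritative for upstream.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# Split-horizon shadow records: public names in the ISP's zone that internal
# clients can no longer see once this server owns triaxialdata.com. Only the
# names the reply mentions; add others (same pattern) as the public zone needs.
foreach ($name in "www", "ftp") {
    $rr = Get-DnsServerResourceRecord -ZoneName $AdDomain -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $rr) {
        Add-DnsServerResourceRecordA -ZoneName $AdDomain -Name $name -IPv4Address $ExternalWeb -TimeToLive 01:00:00
    }
}
# Deliberately no A record for the bare $AdDomain: each DC registers its own
# address at the apex (LdapIpAddress), which DFS and Group Policy rely on, so
# http://triaxialdata.com reaches a DC from inside. Internal users use www.

# Rule 4 follow-up: re-register this DC's A/SRV/GUID records now rather than
# waiting for Netlogon's next registration cycle.
ipconfig /registerdns | Out-Null
nltest /dsregdns      | Out-Null

# Show what Netlogon registered; an empty list means the zone is still wrong.
Get-DnsServerResourceRecord -ZoneName $AdDomain -RRType SRV |
    Select-Object HostName, @{ n = "Target"; e = { $_.RecordData.DomainName } }
```

Run it on the DC as a domain administrator, supplying the real ISP addresses as parameters, then repeat dcdiag /test:Connectivity and netdiag /test:DNS from the first post. Because the zone is AD-integrated and secure-only, a second DC added later can register into it automatically, and a stray workstation (or anything else on that public /24) cannot overwrite the records that point clients at the domain controller.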
 
Mark Lamoreaux said:
Thanks everyone! I think I got it now - the links help a lot!

Mark


Good to hear!

--
Regards,
Ace

 