DNS redundancy

[Anthony Stewart]

Hi everyone!

(Apologies if someone's answered this before.)

We have 4 DCs running corp.mydomain.com (root domain). Each DC is a DNS
server (AD-integrated). We also have several child domains, with DNS
servers for those domains.

I configured each child domain DNS server to forward to a list of corp DNS
servers. The corp DNS servers are configured to forward to our ISPs
internet DNS servers.

I thought this would give me some redundancy in the event of a DNS server
failure. However, today the corp domain server (at the top of the child
servers' lists) failed. But the child DNS servers did NOT try the other DNS
servers in their forwarder lists - which were all still working fine. This
results in our mail server sending only external mail that happens to be in
the cache of the child DNS servers, and some website browsing failures.

What have I done wrong? How do I make the child DNS servers failover to a
different forwarder when the DNS at the top of the list is not available?

Many thanks in advance

Anthony Stewart MCSE

 

[Kevin D. Goodknecht Sr. [MVP]]

In Anthony Stewart <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.

Hi everyone!

(Apologies if someone's answered this before.)

We have 4 DCs running corp.mydomain.com (root domain). Each DC is a
DNS server (AD-integrated). We also have several child domains, with
DNS servers for those domains.

I configured each child domain DNS server to forward to a list of
corp DNS servers. The corp DNS servers are configured to forward to
our ISPs internet DNS servers.

I thought this would give me some redundancy in the event of a DNS
server failure. However, today the corp domain server (at the top of
the child servers' lists) failed. But the child DNS servers did NOT
try the other DNS servers in their forwarder lists - which were all
still working fine. This results in our mail server sending only
external mail that happens to be in the cache of the child DNS
servers, and some website browsing failures.

What have I done wrong? How do I make the child DNS servers failover
to a different forwarder when the DNS at the top of the list is not
available?

Many thanks in advance

Anthony Stewart MCSE

On the Forwarders Tab of the Child DNS server check the "Do not use
recursion" box. That will prevent it from using Root Hints. That is the only
thing I see missing from the KB that describes this setup.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248&FR=1

 

[Kevin D. Goodknecht Sr. [MVP]]

In Anthony Stewart <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.

Thanks for the reply - but I still don't see how this will help...

Surely the DNS server should go through the list of forwarders
completely before

1. giving up if the "use forwarders exclusively" option is checked

Yes but what is the forwarders time out

2. trying to resolve via its own root hints if the option is not
selected

You really don't want the child DNS to use root hints at all if it cannot
find the DC by using the root hints.

?????

Or am I missing the point? <- very possible!

Thanks

On the information you gave this was about the best guess I could come up
with to make a better diagnosis I will need to see an ipconfig /all from all
the servers or at least one from the parent and child DC's if they are set
up the same.
For best replication all DC's in the parent domain should point to the
Infratructure Master


In order for replication to work properly the DC's in both domain must
always be able to find the DC's if it goes through the list and uses root
hints it won't find the parent DC. This could happen pretty fast depending
on what the forwarders time out is, say if it set to 0 seconds.

That being said, how many global catalog servers are there?

If you run DCDIAG /e /v what does the output look like?