Multiple DNS Servers


Steven Rulison

I work for a small state agency that only has thirty users
that can possibly be logged on at any given time. We
currently have three domain controllers running on our
network and all of them have their own copy of DNS
installed. It was my belief at the time I set this
network up that this approach would add redundancy to our
network and allow for a failure of one of the servers w/o
bringing down the entire network. In addition, I also
felt that this would provide some load balancing and help
keep the network running faster and smoother. I have
recently been having some second thoughts on that
strategy. It seems that some of the DNS servers are not
synchronizing with the other servers on the network. Can
somebody tell me if I was correct in using this approach
or would it have been better to only have one server
running DNS since our agency is so small?
 
Ace Fekay, replying to Steven Rulison's post above:


It's the correct approach. I'm going to assume the zones on each DC/DNS
server are all AD Integrated. If not, make that so. AD Integration means the
zone is stored in the actual physical AD database (logically in the Domain
NC container). This gets replicated to other domain controllers with AD's
replication process. If you believe that replication is not occurring
properly, then to further tech support this, we'll need more information to
help out.

1. What observations are you basing this on?
2. Are there any errors on any of the DCs' Event logs? - Looking for NTFRS,
Netlogon, Kerberos and LDAP errors.
3. Please post from each DC an unedited ipconfig /all
4. Please provide the actual AD DNS domain name so we can match up the
configuration with the ipconfig /all.

Thanks


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Steven Rulison:

Per your request, I have attached the information
regarding our DNS servers.

Thank you for your assistance.

Note:
The two domain controllers currently running DNS are
identified as FS-DC-1 and DB2SERVER. There are also two
additional domain controllers that were running on our
network identified as SP1 and SP2 but they are not
currently running at this time. They are however still
listed in the Active Directory DNS listing with identical
zones.

1. WHAT OBSERVATIONS ARE YOU BASING THIS ON?

Error messages appearing on a daily basis in the DNS Event
log

2. ARE THERE ANY ERRORS ON ANY OF THE DCS' EVENT LOGS -
LOOKING FOR NTFRS, NETLOGON, KERBEROS, AND LDAP ERRORS?

Yes we have in the past but I did not find any error
messages in our log at the time of this writing that
referred to any of the entities mentioned above. I have
listed below the error message that is continually written
to the DNS event log.

Error Message on FS-DC-1:
The description for Event ID ( 7062 ) in Source ( DNS )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description;
see Help and Support for details. The following
information is part of the event: 10.44.1.210.

Error Message on DB2SERVER:
The description for Event ID ( 7062 ) in Source ( DNS )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description;
see Help and Support for details. The following
information is part of the event: 10.44.1.18.

3. PLEASE POST FROM EACH DC AN UNEDITED IPCONFIG /ALL

IPCONFIG For DB2SERVER

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

H:\>IPCONFIG /ALL

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : db2server
Primary DNS Suffix . . . . . . . : ilptab.il.us
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ilptab.il.us
il.us

Ethernet adapter Springfield Primary 10.44.1.18:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B)
Physical Address. . . . . . . . . : 00-E0-18-29-B8-E1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.44.1.18
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.44.1.1
DNS Servers . . . . . . . . . . . : 10.44.1.18
10.44.1.210

IPCONFIG For FS-DC-1
 
Jeff replied:

You can only view event logs from a machine with the DNS server installed.

The text of those events is pasted below. You should follow the steps to
search for misconfigurations.

The DNS server encountered a packet addressed to itself -- IP address %1.

The DNS server should never be sending a packet to itself. This situation
usually indicates a configuration error.

Check the following areas for possible self-send configuration errors:
 1) Forwarders list. (DNS servers should not forward to themselves).
 2) Master lists of secondary zones.
 3) Notify lists of primary zones.
 4) Delegations of subzones. Must not contain NS record for this DNS server
    unless subzone is also on this server.

Example of self-delegation:
 -> This DNS server dns1.foo.com is the primary for the zone foo.com.
 -> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
    (bar.foo.com NS dns1.foo.com)
 -> BUT the bar.foo.com zone is NOT on this server.

Note, you should make this delegation check (with nslookup or DNS manager)
both on this DNS server and on the server(s) you delegated the subzone to.
It is possible that the delegation was done correctly, but that the primary
DNS for the subzone has an incorrect NS record pointing back at this server.
If this incorrect NS record is cached at this server, then the self-send
could result. If found, the subzone DNS server admin should remove the
offending NS record.

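As an added example (not code from the thread, from Jeff, or from Microsoft's DNS service), the following Python script walks the four self-send areas the Event ID 7062 text lists against a hand-entered snapshot of one server's configuration. The server name, addresses and zones in it are constructed and reproduce the event's own dns1.foo.com / bar.foo.com self-delegation scenario plus a forwarder pointing back at the server.

```python
"""Self-send configuration checker for DNS Event ID 7062 (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class DnsServerConfig:
    """A hand-entered snapshot of one DNS server's configuration (hypothetical)."""
    name: str                        # FQDN the server is known by in NS records
    addresses: set                   # IP addresses this server answers on
    hosted_zones: set                # zones actually held on this server
    forwarders: list = field(default_factory=list)          # forwarder IPs
    secondary_masters: dict = field(default_factory=dict)   # zone -> master IPs
    notify_lists: dict = field(default_factory=dict)        # zone -> notify target IPs
    delegations: dict = field(default_factory=dict)         # child zone -> NS hostnames


def self_send_findings(cfg):
    """Return the 7062 checklist items (1-4) that would make this server send to itself."""
    me_ips = set(cfg.addresses)
    me_names = {cfg.name.lower().rstrip(".")}
    hosted = {z.lower().rstrip(".") for z in cfg.hosted_zones}
    findings = []
    if any(ip in me_ips for ip in cfg.forwarders):
        findings.append("1) forwarders list includes this server")
    for zone, masters in cfg.secondary_masters.items():
        if any(m in me_ips for m in masters):
            findings.append(f"2) secondary zone {zone} lists this server as a master")
    for zone, targets in cfg.notify_lists.items():
        if any(t in me_ips for t in targets):
            findings.append(f"3) primary zone {zone} notifies this server")
    for child, ns_hosts in cfg.delegations.items():
        points_here = any(h.lower().rstrip(".") in me_names for h in ns_hosts)
        if points_here and child.lower().rstrip(".") not in hosted:
            findings.append(f"4) {child} is delegated to this server but not hosted here")
    return findings


# Constructed config reproducing the event text's self-delegation example:
# dns1.foo.com is primary for foo.com and delegates bar.foo.com to itself
# without hosting bar.foo.com. The forwarder entries are also constructed.
EXAMPLE = DnsServerConfig(
    name="dns1.foo.com",
    addresses={"192.0.2.10"},
    hosted_zones={"foo.com"},
    forwarders=["192.0.2.10", "192.0.2.53"],
    delegations={"bar.foo.com": ["dns1.foo.com"]},
)

if __name__ == "__main__":
    for line in self_send_findings(EXAMPLE):
        print(line)
```

Running it against a snapshot with bar.foo.com actually hosted on the server (and no self-forwarder) returns an empty list, which is the state the event text says to reach.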
 
Ace Fekay, replying to Steve Rulison's second post above:

Thanks for posting that information. However, you accidentally left out the
other ipconfig.
Based on what Jeff posted, which is the Event ID # 7062 error message, it
pretty much states a configuration error.

Are forwarders configured? If yes, what are they forwarding to?
Are any of the DC/DNS servers multihomed?
Is there a delegation?

As for your comment about the two other DCs that you unplugged: you
can't do that with AD. You can't just unplug them like you can in NT4. You need
to properly demote them. But not knowing how long they've been unplugged
(there's a 60 day limit based on AD's tombstone lifetime), I would suggest
keeping them unplugged at this time and performing a Metadata cleanup. I
believe this is essential at this point. Here's how:

HOW TO Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion Q216498:
http://support.microsoft.com/?id=216498




--
Regards,
Ace Fekay
 