Re: AD Replication: What Does "Fully Routed" Mean?

From: Herb Martin (news_at_LearnQuick.com)
Date: 01/19/05

• Next message: Teligen: "Removing orphan domain controllers listed under Users and computer"
• Previous message: jjb: "Disable File and Print Sharing on Workstation question."
• In reply to: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Next in thread: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Reply: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Reply: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Messages sorted by: [ date ] [ thread ]

Date: Wed, 19 Jan 2005 13:37:52 -0600

> >> None my servers point to this alternate, non-AD-integrated DNS server-
> >> just a couple of my workstations....
> >
> > Neither should any of your clients.
>
> This is a great learning experience. I'm trying to imagine how having my
> workstation
> pointing to two DNS servers could cause problems for Active Directory.

It won't (don't smoke your brain <grin>). It will cause
problems for THAT client authenticating and for things
like your own resource and admin access.

Pointing it correctly will maintain all of the above
(authentication and privileges) while STILL allowing
you to resolve (and use) the Internet.

> Or, does it only cause problems for the user (me) ? It sure solves them:
> when I
> have the server down for maintenance, as it stands now, I can't resolve
> Internet
> names without having the second DNS server in my NIC's config, UNLESS I
> make the change back and forth every time I have to take the server down.

You should have two servers and really should never bring
them both down together.

During such a time (if they must be down) you should consciously
change your workstation and then change it back.

There is no guaratee the other way and it should not
be depended up.

> >>> And then you can use Forwarding to resolve Internet names.
> >>
> >> Yes, the AD-integrated DNS server at each site uses forwarding to
resolve
> >> Internet names...
> >
> > The point being not to mix internal and external DNS servers
> > in such settings.
>
> Internal and external?

Point your clients at ONLY servers which can fully
resolve the internal names.

By external, I mean any DNS server than cannot resolve
those internal names.

> The only references that exist to any external DNS
> servers
> are in the forwarders fields in the Win2k & Win2k3 DNS Server config...

And they should not reference internal (in almost all cases)
so that is NOT a mix.

> I probably said something to lead you to think I had my workstation's NIC
> pointing
> to one internal DNS server and one outside the office. No, I have a NAS
> running
> Windows Powered, the applicance version of Windows Server, and it's
running
> the
> MS DNS Service, as a secondary, "caching-only" server...

It is it doing (only) external name resolution then it
is NOT a member of the internal set of DNS servers (despite
it's physical location.)

It's purpose sounds like EXTERNAL (i.e., Internet) resolution.
It should only be referenced in the DNS forwarders entries.

> > Internal only in the client settings, external only in the Forwarding
> > settings (if you resolve the Internet and are not using the more
> > flexible Win2003 conditional forwarding.)
>
> To confirm, yes indeed, in each and every NIC configuration, I am pointing
> ONLY to internal DNS servers. On a few workstations, such as mine, I'm
> pointing to 2 internal servers, but most workstations point only to one.

It's unreliable. It will not always autocorrect and
reconfigure when the internal DNS goes off line
and returns.

> >>> You cannot reliably use two distinct DNS server sets.
> >>> Don't try. (It may work just enough to convince you otherwise
> >>> since it will give intermittent results.)
> >>
> >> Since you used the term 'set' twice, and I don't recall encountering
> >> the use of the term "DNS Server sets" in the resource kit books,
> >> could you briefly explain?
> >
> > It's not commonly used because most of the books don't go
> > into this level of practical advice or troubleshooting.
> >
> > It is not a technical term but purposely chosen to mean
> > all those DNS servers that can fully resolve INTERNAL
> > name (when we say "internal DNS server set") no matter
> > which zones they hold, or even if they hold no zones.
> >
> > For many people this server set holds only the SINGLE
> > internal domain/zone name but those people who have
> > multiple zones will have different definitions of what is
> > and is not in the "internal DNS server set."
> >
> > The point being, an internal client must use strictly (internal)
> > DNS server(s) which can resolve ALL internal names.
> >
> > I refer to that set of servers as the internal "DNS server set".
> >> And I'm still unclear as to what needs to be fixed...
> >
> > I don't see the DCDiag but you need to resolve all the WARN,
> > ERROR, and FAIL messages.
>
> I posted the output from four invocations of DCDiag in my web storage
> area; each DCDIAG.TXT file was the result of running
>
> DCDIAG /E /C /FIX /V

Generally, DCDiag is fine (as long as you run it on each server.)

Fix is nice, but it won't fix everything so I run it once, then
run it again to see what errors remain.

> on each of my 4 domain controllers, and the links the to four log files
> can be found on this page:
>
> http://members.iglou.com/dougq/MyActiveDirectoryProblems.html
>
> I am posting these DCDiags precisely because I require assistance in
> resolving the various warnings and errors... and I really appreciate all
> the help I can get!

Try RepAdmin and ReplMon for checking your replication.

How do DNS servers from each domain resolve the DNS of
the "other domain" ?

Does each hold cross secondaries for the other or what?
> Regards,
> -doug q
>

-- 
Herb Martin
"Douglas H. Quebbeman" <dhquebbeman@theestopinalgroup.com> wrote in message
news:u8fkvel$EHA.208@TK2MSFTNGP12.phx.gbl...
> In news:%23fSM6Ml$EHA.2196@TK2MSFTNGP14.phx.gbl,
> Herb Martin <news@LearnQuick.com> screib:
> >>> Fix this:
> >>>
> >>> All DNS clients pointed to strictly the internal DNS server
> >>> set -- which must resolve ALL of your internal domains.
> >>>
> >>> Remember that DCs, even DNS servers themselves are ALSO
> >>> DNS clients.
> >>
>

• Next message: Teligen: "Removing orphan domain controllers listed under Users and computer"
• Previous message: jjb: "Disable File and Print Sharing on Workstation question."
• In reply to: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Next in thread: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Reply: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Reply: Douglas H. Quebbeman: "Re: AD Replication: What Does "Fully Routed" Mean?"
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint