Re: Changing Roles and DNS



> Thank you VERY much for your insight.
> If I could ask a few more questions -

no prob.

> Currently all locations are sitting inside of "default-first-site-name" with
> only one subnet - however we have 8 sites all connected via VPN... Would it
> be a smart idea to segment the sites properly and include all of the
> subnets?

that depends on your requirements - if you want to configure replication
specifically between the locations (=sites in AD), like schedules, periods
etc. or want to match it to WAN specifics, a site structure makes sense. if
you do not have such constraints, having all in the default-first-site should
be fine. personally, I would reflect the locations in AD because of
replication constraints.
however, if you want to build the site structure you need to make sure that
you reconfigure your replication as well - as it will switch from *intra*- to
*inter*site replication - means you need subnets, sitelinks, schedules, kcc
settings etc. - just creating the sites and assigning subnets would cause
more problems than you want to have - so, in short: I would recommend it, but
you need to have a plan ;)

> In regards to DNS, if I understand what you've mentioned correctly, it is
> not a requirement for all PCs in the domain to point to one singular
> server.

correct, unless you are running BIND-like DNS with one primary and many
secondary zones - only primaries can be written to and as you must not have
more than one primary, all PCs would need to point to the DNS server hosting
the primary zone.

> Each site can have a domain controller, with Active-Directory
> integrated DNS, and the replication process will include the DNS updates.

correct. let AD do the work for you ;) but make zone copies first if you
want to switch - it will take some time till the AD based zone is built up
and replicated. also make sure your DHCP gives the clients the right DNS
servers.

> Each server points to itself for DNS, perhaps a role-holder for secondary,
> and each workstation points to that local server for its DNS. Does that
> sound correct?

absolutely. however, I would let the DCs point to a DC/DNS server in the hub
as primary - if they point to themselves, you could run into a W2k
replication issue known as "island problem" - and this for sure is nothing
you want to have. ;). in short, DNS updates (VERY relevant for replication)
would be made to the local DNS, but would never replicate out because the
others do not know it - with W2k3 this is very rare but still possible.
recommendation: hub DNS as primary and itself as a secondary to be safe when
WAN breaks. once replication is in progress this should work anyway.
clients: local DC/DNS as primary, hub DC/DNS as a secondary.

--
cheerz,
Steve

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
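The two recommendations in the reply above (reflect the locations as AD sites with subnets and site links, and point each branch DC's DNS client at the hub first and at itself second) as an added PowerShell example. This is not code from the thread or from either poster; it assumes the ActiveDirectory and DnsClient modules of Windows Server 2012 or later (not the W2k/W2k3 tooling the thread is about), Domain Admin rights, and PowerShell remoting to the branch DCs. The site names, subnets, DC names and IP addresses are constructed placeholders, and the `Test-DnsIslandRisk` check is an assumed helper that reports any DC whose DNS client points at nothing but itself.

```powershell
# Added example, not code from the thread. Builds eight-location site topology
# (sites, subnets, hub-and-spoke site links with a schedule) so replication
# becomes inter-site, then sets each branch DC's DNS client to hub first,
# itself second, and reports any DC still in the "island" configuration.
# Assumes ActiveDirectory + DnsClient modules, Domain Admin rights, remoting.
# All names, subnets and addresses below are constructed placeholders.
Import-Module ActiveDirectory

$hub = @{ Site = 'HQ'; Subnet = '10.0.0.0/24'; Dc = 'DC-HQ'; Ip = '10.0.0.10' }
$branches = @(
    @{ Site = 'Branch1'; Subnet = '10.1.0.0/24'; Dc = 'DC-B1'; Ip = '10.1.0.10' },
    @{ Site = 'Branch2'; Subnet = '10.2.0.0/24'; Dc = 'DC-B2'; Ip = '10.2.0.10' }
    # ... one entry per remaining location
)

function New-SiteIfMissing([string]$Name) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
}

function Initialize-SiteTopology {
    New-SiteIfMissing $hub.Site
    New-ADReplicationSubnet -Name $hub.Subnet -Site $hub.Site -ErrorAction SilentlyContinue
    foreach ($b in $branches) {
        New-SiteIfMissing $b.Site
        # The subnet-to-site mapping is what lets clients and DCs locate their
        # own site; a site without subnets attracts nobody.
        New-ADReplicationSubnet -Name $b.Subnet -Site $b.Site -ErrorAction SilentlyContinue
        # Inter-site replication only runs over an explicit site link with a
        # cost and interval; 15 minutes is the smallest interval AD accepts.
        $link = "$($hub.Site)-$($b.Site)"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
            New-ADReplicationSiteLink -Name $link -SitesIncluded $hub.Site, $b.Site `
                -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
        }
        # Move the branch DC out of Default-First-Site-Name into its own site.
        Move-ADDirectoryServer -Identity $b.Dc -Site $b.Site
    }
}

function Set-BranchDcDnsOrder {
    foreach ($b in $branches) {
        # Hub DC first, itself second: dynamic updates land on a server every
        # other DC already knows about, and the DC keeps resolving from its
        # own zone copy if the VPN to the hub is down.
        Invoke-Command -ComputerName $b.Dc -ArgumentList $hub.Ip, $b.Ip -ScriptBlock {
            param($Primary, $Secondary)
            $nic = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1
            Set-DnsClientServerAddress -InterfaceAlias $nic.InterfaceAlias `
                -ServerAddresses $Primary, $Secondary
        }
    }
}

function Test-DnsIslandRisk {
    # Report every DC whose DNS client lists no server other than itself,
    # which is the condition behind the island problem described above.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
        } | Where-Object { $_ } | Select-Object -Unique)
        $self   = @($dc.IPv4Address, '127.0.0.1')
        $others = @($servers | Where-Object { $self -notcontains $_ })
        [pscustomobject]@{
            DC         = $dc.HostName
            Site       = $dc.Site
            DnsServers = ($servers -join ', ')
            IslandRisk = ($others.Count -eq 0)
        }
    }
}

Initialize-SiteTopology
Set-BranchDcDnsOrder
Test-DnsIslandRisk | Format-Table -AutoSize
```

Run it from the hub DC once the branch DCs are reachable; `IslandRisk` should be `False` for every DC afterwards, and the branch DCs should show up under their own site in Sites and Services with the new site links driving inter-site replication.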



"Bill" wrote:

> Steve,
> Thank you VERY much for your insight.
>
> If I could ask a few more questions -
>
> Currently all locations are sitting inside of "default-first-site-name" with
> only one subnet - however we have 8 sites all connected via VPN... Would it
> be a smart idea to segment the sites properly and include all of the
> subnets?
>
> In regards to DNS, if I understand what you've mentioned correctly, it is
> not a requirement for all PCs in the domain to point to one singular
> server. Each site can have a domain controller, with Active-Directory
> integrated DNS, and the replication process will include the DNS updates.
> Each server points to itself for DNS, perhaps a role-holder for secondary,
> and each workstation points to that local server for its DNS. Does that
> sound correct?
>
> Thanks again,
> --Bill



> "Reitinger Stephan" <steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:3DDD2576-C310-471D-A25F-B046D6229CC4@xxxxxxxxxxxxxxxx
> > Hi Bill,
> >
> > comments inline (my suggestions ;)):
> >
> > > My questions are...
> > > Roles:
> > > (1) I would like to transfer the PDC role to one of the new domain
> > > controllers. Are there any pre-requisites or best practice suggestions?
> >
> > In fact MS recommends to host as many FSMOs as possible on DCs with the
> > highest OS version. So the plan to move it is highly recommended - I have
> > done it several times without problems.
> > No real prerequisites, but I would highly recommend that replication
> > throughout your 8 locations is working fine so that the change is
> > replicated immediately.
> > One thing you need to take care about is if you have WINS related or
> > downlevel trusts that are reliant on the PDC emu FSMO - if you have static
> > entries (WINS static, lmhosts etc.), and you move the FSMO to another
> > server, the IP would change and the records would not update --> the
> > trusts would fail.
> >
> > > (2) I would further like to transfer the RID and Infrastructure roles to
> > > another new domain controller. Again - any pre-requisites or best
> > > practice suggestions?
> >
> > see above, same tips (except WINS, as the roles are not known by NT4).
> > There is one prereq to take care about re: infrastructure master FSMO: if
> > you have a *DC* in your domain, it should/must remain on the DC, *not* the
> > *GC* (you will find eventlog entries else). If you have GCs only, it does
> > not matter.
> >
> > > Would this be the best way to handle roles - PDC on one and RID/Infra on
> > > another?
> >
> > either or. personally, I prefer to separate them, but it is also no
> > problem on the same box - but see the DC requirement above.
> >
> > > DNS
> > > (1) Is it advisable to make the PDC the primary DNS server for the
> > > domain? Or will any domain controller serve similar?
> >
> > basically, each DC would serve the same way - but as long as you are not
> > running AD integrated DDNS, you need a primary zone somewhere and
> > secondaries on the others. AD based DDNS would make all DNS servers primary
> > but handle conflicts through AD replication. My recommendation would be to
> > go with AD integrated DDNS, so that all clients on all locations can update
> > (would not work with secondary zones) and would reduce WAN traffic.
> >
> > > (2) What would be a best practice scenario for DNS? Point all servers
> > > and workstations to one singular DNS point, or point the servers at each
> > > of the 8 locations to main DNS and point the workstations to the
> > > location server?
> >
> > I would go with AD based DDNS, and let AD make the replication for you. As
> > you then have one DC with DNS running on each location, I would let all
> > machines per location point to their local DC/DNS as a primary and to the
> > hub remote site as a secondary. this gives you best failover with less
> > network traffic and most DNS consistency over your domain.
> >
> > hope that helps
> > --
> > cheerz,
> > Steve
> >
> > Please no e-mails, any questions should be posted in the NewsGroup
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.



> > "Bill" wrote:
> >
> > > Greetings.
> > > We are in the process of phasing out some older Windows 2000 servers with
> > > 2003...
> > >
> > > We've added the new servers to the existing domain, and all seems well.
> > > Our topology is basically 8 locations, each with its own domain
> > > controller / profile server.
> > >
> > > My questions are...
> > > Roles:
> > > (1) I would like to transfer the PDC role to one of the new domain
> > > controllers. Are there any pre-requisites or best practice suggestions?
> > > (2) I would further like to transfer the RID and Infrastructure roles to
> > > another new domain controller. Again - any pre-requisites or best
> > > practice suggestions?
> > > Would this be the best way to handle roles - PDC on one and RID/Infra on
> > > another?
> > >
> > > DNS
> > > (1) Is it advisable to make the PDC the primary DNS server for the
> > > domain? Or will any domain controller serve similar?
> > > (2) What would be a best practice scenario for DNS? Point all servers and
> > > workstations to one singular DNS point, or point the servers at each of
> > > the 8 locations to main DNS and point the workstations to the location
> > > server?
> > >
> > > Any help/information would be sincerely appreciated.
> > > --Bill
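The role-transfer advice in the quoted earlier reply (make sure replication across the locations is healthy first, and keep the Infrastructure master off a global catalog unless every DC is a GC) as an added PowerShell example. This is not code from the thread or from either poster; it assumes the ActiveDirectory module of Windows Server 2008 R2 or later (rather than the ntdsutil of the W2k3 era) and Domain Admin rights. The two target DC names are constructed placeholders, and `Test-ReplicationHealthy` and `Test-InfrastructureMasterPlacement` are assumed helper names.

```powershell
# Added example, not code from the thread. Pre-flight checks before moving the
# PDC emulator, RID master and Infrastructure master, then the transfer itself.
# Assumes the ActiveDirectory module and Domain Admin rights; the target DC
# names are constructed placeholders.
Import-Module ActiveDirectory

$pdcTarget      = 'DC-NEW1'   # will take the PDC emulator
$ridInfraTarget = 'DC-NEW2'   # will take RID master and Infrastructure master

function Test-ReplicationHealthy {
    # A role transfer that does not replicate leaves DCs disagreeing about
    # who holds the role, so any outstanding replication failure is a stop.
    $domain   = (Get-ADDomain).DNSRoot
    $failures = @(Get-ADReplicationFailure -Target $domain -Scope Domain -ErrorAction Stop)
    foreach ($f in $failures) {
        Write-Warning ('{0} <- {1}: {2} failures, last error {3}' -f `
            $f.Server, $f.Partner, $f.FailureCount, $f.LastError)
    }
    return ($failures.Count -eq 0)
}

function Test-InfrastructureMasterPlacement([string]$Target) {
    # The Infrastructure master updates cross-domain references by comparing
    # its data with a GC; hosted on a GC it never sees a difference and stops
    # updating, unless every DC is a GC and there is nothing left to fix up.
    $dcs      = @(Get-ADDomainController -Filter *)
    $targetDc = $dcs | Where-Object { $_.Name -eq $Target }
    if (-not $targetDc) { throw "Unknown domain controller: $Target" }
    $nonGcCount = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count
    if ($targetDc.IsGlobalCatalog -and $nonGcCount -gt 0) {
        Write-Warning "$Target is a GC while $nonGcCount DC(s) are not; pick a non-GC for the Infrastructure master."
        return $false
    }
    return $true
}

function Get-DomainRoleHolders {
    $d = Get-ADDomain
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-DomainRoles {
    if (-not (Test-ReplicationHealthy)) { throw 'Fix replication before moving roles.' }
    if (-not (Test-InfrastructureMasterPlacement $ridInfraTarget)) {
        throw 'Choose another Infrastructure master target.'
    }
    'Before:'; Get-DomainRoleHolders | Format-List
    # A transfer talks to the current holder; -Force would seize instead,
    # which is only for a holder that is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $pdcTarget `
        -OperationMasterRole PDCEmulator -Confirm:$false
    Move-ADDirectoryServerOperationMasterRole -Identity $ridInfraTarget `
        -OperationMasterRole RIDMaster, InfrastructureMaster -Confirm:$false
    # Re-read the role holders after the transfer.
    'After:'; Get-DomainRoleHolders | Format-List
}

Move-DomainRoles
```

The static WINS and lmhosts entries the reply warns about are not something this script can check for; if downlevel trusts rely on the PDC emulator's address, those entries still have to be found and updated by hand before the transfer.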





