Re: DNS-AD integration




In news:A5EC39ED-779D-4767-A9C7-80324093F398@xxxxxxxxxxxxx,
Yeo <Yeo@xxxxxxxxxxxxxxxxxxxxxxxxx> requesting assistance, typed the following:
Thanks Weber,
See inline.


"Meinolf Weber" wrote:

Hello Yeo,

See inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


I have set up two servers (abc and xyz) and promoted them to become domain controllers with domain name, say, tamkprod-add.test.com. I have also set up AD-integrated DNS in both of these servers.

Question 1:
When I shut down one of the domain controllers, sometimes I get request timeout when I ping the domain name tamkprod-add.test.com. At this point in time, when I join a client machine to the domain, I am able to successfully join the domain even when the domain name shows request timeout. Why is this so?
Any website for further reading in this area?

If you ping a domain name you can get a reply or not. This does not belong to a special server. If you have more subnets you can also get an answer from a server from a different subnet. Pinging the domain name is not really a reliable option to check connectivity; choose the domain controllers' names or IP addresses.

Pinging the domain name when one of the domain controllers is down: sometimes I can get a reply and sometimes I get request timeout. My guess is that when the domain name TTL expires, the domain name will use the first domain controller IP address. When the next TTL expires, the domain name will use the second domain controller IP address even if the second domain controller is shut down.

To add to Meinolf's excellent response, when pinging an Active Directory domain name, it will be resolving the "(same as parent)" host name. This is also called the LdapIpAddress. Every DC in a domain will register this name. It is used by numerous services, including when a client machine runs the GetGpoList function at boot and/or logon to query for GPOs that it must apply. If any DC is down, or if Sites are enabled and a DC is down in its respective site, and it happens to resolve to that IP, then that specific function in my example will not run and will generate Eventlog errors (103 & 1058 in this case). It will use DNS Round Robin to resolve it. When you pinged it, you just happened to get the IP of the powered-down DC, unless of course the DC never registered properly. Check DNS to make sure they are registered.

Also, the GC service is running on one of the DCs, which is a required service. If you've powered down this DC, it will cause other issues.

All DCs in an AD domain MUST always be running. There is really no other option.

Also, make absolutely sure that both DCs and all clients are ONLY using the internal DNS (assuming both DCs are DNS servers?) in your AD infrastructure. Configure a Forwarder in DNS properties (Forwarders Tab) on each DC/DNS to point to an ISP to increase efficiency for internet name resolution.

btw - WINS is not used by Active Directory. NT4 did in the past, but AD doesn't work that way.

Joining a machine can be done by specifying the domain name in one of two ways: one as the NetBIOS name, such as "DOMAIN", and the other as the FQDN, such as "domain.com". If you choose the NetBIOS method, and a DC is local on the subnet, it will grab the first available DC that responds. If using the FQDN, it will resolve that in DNS, and if you get the one powered down, the join process will fail.



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone numbers.
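As an added example (not from the thread or its posters), the following PowerShell check does what Ace suggests: it lists the "(same as parent)" A records that the domain name resolves to, compares them with the DCs that Active Directory knows about, and probes each registered address on LDAP/389 so a powered-down or stale DC that round robin can still hand out shows up. It assumes the ActiveDirectory module plus Resolve-DnsName and Test-NetConnection (Windows Server 2012 or later) and uses the thread's domain name as a placeholder.

```powershell
# Added example: audit the domain-name A records every DC registers and test each one.
# Assumes the ActiveDirectory module, Resolve-DnsName and Test-NetConnection are available.
param(
    [string]$Domain = 'tamkprod-add.test.com'   # placeholder taken from the thread
)

Import-Module ActiveDirectory

# DCs that AD itself knows about, with the address each one should have registered.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
    Select-Object HostName, IPv4Address

# Addresses DNS currently returns for the bare domain name. Round robin rotates the
# order of this set for each client, so any entry here can be handed out.
$registered = Resolve-DnsName -Name $Domain -Type A -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress

# A DC that is missing here never registered its "(same as parent)" record.
foreach ($dc in $dcs) {
    if ($registered -notcontains $dc.IPv4Address) {
        Write-Warning "$($dc.HostName) ($($dc.IPv4Address)) has no A record under $Domain; check its dynamic DNS registration."
    }
}

# A registered address that no current DC owns is stale (demoted or removed DC);
# a registered address that does not answer on 389 is the powered-down case from the thread.
foreach ($ip in $registered) {
    $owner = ($dcs | Where-Object { $_.IPv4Address -eq $ip }).HostName
    if (-not $owner) {
        Write-Warning "$ip is registered under $Domain but is not a current DC; likely a stale record to scavenge or delete."
        continue
    }
    $ldap = Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue
    if ($ldap.TcpTestSucceeded) {
        Write-Output "$owner ($ip): LDAP/389 reachable"
    } else {
        Write-Warning "$owner ($ip): registered but LDAP/389 unreachable; clients resolving $Domain can still receive this address."
    }
}
```

Run it from a domain-joined admin host; any Write-Warning line marks a record you would want to fix before relying on the domain name for GPO processing or domain joins by FQDN.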



