Re: DNS-AD integration

"Ace Fekay [Microsoft Certified Trainer]" wrote:

In news:A5EC39ED-779D-4767-A9C7-80324093F398@xxxxxxxxxxxxx,
Yeo <Yeo@xxxxxxxxxxxxxxxxxxxxxxxxx> requesting assistance, typed the
following:
Thanks Weber,
See inline.


"Meinolf Weber" wrote:

Hello Yeo,

See inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


I have set up two servers (abc and xyz) and promoted them to become
domain controllers with the domain name, say, tamkprod-add.test.com.
I have also set up AD-integrated DNS in both of these servers.
Question 1:
When I shut down one of the domain controllers, sometimes I get
"request timed out" when I ping the domain name tamkprod-add.test.com.
At this point in time, when I join a client machine to the domain, I am
able to successfully join the domain even when the domain name shows
"request timed out". Why is this so?
Any website for further reading in this area?

If you ping a domain name you may get a reply or not. This does not
belong to a specific server. If you have more subnets you can also get
an answer from a server in a different subnet. Pinging the domain name
is not really a reliable option to check connectivity; choose the domain
controller names or IP addresses instead.
Pinging the domain name when one of the domain controllers is down:
sometimes I get a reply and sometimes I get "request timed out". My guess
is that when the domain name TTL expires, the domain name will use the
first domain controller IP address. When the next TTL expires, the
domain name will use the second domain controller IP address even if
the second domain controller is shut down.

To add to Meinolf's excellent response, when pinging an Active Directory
domain name, it will be resolving the "(same as parent)" host name. This is
also called the LdapIpAddress. Every DC in a domain will register this name.
It is used by numerous services, including when a client machine runs the
GetGpoList function at boot and/or logon to query for GPOs that it must
apply. If any DC is down, or if Sites are enabled and a DC is down in its
respective site, and it happens to resolve to that IP, then that specific
function in my example will not run and will generate Eventlog errors (103 & 1058
in this case). It will use DNS Round Robin to resolve it. When you pinged
it, you just happened to get the IP of the powered down DC, unless of course
the DC never registered properly. Check DNS to make sure they are
registered.

Also, the GC service is running on one of the DCs, which is a required
service. If you've powered down this DC, it will cause other issues.

All DCs in an AD domain MUST always be running. There is really no other
option.

Also, make absolutely sure that both DCs and all clients are ONLY using the
internal DNS (assuming both DCs are DNS servers?) in your AD infrastructure.
Configure a Forwarder in DNS properties (Forwarders Tab) on each DC/DNS to
point to an ISP to increase efficiency for internet name resolution.

btw - WINS is not used by Active Directory. NT4 did in the past, but AD
doesn't work that way.

Joining a machine can be done by specifying the domain name in one or two
ways. One as the NetBIOS name, such as "DOMAIN" and the other as the FQDN,
such as 'domain.com.' If you chose the NetBIOS method, and a DC is local on
the subnet, it will grab the first available DC that responds. If using
FQDN, it will resolve that in DNS and if you get the one powered down, the
join process will fail.



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Thanks Ace and Weber for the reply.
I have a query pertaining to Ace's last statement:
"If using FQDN, it will resolve that in DNS and if you get the one powered
down, the join process will fail."
Does this mean that there is no way to prevent it from happening, except to
make sure that you recover the powered down DC asap? How do you know
which domain controller the client machine is currently using? By pinging the
domain name to see which DC it is using?
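The checks Ace and Meinolf recommend, written up as an added PowerShell example that is not part of this thread: list the "(same as parent)" A records that every DC registers for the domain name, probe each candidate on the LDAP port instead of pinging the domain name, show which DC this client is actually using, and confirm the client points only at internal DNS. It assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later) plus the nltest tool; the domain name is the one used in the thread.

```powershell
# Added example, not from the original thread. Assumes the DnsClient and
# NetTCPIP modules and nltest.exe are available on the client.
param(
    [string]$Domain = 'tamkprod-add.test.com'   # domain name from the thread
)

# 1. Every DC registers an A record for the bare domain name (the LdapIpAddress).
#    DNS hands these back in round-robin order, and a powered-off DC is still listed
#    until its record is scavenged or removed, so "ping domain" can land on it.
$aRecords = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }

"A records for $Domain (order as returned by DNS this time):"
$aRecords | ForEach-Object { "  $($_.IPAddress)" }

# 2. Probe each address on TCP 389 (LDAP) rather than with ICMP. A DC that is down
#    fails this test; a host that answers ping but is not a working DC fails it too.
$probe = foreach ($rec in $aRecords) {
    $tcp = Test-NetConnection -ComputerName $rec.IPAddress -Port 389 `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        IPAddress     = $rec.IPAddress
        LdapReachable = $tcp.TcpTestSucceeded
    }
}
"LDAP reachability per DC address:"
$probe | Format-Table -AutoSize

# 3. Which DC is this client actually using? The DC locator picks a DC from the
#    _ldap._tcp SRV records (site-aware), not from whichever A record ping happened
#    to hit; the logon server for this session is recorded in LOGONSERVER.
"DC locator result:"
nltest "/dsgetdc:$Domain"
"Logon server for this session: $env:LOGONSERVER"

# 4. A DC missing from these SRV records never registered properly (Ace's
#    "check DNS to make sure they are registered").
"SRV records used by the DC locator:"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# 5. Clients and DCs should point only at the internal AD DNS servers; external
#    resolution belongs in the forwarders on the DCs, not in the client NIC settings.
"DNS servers configured on this client's interfaces:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize
```

Step 3 answers the question of which DC the client is using: the locator output from nltest and the LOGONSERVER variable are authoritative for that, while the A record ping only tells you which address round robin returned on that one query.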



