RE: Limit DNS queries for DFS to specific AD DNS servers



Hello Michael,

Thank you for posting here.

According to the description, it seems that the issue is:

You are at site A and perform a DNS query for the DFS root in Site A; you
can get the DNS server in site B, and this will time out.

You wonder if it is possible to keep all queries for site A to the DNS
servers in site A and all queries for site B to the DNS servers in site B.

Analysis and Suggestion:
======================

Based on the research, domain controllers use site information to inform
Active Directory clients about domain controllers present within the
closest site to the client. The domain controller also informs the client
whether the chosen domain controller is the closest one to it. By finding a
domain controller in the same site, the client avoids communications over
WAN links. If no domain controllers are located at the client site, a
domain controller that has the lowest cost connections relative to other
connected sites advertises itself in the site that does not have a domain
controller. The domain controllers that are published in DNS are those from
the closest site as defined by the site topology. This process ensures that
every site has a preferred domain controller for authentication.

As you said, each site has 2 domain controllers that are running a DNS
server. It is possible to make the users always query their own DNS and
authenticate to the domain controllers in their local site; to do so, you
may need to create a subnet object and a site object for each site by using
Active Directory Sites and Services, and then ensure that the local DNS
server IP address is associated with the subnet in their local site.

In this case, to fulfill the demand, you may need to create a site object for
each site in which you have placed domain controllers and then create subnet
objects for every IP subnet and subnet mask associated with each location.
Subnet objects are used to represent all the IP addresses within the site.

For more detailed information, please refer to:

Designing the Site Topology
http://technet.microsoft.com/en-us/library/cc787284.aspx

My understanding of the reason why clients in Site A are always referred to
the DFS server in Site B is that it may be related to the site configuration
or the DFS client cache.

According to the statement in the Least Expensive Target Selection section
of the document "How DFS Works"
http://technet.microsoft.com/en-us/library/cc782417.aspx

the general steps that occur when a client accesses a domain-based or
stand-alone namespace are described below.

These processes assume the following:

a. The client's domain cache contains the necessary domain name referrals
and domain controller referrals.

b. The client's referral cache does not contain existing referrals for the
targets that the client is attempting to access.

c. The first root target and link target in each referral are available.

If the DFS client has once been referred to the wrong DFS target member
server, then the next time you try to access the DFS share it will always be
referred to the wrong DFS target, if that target is available, because of the
DFS client cache.

My suggestion:

1. Create 2 site objects, one for each site, each associated with its local
domain controllers and DFS member server, in Active Directory Sites and
Services

2. Make sure the IP address of the DFS client is in the same site as the
DFS target member server

3. Flush DFS cache on the problematic client

a. Install the Windows Server 2003 Service Pack 1 Support Tools on the client
and run the following command to flush the DFS cache:

Download: Windows Server 2003 Service Pack 1 Support Tools
http://support.microsoft.com/kb/892777

b. Dfsutil /pktflush

Hope it can be helpful.

David Shen
Microsoft Online Technical Support
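As an added example, not part of David Shen's reply, the following PowerShell diagnostic checks step 2 of the suggestion: it resolves which AD subnet object and site a client IP maps to (the same longest-prefix match a domain controller performs), compares that with the site the domain controller reports for the computer, and then lists the cached DFS referrals so you can see whether a stale entry still points at the remote site before flushing. It assumes a domain-joined client with the ActiveDirectory RSAT module and dfsutil.exe installed; the IPv6 subnet objects are skipped.

```powershell
# Added diagnostic script, not part of the original post. Assumptions: run on a
# domain-joined client with the ActiveDirectory RSAT module and dfsutil.exe
# installed; IPv6 subnet objects are skipped.
param([string]$ClientIp)
Import-Module ActiveDirectory

# IPv4 dotted-quad to an unsigned 32-bit integer for prefix comparison.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)          # network order -> host (little-endian) order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Longest-prefix match of an address against the AD subnet objects, which is
# how a domain controller decides which site a client belongs to.
function Get-AdSiteForIp ([string]$Ip, [object[]]$Subnets) {
    $ipInt = ConvertTo-UInt32 $Ip
    $best  = $null
    foreach ($s in $Subnets) {
        $net, $len = $s.Name -split '/'                    # e.g. 10.1.0.0/16
        if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }
        $prefix = [int]$len
        $mask   = [uint32](4294967296 - [math]::Pow(2, 32 - $prefix))
        if (((ConvertTo-UInt32 $net) -band $mask) -ne ($ipInt -band $mask)) { continue }
        if ($null -eq $best -or $prefix -gt $best.Prefix) {
            $best = [pscustomobject]@{
                Subnet = $s.Name
                Prefix = $prefix
                Site   = ($s.Site -replace '^CN=([^,]+),.*$', '$1')   # site DN -> name
            }
        }
    }
    return $best
}

if (-not $ClientIp) {
    $ClientIp = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1).IPAddress
}
$match  = Get-AdSiteForIp -Ip $ClientIp -Subnets (Get-ADReplicationSubnet -Filter * -Properties Site)
$dcSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
"Client IP      : $ClientIp"
"Subnet object  : $(if ($match) { $match.Subnet } else { '<none - add a subnet object for this range>' })"
"Site by subnet : $(if ($match) { $match.Site } else { '<none>' })"
"Site per DC    : $dcSite"
if (-not $match -or $match.Site -ne $dcSite) { Write-Warning 'Subnet/site mapping is missing or wrong.' }

# Current DFS referral cache; a stale entry keeps pointing at the remote site
# until cleared with 'dfsutil /pktflush' (step 3b above).
dfsutil.exe /pktinfo
```

Run it once before and once after correcting the subnet objects and flushing the cache; the "Site by subnet" and "Site per DC" lines should agree and the referral cache should list the local target first.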

