September 2003

Solving DNS Problems

Resolve conflicts between split-brain DNS and AD-integrated zones
Island DNS
AD-integrated zones and a split-brain DNS design can create a conflict known as island DNS. In an island DNS situation, two or more DCs act as DNS servers for a domain, hosting an AD-integrated zone as usual. However, each DC is aware only of itself. Each DC registers its DC-identification records (the SRV and CNAME records under _msdcs that other DCs use to locate it) in its own copy of the DNS zone, but that information never reaches the other DC/DNS servers (i.e., servers that do double duty as DCs and DNS servers). The cause is circular: AD replication is the only thing that would carry those records to the other servers, but a DC must first use DNS to locate its replication partners, and a DC that queries only itself finds only the records it registered. Therefore, each DC/DNS server thinks that it's the only one on the planet.

Island DNS happens only in the root domain of a forest, only if you're using AD-integrated zones, only if each DC/DNS server is configured to refer only to itself when making DNS queries (the configuration a split-brain design tends to produce), and only when you have more than one DC/DNS server for the root domain. As far as I know, island DNS can afflict either Windows 2003- or Win2K-based DNS servers.

You can reconfigure your DC/DNS servers to avoid island DNS. First, choose one DC/DNS system to become a "master" DNS server for the zone. (This server won't truly be a master. DNS registrations remain multimaster, but I use the term as a simple way of expressing the concept.) The master DNS server should still point to itself, meaning that in the system's TCP/IP Properties window, the Preferred DNS server field should contain only that system's IP address. The Alternate DNS server field should be blank. Next, set up the other DNS servers so that they use the master's IP address as their preferred DNS server and some other DNS server as their alternate. Because every DC now registers with and queries the master, the master's copy of the zone is complete, and AD replication carries it to the other DC/DNS servers. Except in the case of the master server, never configure a system to point to itself as either preferred or alternate.

Suppose I have three DCs named DC1, DC2, and DC3. All three DCs are also DNS servers, reside in some forest's root domain, and store that domain's DNS zone information in an AD-integrated zone. After arbitrarily choosing DC1 to be the master, I configure DC1 so that its Preferred DNS server field contains DC1's IP address and leave the Alternate DNS server field empty. I fill in DC2's Preferred DNS server field with DC1's IP address, and in DC2's Alternate DNS server field, I use DC3's IP address. I fill in DC3's Preferred DNS server field with DC1's IP address, and in DC3's Alternate DNS server field, I use DC2's IP address.

Consider a two-DC example with the same arrangement, but only two DCs: MYDC1 and MYDC2. If I arbitrarily pick MYDC1 as the master, I fill in its Preferred DNS server field with MYDC1's IP address and leave its Alternate DNS server field empty. On MYDC2, I set the Preferred DNS server field to MYDC1's IP address. But what about MYDC2's Alternate DNS server field? The answer is that you should leave it empty; pointing MYDC2 at itself as the alternate would recreate the island.
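The configuration rule above, applied from a script and then checked, as an added example that is not code from this column. It assumes the Windows Server 2012+ DnsClient cmdlets (Set-DnsClientServerAddress, Resolve-DnsName), PowerShell remoting to each DC, and a common NIC alias on every DC; on Win2K/2003-era servers the same settings go in with "netsh interface ip set dns" and "netsh interface ip add dns ... index=2". The DC names and addresses are made up. The check at the end asks every DC/DNS server for the root domain's DC locator SRV records; a server that returns only itself is an island.

```powershell
# Added example, not code from the column. Assumes Windows Server 2012+
# DnsClient cmdlets, PowerShell remoting to each DC, and that every DC's NIC
# has the same interface alias. Names and addresses below are made up.

$ForestRoot = 'bigfirm.biz'
$Dcs        = [ordered]@{ DC1 = '10.0.0.1'; DC2 = '10.0.0.2'; DC3 = '10.0.0.3' }
$Master     = 'DC1'
$Alias      = 'Ethernet'

function Get-DnsClientPlan {
    # Returns one object per DC with the ordered DNS server list it should use:
    # master -> itself only; others -> master first, then some other DC that is
    # not the server itself (no alternate at all in the two-DC case).
    param([System.Collections.IDictionary]$Dcs, [string]$Master)
    $names = @($Dcs.Keys)
    foreach ($name in $names) {
        $servers = @($Dcs[$Master])
        if ($name -ne $Master) {
            $alt = $names | Where-Object { $_ -ne $Master -and $_ -ne $name } | Select-Object -First 1
            if ($alt) { $servers += $Dcs[$alt] }
        }
        # Guard the rule the column states: only the master may list itself.
        if ($name -ne $Master -and $servers -contains $Dcs[$name]) {
            throw "$name would point at itself"
        }
        [pscustomobject]@{ Name = $name; Servers = $servers }
    }
}

function Test-NoIsland {
    # Ask every DC/DNS server for the root domain's DC locator SRV records and
    # report the DCs it cannot see. Missing entries mean that server is an island.
    param([System.Collections.IDictionary]$Dcs, [string]$ForestRoot)
    $srvName  = "_ldap._tcp.dc._msdcs.$ForestRoot"
    $expected = $Dcs.Keys | ForEach-Object { '{0}.{1}' -f $_, $ForestRoot }
    foreach ($name in $Dcs.Keys) {
        $seen = Resolve-DnsName -Name $srvName -Type SRV -Server $Dcs[$name] -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget.TrimEnd('.') }
        $missing = @($expected | Where-Object { $seen -notcontains $_ })
        [pscustomobject]@{ DnsServer = $name; Missing = $missing; Island = ($missing.Count -gt 0) }
    }
}

$plan = Get-DnsClientPlan -Dcs $Dcs -Master $Master
$plan | Format-Table -AutoSize

# Apply the plan on each DC's own NIC.
foreach ($entry in $plan) {
    Invoke-Command -ComputerName $entry.Name -ScriptBlock {
        param($alias, $servers)
        Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $servers
    } -ArgumentList $Alias, $entry.Servers
}

# Records propagate only after AD replication has run against the new settings;
# re-run this check after a replication cycle (or after 'repadmin /syncall').
Test-NoIsland -Dcs $Dcs -ForestRoot $ForestRoot | Format-Table -AutoSize
```

Run Test-NoIsland before changing anything as well: if it already reports Island = True for any server, you have the condition the column describes, and the Missing column tells you which DC registrations never made it across.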

Adding More Domains
Now, suppose bigfirm.biz wants to have two AD domains: the original bigfirm.biz domain and a domain named bigfirm.com. Assuming Bigfirm wants to use split-brain DNS, how does the company accomplish such a configuration? Bigfirm needs only to create a primary zone called bigfirm.com on one of its internal DNS servers. The company would set up every other internal DNS server as a secondary DNS server for the bigfirm.com zone. Bigfirm would then have all the DNS infrastructure it needs for a two-domain AD forest.

If Bigfirm is running AD-integrated zones, you might expect the next steps to be: make both bigfirm.biz and bigfirm.com AD-integrated zones, set up some DCs running DNS, and presto, each domain's DNS servers would see the other's zone. That procedure doesn't work, however, because of a quirk in AD-integrated zones. In Win2K, AD-integrated zone data is stored in the domain naming context and therefore replicates only to DCs in that zone's domain: bigfirm.biz DC/DNS servers see only bigfirm.biz data, and bigfirm.com DC/DNS servers see only bigfirm.com data. Windows 2003 lets you get past this limitation (its DNS application directory partitions can replicate a zone to every DNS server in the forest), as I'll discuss in a future column, but for Win2K-based multidomain forests, you'll need to rearrange things a bit to make AD-integrated DNS work. Configure all of bigfirm.biz's DNS servers to be secondary DNS servers for bigfirm.com, and configure all of bigfirm.com's DNS servers to be secondary DNS servers for bigfirm.biz. Each domain can still use an AD-integrated zone for its own domain, but each domain's DNS servers must hold the name-resolution information (in particular the SRV records under _msdcs) that bigfirm.biz systems need to locate bigfirm.com DCs and vice versa.
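The cross-domain secondary arrangement just described (and the plain primary/secondary layout in the preceding paragraph), as an added example that is not code from this column. It drives dnscmd.exe, which shipped in the Win2K/2003 Support Tools and is still part of the DNS server tools; on Windows Server 2012+ the DnsServer module (Add-DnsServerSecondaryZone, Set-DnsServerPrimaryZone -SecureSecondaries) does the same job. It assumes dnscmd can reach every server as an administrator; the domain names come from the column, the addresses are made up. The transfer policy is the part worth copying: a zone transfer hands the requester a complete list of your DCs and services, so only the named secondaries should be allowed to pull it.

```powershell
# Added example, not code from the column. Requires dnscmd.exe and admin
# rights on every DNS server named below. Addresses are made up.

$Domains = @{
    'bigfirm.biz' = @('10.0.0.1', '10.0.0.2')   # bigfirm.biz DC/DNS servers (AD-integrated zone)
    'bigfirm.com' = @('10.0.1.1', '10.0.1.2')   # bigfirm.com DC/DNS servers (AD-integrated zone)
}

function Get-OtherServers {
    # Every DNS server that does NOT belong to the given zone's domain.
    param([hashtable]$Domains, [string]$Zone)
    @($Domains.Keys | Where-Object { $_ -ne $Zone } | ForEach-Object { $Domains[$_] })
}

foreach ($zone in $Domains.Keys) {
    $owners = $Domains[$zone]
    $others = Get-OtherServers -Domains $Domains -Zone $zone

    # 1. On the zone's own servers, allow zone transfers only to the servers that
    #    will hold secondaries, and notify them when the zone changes.
    #    Leaving transfers open to anyone publishes a map of the forest.
    foreach ($server in $owners) {
        & dnscmd $server /zoneresetsecondaries $zone /securelist $others /notifylist $others
    }

    # 2. On every server of the other domain, add a secondary copy of this zone
    #    with all of the zone's own servers listed as masters for redundancy.
    foreach ($server in $others) {
        & dnscmd $server /zoneadd $zone /secondary $owners /file "$zone.dns"
    }
}

# Check: each domain's servers must now answer for the other domain's DC locator
# records, which is what lets bigfirm.biz DCs find bigfirm.com DCs and vice versa.
foreach ($zone in $Domains.Keys) {
    foreach ($server in (Get-OtherServers -Domains $Domains -Zone $zone)) {
        & dnscmd $server /zoneinfo $zone                         # expect type Secondary and the masters list
        & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone" $server
    }
}
```

If the nslookup step returns nothing for a freshly added secondary, force the first transfer with dnscmd <server> /zonerefresh <zone> and check the DNS server event log for transfer refusals, which usually point at a securelist that does not include the requesting server.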

Bigfirm has more options if it adopts Windows 2003-based DNS servers. I'll explore those options another time.

Reader Comments
I don't quite understand the 'problem' with an Island DNS. I understand how it could come up, but why is it an issue?

Eric February 25, 2004


I'm still confused on how 'island DNS' can occur. You state:
Each DC registers its DC-identification information in its copy of the DNS zone but never replicates that information to the other DC/DNS servers

Because these are AD integrated zones, wouldn't the DNS info replicate during normal AD replication? I recently setup two DC/DNS servers in a root domain with each servers primary DNS pointing to the opposite machine while setting the secondary dns on each server as its own. Everything seems fine??

Shawn February 25, 2004


I attended the conference yesterday (2/26/04) in Dallas; your presentation was quite good!! Wish I had it on video for my colleagues, better yet, wish they could have been there.

The young lady from Network Essentials was well prepared also.

As for the others, their wheels were falling off, but a nice effort nonetheless (I could tell that perhaps they were enduring fatigue and the rigors of making a presentation using "someoneelsesppt" stuff). Please inform the <other> Mark, "whack" is "\ ".
(as in back-slash or backslash-backslash 'whack-whack' \\)
One must know their whacks and slashes!!

A great effort by all!!!
Good stuff! (good breakfast and lunch too!)

Regards,


Jeff Armstrong February 27, 2004


Just once I wish Mark would write an article on smallfirm.biz which only uses 1 server and runs AD, DNS, and everything else under the sun on it.

Gym Nasium March 04, 2004


Hi Mark, (this may be the wrong place to ask this, so please pass it on if it is) I have read this doc and several others on the site and I believe I have exactly what you have described, but have a situation that I can't work out.
We have 2 zones, mycomp.co.uk (legacy machines and NT4 domain) and mycomp.com (Windows 2003 AD domain and machines). We started off with 1 master server for both forward lookup zones and several secondary to this. We have 6 remote sites with different subnets, so created the primary reverse lookups for these on the local DNS servers (I should point out that any DNS server is Windows 2003 and an AD DC). This worked up to the point when you wanted remote sites to allow dynamic updates, as we did not have permission to update forward zones.
We took a little guess and made the whole lot AD integrated... all seems great apart from one thing (and it's fairly major): if I move a client from one subnet (DHCP with updates turned on and allowed) to another subnet (same settings, different servers), the old DNS records are removed but it seems random whether my new IP address gets replicated to all other sites (the local site works fine).
I used to work with UNIX BIND and text files that all worked on sequence numbers... all our servers seem to have different sequence numbers.. is this correct? How can I force all servers to have the same records? Lots of questions.. sorry, but thanks.. I have some things to try from your article!!

Matt Harris May 05, 2004


As Mark I also think DNS is vital in AD, but I do not agree with him about the importance of the prior planning. The "click first, think later" approach is a viable alternative here. DNS is vital, yet it is very very easy to configure it and to solve the problems related to it. You should take the following guidelines:
1) There must be DNS server for every AD domain
2) There must be a zone corresponding to that AD domain at that DNS server
3) You must enable Dynamic update on that zone
4) All the computers including the DCs must be configured to use that DNS server

That's all! You can easily change the DNS server if you have a problem with the current one if you follow the above points. Or you can easily delete or create zones on the DNS servers.

Murat May 18, 2004


Great article! What about a single domain with multiple sites? If I put a DC at each site and all sites are connected via a WAN (say a T1), would it be best to do an AD Integrated DNS and have DNS hosted at each site?

computahguy January 16, 2005


I too would like an article for those of us with a local intranet, no ISP hosted anything and a transition to Win2003SRv and DNS - step by step, noting the 'single best way' and so forth.
But like the article. Gives me a good search basis.

Bonedoc February 01, 2005


In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different domain controller in the same domain as their alternative DNS server, preferably another domain controller in the same site. This process also works around the DNS "Island" problem in Windows 2000. You must always configure the DNS client settings on each domain controller's network interface to use the alternative DNS server addresses in addition to the primary DNS server address.

This problem does not exist in Windows 2003 DNS or Windows 2000 DNS post SP2.


Jerodp August 23, 2005

