
Thread: Active Directory Issues

  1. #1, Senior Member (Join Date: Jul 2002, Posts: 107)

    Active Directory Issues

    This question is for Active Directory admins. I'm setting up Active Directory on a little test network. I got a little confused with DNS, though. I read that the DNS server, which is on the AD machine, should point to itself for its DNS IP address. It then states that to resolve names on the Internet, it should have a forwarder configured. I'm not sure what this means, and I'm not sure how or where to set this up.
    Your help is truly appreciated.

    Thanx

    SOIA

  2. #2
    Basically, it's just saying that you should have two DNS server addresses in there. One for your internal network (which should be the AD machine) and one on the outside that resolves all the internet addresses (most likely through your ISP).

    Although I could be wrong. It's been a while since I've really gotten into the AD configs, but I'm pretty sure I'm right.
    Just remember: Abraham Lincoln didn't die in vain. He died in Washington D.C.

  3. #3, Senior Member (Join Date: Jul 2002, Posts: 107)
    Thanx for the help, DarkGuardian.
    Alright take it ease

  4. #4, Senior Member (Join Date: Nov 2001, Posts: 257)
    The first domain controller you configure for Active Directory will automatically configure itself as a DNS server if you do not specify another one on your network.

    Here is what it is telling you to do. For inter-domain resolution you will need to use this server, so in the TCP/IP network properties you should point it to itself for DNS resolution.

    Any other computers on your network should also point to this server. A non-Active Directory DNS server will not allow computers to function properly on the domain (a Linux machine, for example, doesn't know how to respond to the request "who are the MS domain controllers?").

    The second DNS address is not configured in your network properties, but rather in your DNS configuration. What it is saying is that when your DNS server gets a request for resolution of an address that it does not host, it needs to know where to look. A default configuration would send the request straight to the root DNS servers; however, if your ISP has a DNS server, you can send requests to that instead, and it would speed up your name resolution process. So the second DNS name is provided by your ISP and is configured as the default forwarder in your DNS configuration MMC snap-in.
    -Shkuey
    Living life one line of error free code at a time.

  5. #5, Senior Member (Join Date: Jul 2002, Posts: 107)
    Got it, Shkuey. I found the DNS forwarder properties in my DNS configuration. Thanx
    Alright take it ease

  6. #6
    (Quoting Shkuey's reply in #4 above.)
    Excellent reply, shkuey, sorry I don't have enough greenies, because you would get one!

  7. #7, Senior Member (Join Date: Oct 2001, Posts: 748)
    shkuey: You can use a non-Windows DNS server to serve up DNS requests for a Win2k domain using AD. We use QIP DNS made by Lucent at my work. It works perfectly. You just need a BIND version that supports SRV records.

    Here is a quote from a Microsoft article:

    "Active Directory uses DNS as the domain controller location mechanism, enabling computers to find the IP addresses of the domain controllers. In order to find a domain controller in a particular domain or forest, a client queries DNS for the appropriate service location (SRV) and address (A) resource records. These DNS resource records provide the names and IP addresses of the domain controllers.

    Therefore, the DNS server used to support Active Directory deployment must support SRV records. In addition, Microsoft highly recommends that such DNS servers also support dynamic updates. The domain controllers dynamically register DNS records necessary for the successful functionality of the domain controller location mechanism. "

    link- http://www.microsoft.com/technet/tre...ecs/dnsreq.asp

    I believe any DNS server that supports BIND 8.3 will give you both dynamic update capability and SRV records.

  8. #8, Senior Member (Join Date: Nov 2001, Posts: 257)
    Thanks, Mohaughn.

    I know it works, but the reason I said it would not work properly is because of the client-side behavior in Windows 2000. It'll send its first DNS domain query to the DNS server in the form of something like

    domain.com;_msdcs;dc;GUID(of the DC that registered the computer);_sites;_sitename;_tcp(or udp);servicename

    Only a Microsoft DNS machine knows how to handle that request, unless you can duplicate this tree on a non-MS machine, but the problem is the dynamic GUID in the request if you have multiple domain controllers.

    If this fails, then it'll send a request:

    domain.com;_pdc;_tcp;servicename

    Which is what the non-Windows DNS machines can handle.

    So it works, but it is slower and more prone to error, as I understand it.
    -Shkuey
    Living life one line of error free code at a time.
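    An added check script, not from this thread, that covers the two settings discussed in #4 (the DC's TCP/IP DNS entry pointing at itself, and the forwarder for names the server does not host) and the SRV locator records discussed in #7 and #8. It assumes a domain-joined Windows Server DC with the DnsClient and DnsServer PowerShell modules; the forwarder address 192.0.2.53 is a placeholder, not a real resolver.

```powershell
# Added check script (not from the thread). Assumes a domain-joined Windows
# Server DC with the DnsClient and DnsServer PowerShell modules available.
# 192.0.2.53 is a documentation-range placeholder; replace it with the ISP or
# upstream resolver address you actually intend to forward to.
$domain   = $env:USERDNSDOMAIN.ToLower()
$upstream = '192.0.2.53'   # placeholder, not a real resolver

# 1. The DC's own TCP/IP DNS setting should point at itself (post #4).
$local = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }).IPAddress
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses
if ($clientDns | Where-Object { $local -contains $_ -or $_ -eq '127.0.0.1' }) {
    Write-Host "OK: DNS client points at this DC ($($clientDns -join ', '))"
} else {
    Write-Warning "DNS client does not point at this DC: $($clientDns -join ', ')"
}

# 2. Forwarder: queries for zones this server does not host go to the upstream
#    resolver instead of straight to the root hints.
$fwd = Get-DnsServerForwarder
if (-not $fwd.IPAddress) {
    Write-Warning "No forwarder configured; unresolved names go to root hints."
    # To set one:  Set-DnsServerForwarder -IPAddress $upstream
} else {
    Write-Host "Forwarders: $($fwd.IPAddress.IPAddressToString -join ', ')"
}

# 3. Locator records clients query to find DCs (posts #7 and #8). These must
#    resolve through whatever server hosts the zone, Microsoft DNS or BIND.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain"
)
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $rr) {
            Write-Host ("OK: {0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port)
        }
    } catch {
        Write-Warning "Missing SRV record: $name ($($_.Exception.Message))"
    }
}
```

    A missing `_msdcs` SRV record or an empty forwarder list is the usual cause of the slow or failing logons described in #8, so run this on the DC right after promotion and again after any DNS change.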

  9. #9, Senior Member (Join Date: Jul 2002, Posts: 107)
    Should I use non-Microsoft DNS instead? Should I go with BIND?
    Alright take it ease

  10. #10, Senior Member (Join Date: Oct 2001, Posts: 748)
    BIND is a standard, like HTML or SMTP. It stands for Berkeley Internet Naming Daemon. Any piece of software that says it is a "DNS" server should be BIND compliant.

    For simplicity you should probably use the MS DNS. However, if you are managing multiple large zones, I would use something different as the MS DNS service is not as scalable as other systems.

    Of course, this is really just a matter of preference. I'm sure you could find someone who is an expert with MS DNS who could make it work flawlessly in a large environment.
