Replication Problems

Guest
Archived from groups: microsoft.public.win2000.active_directory

I am having trouble with one of my site domain controllers replicating with
other DCs. I have the two sites connected via High Speed DSL line with a
VPN tunnel through my firewall. This setup has worked in the past but has
just recently stopped replicating. The only change I can think of that we
have made lately is we replaced a T1 with a DSL at one of the endpoints. I
am sort of thinking that it may be a DNS problem but I am not really sure.
I will list some problems below that may or may not be related. Please
help.

**1. It will not let me create an Active Directory Integrated Reverse Lookup
zone for one of my domains. It told me that the zone type was invalid.
It would let me create ADI Reverse Lookup Zones for other domains. Also, it
just let me change the lookup zone from a primary to AD integrated. ? ? ?

**2. I am having several problems show up in my event viewer. Here is
one.
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 3/30/2005
Time: 6:01:58 AM
User: N/A
Computer: BC1
Description:
Registration of the DNS record
'dd62078e-2991-4c4b-a2bd-cb62d30d5235._msdcs.bouldincorp.com. 600 IN CNAME
bc1.bouldincorp.com.' failed with the following error:
DNS RR set that ought to exist, does not exist.
Data:
0000: 30 23 00 00 0#..


**3. Here is another error in event viewer. This is happening every 15
minutes when the AD tries to replicate.
Event Type: Error
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1311
Date: 3/30/2005
Time: 8:25:41 AM
User: N/A
Computer: BC1
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active Directory
Sites and Services Manager to create a spanning tree connecting all the
sites containing the Partition CN=Configuration,DC=bouldincorp,DC=com, or
(b) replication cannot be performed with one or more critical servers in
order for changes to propagate across all sites (most often due to the
servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do
one of the following:
1. Publish sufficient site connectivity information such that the system can
infer a route by which this Partition can reach this site. This option is
preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=bouldincorp,DC=com in this site from a Domain
Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted.

**4. A warning message always appears with the previous message. Here it
is.
Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 3/30/2005
Time: 8:25:41 AM
User: N/A
Computer: BC1
Description:
All servers in site CN=RedRd,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com
that can replicate partition CN=Configuration,DC=bouldincorp,DC=com over
transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com are currently
unavailable.

**5. And finally when I try to manually replicate through Sites and
Services it pops up with an error box. This error is intermittent and
sometimes it says that the AD will be replicated whenever it can. I will
type it in below.
REPLICATE NOW
The following error occurred during the attempt to contact the domain
controllers:
The RPC server is unavailable.

This condition may be caused by a DNS lookup problem.


Sorry for the long description but please help if anyone knows what is going
on.

Thanks,
Scotty
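As an added example (not part of the original thread), the following Python script parses Event Viewer text in the layout pasted above and pulls out the three event IDs the post reports. The sample export is a constructed fixture built from two of the events quoted above; the one-line descriptions keyed by event ID are this example's own summaries of the event text, not Microsoft's.

```python
"""Parse a Windows Event Viewer text export and pick out the events the
thread turns on: NETLOGON 5774 and NTDS KCC 1311/1566.

Added example, not part of the newsgroup thread. SAMPLE_EXPORT is a
constructed fixture built from two of the events quoted above, laid out
the way the poster pasted them (one "Field: value" header per line, then a
"Description:" block, then an optional "Data:" hex dump)."""
import re
from collections import Counter

SAMPLE_EXPORT = """\
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 3/30/2005
Time: 6:01:58 AM
User: N/A
Computer: BC1
Description:
Registration of the DNS record
'dd62078e-2991-4c4b-a2bd-cb62d30d5235._msdcs.bouldincorp.com. 600 IN CNAME
bc1.bouldincorp.com.' failed with the following error:
DNS RR set that ought to exist, does not exist.
Data:
0000: 30 23 00 00 0#..

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 3/30/2005
Time: 8:25:41 AM
User: N/A
Computer: BC1
Description:
All servers in site CN=RedRd,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com
that can replicate partition CN=Configuration,DC=bouldincorp,DC=com over
transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com are currently
unavailable.
"""

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")

# Event IDs discussed in the thread and what each one indicates (own wording).
REPLICATION_EVENTS = {
    ("NETLOGON", "5774"): "DNS registration of a DC locator record failed",
    ("NTDS KCC", "1311"): "KCC cannot build a replication topology spanning all sites",
    ("NTDS KCC", "1566"): "no DC in the remote site is reachable for the partition",
}


def parse_events(text):
    """Split an export into one dict per event.

    Header fields keep their names; the lines after "Description:" are
    joined into a single 'Description' string and the "Data:" dump is dropped."""
    events, current, in_desc = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group(1) == "Event Type":          # a new event starts here
            current = {"Event Type": m.group(2).strip(), "Description": ""}
            events.append(current)
            in_desc = False
        elif current is None:
            continue                                  # junk before the first event
        elif line.startswith("Description:"):
            in_desc = True
        elif line.startswith("Data:"):
            in_desc = False
        elif in_desc and line.strip():
            sep = " " if current["Description"] else ""
            current["Description"] += sep + line.strip()
        elif m:
            current[m.group(1)] = m.group(2).strip()
    return events


def failed_dns_record(event):
    """For NETLOGON 5774, return the record (name, TTL, class, type, target)
    that could not be registered, exactly as quoted in the event text."""
    m = re.search(r"'(.+?)' failed", event.get("Description", ""))
    return m.group(1) if m else None


def triage(text):
    """Return (counts, findings): how many times each (source, id) pair
    occurred, and one finding per replication-related event."""
    events = parse_events(text)
    counts = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    findings = []
    for e in events:
        key = (e.get("Event Source"), e.get("Event ID"))
        if key not in REPLICATION_EVENTS:
            continue
        note = REPLICATION_EVENTS[key]
        if key == ("NETLOGON", "5774"):
            note += ": " + (failed_dns_record(e) or "record not parsed")
        findings.append((e.get("Computer"), e.get("Date"), e.get("Time"), note))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_EXPORT)
    for (source, event_id), n in sorted(counts.items()):
        print(f"{source} {event_id}: {n}")
    for computer, date, time, note in findings:
        print(f"{computer} {date} {time}: {note}")
```

Run against a saved export of the System and Directory Service logs, the counts show how often the KCC pair (1311 followed by 1566) recurs on the 15-minute cycle the post describes, and the 5774 finding names the exact record the DC could not register.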
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

"Preacher Man" <SLawson@-no-spam-bouldincorp.com> wrote in message
news:OME9HbTNFHA.3760@TK2MSFTNGP12.phx.gbl...
> I am having trouble with one of my site domain controllers replicating
> with
> other DCs. I have the two sites connected via High Speed DSL line with a
> VPN tunnel through my firewall. This setup has worked in the past but has
> just recently stopped replicating. The only change I can think of that we
> have made lately is we replaced a T1 with a DSL at one of the endpoints. I
> am sort of thinking that it may be a DNS problem but I am not really sure.

DNS is the most common reason for failure to replicate.
*See below (way down at the bottom).

But with WANs it is more possible that other problems
interfere, firewall filters, routing etc.


> I will list some problems below that may or may not be related. Please
> help.
>
> **1. It will not let me create an Active Directory Integrated Reverse
> Lookup zone for one of my domains. It told me that the zone type was invalid.
> It would let me create ADI Reverse Lookup Zones for other domains. Also,
> it
> just let me change the lookup zone from a primary to AD integrated. ? ? ?
>
> **2. I am having several problems show up in my event viewer. Here is
> one.
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5774
> Date: 3/30/2005
> Time: 6:01:58 AM
> User: N/A
> Computer: BC1
> Description:
> Registration of the DNS record
> 'dd62078e-2991-4c4b-a2bd-cb62d30d5235._msdcs.bouldincorp.com. 600 IN CNAME
> bc1.bouldincorp.com.' failed with the following error:
> DNS RR set that ought to exist, does not exist.
> Data:
> 0000: 30 23 00 00 0#..
>
>
> **3. Here is another error in event viewer. This is happening every 15
> minutes when the AD tries to replicate.
> Event Type: Error
> Event Source: NTDS KCC
> Event Category: (1)
> Event ID: 1311
> Date: 3/30/2005
> Time: 8:25:41 AM
> User: N/A
> Computer: BC1
> Description:
> The Directory Service consistency checker has determined that either (a)
> there is not enough physical connectivity published via the Active
> Directory
> Sites and Services Manager to create a spanning tree connecting all the
> sites containing the Partition CN=Configuration,DC=bouldincorp,DC=com, or
> (b) replication cannot be performed with one or more critical servers in
> order for changes to propagate across all sites (most often due to the
> servers being unreachable).
>
> For (a), please use the Active Directory Sites and Services Manager to do
> one of the following:
> 1. Publish sufficient site connectivity information such that the system
> can
> infer a route by which this Partition can reach this site. This option is
> preferred.
> 2. Add an ntdsConnection object to a Domain Controller that contains the
> Partition CN=Configuration,DC=bouldincorp,DC=com in this site from a
> Domain
> Controller that contains the same Partition in another site.
>
> For (b), please see previous events logged by the NTDS KCC source that
> identify the servers that could not be contacted.
>
> **4. A warning message always appears with the previous message. Here it
> is.
> Event Type: Warning
> Event Source: NTDS KCC
> Event Category: (1)
> Event ID: 1566
> Date: 3/30/2005
> Time: 8:25:41 AM
> User: N/A
> Computer: BC1
> Description:
> All servers in site
> CN=RedRd,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com
> that can replicate partition CN=Configuration,DC=bouldincorp,DC=com over
> transport CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com are currently
> unavailable.
>
> **5. And finally when I try to manually replicate through Sites and
> Services it pops up with an error box. This error is intermittent and
> sometimes it says that the AD will be replicated whenever it can. I will
> type it in below.
> REPLICATE NOW

Sites and Services is notoriously UNABLE to actually
force a replication -- despite what it says, it is more
of "posting a request" for Intersite replications.

> The following error occurred during the attempt to contact the domain
> controllers:
> The RPC server is unavailable.
>
> This condition may be caused by a DNS lookup problem.
>
>
> Sorry for the long description but please help if anyone knows what is
> going
> on.


--
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.


DNSLint Tool: Microsoft utility to diagnose common DNS name
resolution issues:
http://support.microsoft.com/?kbid=321045

How To Use DNSLint to Troubleshoot Active Directory Replication Issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

I will try those diagnosing steps. In the meantime I wanted to update this
post with some info.

I can successfully ping the FQDN of all servers from any subnet. I also
pulled up the Active Directory Replication Monitor and it shows me the x
beside the link that cannot replicate and it says for DNS resolution
problems, but it doesn't give any specifics. What else beside the FQDN of
server does it need to resolve?


"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23KFARCWNFHA.1392@TK2MSFTNGP10.phx.gbl...
> "Preacher Man" <SLawson@-no-spam-bouldincorp.com> wrote in message
> news:OME9HbTNFHA.3760@TK2MSFTNGP12.phx.gbl...
>> I am having trouble with one of my site domain controllers replicating
>> with
>> other DCs. I have the two sites connected via High Speed DSL line with a
>> VPN tunnel through my firewall. This setup has worked in the past but
>> has
>> just recently stopped replicating. The only change I can think of that
>> we
>> have made lately is we replaced a T1 with a DSL at one of the endpoints.
>> I
>> am sort of thinking that it may be a DNS problem but I am not really
>> sure.
>
> DNS is the most common reason for failure to replicate.
> *See below (way down at the bottom).
>
> But with WANS it is more possible that other problems
> interfere, firewall filters, routing etc.
>
>
>> I will list some problems below that may or may not be related. Please
>> help.
>>
>> **1. It will not let me create an Active Directory Integrated Reverse
>> Lookup zone for one of my domains. It told me that the zone type was
>> invalid.
>> It would let me create ADI Reverse Lookup Zones for other domains. Also,
>> it
>> just let me change the lookup zone from a primary to AD integrated. ? ? ?
>>
>> **2. I am having several problems show up in my event viewer. Here
>> is
>> one.
>> Event Type: Error
>> Event Source: NETLOGON
>> Event Category: None
>> Event ID: 5774
>> Date: 3/30/2005
>> Time: 6:01:58 AM
>> User: N/A
>> Computer: BC1
>> Description:
>> Registration of the DNS record
>> 'dd62078e-2991-4c4b-a2bd-cb62d30d5235._msdcs.bouldincorp.com. 600 IN
>> CNAME
>> bc1.bouldincorp.com.' failed with the following error:
>> DNS RR set that ought to exist, does not exist.
>> Data:
>> 0000: 30 23 00 00 0#..
>>
>>
>> **3. Here is another error in event viewer. This is happening every 15
>> minutes when the AD tries to replicate.
>> Event Type: Error
>> Event Source: NTDS KCC
>> Event Category: (1)
>> Event ID: 1311
>> Date: 3/30/2005
>> Time: 8:25:41 AM
>> User: N/A
>> Computer: BC1
>> Description:
>> The Directory Service consistency checker has determined that either (a)
>> there is not enough physical connectivity published via the Active
>> Directory
>> Sites and Services Manager to create a spanning tree connecting all the
>> sites containing the Partition CN=Configuration,DC=bouldincorp,DC=com, or
>> (b) replication cannot be performed with one or more critical servers in
>> order for changes to propagate across all sites (most often due to the
>> servers being unreachable).
>>
>> For (a), please use the Active Directory Sites and Services Manager to do
>> one of the following:
>> 1. Publish sufficient site connectivity information such that the system
>> can
>> infer a route by which this Partition can reach this site. This option
>> is
>> preferred.
>> 2. Add an ntdsConnection object to a Domain Controller that contains the
>> Partition CN=Configuration,DC=bouldincorp,DC=com in this site from a
>> Domain
>> Controller that contains the same Partition in another site.
>>
>> For (b), please see previous events logged by the NTDS KCC source that
>> identify the servers that could not be contacted.
>>
>> **4. A warning message always appears with the previous message. Here
>> it
>> is.
>> Event Type: Warning
>> Event Source: NTDS KCC
>> Event Category: (1)
>> Event ID: 1566
>> Date: 3/30/2005
>> Time: 8:25:41 AM
>> User: N/A
>> Computer: BC1
>> Description:
>> All servers in site
>> CN=RedRd,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com
>> that can replicate partition CN=Configuration,DC=bouldincorp,DC=com over
>> transport CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=bouldincorp,DC=com are currently
>> unavailable.
>>
>> **5. And finally when I try to manually replicate through Sites and
>> Services it pops up with an error box. This error is intermittent and
>> sometimes it says that the AD will be replicated whenever it can. I will
>> type it in below.
>> REPLICATE NOW
>
> Sites and Services is notoriously UNABLE to actually
> force a replication -- despite what it says, it is more
> of "posting a request" for Intersite replications.
>
>> The following error occurred during the attempt to contact the domain
>> controllers:
>> The RPC server is unavailable.
>>
>> This condition may be caused by a DNS lookup problem.
>>
>>
>> Sorry for the long description but please help if anyone knows what is
>> going
>> on.
>
>
> --
> DNS for AD
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or indirectly)
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:DC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
>
> DNSLint Tool: Microsoft utility to diagnose common DNS name
> resolution issues:
> http://support.microsoft.com/?kbid=321045
>
> How To Use DNSLint to Troubleshoot Active Directory Replication Issues
> http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

"Preacher Man" <nospam> wrote in message
news:udOupYWNFHA.1308@TK2MSFTNGP15.phx.gbl...
> I will try those diagnosing steps. In the mean time I wanted to update
> this
> post with some info.
>
> I can successfully ping the FQDN of all servers from any subnet. I also
> pulled up the Active Directory Replication Monitor and it shows me the x
> beside the link that cannot replicate and it says for DNS resolution
> problems, but it doesn't give any specifics. What else beside the FQDN of
> server does it need to resolute?

There are a host (DNS joke intended <grin> ) of other DNS records
required for DCs to locate each other and be found (for authentication)
by client computers.

Especially important are the SRV records that must be
properly located in various sub-domains, such as _Sites
and _MSDCS. (Also some CNAME records.)

Some of those tools and procedures I gave you will check
for these records and report automatically.

Some of those checks I gave you will just find or fix the
likely problems directly (as opposed to diagnosing them.)

Here's a repeat:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

DNSLint Tool: Microsoft utility to diagnose common DNS name
resolution issues:
http://support.microsoft.com/?kbid=321045

How To Use DNSLint to Troubleshoot Active Directory Replication Issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046
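To make "what else besides the FQDN" concrete, and to tie it back to the CNAME that Event 5774 in the first post could not register, here is an added Python example. It is not part of the thread and is not Microsoft's DNSLint, nltest or dcdiag: it enumerates the locator records a DC registers (the standard Windows layout, which goes a little beyond the _sites/_msdcs SRV records and CNAME the reply names) and checks a zone table for them. The zone table is constructed from the thread's names (bouldincorp.com, BC1, site RedRd, the GUID from the 5774 event); the address 192.0.2.10 and the assumption that BC1 is a global catalog are made up for the example.

```python
"""Enumerate the DNS records a domain controller registers (the SRV records
under _msdcs and _sites, the Kerberos records, and the DSA-GUID CNAME) and
check a zone for them.

Added example, not from the thread and not Microsoft's own tooling. The record
names follow the standard Windows DC locator layout; the zone table is a
constructed fixture using the thread's names with the CNAME left out, which is
the record Event 5774 says failed to register. 192.0.2.10 is made up."""

DOMAIN = "bouldincorp.com"
FOREST = DOMAIN                       # single-domain forest, as in the thread
DC = "bc1.bouldincorp.com"
SITE = "RedRd"
DSA_GUID = "dd62078e-2991-4c4b-a2bd-cb62d30d5235"   # from the Event 5774 text


def expected_dc_records(domain, forest, dc_fqdn, site, dsa_guid,
                        is_gc=True, is_pdc=False):
    """Return {name: (type, target)} for the locator records a DC registers.

    The 'A' entry has target None: the host record only needs to exist."""
    srv = ("SRV", dc_fqdn)
    recs = {
        dc_fqdn: ("A", None),
        f"_ldap._tcp.{domain}": srv,
        f"_ldap._tcp.{site}._sites.{domain}": srv,
        f"_ldap._tcp.dc._msdcs.{domain}": srv,
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}": srv,
        f"_kerberos._tcp.{domain}": srv,
        f"_kerberos._tcp.{site}._sites.{domain}": srv,
        f"_kerberos._udp.{domain}": srv,
        f"_kpasswd._tcp.{domain}": srv,
        f"_kpasswd._udp.{domain}": srv,
        # Replication partners find this DC through its DSA-GUID CNAME.
        f"{dsa_guid}._msdcs.{forest}": ("CNAME", dc_fqdn),
    }
    if is_gc:
        recs.update({
            f"_ldap._tcp.gc._msdcs.{forest}": srv,
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}": srv,
            f"_gc._tcp.{forest}": srv,
            f"_gc._tcp.{site}._sites.{forest}": srv,
        })
    if is_pdc:
        recs[f"_ldap._tcp.pdc._msdcs.{domain}"] = srv
    return recs


def find_missing(expected, zone):
    """Compare expected records with a zone table {name: {(type, target)}}.

    Names are matched case-insensitively. Returns a sorted list of
    (name, type) pairs that are absent or point at the wrong target."""
    missing = []
    for name, (rtype, target) in expected.items():
        have = zone.get(name.lower(), set())
        ok = any(t == rtype and (target is None or v.lower() == target.lower())
                 for t, v in have)
        if not ok:
            missing.append((name, rtype))
    return sorted(missing)


def unresolvable_srv_targets(zone):
    """Every SRV target must itself have an A record; return those that do not."""
    targets = {v.lower() for recs in zone.values() for t, v in recs if t == "SRV"}
    return sorted(t for t in targets
                  if not any(rt == "A" for rt, _ in zone.get(t, set())))


EXPECTED = expected_dc_records(DOMAIN, FOREST, DC, SITE, DSA_GUID)

# Constructed zone: everything BC1 should have registered, minus the DSA-GUID
# CNAME. Names are lower-cased, as a resolver would compare them.
SAMPLE_ZONE = {name.lower(): {(rtype, target or "192.0.2.10")}
               for name, (rtype, target) in EXPECTED.items() if rtype != "CNAME"}

if __name__ == "__main__":
    for name, rtype in find_missing(EXPECTED, SAMPLE_ZONE):
        print(f"missing {rtype:5} {name}")
    for target in unresolvable_srv_targets(SAMPLE_ZONE):
        print(f"SRV target without A record: {target}")
```

The second check matters for the "I can ping the FQDN" observation: the host record resolving is necessary but not sufficient, since the replication partner looks up the GUID CNAME and the SRV records first and only then the FQDN they point at. In practice the zone table would be filled from a live query of each internal DNS server (the thread's point 4: every server must answer the same way).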
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

I think I have fixed my problem. I looked at the DNS server entries in the
Network Properties of the problem server. I had three internal servers
listed first and then I had three external servers listed last. I removed
the external servers and the problem has seemed to vanish.

What would make the server use DNS server #'s 4,5, and 6?

My thinking is that I don't even need the external DNS servers listed anyway
as long as I have my root hints pointing to root DNS servers. Am I right?


"Herb Martin" <news@LearnQuick.com> wrote in message
news:ezBCg$WNFHA.1308@TK2MSFTNGP15.phx.gbl...
> "Preacher Man" <nospam> wrote in message
> news:udOupYWNFHA.1308@TK2MSFTNGP15.phx.gbl...
>> I will try those diagnosing steps. In the mean time I wanted to update
>> this
>> post with some info.
>>
>> I can successfully ping the FQDN of all servers from any subnet. I also
>> pulled up the Active Directory Replication Monitor and it shows me the x
>> beside the link that cannot replicate and it says for DNS resolution
>> problems, but it doesn't give any specifics. What else beside the FQDN
>> of
>> server does it need to resolve?
>
> There are a host (DNS joke intended <grin> ) of other DNS records
> required for DCs to locate each other and be found (for authentication)
> by client computers.
>
> Especially important are the SRV records that must be
> properly located in various sub-domains, such as _Sites
> and _MSDCS. (Also some CNAME records.)
>
> Some of those tools and procedures I gave you will check
> for these records and report automatically.
>
> Some of those checks I gave you will just find or fix the
> likely problems directly (as opposed to diagnosing them.)
>
> Here's a repeat:
>
> DNS for AD
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or indirectly)
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:DC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
> Single-label domain zone names are a problem. Google:
> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
>
> DNSLint Tool: Microsoft utility to diagnose common DNS name
> resolution issues:
> http://support.microsoft.com/?kbid=321045
>
> How To Use DNSLint to Troubleshoot Active Directory Replication Issues
> http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

"Preacher Man" <nospam> wrote in message
news:uy21xFXNFHA.3668@TK2MSFTNGP14.phx.gbl...
> I think I have fixed my problem. I looked at the DNS server entries in
> the
> Network Properties of the problem server. I had three internal servers
> listed first and then I had three external servers listed last. I removed
> the external servers and the problem has seemed to vanish.

That would do it.

> What would make the server use DNS server #'s 4,5, and 6?

Chance. Normally the first one(s) in the list is queried first, but
if the others respond faster or the first one(s) are offline (even
briefly) then the client (DCs are DNS clients too) can "latch on"
to an incorrect DNS server, and you get unpredictable results.

> My thinking is that I don't even need the external DNS servers listed
> anyway
> as long as I have my root hints pointing to root DNS servers. Am I right?

Not only do you NOT NEED them, it is also WRONG to have
them in there.

From a client perspective, every DNS server is presumed to return
the SAME and CORRECT answers.

So, on clients they must use a consistent set of DNS servers (that
all return the same answers) and if names from another or larger
name space must be found, then the DNS servers used by the clients
must handle that (additional) resolution.

Usually this is done by either (physical) recursion or by forwarding.

The normal case for "private" servers (like MS domains) is to
forward to either the ISP DNS or to a Firewall/DMZ DNS server
that handles those external (e.g., THE Internet) names.
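As an added example (not from the thread), the Python below models the "latch on" behaviour explained in this reply and applies rule 2 of the DNS-for-AD list to a NIC's server list. The addresses, zones and outage sequence are constructed, and the client model is a simplification of the Windows resolver (query in configured order, fall through on timeout, keep preferring the server that answered), not its exact algorithm.

```python
"""Model the 'latch on' failure mode: a NIC whose DNS list has the internal
AD servers first and external servers last, and a client that keeps preferring
whichever server last answered it.

Added example, not from the thread. Addresses, names and the outage sequence
are constructed; StubResolver is a simplified model of the Windows DNS client,
not its exact algorithm."""

# Constructed zones: the internal servers know the AD names, the external
# servers know only public names and return NXDOMAIN for everything else.
INTERNAL_ZONE = {"bc1.bouldincorp.com": "10.0.1.10", "dc2.bouldincorp.com": "10.0.2.10"}
PUBLIC_ZONE = {"www.example.com": "192.0.2.80"}

INTERNAL_DNS = ("10.0.1.53", "10.0.2.53", "10.0.3.53")
EXTERNAL_DNS = ("198.51.100.1", "198.51.100.2", "198.51.100.3")


class DnsServer:
    def __init__(self, ip, zone, up=True):
        self.ip, self.zone, self.up = ip, zone, up

    def query(self, name):
        """An address, 'NXDOMAIN' for a name this server does not know,
        or None when the server is down (the client sees a timeout)."""
        if not self.up:
            return None
        return self.zone.get(name.lower(), "NXDOMAIN")


class StubResolver:
    """Client-side model: ask the preferred server first, then the rest in
    configured order; whoever answers becomes the new preferred server."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.preferred = self.servers[0]
        self.log = []                     # (name, server ip, result) per attempt

    def resolve(self, name):
        order = [self.preferred] + [s for s in self.servers if s is not self.preferred]
        for server in order:
            result = server.query(name)
            self.log.append((name, server.ip, result))
            if result is None:
                continue                  # timeout: try the next server
            self.preferred = server       # latch on; NXDOMAIN still counts as an answer
            return result
        return None                       # every server timed out


def latch_on_scenario():
    """Internal servers go offline briefly; an external server answers a public
    name; afterwards the client keeps using it, and an internal name fails with
    NXDOMAIN even though the internal servers are back.

    Returns (before, during, after, preferred server ip)."""
    internal = [DnsServer(ip, INTERNAL_ZONE) for ip in INTERNAL_DNS]
    external = [DnsServer(ip, PUBLIC_ZONE) for ip in EXTERNAL_DNS]
    client = StubResolver(internal + external)
    before = client.resolve("bc1.bouldincorp.com")   # answered by 10.0.1.53
    for s in internal:
        s.up = False                                  # brief outage
    during = client.resolve("www.example.com")        # falls through to 198.51.100.1
    for s in internal:
        s.up = True
    after = client.resolve("bc1.bouldincorp.com")     # NXDOMAIN from 198.51.100.1
    return before, during, after, client.preferred.ip


def validate_dns_client_list(configured, internal_servers):
    """Rule 2 from the thread: every server on the NIC must be one of the
    internal dynamic DNS servers. Returns the offending entries in order."""
    return [ip for ip in configured if ip not in set(internal_servers)]


if __name__ == "__main__":
    before, during, after, preferred = latch_on_scenario()
    print(f"before outage: {before}; during: {during}; after: {after} (preferred {preferred})")
    print("remove from NIC:", validate_dns_client_list(INTERNAL_DNS + EXTERNAL_DNS, INTERNAL_DNS))
```

The scenario reproduces the poster's symptom: the first lookup of bc1.bouldincorp.com succeeds, and after a short outage of the internal servers the same lookup returns NXDOMAIN from 198.51.100.1, which is what the "DNS lookup problem" text behind the RPC-unavailable error looks like from the DC's side. With the external entries removed, every server in the list answers the AD names identically and there is nothing wrong to latch on to.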
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

Should I be using forwarding on my internal DNS server?


"Herb Martin" <news@LearnQuick.com> wrote in message
news:O4DSTQXNFHA.2580@TK2MSFTNGP09.phx.gbl...
> "Preacher Man" <nospam> wrote in message
> news:uy21xFXNFHA.3668@TK2MSFTNGP14.phx.gbl...
>> I think I have fixed my problem. I looked at the DNS server entries in
>> the
>> Network Properties of the problem server. I had three internal servers
>> listed first and then I had three external servers listed last. I
>> removed
>> the external servers and the problem has seemed to vanish.
>
> That would do it.
>
>> What would make the server use DNS server #'s 4,5, and 6?
>
> Chance. Normally the first one(s) in the list is queried first, but
> if the others respond faster or the first one(s) are offline (even
> briefly) then the client (DCs are DNS clients too) can "latch on"
> to an incorrect DNS server, and you get unpredictable results.
>
>> My thinking is that I don't even need the external DNS servers listed
>> anyway
>> as long as I have my root hints pointing to root DNS servers. Am I
>> right?
>
> Not only do you NOT NEED them, it is also WRONG to have
> them in there.
>
> From a client perspective, every DNS server is presumed to return
> the SAME and CORRECT answers.
>
> So, on clients they must use a consistent set of DNS servers (that
> all return the same answers) and if names from another or larger
> name space must be found, then the DNS servers used by the clients
> must handle that (additional) resolution.
>
> Usually this is done by either (physical) recursion or by forwarding.
>
> The normal case for "private" servers (like MS domains) is to
> forward to either the ISP DNS or to a Firewall/DMZ DNS server
> that handles those external (e.g., THE Internet) names.
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

One more kind of unrelated question. Should I have at least one server at
each site to host the global catalog, or is a central server hosting the
catalog sufficient?

Thanks.

"Herb Martin" <news@LearnQuick.com> wrote in message
news:O4DSTQXNFHA.2580@TK2MSFTNGP09.phx.gbl...
> "Preacher Man" <nospam> wrote in message
> news:uy21xFXNFHA.3668@TK2MSFTNGP14.phx.gbl...
>> I think I have fixed my problem. I looked at the DNS server entries in
>> the
>> Network Properties of the problem server. I had three internal servers
>> listed first and then I had three external servers listed last. I
>> removed
>> the external servers and the problem has seemed to vanish.
>
> That would do it.
>
>> What would make the server use DNS server #'s 4,5, and 6?
>
> Chance. Normally the first one(s) in the list is queried first, but
> if the others respond faster or the first one(s) are offline (even
> briefly) then the client (DCs are DNS clients too) can "latch on"
> to an incorrect DNS server, and you get unpredictable results.
>
>> My thinking is that I don't even need the external DNS servers listed
>> anyway
>> as long as I have my root hints pointing to root DNS servers. Am I
>> right?
>
> Not only do you NOT NEED them, it is also WRONG to have
> them in there.
>
> From a client perspective, every DNS server is presumed to return
> the SAME and CORRECT answers.
>
> So, on clients they must use a consistent set of DNS servers (that
> all return the same answers) and if names from another or larger
> name space must be found, then the DNS servers used by the clients
> must handle that (additional) resolution.
>
> Usually this is done by either (physical) recursion or by forwarding.
>
> The normal case for "private" servers (like MS domains) is to
> forward to either the ISP DNS or to a Firewall/DMZ DNS server
> that handles those external (e.g., THE Internet) names.
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

"Preacher Man" <nospam> wrote in message
news:OHdbySXNFHA.1476@TK2MSFTNGP09.phx.gbl...
> Should I be using forwarding on my internal DNS server?

I would and the answer is usually "yes you should".

This is not an absolute however -- and even if less than
optimal it will work other ways (physically recursing the
Internet root.)

The real problem is that your internal DNS servers -- especially
if they are DCs -- have no business visiting (potentially) the
entire Internet to seek those resolutions.

Hide them behind your firewall and don't let them do that.

I really prefer that the firewall or another DMZ machine
be the forwarder, or if necessary that the ISP do it.

> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:O4DSTQXNFHA.2580@TK2MSFTNGP09.phx.gbl...
> > "Preacher Man" <nospam> wrote in message
> > news:uy21xFXNFHA.3668@TK2MSFTNGP14.phx.gbl...
> >> I think I have fixed my problem. I looked at the DNS server entries in
> >> the
> >> Network Properties of the problem server. I had three internal servers
> >> listed first and then I had three external servers listed last. I
> >> removed
> >> the external servers and the problem has seemed to vanish.
> >
> > That would do it.
> >
> >> What would make the server use DNS server #'s 4,5, and 6?
> >
> > Chance. Normally the first one(s) in the list is queried first, but
> > if the others respond faster or the first one(s) are offline (even
> > briefly) then the client (DCs are DNS clients too) can "latch on"
> > to an incorrect DNS server, and you get unpredictable results.
> >
> >> My thinking is that I don't even need the external DNS servers listed
> >> anyway
> >> as long as I have my root hints pointing to root DNS servers. Am I
> >> right?
> >
> > Not only do you NOT NEED them, it is also WRONG to have
> > them in there.
> >
> > From a client perspective, every DNS server is presumed to return
> > the SAME and CORRECT answers.
> >
> > So, on clients they must use a consistent set of DNS servers (that
> > all return the same answers) and if names from another or larger
> > name space must be found, then the DNS servers used by the clients
> > must handle that (additional) resolution.
> >
> > Usually this is done by either (physical) recursion or by forwarding.
> >
> > The normal case for "private" servers (like MS domains) is to
> > forward to either the ISP DNS or to a Firewall/DMZ DNS server
> > that handles those external (e.g., THE Internet) names.
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

"Preacher Man" <nospam> wrote in message
news:eyUfRUXNFHA.3704@TK2MSFTNGP12.phx.gbl...
> One more kind of unrelated question. Should I have at least one server at
> each site to host the global catalog, or is a central server hosting the
> catalog sufficient?

You almost always must have a DC per Site (there
are odd exceptions) and it almost always should be
a GC.

(The exceptions are probably too few to even
consider unless you have 1,000,000 users in one
of several domains of the forest.)

General rule: One or more DCs per site, at least
one GC per site.

For single Domain forests: Every DC a GC.
(True also for fairly small multi-domain forests.)