
Maintaining AD-Integrated Reverse Zone With No DHCP Server on Domain Controller


Will

May 29, 2006, 10:09:58 PM5/29/06
We had the DHCP server running on the domain controller, and when we did
that we saw the DNS AD-integrated reverse lookup zone automatically
maintained. Apparently the DHCP and DNS applications cooperate with each
other? As soon as we implemented a dedicated DHCP server and stopped
running DHCP on the domain controller, the AD integrated reverse lookup
zones are no longer automatically being maintained. In fact even the
domain controller IPs are not appearing in the reverse zone (I had to
manually insert them). What is the secret to getting the AD integrated
reverse zones to auto populate when the DHCP server is on a separate
computer from the domain controller?

I am really confused on other related issues. I created two AD
integrated reverse zones on two separate domain controllers for the same
domain. They don't appear to be replicating the same information to each
other. Is the reverse zone not automatically replicated by Active
Directory? What is the point of making the zone Active Directory
integrated if AD isn't going to replicate the information automatically?

I'm also confused by the option in the DNS forward lookup Properties for
each DNS object to "Automatically update reverse zone record" (or words to
that effect). This checkbox can be selected but the next time you re-enter
the Properties dialog for the same DNS object it is no longer selected.
Why? Moreover, selecting the checkbox does *not* have the suggested effect
of populating the DNS reverse PTR record for the AD integrated reverse zone
in which the DNS object should be appearing. How do we get the AD
integrated reverse zone information to appear?

--
Will


Will

May 30, 2006, 12:07:43 AM5/30/06
Just a quick follow up on the original post:

- I can get a single AD integrated reverse zone to update if I add the DHCP
server to the DNSUpdateProxy group.

- I was NOT able to get a second domain controller to integrate the same
reverse zone as AD integrated. Instead I had to define a secondary. The
DC with the AD integrated reverse zone runs Windows 2003 and the DC with the
secondary reverse zone runs Windows 2000.

- Apparently the reverse IP information will only migrate over from the DHCP
server to the reverse zone when each host renews its lease? That tends to
argue for a short lease period I guess.

- When will the hosts with reservations update the reverse zone information?
The DHCP administrative application does not show *any* expiration date for
hosts with reservations, implying indirectly that no renewal process will
happen with that host.

--
Will


"Will" <weste...@noemail.nospam> wrote in message
news:RLednXU_ipH...@giganews.com...

Ace Fekay [MVP]

May 30, 2006, 8:02:55 AM5/30/06
In news:KNWdneFcpa9...@giganews.com,
Will <weste...@noemail.nospam> stated, which I commented on below:

> Just a quick follow up on the original post:
>
> - I can get a single AD integrated reverse zone to update if I add
> the DHCP server to the DNSUpdateProxy group.
>
> - I was NOT able to get a second domain controller to integrate the
> same reverse zone as AD integrated. Instead I had to define a
> secondary. The DC with the AD integrated reverse zone runs Windows
> 2003 and the DC with the secondary reverse zone runs Windows 2000.
>
> - Apparently the reverse IP information will only migrate over from
> the DHCP server to the reverse zone when each host renews its lease?
> That tends to argue for a short lease period I guess.
>
> - When will the hosts with reservations update the reverse zone
> information? The DHCP administrative application does not show *any*
> expiration date for hosts with reservations, implying indirectly that
> no renewal process will happen with that host.
>

As long as the machines are pointing to the DNS server that hosts the
reverse or forward zones, the zone allows updates, and if set to Secure
updates, the machines that are joined to the domain will update them. (Do
not use your ISP's DNS server anywhere other than a Forwarder). And yes,
Microsoft DHCP supports DHCP Option 081, which works hand in hand with DNS
Updates. If using a non-Microsoft DHCP that supports Option 081, you can
tell it to allow the clients to update, but if you are using a non-Microsoft
DHCP server that doesn't support Option 081, then it may be problematic.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

Will

May 30, 2006, 6:13:46 PM5/30/06
I didn't get clear answers on my questions.

- The domain is at the root of the forest and has two domain controllers
running Windows 2000 and Windows 2003. I cannot make the reverse zones on
both domain controllers AD-integrated when the DHCP server runs on a member
server. Is that the right result? I'm making the reverse zone on Windows
2003 AD integrated but the W2K DC I'm having to use a secondary zone grabbed
from the Windows 2003 DC.

- At what point will reverse zone information be populated by the DHCP
server or domain computer into DNS? Will this only happen when the lease
is initially taken?

- When will hosts with reservations on the DHCP server update the reverse
zone information on DNS?

--
Will

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message
news:#x$bAE#gGHA...@TK2MSFTNGP02.phx.gbl...

Will

May 30, 2006, 6:38:15 PM5/30/06
Also, I'm noticing that most of our domain has leases in effect that
probably don't time out for a long time. Since the Microsoft Option to
release the IP from DHCP wasn't in effect when those hosts obtained their
IPs, do we need to reboot those machines to get them under control of the
DHCP server with the right DHCP options in place?

The DHCP timeout when the IPs for most machines were obtained was two weeks.
Will those machines continue to think they have a two week lease even if the
DHCP server is updated now to use a one day timeout?

--
Will

"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message
news:#x$bAE#gGHA...@TK2MSFTNGP02.phx.gbl...

Ace Fekay [MVP]

May 31, 2006, 1:00:12 AM5/31/06
In news:BJqdnYdqwbvnXuHZ...@giganews.com,
Will <weste...@noemail.nospam> stated, which I commented on below:
> I didn't get clear answers on my questions.

I apologize.

>
> - The domain is at the root of the forest and has two domain
> controllers running Windows 2000 and Windows 2003. I cannot make
> the reverse zones on both domain controllers AD-integrated when the
> DHCP server runs on a member server. Is that the right result?

No. AD Integrated zones are only available on DCs that are DNS servers. DHCP
has nothing to do with zone types.

> I'm making the reverse zone on Windows 2003 AD integrated but the W2K
> DC I'm having to use a secondary zone grabbed from the Windows 2003
> DC.

That will sure cause conflicts because the DC/DNS servers will "see" the
zone in the AD database (that's what AD Integrated means - stored in the
database) and will auto-delete the secondary. If both DCs are in the same
domain and if on a 2003 server you create a zone and make it AD Integrated,
make sure (in a mixed 2000/2003 scenario) that you choose the bottom button
for the replication scope or other issues will occur. Once you've done that,
be patient and the zone will auto appear on the 2000 machine.

>
> - At what point will reverse zone information be populated by the DHCP
> server or domain computer into DNS? Will this only happen when the
> lease is initially taken?

Yes or if there are any changes.

>
> - When will hosts with reservations on the DHCP server update the
> reverse zone information on DNS?

When something changes. If nothing changes, the record remains as it is.

Here's the process (which reserved clients use too) and more info:

Integrating DNS with DHCP - Dynamic Host Configuration Protocol (DHCP);
Domain Name System (DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3d0d1c76-05af-4fa0-aa09-c75a2fec9120.mspx

306780 - DHCP Does Not Delete DDNS PTR Record for Expired Leases:
http://support.microsoft.com/?id=306780

Follow up discussion on the DNSUpdateProxy-Group (if DHCP is on a DC):
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx

255134 - Installing Dynamic Host Configuration Protocol (DHCP) and Domain
Name System (DNS) on a Domain Controller:
http://support.microsoft.com/?id=255134

314822 - DHCP Dynamic DNS Registration for Windows 2000 Clients Does Not
Work [Option 015]:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314822

Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (264539):
http://support.microsoft.com/support/kb/articles/264/5/39.ASP

Dynamic Host Configuration Protocol- Frequently Asked Questions:
http://www.microsoft.com/technet/itsolutions/network/dhcp/dhcpfaq.mspx

Configuring and Deploying DHCP with Windows Server 2003 (June 02, 2005 ...:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/05_0602_tn_dhcp.mspx

Dynamic update:
http://technet2.microsoft.com/WindowsServer/en/Library/e760737e-9e55-458d-b5ed-a1ae9e04819e1033.mspx

I hope that addresses your questions.

Ace


Will

Jun 1, 2006, 12:08:23 AM6/1/06
"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message
news:OIxXj8Gh...@TK2MSFTNGP05.phx.gbl...

> If both DCs are in the same
> domain and if on a 2003 server you create a zone an make it AD Integrated,
> make sure (in a mixed 2000/2003) scenario that you choose the bottom button
> for the replication scope or other issues will occur. Once you've done that,
> be patient and the zone will auto appear on the 2000 machine.

If I have two DCs, one Windows 2000 and one running Windows 2003, what
replication scope should I be specifying?

--
Will

Ace Fekay [MVP]

Jun 1, 2006, 7:43:13 AM6/1/06
In news:CNKdnUi-hZe...@giganews.com,
Will <weste...@noemail.nospam> stated, which I commented on below:

In Win2000 DNS console, just specify "AD Integrated" (the only option). In
Win2003 console, select the bottom radio button under the replication scope
button (where it says compatible with 2000). This puts the zone in the
DomainNC AD partition and NOT in either of the new 2003 Application
Partitions (DomainDnsZones and ForestDnsZones), which the other two top
buttons are for and which 2000 does not understand or is not aware of.

It's crucial to understand the differences. To save yourself, you're better
off administering it from the 2000 DNS console so as not to get you in trouble,
or simply eliminate the 2000 DNS server to reap the benefits of 2003.

Ace

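The replication-scope and secure-update settings described in the reply above, as an added check-and-fix script that is not from the thread or from Microsoft; it uses the Windows Server 2003 dnscmd tool and assumes placeholder names (DC03 for the 2003 DC/DNS server, DC00 for the 2000 DC, 1.168.192.in-addr.arpa as the reverse zone):

```batch
@echo off
REM Added example, not from the thread. Placeholders: DC03 = Windows 2003 DC/DNS server,
REM DC00 = Windows 2000 DC/DNS server, zone = reverse zone for 192.168.1.0/24.
set DNS2003=DC03
set DNS2000=DC00
set RZONE=1.168.192.in-addr.arpa

REM 1. Show how the zone is stored. In a mixed 2000/2003 domain it must live in the
REM    domain partition (the "compatible with Windows 2000" radio button), because
REM    2000 cannot read the DomainDnsZones / ForestDnsZones application partitions.
dnscmd %DNS2003% /ZoneInfo %RZONE%

REM 2. Move an AD-integrated zone into the 2000-compatible domain partition
REM    (/legacy = DomainNC). Skip if step 1 already shows it there.
dnscmd %DNS2003% /ZoneChangeDirectoryPartition %RZONE% /legacy

REM 3. Accept only secure (Kerberos-authenticated) dynamic updates on the zone:
REM    0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
dnscmd %DNS2003% /Config %RZONE% /AllowUpdate 2

REM 4. Confirm the member-server DHCP host is in DnsUpdateProxy, so client PTR records
REM    it registers are not owned by the DHCP server's account. Caveat: records created
REM    by DnsUpdateProxy members are unsecured, so keep DCs out of this group.
net group DnsUpdateProxy /domain

REM 5. After AD replication the zone should be listed on the 2000 DC as well, and a
REM    client's PTR record (192.168.1.50 is a constructed address) should resolve from both.
dnscmd %DNS2000% /EnumZones
nslookup 192.168.1.50 %DNS2003%
nslookup 192.168.1.50 %DNS2000%
```

Run it from an account with DNS administrative rights on both DCs; step 2 changes zone storage and should only be executed once step 1 has been read.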

Will

Jun 2, 2006, 1:41:23 AM6/2/06
This was clear and helpful, and I have the reverse zones working through AD
now.

For a zone that is maintained manually (no automatic updates), is there any
reason to prefer making the zone AD integrated over just making one of the
servers act as primary and the rest just grab that content as secondary?

--
Will


"Ace Fekay [MVP]" <Pleas...@SomeDomain.com> wrote in message
news:#dlPWCXh...@TK2MSFTNGP03.phx.gbl...

Ace Fekay [MVP]

Jun 2, 2006, 7:47:35 AM6/2/06
In news:rMCdnVxPor__UuLZ...@giganews.com,
Will <weste...@noemail.nospam> stated, which I commented on below:
> This was clear and helpful, and I have the reverse zones working
> through AD now.
>
> For a zone that is maintained manually (no automatic updates), is
> there any reason to prefer making the zone AD integrated over just
> making one of the servers act as primary and the rest just grab that
> content as secondary?

Reduced administration (will automatically exist on all DCs in that domain
or replication scope) and security (the zone is no longer a text file),
along with secure updates (Kerberos authenticated requests only). :-)

Ace

