Disaster recovery scenerios for DNS/AD
Steve Schofield
This is a question of more disaster recovery of AD and DNS and dns
resolution for member servers in case of an issue. For example, I have two
domain controllers, DC1/DC2 that also are the Primary and Alternate DNS
servers for all member servers. DC1 holds all the FSMO roles and both
machines are GC's. In the event of the DNS service has issues on both
machines and DNS is temporarily un-available for member servers. What
alternative for DNS resolution for the rest of the member servers? I can't
think of a way without having a third DC that also would be a DNS server
being listed on all member servers. Any tips/tricks would be appreciated.
Steve Schofield
st...@deviq.com
Doug Sherman [MVP]
do not want to promote another server to DC, simply configure a standard
secondary zone and enable zone transfers. Secondary zones do not support
dynamic updates, so if all the ddns servers are down, newly booted clients
will not be able to register in DNS - but they and all other DNS clients
will still have name resolution.
Doug Sherman
MCSE, MCSA, MCP+I, MVP
"Steve Schofield" <st...@deviq.com> wrote in message
news:#N$YMdGkF...@TK2MSFTNGP12.phx.gbl...
Steve Schofield
Thanks for the explanation and that makes sense. Couple questions. For my
scenario then would probably be best to bring up a 3rd server with DNS
service installed, not necessarily a DC but a member server with DNS
configured with a secondary zone and also zone transfers on the
'_msdcs.domain.com' and 'domain.com' domain on this 3rd server. On all the
member servers TCP/IP settings, add this server 3rd in the list after the
Primary and Alternate servers that already exist. For the most part this is
*just-in-case* but is needed for a disaster recovery situation.
The reason I'm asking is we had a case where the DNS service failed on both
DC's at once, from the clues it is a hotfix that is integrated into SP1.
But for a short-time this caused issues and no resolution occurred. We are
taking steps for monitoring and other items to prevent this in the future
but we want to make sure at least existing machines have DNS resolution in
the event the DC's are effected, even just for a few minutes. Does that
make sense?
Steve Schofield
st...@deviq.com
"Doug Sherman [MVP]" <dshe...@nospamtampabay.rr.com> wrote in message
news:%23pi7fRH...@TK2MSFTNGP14.phx.gbl...
Doug Sherman [MVP]
http://support.microsoft.com/default.aspx?scid=kb;en-us;816518
Doug Sherman
MCSE, MCSA, MCP+I, MVP
"Steve Schofield" <st...@deviq.com> wrote in message
news:eo0KOgIk...@TK2MSFTNGP10.phx.gbl...
Steve Schofield
help plus I already have a WMI script to push out to the member servers to
add the third entry via SMS.
Thanks again,
Steve Schofield
st...@deviq.com
Microsoft MVP - ASP.NET
http://www.deviq.com
"Doug Sherman [MVP]" <dshe...@nospamtampabay.rr.com> wrote in message
news:O5$VuRJkF...@TK2MSFTNGP14.phx.gbl...
Kevin D. Goodknecht Sr. [MVP]
Steve Schofield <st...@deviq.com> posted this:
> Thanks Doug for the answers, advice and link to the KB article. This
> will help plus I already have a WMI script to push out to the member
> servers to add the third entry via SMS.
replication scope to replicate to all DNS servers in the domain.
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
Steve Schofield
I'm not sure what you mean to replicate to all w2k3 servers. My plans are
to try to use a w2k3 member server along with the two DC's that are also
W2k3 native mode.
--
Thank you,
Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support
"Kevin D. Goodknecht Sr. [MVP]" <ad...@nospam.WFTX.US> wrote in message
news:%23$dN3RYkF...@TK2MSFTNGP10.phx.gbl...
Ace Fekay [MVP]
Steve Schofield <st...@deviq.com> stated, which I then commented on below:
> Hi Kevin,
>
> I'm not sure what you mean to replicate to all w2k3 servers. My
> plans are to try to use a w2k3 member server along with the two DC's
> that are also W2k3 native mode.
What Kevin is saying to choose the DNS zone's replication scope to be domain
wide on all DNS servers, meaning the DomainDnsZones app partition.
But from a DR point of view, if you recently lost both DC/DNS servers where
none of the DNS servers are able to resolve any queries, did you also lose
DC functionality as well? If the problem on both of your DCs appeared
simultaneously and were a result of an AD mis-functionality, (beacuse of an
SP issue or note), then even if you were to change DNS servers (having a
backup), AD wouldn't function correctly to respond to domain authentication
or any other sort of requests any way. In this case, a more elaborate DR
plan will be required to replace (temp or permanently) your DCs and insuring
whatever roles those DCs held were available. For a short term issue, trying
to repair them is your best bet or a system state restore may be in order.
I've been working on a DR plan for a client for some time now, and it is not
easy task at all, especially since Exchange is involved as well as a Mac
Panther server, among other issues. One needs to take the *whole* picture
into account and ask "what if?" for all possible issues. If you just replace
the DNS servers with a backup in your scenario, it still doesn't address DC
functionality if that were to go down. Does that make sense?
--
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
Steve Schofield
Yes that makes perfect sense, the situation was the event logs caused an RPC
error. After looking into the error it looks a special hotfix integrated
into SP1. After restarting the services it solved the issue, what I really
want to target is web servers, mail servers that are routing outbound mail
that still requires resolution. As far as my specific situation the
NETLOGON services were still running just the member services couldn't
resolve the underscore records to do stuff like authentication requests,
etc. With at least a single DNS server holding these records the member
servers could have continued to process items even though the DC's DNS
service wasn't running for a few moments There is no perfect DR plan, just
needs to fix business requirements. I've also worked in a corporate
environment with thousands of users where the DR plan was totally different.
We have already started to plan for SP1 deployment along with other items
for monitoring and recovery. If a DC is totally down because of virus,
hardware failure or something else. Good discussion topic I'm finding out.
Steve
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNa...@hotmail.com> wrote in
message news:OL9N1RZ...@TK2MSFTNGP09.phx.gbl...
Kevin D. Goodknecht Sr. [MVP]
>
> I'm not sure what you mean to replicate to all w2k3 servers. My
> plans are to try to use a w2k3 member server along with the two DC's
> that are also W2k3 native mode.
In more simple terms, if you look at the zone properties sheet in the DNS
console, General tab, there is a button for changing the replication scope.
Default replication is to replicate to a DCs in the domain, this partition
also exists on Win2k DCs so the zone will replicate to the Win2k DCs, too.
You also have two more choices, All DNS servers in the AD Domain and All DNS
servers in the AD forest. These two partitions replicate to Win2k3 member
servers in the scope. But, these two partitions do not exist on Win2k so
Win2k servers won't get the zone.
Steve Schofield
only targeted for DC's and will probably alter that setting so the member
server gets this partition.
Steve
"Kevin D. Goodknecht Sr. [MVP]" <ad...@nospam.WFTX.US> wrote in message
news:uFLWxvZk...@TK2MSFTNGP10.phx.gbl...
Ace Fekay [MVP]
> zone was only targeted for DC's and will probably alter that setting
> so the member server gets this partition.
>
> Steve
Just to make a point about AD partitions, is that they are NOT available on
a non-DC (AD Integrated zones are only available on a DC). In this case, you
would need to have a secondary zone on the member server that you can turn
into a Primary zone.
Ace
Ace Fekay [MVP]
>
> Yes that makes perfect sense, the situation was the event logs caused
> an RPC error. After looking into the error it looks a special hotfix
> integrated into SP1. After restarting the services it solved the
> issue, what I really want to target is web servers, mail servers that
> are routing outbound mail that still requires resolution. As far as
> my specific situation the NETLOGON services were still running just
> the member services couldn't resolve the underscore records to do
> stuff like authentication requests, etc. With at least a single DNS
> server holding these records the member servers could have continued
> to process items even though the DC's DNS service wasn't running for
> a few moments There is no perfect DR plan, just needs to fix
> business requirements. I've also worked in a corporate environment
> with thousands of users where the DR plan was totally different. We
> have already started to plan for SP1 deployment along with other
> items for monitoring and recovery. If a DC is totally down because
> of virus, hardware failure or something else. Good discussion topic
> I'm finding out.
> Steve
Yes it is a big topic, and you;re right, in different corp environments, DR
needs to be taylored.
One thing if you are talking about Exchange, Exchange will fail and no mail
will flow no matter what if the DCs (specifically GCs), are not available.
So whether they can resolve the SRV records to locate a GC/DC, it wouldn't
matter if the GC/DC(s) are not available. If you have other GC/DCs available
outside of the AD Site, you can specifiy and force that in the Exchange
server's properties in the ESM (under the DSAccess tab) as a "quickie" fix.
It sure can get complicated....
Ace