
Proper way to configure DNS for child domain


JoeD

Aug 4, 2008, 3:51:09 PM
Hi,

What is the proper and correct way to configure DNS (AD Integrated zones)
for a child domain? I have two DC's in a child domain, let's call them DC1
and DC2. All servers run Windows 2003. Some people say to set them up like
this:

DC1
Primary server: DC1
Secondary server: DC2

DC2
Primary server: DC2
Secondary server: DC1

Other people say to set them up pointing to themselves as the primary and
use the parent DNS server as a secondary. Which way is the best practices
way? Also, on the TCP/IP adapter on the DNS server, do I need to use "Append
suffixes" radio button and check box? Is this necessary on the DNS server?

The way I have them set up is :

DC1
Primary: DC1
Secondary: Parent DNS server

DC2
Primary: DC2
Secondary: DC1

This is working okay but I get a few errors, namely event id 2088 and 5781.
Below is a dcdiag from DC1:


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine DC1, is a DC.
* Connecting to directory service on server DC1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 8 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: CHILD\DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: CHILD\DC1
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : child
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running enterprise tests on : domain.com
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: DC1.child.domain.com
Domain: child.domain.com


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition
(Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Broadcom NetXtreme Gigabit Ethernet:
MAC address is 00:0F:1F:66:CF:62
IP address is static
IP address: 192.168.5.6
DNS servers:
Warning: 192.168.5.6 (<name unavailable>) [Invalid]
192.168.1.20 (<name unavailable>) [Valid]
192.168.5.7 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found
(primary)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders are not configured on this DNS server
Root hint Information:
Name: a.root-servers.net. IP: 198.41.0.4 [Invalid
(unreachable)]
Name: b.root-servers.net. IP: 192.228.79.201 [Invalid
(unreachable)]
Name: c.root-servers.net. IP: 192.33.4.12 [Invalid
(unreachable)]
Name: d.root-servers.net. IP: 128.8.10.90 [Invalid
(unreachable)]
Name: DC01.domain.com. IP: 192.168.1.20 [Valid]
Name: DC02.other.domain.com. IP: 192.168.1.10 [Valid]
Name: e.root-servers.net. IP: 192.203.230.10 [Invalid
(unreachable)]
Name: f.root-servers.net. IP: 192.5.5.241 [Invalid
(unreachable)]
Name: g.root-servers.net. IP: 192.112.36.4 [Invalid
(unreachable)]
Name: h.root-servers.net. IP: 128.63.2.53 [Invalid
(unreachable)]
Name: i.root-servers.net. IP: 192.36.148.17 [Invalid
(unreachable)]
Name: j.root-servers.net. IP: 192.58.128.30 [Invalid
(unreachable)]
Name: k.root-servers.net. IP: 193.0.14.129 [Invalid
(unreachable)]
Name: l.root-servers.net. IP: 199.7.83.42 [Invalid
(unreachable)]
Name: m.root-servers.net. IP: 202.12.27.33 [Invalid
(unreachable)]

TEST: Delegations (Del)
No delegations were found in this zone on this DNS server

TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone child.domain.com.
Test record _dcdiag_test_record added successfully in zone
child.domain.com.
Test record _dcdiag_test_record deleted successfully in
zone child.domain.com.

TEST: Records registration (RReg)
Network Adapter [00000001] Broadcom NetXtreme Gigabit
Ethernet:
Matching A record found at DNS server 192.168.5.6:
DC1.child.domain.com

Error: Missing CNAME record at DNS server 192.168.5.6 :
8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.domain.com
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

Matching DC SRV record found at DNS server 192.168.5.6:
_ldap._tcp.dc._msdcs.child.domain.com

Error: Missing GC SRV record at DNS server 192.168.5.6 :
_ldap._tcp.gc._msdcs.domain.com
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

Matching PDC SRV record found at DNS server 192.168.5.6:
_ldap._tcp.pdc._msdcs.child.domain.com

Matching A record found at DNS server 192.168.1.20:
DC1.child.domain.com

Matching CNAME record found at DNS server 192.168.1.20:
8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.domain.com

Matching DC SRV record found at DNS server 192.168.1.20:
_ldap._tcp.dc._msdcs.child.domain.com

Matching GC SRV record found at DNS server 192.168.1.20:
_ldap._tcp.gc._msdcs.domain.com

Matching PDC SRV record found at DNS server 192.168.1.20:
_ldap._tcp.pdc._msdcs.child.domain.com

Matching A record found at DNS server 192.168.5.7:
DC1.child.domain.com

Matching CNAME record found at DNS server 192.168.5.7:
8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.domain.com

Matching DC SRV record found at DNS server 192.168.5.7:
_ldap._tcp.dc._msdcs.child.domain.com

Matching GC SRV record found at DNS server 192.168.5.7:
_ldap._tcp.gc._msdcs.domain.com

Matching PDC SRV record found at DNS server 192.168.5.7:
_ldap._tcp.pdc._msdcs.child.domain.com

Error: Record registrations cannot be found for all the
network adapters

Summary of test results for DNS servers used by the above domain
controllers:

DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 202.12.27.33
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 199.7.83.42 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 199.7.83.42
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 198.41.0.4
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 193.0.14.129
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.58.128.30
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.5.5.241
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.36.148.17
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.33.4.12
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.228.79.201
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.203.230.10
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.168.5.6 (<name unavailable>)
1 test failure on this DNS server
This is a valid DNS server
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.168.5.6
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 192.112.36.4
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 128.8.10.90
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.domain.com.
failed on the DNS server 128.63.2.53
[Error details: 1460 (Type: Win32 - Description: This
operation returned because the timeout period expired.)]

DNS server: 192.168.5.7 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered

DNS server: 192.168.1.20 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered

DNS server: 192.168.1.10 (DC02.other.domain.com.)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the
forest root domain is registered

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext

________________________________________________________________
Domain: child.domain.com
DC1 PASS WARN PASS PASS PASS FAIL n/a

......................... domain.com failed test DNS


The forest root has both forwarders enabled and root hints. I am not sure
why my server is trying to register records on the root hints server?! Any
help would be great. Thanks


Phillip Windell

Aug 4, 2008, 4:31:23 PM
They don't point to the parent domain at all,...only to themselves (1st) and
each other (2nd).

Active Directory Replication throughout the Forest takes care of the rest.

Child Domain DC1
Primary server: Child Domain DC1
Secondary server: Child Domain DC2

Child Domain DC2
Primary server: Child Domain DC2
Secondary server: Child Domain DC1


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"JoeD" <Jo...@discussions.microsoft.com> wrote in message
news:ECAD8118-4E66-4FEF...@microsoft.com...
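The rule in the reply above (each child DC lists itself first, the other child DC second, nothing else) can be checked mechanically against a dcdiag report like the one JoeD posted. The script below is an added example, not part of this thread and not dcdiag's own code: it pulls the adapter's "DNS servers:" list, the "Missing ... record" registration errors and the per-server summary out of a Windows Server 2003 style `dcdiag /test:dns` report (the embedded sample is excerpted from the report earlier in the thread), then flags list entries that are not DCs of the child domain, entries dcdiag marked [Invalid] or that failed a test, and any Internet root servers the lookups fell through to. The function names and the `own_ip` / `peer_ips` parameters are this example's own.

```python
"""Check a dcdiag /test:dns report against the DNS-client rule from this
thread: each child-domain DC lists itself first, the other child DC second,
and nothing else. Added example, not part of the thread or of dcdiag.
Assumes the Windows Server 2003 dcdiag layout shown above; all function
names and the own_ip / peer_ips parameters are this example's own."""
import re

# Constructed sample: excerpts of the dcdiag output JoeD posted above.
SAMPLE_REPORT = """\
TEST: Basic (Basc)
DNS servers:
Warning: 192.168.5.6 (<name unavailable>) [Invalid]
192.168.1.20 (<name unavailable>) [Valid]
192.168.5.7 (<name unavailable>) [Valid]
The A record for this DC was found

TEST: Records registration (RReg)
Error: Missing CNAME record at DNS server 192.168.5.6 :
8ce8e939-476b-49b8-ae46-f777bd0d232a._msdcs.domain.com
Error: Missing GC SRV record at DNS server 192.168.5.6 :
_ldap._tcp.gc._msdcs.domain.com

Summary of test results for DNS servers used by the above domain
controllers:

DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server.

DNS server: 192.168.5.6 (<name unavailable>)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.domain.com.

DNS server: 192.168.5.7 (<name unavailable>)
All tests passed on this DNS server

DNS server: 192.168.1.20 (<name unavailable>)
All tests passed on this DNS server
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Adapter's DNS server list: "[Warning:] <ip> (<name>) [Valid|Invalid]"
CLIENT_RE = re.compile(r"^\s*(Warning:\s*)?" + IP + r"\s*\(([^)]*)\)\s*\[(Valid|Invalid)\]", re.M)
# Registration errors: "Error: Missing <type> record at DNS server <ip> :" then the record name
MISSING_RE = re.compile(r"Error: Missing (.+?) record at DNS server " + IP + r"\s*:\s*\n\s*(\S+)")
# Per-server summary: "DNS server: <ip> (<name>)" then "All tests passed" or "<n> test failure"
SUMMARY_RE = re.compile(r"^DNS server: " + IP + r" \(([^)]*)\)\s*\n(All tests passed|(\d+) test failure)", re.M)


def parse_client_dns_servers(report):
    """DNS servers configured on the DC's adapter, in client query order."""
    return [(ip, state, bool(warn)) for warn, ip, _name, state in CLIENT_RE.findall(report)]


def parse_missing_records(report):
    """(record type, DNS server, record name) for every registration error."""
    return MISSING_RE.findall(report)


def parse_server_summary(report):
    """Map each DNS server dcdiag consulted to (name, failed test count)."""
    return {ip: (name, int(fails) if fails else 0)
            for ip, name, _verdict, fails in SUMMARY_RE.findall(report)}


def check_dns_client_order(report, own_ip, peer_ips):
    """Findings for the adapter's DNS list measured against the rule above."""
    entries = parse_client_dns_servers(report)
    if not entries:
        return ["no 'DNS servers:' list found in the report"]
    findings = []
    if entries[0][0] != own_ip:
        findings.append(f"first DNS server is {entries[0][0]}, expected this DC itself ({own_ip})")
    allowed = {own_ip, *peer_ips}
    summary = parse_server_summary(report)
    for ip, state, _warned in entries:
        if ip not in allowed:
            findings.append(f"{ip} is not a DC of this domain; remove it from the client list")
        if state == "Invalid":
            findings.append(f"dcdiag marked {ip} [Invalid] in the adapter's DNS server list")
        fails = summary.get(ip, ("", 0))[1]
        if fails:
            findings.append(f"{ip} failed {fails} dcdiag test(s)")
    roots = sorted(ip for ip, (name, fails) in summary.items()
                   if name.endswith("root-servers.net.") and fails)
    if roots:
        findings.append("Internet root servers were consulted and failed: " + ", ".join(roots))
    return findings


if __name__ == "__main__":
    for line in check_dns_client_order(SAMPLE_REPORT, "192.168.5.6", {"192.168.5.7"}):
        print("-", line)
    for kind, server, name in parse_missing_records(SAMPLE_REPORT):
        print(f"- missing {kind} record {name} at {server}")
```

Run against the excerpt of JoeD's report, the checker reports the parent server 192.168.1.20 as an entry that is not a DC of the child domain, the DC's own address as marked [Invalid] with one failed test, and the root server the summary shows timing out; feed it a list holding only DC1 and DC2 (DC1 first) and it returns no findings. Save the real report with `dcdiag /test:dns > report.txt` and pass the file contents in place of the sample.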

JoeD

Aug 5, 2008, 8:19:01 AM
Okay, do I use forwarders to the parent? Should I have the parent DNS
servers on the Name Servers Tab?

Phillip Windell

Aug 5, 2008, 10:20:42 AM
Name Servers Tab:
No,..I never have. Mine only lists the two DCs of my own domain that contain
that particular Zone
Active Directory Forest Replication already takes care of all that as I said
in the last post.
The Name Servers Tab only exists as Properties of the Zone itself,...what
good is it to have a DNS listed in there that is not the DNS used for that
Zone? If you look, each Zone has such a tab,...but the Properties of the
DNS Server itself does not.

Forwarders:
Use the ISP's DNS or some other valid external DNS as the Forwarder,...or
just don't use Forwarders at all and it will *default* to using Root Hints.



"JoeD" <Jo...@discussions.microsoft.com> wrote in message
news:E9AF664B-AB1D-4D2D...@microsoft.com...

JoeD

Aug 5, 2008, 4:02:00 PM
Thanks. Works like a charm.

Phillip Windell

Aug 5, 2008, 4:30:09 PM
Very good, sir.
Good luck with it.


"JoeD" <Jo...@discussions.microsoft.com> wrote in message
news:4C723463-DFE9-4BB6...@microsoft.com...
