I have two server 2003 servers. One is hosting Primary DNS and one secondary
DNS server using the primary for its zone records.
We did a test recently where the primary server was taken offline to see if
DNS still worked. It didn't! Our name servers for the domains we tested with
are the same as the external IPs for the two DNS servers. I would have
thought that if the primary was taken offline the 2nd nameserver would be
used to check the host record and then access the host file on the secondary
DNS server.
At this point would I need to change the host file on every zone record for
the secondary DNS server to ensure each zone is then accessed?
Chris
Please post an unedited ipconfig /all from both DNS servers. If I understand
you right you use public IP addresses in your domain? For every machine?
On domain controllers it is good practice to use Active Directory integrated
zones. Then you have replication via AD and any DNS server can add new records.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Two concerns: Registration and Resolution.
When the ONLY Primary is offline no dynamic registration will be possible,
so generally it is best to use multiple AD Integrated DNS Servers instead
of a single primary (single point of failure for dynamic registration).
You also get the advantage of being able to use "secure only updates" in
this case.
For RESOLUTION, every machine needs to be set with BOTH (all)
INTERNAL DNS Servers listed in the NIC->IP->Properties.
NO external DNS Servers (e.g., the ISP or an external firewall server)
may be listed -- only those which can resolve all internal (and external)
records needed by the internal DNS clients.
> Our name servers for the domains we tested with are the same as the external
> IPs for the two DNS servers. I would have thought that if the primary was
> taken offline the 2nd nameserver would be used to check the host record and
> then access the host file on the secondary DNS server.
>
> At this point would I need to change the host file on every zone record for
> the secondary DNS server to ensure each zone is then accessed?
What host file? Host files have nothing to do with DNS resolution --
and would be used prior to DNS if available on the client machines.
Host files would generally be a poor practice for AD domain machines
unless you use them for very specific purposes and understand the
implication clearly.
DNS clients can have multiple DNS servers listed on the NIC->IP
properties.
Allow me to describe this better for you.
There are two servers. Each has a public IP so they're directly accessed
from the Internet, but only allowing DNS traffic through.
On the primary server each forward lookup zone is set up as primary, and each
zone record has a name server of the primary server and the secondary server.
On the secondary server each forward lookup zone is set up as secondary (from
the wizard) but only allowing notifications between these servers as per
the notify tab. The zone records are in sync and appear to be fine.
However, when the primary server goes offline each zone record is unable to
be resolved from the Internet. Which tells me that the secondary server is
unable to resolve forward lookup zones if the primary server is offline.
Would I be correct in saying that if the primary server goes offline I have to
change the host (A) record for each lookup zone (the host that's set to 'same
as parent folder') or should this be more automatic? i.e. primary server goes
offline but all the lookup zones remain and can be resolved with only the
one server running.
Thanks
Chris
Not true.
You have a problem either with REACHING the Secondary through
the Firewall OR you have failed to delegate the Secondary from the
parent zone and so no one even tries to find it.
Since this is public, what is the zone name?
Go to one of the web DNS checks and try your zone name:
http://www.checkdns.net/quickcheckdomainf.aspx
Thanks for the reply.
If you check www.staircase.co.uk you will see that there are two DNS servers
and this is clearly stated when I use your link. However, if you want to
double check it all then please do and let me know what you find.
Looks good from here too with one exception* -- is it working
(at the moment)?
If it is working NOW, then recheck everything (including what
I show manually below) when it fails next time....
You have two NameServers listed for your zone,
ns0.clever4.net 62.105.94.101
ns1.clever4.net 62.105.94.104
Querying each of them DIRECTLY gives back the same
answer for your www.staircase.co.uk (62.105.94.104)
server so presumably it works just like it is supposed to
work.
Notice that your SOA record gives web01.clever4.net
as your Primary, not one of those above.
That (web01) server doesn't even have an A record when
I check it -- even against (all of) MY DNS servers, or
each of yours (ns0 and ns1).
It is not good that your Primary is unreachable -- it should
be changed to reflect one of the working servers (the one
that is the primary.)
My actual checks follow:
c:\>nslookup -q=soa staircase.co.uk
Non-authoritative answer:
staircase.co.uk
primary name server = web01.clever4.net
responsible mail addr = (root)
serial = 12
refresh = 600 (10 mins)
retry = 600 (10 mins)
expire = 1209600 (14 days)
default TTL = 600 (10 mins)
c:\>nslookup -q=ns staircase.co.uk
Non-authoritative answer:
staircase.co.uk nameserver = ns0.clever4.net
staircase.co.uk nameserver = ns1.clever4.net
c:\>nslookup www.staircase.co.uk ns0.clever4.net
Server: 62.105.94.101
Name: staircase.co.uk
Address: 62.105.94.104
Aliases: www.staircase.co.uk
c:\>nslookup www.staircase.co.uk ns1.clever4.net
Server: 62.105.94.104
Name: staircase.co.uk
Address: 62.105.94.104
Aliases: www.staircase.co.uk
c:\>nslookup web01.clever4.net ns1.clever4.net
Server: 62.105.94.104
*** UnKnown can't find web01.clever4.net: Non-existent domain
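The manual nslookup checks above (NS set, each server queried DIRECTLY for the SOA and the host, and the SOA primary resolved against each server) can be scripted so the same sequence is run every time the zone "fails". The script below is an added example, not from this thread or from anyone posting in it. Its lookup() interface and the ANSWERS table are constructed stand-ins that reproduce the answers shown in the nslookup output above (ns0/ns1 addresses, the web01 MNAME, serial 12), so it runs offline; a practitioner would replace table_lookup with a function that sends real queries and keep the rest. with_server_down() simulates the "ns0 taken offline" test from the first post.

```python
"""Delegation / consistency check for a public zone, modelled on manual nslookup checks.
Added example: lookup() is a constructed DNS stand-in so this runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# lookup(qname, qtype, server) -> list of rdata strings ([] = no answer / NXDOMAIN).
# server=None means "ask our own recursive resolver"; an IP means "ask that server directly".
Lookup = Callable[[str, str, Optional[str]], list[str]]


def fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


# Constructed answer table reproducing what the thread's nslookup sessions returned.
ANSWERS: dict[tuple[Optional[str], str, str], list[str]] = {
    (None, "staircase.co.uk.", "NS"): ["ns0.clever4.net.", "ns1.clever4.net."],
    (None, "ns0.clever4.net.", "A"): ["62.105.94.101"],
    (None, "ns1.clever4.net.", "A"): ["62.105.94.104"],
}
for _srv in ("62.105.94.101", "62.105.94.104"):
    # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM, as in the SOA shown in the thread
    ANSWERS[(_srv, "staircase.co.uk.", "SOA")] = ["web01.clever4.net. root. 12 600 600 1209600 600"]
    ANSWERS[(_srv, "www.staircase.co.uk.", "CNAME")] = ["staircase.co.uk."]
    ANSWERS[(_srv, "staircase.co.uk.", "A")] = ["62.105.94.104"]
    ANSWERS[(_srv, "ns0.clever4.net.", "A")] = ["62.105.94.101"]
    ANSWERS[(_srv, "ns1.clever4.net.", "A")] = ["62.105.94.104"]
    # web01.clever4.net deliberately has no A record anywhere, matching the thread.


def table_lookup(qname: str, qtype: str, server: Optional[str] = None) -> list[str]:
    return ANSWERS.get((server, fqdn(qname), qtype), [])


def with_server_down(lookup: Lookup, down: str) -> Lookup:
    """Wrap a lookup so one authoritative server stops answering (the 'ns0 offline' test)."""
    return lambda q, t, s=None: [] if s == down else lookup(q, t, s)


def resolve_a(lookup: Lookup, name: str, server: Optional[str], max_cnames: int = 5):
    """Follow CNAMEs to A records, like nslookup's Name:/Address:/Aliases: output."""
    name = fqdn(name)
    for _ in range(max_cnames):
        addrs = lookup(name, "A", server)
        if addrs:
            return name, addrs
        cname = lookup(name, "CNAME", server)
        if not cname:
            return name, []
        name = fqdn(cname[0])
    return name, []


@dataclass
class ZoneReport:
    ns_set: dict[str, list[str]] = field(default_factory=dict)        # NS name -> addresses
    soa_mname: dict[str, str] = field(default_factory=dict)           # server -> SOA MNAME
    serials: dict[str, int] = field(default_factory=dict)             # server -> SOA serial
    host_answers: dict[str, list[str]] = field(default_factory=dict)  # server -> A records for host
    findings: list[str] = field(default_factory=list)


def check_zone(lookup: Lookup, zone: str, host: str) -> ZoneReport:
    zone, host = fqdn(zone), fqdn(host)
    rep = ZoneReport()
    # 1. NS set as the rest of the Internet sees it, and whether each NS name resolves.
    for ns in lookup(zone, "NS", None):
        ns = fqdn(ns)
        rep.ns_set[ns] = resolve_a(lookup, ns, None)[1]
        if not rep.ns_set[ns]:
            rep.findings.append(f"NS {ns} has no A record: nobody can reach it")
    if len(rep.ns_set) < 2:
        rep.findings.append("fewer than two NS records: single point of failure")
    # 2. Ask every listed server DIRECTLY for the SOA and for the host record.
    for ns, addrs in rep.ns_set.items():
        for addr in addrs:
            soa = lookup(zone, "SOA", addr)
            if not soa:
                rep.findings.append(f"{ns} ({addr}) gave no SOA for {zone}: unreachable or not authoritative")
                continue
            f = soa[0].split()
            rep.soa_mname[addr], rep.serials[addr] = fqdn(f[0]), int(f[2])
            rep.host_answers[addr] = sorted(resolve_a(lookup, host, addr)[1])
            if not rep.host_answers[addr]:
                rep.findings.append(f"{ns} ({addr}) cannot resolve {host}")
    # 3. Cross-server consistency: serials (zone transfer lag) and answers.
    if len(set(rep.serials.values())) > 1:
        rep.findings.append(f"SOA serials differ between servers: {rep.serials}")
    if len({tuple(a) for a in rep.host_answers.values()}) > 1:
        rep.findings.append(f"servers disagree on {host}: {rep.host_answers}")
    # 4. SOA MNAME should be one of the listed NS and must resolve (the web01 finding).
    for mname in sorted(set(rep.soa_mname.values())):
        if mname not in rep.ns_set:
            rep.findings.append(f"SOA MNAME {mname} is not in the NS set {sorted(rep.ns_set)}")
        for addr in rep.soa_mname:
            if not resolve_a(lookup, mname, addr)[1]:
                rep.findings.append(f"SOA MNAME {mname} does not resolve when asking {addr}")
    return rep


if __name__ == "__main__":
    for label, lk in (("all up", table_lookup),
                      ("ns0 offline", with_server_down(table_lookup, "62.105.94.101"))):
        r = check_zone(lk, "staircase.co.uk", "www.staircase.co.uk")
        print(f"== {label}: host answers {r.host_answers}")
        for line in r.findings:
            print("  -", line)
```

With the constructed data the "all up" run reports only the SOA MNAME problem described above (web01 is not in the NS set and does not resolve); the "ns0 offline" run reports ns0 as unreachable while ns1 still returns the host record, which is the state a correctly delegated and reachable secondary should be in.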
Doesn't matter as long as you don't publicize any of these internal IPs
out on the Internet.
See my other response for the issue about the "Primary" being set
wrong in the SOA (but this should not directly cause a problem.)
I can query for BOTH your nameservers (presuming they are the
ones listed in my previous message, i.e., ns1 and ns0), and I can
query EACH of them DIRECTLY from the outside.
I don't however like to see ANY inconsistencies in the DNS zones.
Well the SOA is showing ns0 for both primary and secondary records. But this
doesn't explain why when ns0 goes offline domain names aren't being
resolved...other than the host IP of each zone still pointing to the primary
server (ns0), which would be offline.
Can you see any inconsistencies from the test you have done?
Just what I showed you (but you cut it out here so I don't have it
handy to recheck). I don't even have your domain name now.
You have to find a case where it doesn't work and then test through
it systematically.
Get a machine to fail, and work from that machine.
Secondly, is there anyone that can assist further as I'm not getting any
useful help here??
> You have to find a case where it doesn't work and then test through
> it systematically.
How is that of any use to me? I need to be pointed in the right direction, things to try, options to check, etc. If anyone has any better help please write here.
That's why you should have copied through what I wrote.
You actually got excellent advice, explicit tools to work through it
but aren't doing it or aren't posting the results.
Go back and READ what you didn't learn in the previous posts.
And good luck.
Interesting problem. I read through the rest of the thread, forgive me if I
repeat anything you've already answered, just means I haven't had enough
coffee yet.
Is there a specific record within the zone you've been checking so far? Or
is that the A record for staircase.co.uk?
As Herb mentioned both those are publicly accessible and resolve
perfectly. That includes the mentioned discrepancy in the SOA which can be
ignored in the context of this problem.
How are you testing name resolution when you turn off ns0 (or ns1)?
Presumably using NSLookup on a client on your internal network?
Does the client have the two name servers we're discussing listed as
preferred and alternate in TCP/IP configuration? Or are they using a third
DNS service?
During the failure, do public name queries (non-authoritative queries)
execute successfully?
And during the failure, can you access the zone via the DNS Console on ns1?
--
Chris Dent
MVP Directory Services
"Chris" <Ch...@discussions.microsoft.com> wrote in message
news:44068643-F156-43D8...@microsoft.com...
Well, there's the one thing I saw, which Herb pointed out, that the SOA
primary server is "web01.clever4.net" but it is NOT RESOLVABLE.
Look at the following query for the SOA of your zone (which Herb already ran
earlier). It says it is "web01.clever4.net."
> set q=soa
> staircase.co.uk
Server: 104.94.105.62.as15758.net
Address: 62.105.94.104
staircase.co.uk
primary name server = web01.clever4.net
responsible mail addr = (root)
serial = 12
refresh = 600 (10 mins)
retry = 600 (10 mins)
expire = 1209600 (14 days)
default TTL = 600 (10 mins)
And the following shows when I try to query for "web01.clever4.net," it
clearly SHOWS THE RECORD DOES NOT EXIST. And this is using your own DNS
servers.
> server 62.105.94.104
Default Server: 104.94.105.62.as15758.net
Address: 62.105.94.104
> web01.clever4.net
Server: 104.94.105.62.as15758.net
Address: 62.105.94.104
*** 104.94.105.62.as15758.net can't find web01.clever4.net: Non-existent
domain
So for starters, you MUST ensure an "A" record for "web01" exists under the
"clever4.net" zone. Now I am not sure who clever4.net is, but I assume that
is your actual nameserver's domain name. If you actually host "clever4.net,"
create an "A" record for it.
If I were you, I would use either or both ns0.clever4.net[62.105.94.101] and
ns1.clever4.net[62.105.94.104] as your SOA instead of that web01 that's
listed. My guess it is the default listing under the Nameservers Tab under
the zone properties that gets listed because that's the actual hostname of
the server. You can change it.
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
That isn't actually a problem but it MIGHT be an indication that someone
(some DNS server) somewhere thinks that his Authoritative servers are
different than what they (currently) are.
[One time I had an ISP "retire" a DNS server but forget to remove the
entry at the parent domain/zone for MY domain/zone. BAD ISP BAD!]
If some people are getting to him through THAT (DNS resolution) path
they might get failures that we aren't seeing when we look at it.
> > Well, there's the one thing I saw, which Herb pointed out, that the
> > SOA primary server is "web01.clever4.net" but it is NOT RESOLVABLE.
>
> That isn't actually a problem but it MIGHT be an indication that
> someone (some DNS server) somewhere thinks that his Authoritative
> servers are different than what they (currently) are.
>
> [One time I had an ISP "retire" a DNS server but forget to remove the
> entry at the parent domain/zone for MY domain/zone. BAD ISP BAD!]
>
> If some people are getting to him through THAT (DNS resolution) path
> they might get failures that we aren't seeing when we look at it.
That's what I'm thinking. If it is querying for the SOA, then they can't
resolve it.
Actually, I was just thinking that the SOA might be a SIGNAL that
there is another delegation path out there somewhere -- not that
they would be using it because of the SOA itself.
> Actually, I was just thinking that the SOA might be a SIGNAL that
> there is another delegation path out there somewhere -- not that
> they would be using it because of the SOA itself.
I see what you mean.