AD Integrated DNS and member servers

Guest
Archived from groups: microsoft.public.windows.server.dns, microsoft.public.win2000.dns

I've searched for similar questions and haven't found this one. Thanks
for any help.

Question:
If my Windows domain's zone is set for "Active Directory-Integrated" on
my DC, and I have 2 other DNS servers (member servers only) with copies
of that zone, will my clients be able to dynamically register records,
if they are contacting one of the member server DNS servers first?

Details:
We have 3 DCs.

Only one of the DCs is running DNS. On its properties sheet, the zone
for our Windows domain says "Type: Active Directory-Integrated" on the
General tab. On the same tab, under "Dynamic Updates:", it says,
"Secure only".

We also have two member servers running DNS. On the properties sheet
for the zone for our Windows domain, they both say, "Type: Secondary".
On the general tab for these zones, under "IP address:", the IP
address of my DC with DNS is listed. (Help text says this should be the
master for the zone and the IP listed is the IP of the DC/DNS server,
so I think that's right.)

For DHCP, we are using a non-MS DHCP server.

In the DHCP server, do I have to be giving out the DC/DNS server's IP
address at all as a DHCP option to get dynamic updates of names from my
clients?

If a client boots up and reaches a member server DNS server first, will
the client's attempt to dynamic update be successful?

What happens in that event? Does the member server/DNS pass the update
along to the DC with DNS on it?



Thanks again for any insight.
 
Guest

First, thank you both for offering help. I truly appreciate your
responses.

Well, we seem to have a controversy! :) (Just kidding)

Dean,

Could you be more specific in what you are saying is not correct?
Also, if you can point me to some documentation I'd be eternally
grateful.

(Actually, if I could have found this documentation to begin with, I
wouldn't have posted to Usenet!)
 
Guest

When submitting dyn. updates, clients first request the SOA record of
the zone which designates a name-server with the (or in AD's case, one
of many) writable copies of the zone. The updates will be submitted
there and (latency in mind) will replicate back to the secondaries.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

MartyEgan wrote:
 
Guest

Standard Secondary zones do not support dynamic updates. The DHCP scope
should give the DC/DNS server IP for primary DNS - In MS DHCP server the
preference order is configured in the scope option. So, the only time a DNS
client would query a secondary DNS server would be when the DC/DNS server is
unreachable. If this occurs at machine startup, the client would not be
able to register in DNS.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"MartyEgan" <martyegan@gmail.com> wrote in message
news:1121966592.918567.111300@g44g2000cwa.googlegroups.com...
 
Guest

Inline ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Doug Sherman [MVP] wrote:
> Standard Secondary zones do not support dynamic updates. The DHCP
> scope should give the DC/DNS server IP for primary DNS

I'm afraid this isn't correct ... nor would it be remotely scalable if
all queries were directed toward the primary.

> - In MS DHCP
> server the preference order is configured in the scope option. So,
> the only time a DNS client would query a secondary DNS server would
> be when the DC/DNS server is unreachable. If this occurs at machine
> startup, the client would not be able to register in DNS.

Again, not correct I'm afraid.

 
Guest

There are many, many hits; here's one specific to Microsoft's
implementation, derived from Google -

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/19a63021-cc53-4ded-a7a3-abaf82e7fb7c.mspx

The page is lengthy, so search for the following text without the quotes
and read on -

"DHCP Client service performs the"

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

MartyEgan wrote:
 
Guest

Marty,

Here's a pretty in-depth explanation of the dynamic update process (watch
for wrapping on the URL, it's long):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/19a63021-cc53-4ded-a7a3-abaf82e7fb7c.mspx

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.


"MartyEgan" <martyegan@gmail.com> wrote in message
news:1121974848.525492.224660@o13g2000cwo.googlegroups.com...
 
Guest

What Dean meant by incorrect is this: If a client or server is pointing to
a Secondary zone (MS or BIND) of a Primary zone that in which dynamic
updates are allowed, the client will grab the MNAME (the Master's or the
Primary zone's IP) out of the secondary zone's records (specifically that
record which is listed as the SOA) and send the dynamic update request to
the Primary.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
 
Guest

The controversy, if any, is merely whether or when you should configure a
client to point to a secondary DNS zone server for primary DNS. It is
absolutely 100% true that standard secondary zones do not support dynamic
updates. It is also true per Dean, Laura, and Todd that the records in a
standard secondary zone can point you to a primary or AD integrated zone
which does support dynamic updates.

It is also absolutely 100% true that MS DHCP scope options determine the
DNS server preference order (assuming you configure them). I mentioned this
only because you said you are using non-MS DHCP, and I have no way of
knowing the capabilities of this non-MS DHCP server.

Within the context of your question, I believe it was fair to assume that
the only circumstances under which you would query a secondary DNS server
would be when you were unable to reach the one and only AD integrated
server:

"If this occurs at machine startup, the client would not be able to register
in DNS." That's what I said, and within the assumed context it is also 100%
true.

Doug Sherman
MCSE, MCSA, MCP+I, MVP


"MartyEgan" <martyegan@gmail.com> wrote in message
news:1121974848.525492.224660@o13g2000cwo.googlegroups.com...
 
Guest

The original question is clearly stated; to reiterate -

"... will my clients be able to dynamically register records, if they
are contacting one of the member server DNS servers first?"

... to which you replied -

"So, the only time a DNS client would query a secondary DNS server would
be when the DC/DNS server is unreachable. If this occurs at machine
startup, the client would not be able to register in DNS."

... I'm afraid it remains inaccurate.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Doug Sherman [MVP] wrote:
 
Guest

Hmmm ... I'm by no means certain but I believe I may understand your
point; are you trying to say that due to the fact that, in this
instance, where only a single writable zone exists, were that
unreachable even the referral from the secondary would fail? If so,
your conclusions are accurate and my apologies for not gleaning that
originally. With all due respect, more detail in the original response
would help avoid confusion.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

 
Guest

We focused on different questions:

"If a client boots up and reaches a member server DNS server first, will the
client's attempt to dynamic update be successful?"

I took this to mean - if my client is configured to use the AD/DNS server
for primary DNS and I can't reach it, what happens if it drops to the
secondary server?

Upon re-reading the question, you are correct - Marty asked the question you
focused on - and your answer is correct.

However, he also asked the question I focused on; and my concern was that he
might be under the impression that DNS servers are picked at random or
engage in kind of a race to respond. My point was that if the only server
that supports dynamic updates is unavailable, then ......... well, you can't
register.

Peace, Love, etc.

Doug Sherman
MCSE, MCSA, MCP+I, MVP


"Dean Wells [MVP]" <dwells@mask.msetechnology.com> wrote in message
news:OrchEgmjFHA.3960@TK2MSFTNGP12.phx.gbl...
 
Guest

In news:OWudopmjFHA.232@TK2MSFTNGP10.phx.gbl,
Dean Wells [MVP] <dwells@mask.msetechnology.com> stated, which I then
commented on below:
> Hmmm ... I'm by no means certain but I believe I may understand your
> point; are you trying to say that due to the fact that, in this
> instance, where only a single writable zone exists, were that
> unreachable even the referral from the secondary would fail? If so,
> your conclusions are accurate and my apologies for not gleaning that
> originally. With all due respect, more detail in the original
> response would help avoid confusion.

I must say this was one interesting thread and wish I saw it sooner!

Cheers!

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Guest

This is so great!

I should not have said:

" The DHCP scope should give the DC/DNS server IP for primary DNS"

Because it is conceivable that it might be appropriate to point a client to
a secondary DNS server for primary DNS.

As a result, Dean and I are both right; Laura and Todd are informative, but
uninteresting; and Marty is totally confused.

Doug Sherman
MCSE, MCSA, MCP+I, MVP



"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:eYWAYjnjFHA.1464@TK2MSFTNGP14.phx.gbl...
 
Guest

Thanks to everyone for your assistance. It's a pleasure to see that
everyone remained so professional and that it didn't turn personal.

There was a confusing part, initially, but in the end, the answer is
clear.

When the only writeable copy of the zone is unavailable, then no
dynamic registration of records.

When the only writeable copy of the zone is available, then dynamic
registration of records can be expected to work, even if the client is
contacting a DNS server with non-writeable copies of the zone (such as
my member server DNS servers.)

Thanks again!
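The SOA/MNAME referral that Dean and Todd describe, and the two cases Marty summarises above, modelled as an added Python simulation (this is not code from any poster or from Microsoft; the host names, addresses and the "corp.example" zone are constructed):

```python
from dataclasses import dataclass, field


class DnsError(Exception):
    """Unreachable server or refused operation (the RCODE is in the message)."""


@dataclass
class DnsServer:
    host: str                  # constructed host name, e.g. dc1.corp.example
    ip: str
    zone: str
    mname: str                 # SOA MNAME: the host holding the writable copy
    writable: bool             # True: primary / AD-integrated; False: secondary
    secure_only: bool = False  # zone set to "Dynamic Updates: Secure only"
    online: bool = True
    records: dict = field(default_factory=dict)    # owner name -> IPv4 (A records)
    secondaries: list = field(default_factory=list)

    def query(self, qname, qtype):
        if not self.online:
            raise DnsError(f"{self.host}: unreachable")
        if qtype == "SOA":             # every copy of the zone carries the SOA
            return self.mname
        if qtype == "A" and qname in self.records:
            return self.records[qname]
        raise DnsError(f"{self.host}: NXDOMAIN {qname}")

    def update(self, owner, ip, authenticated):
        """RFC 2136 UPDATE: only the writable copy can accept it."""
        if not self.online:
            raise DnsError(f"{self.host}: unreachable")
        if not self.writable:
            raise DnsError(f"{self.host}: NOTAUTH (secondary zone)")
        if self.secure_only and not authenticated:
            raise DnsError(f"{self.host}: REFUSED (secure updates only)")
        self.records[owner] = ip
        for s in self.secondaries:     # zone transfer; replication latency ignored
            s.records = dict(self.records)
        return "NOERROR"


def dynamic_register(resolver, network, owner, ip, authenticated=True):
    """Client side: ask the configured DNS server for the zone SOA, resolve
    MNAME, and send the UPDATE to that host rather than to the resolver.
    network maps IP -> DnsServer and stands in for the wire."""
    mname = resolver.query(resolver.zone, "SOA")
    primary_ip = resolver.query(mname, "A")
    return network[primary_ip].update(owner, ip, authenticated)


def build_lab():
    """One AD-integrated DC plus two member-server secondaries (constructed)."""
    zone = "corp.example"
    dc = DnsServer("dc1.corp.example", "10.0.0.1", zone, "dc1.corp.example",
                   writable=True, secure_only=True)
    dc.records = {"dc1.corp.example": "10.0.0.1",
                  "ns2.corp.example": "10.0.0.2", "ns3.corp.example": "10.0.0.3"}
    secs = [DnsServer(f"ns{i}.corp.example", f"10.0.0.{i}", zone, dc.host,
                      writable=False, records=dict(dc.records)) for i in (2, 3)]
    dc.secondaries = secs
    return dc, secs, {s.ip: s for s in [dc, *secs]}


def attempt(fn):
    """Run one registration attempt and return its RCODE or error text."""
    try:
        return fn()
    except DnsError as e:
        return str(e)


def run_scenarios():
    """Outcome of each case the thread discusses, keyed by case."""
    dc, (ns2, ns3), net = build_lab()
    out = {}
    # 1. client configured for a secondary, DC reachable: the UPDATE lands on the DC
    out["via_secondary_dc_up"] = attempt(lambda: dynamic_register(ns2, net, "pc1.corp.example", "10.0.5.7"))
    out["seen_on_other_secondary"] = ns3.query("pc1.corp.example", "A")
    # 2. an UPDATE aimed at the secondary itself is refused: no writable copy there
    out["update_sent_to_secondary"] = attempt(lambda: ns2.update("pc2.corp.example", "10.0.5.8", True))
    # 3. an unauthenticated UPDATE against the "Secure only" zone is refused
    out["insecure_update"] = attempt(lambda: dynamic_register(ns2, net, "pc3.corp.example", "10.0.5.9", False))
    # 4. the only writable copy is down: the SOA referral still works, the UPDATE cannot be delivered
    dc.online = False
    out["via_secondary_dc_down"] = attempt(lambda: dynamic_register(ns2, net, "pc4.corp.example", "10.0.5.10"))
    return out
```

On a real network the same check is `nslookup -type=SOA <zone> <secondary>`: the MNAME it returns is the server the client will actually send its registration to, so that is the host whose reachability decides whether registration succeeds.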