DNS replication time and check DNS

  • Question

  • Hello,
    I have software that uses the DNS and reverse DNS of the company domain to work properly.
    At the moment, in the company, there are two domain controllers.
    Both of them have AD, DHCP and DNS services.

    I would like to improve, if possible, the DNS replication time between these two domain controllers.
    These two DCs are in the same VLAN.

    How can I check it?
    Is it possible to decrease DNS replication time?
    How can I check if everything about DNS works properly?

    Thanks so much!

    Federico




    Tuesday, July 7, 2020 10:35 PM

Answers

  • In addition, DNS replica is an AD replica related question, so please feel free to post it in the AD forum. I have consulted with an AD engineer and confirmed that there is no way to improve DNS replica time in the same site.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, July 9, 2020 10:35 AM

All replies

  • You can run this command from one of your DCs:

    dcdiag /test:dns /v /s:localhost

    If you are running Active Directory-Integrated zones (which you probably are), since these DCs are in the same VLAN and most likely in the same AD site, intra-site replication will happen pretty frequently, if not immediately.



    Seth

    A user just like you

    Wednesday, July 8, 2020 2:02 AM
  • Hi Federico,

    Thanks for your posting here.

    >>These two DC are in the same VLAN.

    How can I check it?
    Is it possible decrease DNS replication time?

    Could you please tell us whether the two DCs are in the same site or in different sites? If they are in the same site, DC replication speed is very fast and you don't need to improve it. If they are in different sites, you could refer to the following article to speed up DC replication:

    https://www.mowasay.com/2017/08/speed-up-active-directory-dns-replication-between-sites/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    >>How can I check if all, about DNS, work properly?

    You can run the dcdiag command using the option /test:DNS. Test options include a DNS basic test and tests for forwarders and root hints, delegation, DNS dynamic updates, DNS record registration, and Internet name testing.

    In addition, your question is more related to AD replica, which our forum doesn't focus on. If you have other questions about AD replica, I would suggest you post them in the AD forum for better answers. Here is the link:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents.

    Best Regards,

    Candy



    Wednesday, July 8, 2020 2:28 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy




    Thursday, July 9, 2020 5:18 AM
  • Hi all,
    thanks for your replies.

    I have new information about this topic.

    @Seth I ran the "dcdiag /test:dns /v /s:localhost" command on a Domain Controller.
    This is the output:

    Directory Server Diagnosis
    
    
    Performing initial setup:
    
       * Connecting to directory service on server localhost.
    
       * Identified AD Forest. 
       Collecting AD specific global data 
       * Collecting site info.
    
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=PE,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded 
       Iterating through the sites 
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local
       Getting ISTG and options for the site
       * Identifying all servers.
    
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=PE,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers 
       Getting information for the server CN=NTDS Settings,CN=PE-DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DC-002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PE,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
    
       * Found 2 DC(s). Testing 1 of them.
    
       Done gathering initial info.
    
    
    Doing initial required tests
    
       
       Testing server: Default-First-Site-Name\PE-DC-001
    
          Starting test: Connectivity
    
             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             .........................DC-001 passed test Connectivity
    
    
    
    Doing primary tests
    
       
       Testing server: Default-First-Site-Name\PE-DC-001
    
          Test omitted by user request: Advertising
    
          Test omitted by user request: CheckSecurityError
    
          Test omitted by user request: CutoffServers
    
          Test omitted by user request: FrsEvent
    
          Test omitted by user request: DFSREvent
    
          Test omitted by user request: SysVolCheck
    
          Test omitted by user request: KccEvent
    
          Test omitted by user request: KnowsOfRoleHolders
    
          Test omitted by user request: MachineAccount
    
          Test omitted by user request: NCSecDesc
    
          Test omitted by user request: NetLogons
    
          Test omitted by user request: ObjectsReplicated
    
          Test omitted by user request: OutboundSecureChannels
    
          Test omitted by user request: Replications
    
          Test omitted by user request: RidManager
    
          Test omitted by user request: Services
    
          Test omitted by user request: SystemLog
    
          Test omitted by user request: Topology
    
          Test omitted by user request: VerifyEnterpriseReferences
    
          Test omitted by user request: VerifyReferences
    
          Test omitted by user request: VerifyReplicas
    
       
          Starting test: DNS
    
             
    
             DNS Tests are running and not hung. Please wait a few minutes...
    
             See DNS test in enterprise tests section for results
             ......................... PE-DC-001 passed test DNS
    
       
       Running partition tests on : ForestDnsZones
    
          Test omitted by user request: CheckSDRefDom
    
          Test omitted by user request: CrossRefValidation
    
       
       Running partition tests on : DomainDnsZones
    
          Test omitted by user request: CheckSDRefDom
    
          Test omitted by user request: CrossRefValidation
    
       
       Running partition tests on : Schema
    
          Test omitted by user request: CheckSDRefDom
    
          Test omitted by user request: CrossRefValidation
    
       
       Running partition tests on : Configuration
    
          Test omitted by user request: CheckSDRefDom
    
          Test omitted by user request: CrossRefValidation
    
       
       Running partition tests on : PE
    
          Test omitted by user request: CheckSDRefDom
    
          Test omitted by user request: CrossRefValidation
    
       
       Running enterprise tests on : PE.local
    
          Starting test: DNS
    
             Test results for domain controllers:
    
                
                DC: PE-DC-001.PE.local
    
                Domain: PE.local
    
                
    
                      
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                      
                   TEST: Basic (Basc)
                      The OS
    
                      Microsoft Windows Server 2016 Datacenter (Service Pack level: 0.0)
    
                      is supported.
    
                      NETLOGON service is running
    
                      kdc service is running
    
                      DNSCACHE service is running
    
                      DNS service is running
    
                      DC is a DNS server
    
                      Network adapters information:
    
                      Adapter [00000001] Microsoft Hyper-V Network Adapter:
    
                         MAC address is 00:15:5D:A5:9A:01
                         IP Address is static 
                         IP address: 172.29.40.11
                         DNS servers:
    
                            127.0.0.1 (pe-dc-001.pe.local.) [Valid]
                            172.29.40.12 (pe-dc-002.pe.local.) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
                      
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         8.8.4.4 (<name unavailable>) [Valid] 
                         8.8.8.8 (<name unavailable>) [Valid] 
                      
                   TEST: Delegations (Del)
                      Delegation information for the zone: PE.local.
                         Delegated domain name: _msdcs.PE.local.
                            DNS server: pe-dc-001.pe.local. IP:172.29.40.11 [Valid]
                            DNS server: pe-dc-002.pe.local. IP:172.29.40.12 [Valid]
                      
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone PE.local
                      Test record dcdiag-test-record deleted successfully in zone PE.local
                      
                   TEST: Records registration (RReg)
                      Network Adapter [00000001] Microsoft Hyper-V Network Adapter:
    
                         Matching CNAME record found at DNS server 172.29.40.11:
                         d7d7aaf2-319a-49b3-85b3-0e82ede30113._msdcs.PE.local
    
                         Matching A record found at DNS server 172.29.40.11:
                         PE-DC-001.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.24075cd3-f20b-4e8e-a2fc-013a5d19fbf4.domains._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kerberos._tcp.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kerberos._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kerberos._udp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kpasswd._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _kerberos._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.gc._msdcs.PE.local
    
                         Matching A record found at DNS server 172.29.40.11:
                         gc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _gc._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.11:
                         _ldap._tcp.pdc._msdcs.PE.local
    
                         Matching CNAME record found at DNS server 172.29.40.12:
                         d7d7aaf2-319a-49b3-85b3-0e82ede30113._msdcs.PE.local
    
                         Matching A record found at DNS server 172.29.40.12:
                         PE-DC-001.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.24075cd3-f20b-4e8e-a2fc-013a5d19fbf4.domains._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kerberos._tcp.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kerberos._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kerberos._udp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kpasswd._tcp.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _kerberos._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.gc._msdcs.PE.local
    
                         Matching A record found at DNS server 172.29.40.12:
                         gc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _gc._tcp.Default-First-Site-Name._sites.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.PE.local
    
                         Matching  SRV record found at DNS server 172.29.40.12:
                         _ldap._tcp.pdc._msdcs.PE.local
    
             
             Summary of test results for DNS servers used by the above domain
    
             controllers:
    
             
    
                DNS server: 172.29.40.11 (pe-dc-001.pe.local.)
    
                   All tests passed on this DNS server
    
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered 
                   DNS delegation for the domain  _msdcs.PE.local. is operational on IP 172.29.40.11
    
                   
                DNS server: 172.29.40.12 (pe-dc-002.pe.local.)
    
                   All tests passed on this DNS server
    
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered 
                   DNS delegation for the domain  _msdcs.PE.local. is operational on IP 172.29.40.12
    
                   
                DNS server: 8.8.4.4 (<name unavailable>)
    
                   All tests passed on this DNS server
    
                   
                DNS server: 8.8.8.8 (<name unavailable>)
    
                   All tests passed on this DNS server
    
                   
             Summary of DNS test results:
    
             
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: PE.local
    
                   PE-DC-001                    PASS PASS PASS PASS PASS PASS n/a  
             
             ......................... PE.local passed test DNS
    
          Test omitted by user request: LocatorCheck
    
          Test omitted by user request: Intersite

    @Candy
    I had a look in "Active Directory Sites and Services".
    I have seen that two domain controller servers are in the "Default-First-Site-Name".

    >>In addition, since your question is more related with AD replica which our forum doesn't focus on. If you have other questions about AD replica, I would suggest you post it in the AD forum for better answers.

    Thanks for this suggestion. I asked in this forum because it is about DNS.


    Best regards
    Federico

    Thursday, July 9, 2020 8:16 AM
  • Hi Federico,

    Thanks for your update.

    >>I had a look in "Active Directory Sites and Services".
    I have seen that two domain controller servers are in the "Default-First-Site-Name".

    From the picture you posted, I did not see anything wrong. And since the two DCs are in the same site, you don't need to decrease AD replica time.

    What exactly is the problem now?

    Best Regards,

    Candy




    Thursday, July 9, 2020 8:34 AM
  • Hi Candy,

    Thank you for your answer.
    An external SSO authentication system asked me to verify DNS replication, since this system, within the network, uses DNS and reverse DNS to identify the computer on the network.

    I asked you if there are any possible improvements to increase the performance of this SSO system.
    This SSO for computer authentication uses Active Directory because laptops are joined to the domain.

    I hope this is clear.
    Thank you!

    Federico
    Thursday, July 9, 2020 9:35 AM
    Hi,

    From the perspective of DNS replication, there is no problem in your environment, and generally the replication speed of the same site will normally not exceed 18 seconds. You don't need to improve DNS replica when the two DCs are in the same site.

    For the SSO system, please understand, I am not familiar with it. You had better consult an SSO engineer for further help. In your current environment, there is no need to perform improvements on DNS replica when the two DCs are in the same site.

    Hope this can help you understand better. If you have anything unclear, please feel free to let me know.

    Best Regards,

    Candy




    Thursday, July 9, 2020 10:04 AM
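
An added example, not part of the thread: since the SSO system depends on forward and reverse DNS, this PowerShell sketch asks each DC's DNS service directly for the A and PTR records of a list of hosts and reports whether the two servers agree and whether the reverse record points back to the name. The server addresses and DC names are the ones shown in the dcdiag output above; the host list is a constructed sample to replace with real clients, and it assumes the DnsClient module's Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example. Server IPs are taken from the dcdiag output in this thread;
# $HostNames is a constructed sample list, replace it with the SSO clients to test.
$DnsServers = '172.29.40.11', '172.29.40.12'
$HostNames  = 'PE-DC-001.PE.local', 'PE-DC-002.PE.local'

function Get-DnsView {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server
    )

    # Forward lookup sent straight to this server (no hosts file, no LLMNR/NetBIOS).
    $ips = @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile `
                 -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             ForEach-Object { $_.IPAddress } |
             Sort-Object)

    # Reverse lookup of every address the forward lookup returned, on the same server.
    $ptrs = @($ips |
              ForEach-Object {
                  Resolve-DnsName -Name $_ -Type PTR -Server $Server -DnsOnly `
                      -ErrorAction SilentlyContinue
              } |
              Where-Object { $_.Type -eq 'PTR' } |
              ForEach-Object { $_.NameHost.TrimEnd('.') } |
              Sort-Object)

    [pscustomobject]@{
        Host      = $Name
        Server    = $Server
        A         = $ips -join ','
        PTR       = $ptrs -join ','
        # True when at least one PTR points back to the queried name (case-insensitive).
        RoundTrip = $ptrs -contains $Name
    }
}

# One row per (host, server) pair.
$views = foreach ($h in $HostNames) {
    foreach ($s in $DnsServers) { Get-DnsView -Name $h -Server $s }
}

# Per host: do all servers return the same A/PTR sets, and does reverse match forward?
$views | Group-Object Host | ForEach-Object {
    $answers = @($_.Group | ForEach-Object { "$($_.A)|$($_.PTR)" } | Sort-Object -Unique)
    [pscustomobject]@{
        Host         = $_.Name
        ServersAgree = ($answers.Count -eq 1)
        RoundTripAll = -not ($_.Group.RoundTrip -contains $false)
        Detail       = ($_.Group | ForEach-Object {
                            "$($_.Server): A=[$($_.A)] PTR=[$($_.PTR)]"
                        }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

A row with ServersAgree = False means the two DCs currently give different answers for that host; RoundTripAll = False means a PTR record is missing or points to a different name on at least one server.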