Global DNS setup and Replication

    Question

  • Hi team

    We have three Active Directory sites (India, USA, Australia). All these sites are connected through VPN (USA, the master, is connected with both sites, but India and Australia are not connected directly). For global DNS resolution of our global websites and web applications we have one public DNS in USA and another one in Australia. If there is any downtime in USA, all services are affected (global websites/services).

    To avoid this unwanted situation, I’m planning to place two more global/public DNS servers (one DNS server in each site). These DNS servers are not part of Active Directory. There is no replication between these two DNS servers.

    Hosted zones in USA site: example.com. Important host records: ns1.au.example.com and ns2.au.example.com. These records will be used as name servers in the Australia global DNS.

    Hosted zone in Australia site: example.com.au (name servers: ns1.au.example.com and ns2.au.example.com).

    Hosted zone in India site: N/A. We need to set up DNS. There is a subdomain for India site services (india.example.com) and these records are in the USA site.

    I want help on the points below.

    1. Can we configure replication on those machines which are not members of the domain? They are connected using LAN and can also be connected using WAN links. If yes, how do we configure DNS replication on standalone servers?

    2. How do we configure DNS so that users access our services through their local site servers rather than going to the other DNS servers?

    3. Is there any command to check replication between all DNS servers?


    Regards Suman B. Singh
    Friday, January 07, 2011 9:10 AM

All replies

  • DNS zone "replication" (in the sense of the word), with zones stored in AD, is actually AD based, not DNS based. To check replication, you would check the AD event logs. To force replication, you would use AD Sites & Services, server, NTDS, right-click Connections, Replicate Now.

    Assuming that these zones you are speaking of are not part of the company AD infrastructure nor do they host the AD zone, your options are:

    1. If replication for zones is an absolute requirement, you could create an AD domain of their own just for this purpose, one that is not part of the corporate infrastructure.
    2. You can create one Primary zone, and make all the others Secondaries, specifying the Primary as the Master. This is not replication; rather, it is zone transfers.
    3. You could use a registrar's DNS. Most of them have a 99.9999% uptime.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, January 07, 2011 12:54 PM
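Option 2 above (one standard primary, the rest secondaries fed by zone transfers) is plain DNS and needs no domain membership at all, which answers the original question 1. The following is an added example, not from the thread, showing how it would be set up on Windows DNS servers with dnscmd.exe. Two settings matter from a security standpoint: zone transfers and NOTIFY are restricted to the secondaries' addresses (an unrestricted zone lets anyone on the Internet download every record), and recursion is switched off so the public authoritative servers cannot be used as open resolvers. Only example.com and ns1.au.example.com come from the thread; ns1.example.com and ns1.in.example.com are assumed names, and all IP addresses are constructed from documentation ranges.

```powershell
# Added example (not from the thread): standard primary/secondary zones for example.com
# on stand-alone Windows DNS servers using dnscmd.exe.
# IPs are constructed (RFC 5737 documentation ranges); ns1.example.com and
# ns1.in.example.com are assumed host names.

$Zone  = 'example.com'
$UsaIP = '203.0.113.10'      # ns1.example.com, the primary (assumed)
$AuIP  = '198.51.100.10'     # ns1.au.example.com, secondary
$InIP  = '192.0.2.10'        # ns1.in.example.com, secondary (assumed)
$SecondaryIP = @($AuIP, $InIP)

# ---- Run on the USA server: file-backed (non-AD) primary zone ----
dnscmd /ZoneAdd $Zone /Primary /file "$Zone.dns"

# SOA fields: primary server, admin mailbox, serial, refresh, retry, expire, minimum TTL
# (seconds). Expire, here 14 days, is how long a secondary keeps answering for the zone
# if it cannot reach the primary at all.
dnscmd /RecordAdd $Zone '@' SOA ns1.example.com. hostmaster.example.com. 2011010701 3600 600 1209600 3600

# NS set: every public server that should answer authoritatively for the zone
dnscmd /RecordAdd $Zone '@' NS ns1.example.com.
dnscmd /RecordAdd $Zone '@' NS ns1.au.example.com.
dnscmd /RecordAdd $Zone '@' NS ns1.in.example.com.
dnscmd /RecordAdd $Zone ns1    A $UsaIP
dnscmd /RecordAdd $Zone ns1.au A $AuIP
dnscmd /RecordAdd $Zone ns1.in A $InIP
dnscmd /RecordAdd $Zone www    A 203.0.113.20     # example web host (constructed)

# Allow AXFR/IXFR only to the listed secondaries and send NOTIFY only to them.
# With /NonSecure (or the GUI "to any server") anyone can pull the whole zone.
dnscmd /ZoneResetSecondaries $Zone /SecureList $SecondaryIP /NotifyList $SecondaryIP

# A public authoritative server should not recurse for arbitrary Internet clients
dnscmd /Config /NoRecursion 1

# ---- Run on each secondary (Australia and India): pull the zone from the USA primary ----
dnscmd /ZoneAdd $Zone /Secondary $UsaIP /file "$Zone.dns"
dnscmd /Config /NoRecursion 1
```

The registrar's delegation for example.com then lists all three name servers, so a resolver that cannot reach the USA server simply tries the others. Record changes are only ever made on the primary; the secondaries are read-only copies and any edit made directly on them is overwritten at the next transfer.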
  • Hi Ace,

    I really appreciate your immediate response. According to your suggestions I understand the points mentioned below.

    We can create DNS (without AD integration), configure zone transfers between servers (on all nodes) and then publish them on the Internet.

    Please let me know if this is correct.


    Regards Suman B. Singh
    Friday, January 07, 2011 1:14 PM
  • That is correct. Zone transfers will work fine. Depending on the number of Secondaries, there may be a lag between them transferring any updates from the Master.

    Ace


    Ace Fekay

    Friday, January 07, 2011 1:35 PM
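The lag mentioned above is bounded by the SOA refresh and retry timers, and the way to see where each server stands (the original question 3) is to compare the SOA serial number each name server reports for the zone: a secondary whose serial is lower than the primary's has not yet transferred the latest change. This is an added example, not from the thread, and works the same whether or not the servers are domain members. It uses Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and dnscmd.exe; the IP addresses are constructed and the USA server is assumed to be the primary. For AD-integrated zones, where the copies are carried by AD replication rather than zone transfers, the equivalent check is repadmin /replsummary on a domain controller.

```powershell
# Added example (not from the thread): compare SOA serials across all name servers for a
# zone and, optionally, force lagging secondaries to poll their master now.
# IPs are constructed; the USA server is assumed to be the primary.

function Get-ZoneSerial {
    param([string]$Zone, [string]$Server)
    try {
        # -DnsOnly bypasses the local cache; -QuickTimeout keeps a dead server from stalling the loop
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -QuickTimeout -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
        return [pscustomobject]@{ Server = $Server; Serial = $soa.SerialNumber; Primary = $soa.PrimaryServer; Reachable = $true }
    } catch {
        return [pscustomobject]@{ Server = $Server; Serial = $null; Primary = $null; Reachable = $false }
    }
}

function Test-ZoneTransfer {
    param([string]$Zone, [string]$PrimaryIP, [string[]]$SecondaryIP, [switch]$Refresh)

    $master = Get-ZoneSerial -Zone $Zone -Server $PrimaryIP
    if (-not $master.Reachable) { throw "Primary $PrimaryIP did not answer for $Zone" }
    Write-Output "primary $PrimaryIP serial $($master.Serial)"

    foreach ($ip in $SecondaryIP) {
        $s = Get-ZoneSerial -Zone $Zone -Server $ip
        if (-not $s.Reachable) {
            Write-Warning "$ip did not answer for $Zone (down, or the zone failed to load)"
        } elseif ($s.Serial -lt $master.Serial) {
            Write-Warning "$ip is behind: serial $($s.Serial) vs primary $($master.Serial)"
            if ($Refresh) {
                # Ask the secondary to contact its master now instead of waiting for the SOA refresh timer
                dnscmd $ip /ZoneRefresh $Zone
            }
        } elseif ($s.Serial -gt $master.Serial) {
            # A secondary should never be ahead of its master; this usually means a stray
            # primary copy of the zone was created somewhere, which is the duplicate-zone problem.
            Write-Warning "$ip reports serial $($s.Serial), newer than the primary; check for a duplicate primary zone"
        } else {
            Write-Output "$ip is in sync (serial $($s.Serial))"
        }
    }
}

Test-ZoneTransfer -Zone 'example.com' -PrimaryIP '203.0.113.10' -SecondaryIP '198.51.100.10', '192.0.2.10' -Refresh
```

Run from an administrator session that has rights on the secondaries if -Refresh is used, since dnscmd against a remote server needs them. Remember to increment the serial on the primary (Windows DNS does this automatically when records are edited through the console or dnscmd) or the secondaries will report themselves in sync while still holding stale data.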
  • Hi Ace,

    Thank you very much for your reply. I hope we can configure other DNS zones too. Those DNS servers will be part of our AD domain (abc.net) but not AD-integrated DNS servers. In these DNS servers we will not configure our local zone (abc.net), example.com, but we will create multiple zones with myspace.com, newdns.com and mysite.com. I hope it can be achieved, and as these are all domain members, replication will occur.

    Thanks for the support.


    Regards Suman B. Singh
    Friday, January 07, 2011 1:43 PM
  • If they will be configured on your DCs, then you can set the zones to become AD integrated. Just choose one DC, create the zone, and make it AD integrated. If you want the zone to exist on all DCs in the domain, set it to the middle button. If you want it to exist on all DCs in all domains in the forest, set it to the top button. The zone will *automatically* be replicated to all DCs in the replication scope. Just do it once. If you do it more than once, you will introduce a duplicate zone issue that will be harder to clean up.

    Remember, any zones on your AD DNS are not meant for public use, rather just internal use. If you need it for public use, I would suggest using an external, separate DNS or use your registrar's nameserver services.

    Ace


    Ace Fekay

    Saturday, January 08, 2011 1:29 AM
  • Hi Ace

    Certainly EXTERNAL DNS will be best for public use, but again my question is the same: how to configure zone transfer between those machines which are not part of the domain (standalone servers)? Please correct me, and let me know how it is possible so that we can transfer DNS zones. If we create one record in the primary zone, it must be replicated to all DNS servers.

    Any idea on it?


    Regards Suman B. Singh
    Saturday, January 08, 2011 12:59 PM
  • I thought I gave you some ideas?

    Re-reading your original post, and just to make sure I fully understand your goals, and correct me if I am wrong:

    • The zones you mentioned have nothing to do with Active Directory (no SRV records, LDAP records, GcIpAddress, LdapIpAddress records, etc).
    • The zones only hold A records, and possibly CNAMEs for the websites.
    • The zones are only for website access.
    • The websites with webapps running are internal and can be accessed by people internally, as well as externally and have been port-translated to allow access from the outside world.
    • Each location has their own websites/web apps that are only accessed by the respective users that exist in their own locations and not from other locations, e.g., USA users would only access their own website, and not India's or Australia's.

    If this is correct, my recommendation to create a Primary Zone on an internal DNS server and make Secondaries on the external nameservers (using zone transfers), would *seem* to be the best bet.

    The other recommendation is to use your Registrar's nameservers for these zones. The reason I mentioned this is if the USA site goes down, then the implications reach far beyond just website access, for it will affect AD & Exchange (if you have Exchange) functionality corporate-wide.

    So if USA's VPN goes down, which as said will affect AD and other directory services functionality, and if the Primary Zone is being held at USA, and your main goal is to ensure that users in their respective locations can still access the website, then the Registrar's is your better bet. You would just go into your registrar's admin page, and administer the zone, and it will be replicated across all their DNS servers.

    I was going to also mention that if you make the zones AD integrated and set them to forest-wide replication, all DNS servers running on DCs in all domains would have a copy of the zone automatically. Then you can designate one of the DCs in each location as a "Master" and set the public-facing Secondary DNS servers in their own respective location to use that specific DNS server as the Master for zone transfers.

    But keep in mind, if the USA link goes down, whether because the USA routers/VPNs or ISP is down, or Australia's or India's ISP goes down, it will affect AD and if the webapp is reliant on AD credentials, that may be affected anyway. At least with all of your zone's scope set to being Forest-wide, the zones will still exist on all DCs everywhere.

    I hope that makes sense, assuming I understood your requirements correctly.

    Ace


    Ace Fekay

    Saturday, January 08, 2011 4:20 PM
  • Hi Ace

    Replies...

    • The zones you mentioned have nothing to do with Active Directory (no SRV records, LDAP records, GcIpAddress, LdapIpAddress records, etc).

    Reply: Yes, the zones don't have anything to do with AD. I have uploaded the proposed diagram of the network which I will design. Here ABC.com is our AD domain, which doesn't have anything to do with the global services which will be published to the external world (Internet) using network translation.

    http://cid-54649019a952ab71.office.live.com/self.aspx/GLobalDnsSetupPlan/GlobalDnsProject.jpg

    • The zones only hold A records, and possibly CNAMEs for the websites.

    Reply: Yes, those zones will only hold A records as well as CNAME records; in case of requirement we need to register a DNS name and a zone will be created in these public DNS servers. We will change the name servers so that the registered domain will be resolved by our own DNS. We have some such services. Maybe we need to create MX records too, only in case of hosted Exchange/email services.

    • The zones are only for website access.

    Reply: Yes, for website and web-based API resolution. We have one hosted Exchange network; that's why we need our own public DNS.

    • The websites with webapps running are internal and can be accessed by people internally, as well as externally and have been port-translated to allow access from the outside world.

    Reply: Yes, these services are hosted on our IIS/FTP or other application servers and are part of our AD. These services are supposed to be accessed by the external world. Those persons who want to access our services must use our websites/web services.

    • Each location has their own websites/web apps that are only accessed by the respective users that exist in their own locations and not from other locations, eg, USA users would only access their own website, and not India's or Australia.

    Reply: Yes, correct. Basically the content is the same but the DNS name is different, or some content may differ according to region. Ideally a user from a particular region has to use the web service which is available in that region. If a user is from India he will use india.example.com. Our users/staff don't access it because it's for our business users.

    I have attached a proposed document for the public DNS setup. Here zone transfer/fault tolerance is the main concern. If it were a manual process (logging in to all public DNS servers and creating records manually), then placing DNS servers in each location was the best option for me. I simply want a process where I can create a DNS record in public DNS and it must be replicated/transferred to the other DNS servers automatically. If one name server goes down, the other two must resolve the host records.

    In this diagram I have placed one server in each location which will be a member of the domain but will host our public DNS records/zone. This server will not have any information about the internal domain (abc.com). Once servers are placed in all locations, USA will hold the primary zone and Australia and India will hold secondary zones. The three DNS servers will be the three name servers. In the USA public DNS server, we will configure all zones which are diverted to different DNS servers, so that it holds all primary zones and the secondaries get updated. Finally we will create network port translation and update it in the domain registrar page/console.

    Do you find any security-related issue, or fear of messing up the network :) ? Please help me.

    Correct me if I'm wrong.


    Regards Suman B. Singh
    Sunday, January 09, 2011 6:36 AM
  • Hello Suman,

    It sounds like a good design that will work. Keep in mind, the one thing that still stands out from your original post:

    "If there is any down time in USA all services are affected (global websites/services)."

    I just want to point out that with any design you propose with an internal Primary, say at USA, if it goes down the Secondaries will still be affected, besides directory services, Exchange, and other internal services. That was why I was leaning toward using a completely external, redundant nameserver service. But that won't help the web app if USA or any of the other sites go down.

    Ace


    Ace Fekay

    Sunday, January 09, 2011 5:46 PM