Configuring Split Brain DNS

    Question

  • I inherited a domain that has three DCs with public DNS on a flat public IP network. The domain is example.com.

    example.com contains the AD DNS records and public IP records for a large number of websites and servers.

    We are moving our services to a NAT'd network and have two new DCs in private address space. As we migrate our services to the NAT'd networks, example.com DNS records are advertising our internal DNS servers for the example.com domain.

    I am looking for some design advice and steps to implement either split brain DNS or creating a new example.loc domain for our infrastructure.

    Is there a way to prevent our 3 public DNS servers from advertising the private network nameservers, as AD auto-updates the zone?

    Friday, September 03, 2010 2:24 PM

Answers

  • If the zones are AD integrated, you will not see anything in the DNS folder because the zone is not stored as a standard primary.  The information is stored in AD.

    If the zones are stored on a set of AD servers and you want to migrate them to a different set of AD servers, you can set up secondary zones on one of the target AD/DNS servers.  Once the zone is there, you can convert it to AD integrated and it will then replicate to the other two AD/DNS servers.

    Since you have 2500, you should create the secondaries via a script.  Before a secondary can pull from a Primary or AD Integrated, the Primary/AD Integrated zone has to be configured to allow for zone transfers.  Another thing you have to consider since you have 2500 zones.


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 10, 2010 12:18 AM
  • uh - no

    they have always been ad integrated - the dns folder is empty

    if i change one of the existing servers to not be AD integrated will it populate the dns folder?

    dnscmd gets pretty ugly on the export - takes along time to script for 2500 zones...

    You might want to try Dean Wells' DnsDump. You can back up all the zones in one shot, then restore them elsewhere. Export a copy first, then test the import on another server, whether AD integrated or Standard Primary.

    DNSdump Version 2.0 - Dean Wells, MSEtechnology.
    http://www.reskit.net/DNS/dnsdump.cm_

     


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, September 10, 2010 5:03 AM

All replies

  • If your internal AD and external web presence share the same domain name, you most definitely should set up split-DNS.  It is as easy as duplicating the DNS zones and records on both infrastructures.  For example, your external zone will contain the external records, and your internal zone will contain the internal & external records.  The internal requires both because your internal users may need to access external resources.  Since your internal DNS servers will host the zone, they are authoritative.  If they do not have the answer to a query for that domain, they will not "forward" or look elsewhere for an answer.

    However, keep in mind that having the same name external and internally adds additional challenges.  For one, the DCs will register a blank record in DNS with their IPs in the primary zone.  So in the example you provided, for example.com, if you have 5 DCs, you will see 5 DNS "parent records" registered by each DC.  That becomes a problem for internal users that open a web browser and type http://example.com, because they will get all of the DNS records pointing to the DCs.  Obviously, the user wanted to access the website instead.

    Read over this summary:

    Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name
    http://www.anitkb.com/2010/03/active-directory-domain-name.html

    Of course, having your internal DNS namespace as example.loc is also an option.  However, there are some negatives with that naming scheme as well.

     


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 03, 2010 3:04 PM
  • Hello,

     

    I have to agree with JM that split brain will resolve but it has some quirks. I have always used .local for my private spaces and public TLD's separately. I guess if you can do a .local without a lot of work it would be better but if doing so means a lot of back end work then a split brain is the way to go.


    Miguel Fra / Falcon ITS
    Computer & Network Support, Miami, FL
    Visit our Knowledgebase Sharepoint Site

    Friday, September 03, 2010 3:11 PM
  • I have never seen a Split-DNS have quirks, unless they just were not implemented correctly in the first place.  Too often people over complicate them excessively.  A correctly configured Split-DNS is not that complicated at all.
     
    Having a  "NATed" network really does not mean anything or change anything.  DNS could not care less one way or the other,...DNS does not even really care about IP# when you get down to it (except for Reverse Lookup zones that many don't use anyway).  DNS only cares about Zones and Records.   Have the right Zones to match the Domain Names and have the right Records in the right Zones and everything works fine.
     
    However one thing I never do,...I never have more than one record pointing to the same IP#.  There is only one "A" Record pointing to a particular IP, ever.  If any other "host name" has to use the same IP then it is always a CNAME pointing to the "A" record that already exists,...and the "A" Record is always the real true machine name of the machine involved when dealing with the LAN side of things.  I can't put my finger on it exactly, but I have always been suspicious that it is something along those lines that creates the "quirks" that some people have that I never seem to have.
     
    I always used to preach that the AD Domain should always be spelled differently than the Public Domain,...after years of that I have done a 180 and now I always preach that they should always be spelled the same and then use Split-DNS to cover it

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "Falcon ITS" wrote in message news:185632cb-d0a9-4c91-b73d-12eee522b65e...

    Hello,

     

    I have to agree with JM that split brain will resolve but it has some quirks. I have always used .local for my private spaces and public TLD's separately. I guess if you can do a .local without a lot of work it would be better but if doing so means a lot of back end work then a split brain is the way to go.


    Miguel Fra / Falcon ITS
    Computer & Network Support, Miami, FL
    Visit our Knowledgebase Sharepoint Site

    Friday, September 03, 2010 3:45 PM
  • I have two questions:

    all dns zones are active directory integrated - how do i prevent the external zone example.com from replicating the internal example.com zone?

     

    The two internal DC's are also LDAP servers - LdapIPAdress needs to have the A records to provide ldap service s - is there a workaround possible?


    Friday, September 03, 2010 4:13 PM
  • 1. AD Integrated?   Not a requirement,...but usually, yes.  If you have two DCs (most do) then you don't want to manually keep them in sync. If they are AD Integrated then you make a change on one DC and shortly later it replicates to the other.
     
    2. Internal example.com Zone -vs- external example.com Zone.  Impossible, the situation cannot even exist.  The Domain name is the Zone name, therefore it is impossible to have two Zones with the same name.  If both your internal AD Domain and the external Public Domain name have the same spelling then you only have One Zone in the DNS.  You will have one Zone with records from both the internal and external "worlds" together in the Zone.  If External records are associated with a machine that physically exists within the LAN in Active Directory then you just use a CNAME pointing to the A Records of the "real" machine.  But if the records point to a machine physically out in Internet-Land such as a Web site hosted by a Hosting Company then you use an "A" Record with the Public IP# of the Site.
     
    3. If you have to create LdapIPAddress Records,...then just do it,...there is nothing to workaround that I see.
     
     
    Split-DNS really is way more simpler than people who don't use it often believe.  A lot of articles you might find on Split-DNS out in Internet Land may be overly complex and don't explain it clearly and end up adding to the confusion.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "networkengineer49" wrote in message news:827d9009-87cb-4aeb-a2a6-b047e3588ce7...

    I have two questions:

    all dns zones are active directory integrated - how do i prevent the external zone example.com from replicating the internal example.com zone?

     

    The two internal DC's are also LDAP servers - LdapIPAdress needs to have the A records to provide ldap service s - is there a workaround possible?


    Friday, September 03, 2010 4:38 PM
  • Just a few other notes here from my perspective.  

    In regards to having an external and internal DNS infrastructure, these two zones SHOULD NOT replicate to each other.  You are not going to create a primary/secondary relationship between the internal and external DNS servers.  Your internal zone will most likely be an AD Integrated zone hosting the records for your internal hosts, including AD SRV records.  Your external zone will be a primary zone and contain only the external records.  The only other step is to add the external records to your internal zone, only if needed.  Just as you should have more than one DNS server on the internal network for redundancy, the same goes for the external set as well.  One external server will host the primary zone, the other will host a secondary zone.  The external servers do not, and probably should not, be members of the domain.

    Your other question, regarding the work-around of the LdapIPAddress.  It is NOT required for every AD infrastructure.  You can prevent the DCs from registering this record by modifying the registry.  I have done this personally on a few implementations, some small, some Enterprise (50k+ objects).  I have outlined the steps in the summary I posted above.  However, before you decide to go this route, make sure that it fits your design.  Otherwise, don't do it.

    I am one of the few that support the same internal/external name for the domain.  I think the end user gains the most advantage because it's one domain name regardless of the resource (int vs ext) and it is transparent.  Just as secure if it's done correctly.  However, many may not agree with that design.

     

     

     


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 03, 2010 5:38 PM
  • I am one that agrees with that,...and agrees strongly  :-)
    I consider this to be the "new thinking",...and the separate names to be the "old thinking",...and many probably won't agree with that either :-)

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "[JM]" wrote in message news:2a03b0b8-54bd-4e0c-878a-419f85a155c9...

    advantage because its one domain name regardless of the resource (int vs ext) and it is transparent.  Just as secure if its done correctly.  However, many may not agree with that design.    


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 03, 2010 5:51 PM
  • 1. AD Integrated?   Not a requirement,...but usually, yes.  If you have two DCs (most do) then you don't want to manually keep them in sync. If they are AD Integrated then you make a change on one DC and shortly later it replicates to the other.
     
    2. Internal example.com Zone -vs- external example.com Zone.  Impossible, the situation cannot even exist.  The Domain name is the Zone name, therefore it is impossible to have two Zones with the same name.  If both your internal AD Domain and the external Public Domain name have the same spelling then you only have One Zone in the DNS.  You will have one Zone with records from both the internal and external "worlds" together in the Zone.  If External records are associated with a machine that physically exists within the LAN in Active Directory then you just use a CNAME pointing to the A Records of the "real" machine.  But if the records point to a machine physically out in Internet-Land such as a Web site hosted by a Hosting Company then you use an "A" Record with the Public IP# of the Site.
     
    3. If you have to create LdapIPAddress Records,...then just do it,...there is nothing to workaround that I see.
     
     
    Split-DNS really is way more simpler than people who don't use it often believe.  A lot of articles you might find on Split-DNS out in Internet Land may be overly complex and don't explain it clearly and end up adding to the confusion.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    ----------------------------------------------------

    Split DNS is way more simpler?  i agree with your last statement. 

    I'm here to find out how to set it up.

     

    would this scenario fix my issue:  remove public dns servers from example.com AD - create a new AD for public dns servers so they replicate. manage external dns in new domain?

    Friday, September 03, 2010 6:50 PM
  • would this scenario fix my issue:  remove public dns servers from example.com AD - create a new AD for public dns servers so they replicate. manage external dns in new domain?

    Removing the public DNS servers from your AD domain does not fix any issues.  The issue you are encountering is not related to the DNS server's domain membership.  Creating a new AD on the outside simply increases your footprint for vulnerabilities.  I do not recommend setting up AD for the purpose of managing two DNS servers.

    Setting up these two servers as stand-alone systems, hardened (you can even run Server Core if you are up to it), and secured, is not a big deal to manage.  One server will have the primary zone, the other will be set up with the secondary zone.

    Just my opinion though...

     


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 03, 2010 7:30 PM
  • No.  Leave it alone.
     
    "networkengineer49" wrote in message news:0ba8f8e8-5b98-4d4e-9110-ab8b2bc73e62...
    would this scenario fix my issue:  remove public dns servers from example.com AD - create a new AD for public dns servers so they replicate. manage external dns in new domain?
    Friday, September 03, 2010 8:43 PM
  • This is getting too convoluted for me to follow so I looked back at your first and original post.
     
    You need to make sure that what you think is happening is really happening.  Case in point,...most people do not host their own Public Names on their own DNS,...either the ISP does that or the Registrar handles it. But then are you guys being the DNS Hoster for other people?  You need to be really clear about what is really going on over there at your place.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Friday, September 03, 2010 9:07 PM
  • 1. AD Integrated?   Not a requirement,...but usually, yes.  If you have two DCs (most do) then you don't want to manually keep them in sync. If they are AD Integrated then you make a change on one DC and shortly later it replicates to the other.
     
    2. Internal example.com Zone -vs- external example.com Zone.  Impossible, the situation cannot even exist.  The Domain name is the Zone name, therefore it is impossible to have two Zones with the same name.  If both your internal AD Domain and the external Public Domain name have the same spelling then you only have One Zone in the DNS.  You will have one Zone with records from both the internal and external "worlds" together in the Zone.  If External records are associated with a machine that physically exists within the LAN in Active Directory then you just use a CNAME pointing to the A Records of the "real" machine.  But if the records point to a machine physically out in Internet-Land such as a Web site hosted by a Hosting Company then you use an "A" Record with the Public IP# of the Site.
     
    3. If you have to create LdapIPAddress Records,...then just do it,...there is nothing to workaround that I see.
     
     
    Split-DNS really is way more simpler than people who don't use it often believe.  A lot of articles you might find on Split-DNS out in Internet Land may be overly complex and don't explain it clearly and end up adding to the confusion.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    ----------------------------------------------------

    Split DNS is way more simpler?  i agree with your last statement. 

    I'm here to find out how to set it up.

     

    would this scenario fix my issue:  remove public dns servers from example.com AD - create a new AD for public dns servers so they replicate. manage external dns in new domain?


    I must agree with JM and Phillip. Split DNS is pretty easy to set up. Simply put, if you must host your example.com public record (assuming that is what this is all about), then:

    • Simply set up two stand-alone servers (not joined to the domain) in a DMZ whose sole purpose is to run DNS. If you don't have a DMZ, no problem. Set them up internally. Make sure you have at least two public IPs to port-remap TCP 53 and UDP 53 to both of these servers.
    • On one of them, create the example.com zone and make it a Primary Zone.
    • Create the public records with their corresponding public IP addresses.
    • Set Zone transfers to allow only to the other server's IP address.
    • On the other server, install DNS, then create a Secondary zone for example.com and specify the master as the other server's IP.
    • Note: You will not have the option of AD integrated zones, since they are non-DC, and no need to promote them for this purpose.
    • On each, configure forwarding to your ISP's DNS server.
    • Configure your internal DNS servers to Forward to these two servers.
    • Make sure that EDNS0 is enabled in your firewall.
    • For the internal AD example.com zone, create the necessary www, etc. records to point to the external public IP of the web server. If the web server is internal, configure the records to point to the internal IP. As JM said, you can't mess with the LdapIpAddress (the blank entry). You can circumvent that by installing IIS on all DCs and set IIS to redirect to www.example.com. However, I don't support the idea of IIS on a DC, but that's up to you if users complain that http://example.com doesn't work.

    I also agree with JM about hardening these two boxes, using Server Core, or using the SCM or go through and disable unnecessary services.

    I think hosting your public zone is easier to allow your registrar to host them.

    If I forgot something I'll post back, or if I misunderstood your intentions, let me know.

     


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, September 03, 2010 11:45 PM
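The external-primary / external-secondary / internal-view layout described in Ace's list, scripted with dnscmd.exe. This is an added example, not code from the thread or from any of its posters; the hostnames and addresses (extdns1, extdns2, dc01, 203.0.113.x, 10.0.0.80, the ISP resolvers) are constructed placeholders, and the script assumes dnscmd.exe is installed on the admin workstation with rights on all three DNS servers.

```powershell
# Added example (not from the thread): split-DNS for example.com with dnscmd.exe.
# All hostnames and IP addresses below are constructed placeholders.
$Zone          = 'example.com'
$ExtPrimary    = 'extdns1';  $ExtPrimaryIP   = '203.0.113.1'   # stand-alone, DMZ
$ExtSecondary  = 'extdns2';  $ExtSecondaryIP = '203.0.113.2'   # stand-alone, DMZ
$IntDC         = 'dc01'                                        # internal DC, AD-integrated zone
$IspDns        = @('198.51.100.53', '198.51.100.54')           # ISP resolvers
$PublicWebIP   = '203.0.113.80'                                # NAT address of www
$InternalWebIP = '10.0.0.80'                                   # LAN address of the same server

# Run one dnscmd command against a server and stop at the first failure.
function Invoke-Dnscmd {
    param([string]$Server, [string[]]$Arguments)
    $out = & dnscmd $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Server $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. External primary: a file-backed (non-AD) zone holding public records only.
Invoke-Dnscmd $ExtPrimary @('/ZoneAdd', $Zone, '/Primary', '/file', "$Zone.dns")
Invoke-Dnscmd $ExtPrimary @('/RecordAdd', $Zone, 'www',  'A',  $PublicWebIP)
Invoke-Dnscmd $ExtPrimary @('/RecordAdd', $Zone, 'mail', 'A',  '203.0.113.25')
Invoke-Dnscmd $ExtPrimary @('/RecordAdd', $Zone, '@',    'MX', '10', "mail.$Zone.")

# 2. Zone transfers only to the one secondary, which is also notified on change.
#    Anything else asking for AXFR/IXFR is refused.
Invoke-Dnscmd $ExtPrimary @('/ZoneResetSecondaries', $Zone,
                            '/SecureList', $ExtSecondaryIP, '/NotifyList', $ExtSecondaryIP)

# 3. External secondary pulls the zone from the primary.
Invoke-Dnscmd $ExtSecondary @('/ZoneAdd', $Zone, '/Secondary', $ExtPrimaryIP, '/file', "$Zone.dns")

# 4. Per the list above, each external server forwards to the ISP. If instead the
#    public servers are to be authoritative-only (as the original poster's are),
#    use '/Config /NoRecursion 1' here and do not point the internal servers at them.
foreach ($s in $ExtPrimary, $ExtSecondary) {
    Invoke-Dnscmd $s (@('/ResetForwarders') + $IspDns)
}

# 5. Internal DNS servers forward to the external pair.
Invoke-Dnscmd $IntDC @('/ResetForwarders', $ExtPrimaryIP, $ExtSecondaryIP)

# 6. Internal view of the same zone name: the LAN resolves www to the LAN address
#    (use $PublicWebIP instead when the site is hosted outside the network).
Invoke-Dnscmd $IntDC @('/RecordAdd', $Zone, 'www', 'A', $InternalWebIP)

# Check: the two views answer differently, and the DCs' blank-name (LdapIpAddress)
# A records exist in the internal zone only, never in the external one.
nslookup "www.$Zone" $ExtPrimary
nslookup "www.$Zone" $IntDC
Invoke-Dnscmd $IntDC      @('/EnumRecords', $Zone, '@', '/Type', 'A')
Invoke-Dnscmd $ExtPrimary @('/EnumRecords', $Zone, '@', '/Type', 'A')
```

The last two commands are the test that the two zones really are separate: the internal listing of the zone root shows one A record per DC, the external listing should show none, because the external servers are not domain members and nothing registers there.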
  • Agree with Phillip and Ace on the external DNS.  The preferred recommendation is usually to host it with your ISP or registrar.  Both solutions are usually included in your Internet/domain name package at no additional cost.

    Setting up external DNS servers does require costs, maintenance, and DNS understanding (regarding security especially).  It doesn't make much sense if you only have ONE zone to host, from a cost perspective.

     

     


    Visit: anITKB.com, an IT Knowledge Base.
    Friday, September 03, 2010 11:53 PM
  • Hi,

     

    If there is any update on this issue, please feel free to let us know.

     

    We are looking forward to your reply.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, September 06, 2010 9:58 AM
    Moderator
  • we host our own public dns - we also manage/host dns zones for our 2500 customers.

    i also have public sub-zones in our example.com domain. (legacy)

    public dns for all zones including example.com is set up with registrar to point to zone publicdns.net that we host.

    this is what led me to the idea of creating a new AD for 3 public dns servers. 

    the 3 public dns servers do not offer recursive or forwarding lookups as these are only to respond to outside dns requests.

    Monday, September 06, 2010 11:33 AM
  • I still don't see the added value you will gain by setting up AD for these three public, external DNS servers.  I think AD will introduce an additional layer of complexity and services which increase the footprint of the infrastructure.  Keeping the servers running only DNS services should be appropriate for your needs, unless AD introduces something that the business requires.

    If you want to further secure those DNS servers, you may consider hardening them by running Windows Core.

     


    Visit: anITKB.com, an IT Knowledge Base.
    Monday, September 06, 2010 3:45 PM
  • I still don't see the added value you will gain by setting up AD for these three public, external DNS servers.  I think AD will introduce an additional layer of complexity and services which increase the footprint of the infrastructure.  Keeping the servers running only DNS services should be appropriate for your needs, unless AD introduces something that the business requires.

    If you want to further secure those DNS servers, you may consider hardening them by running Windows Core.

     


    Visit: anITKB.com, an IT Knowledge Base.


    I totally agree. I think networkengineer49 is trying to take advantage of AD integrated zones so he/she doesn't have to setup zone transfers, then again, the complexity and surface exposure outweighs the security aspects, where I would rather use non-joined, standalones and use DNSCMD to configure zones on this large of a scale, and use the SCW or simply disable unnecessary services to reduce the overall surface exposure of the machines on the internet, along with perimeter firewall rules only allowing TCP & UDP 53.


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Monday, September 06, 2010 7:12 PM
  • If i set up the 3 servers only running dns and setting up zone transfers from the master, where is my redundancy for the master?  AD would make them all the same.  if i lose one I just replace it.  if i lose a dns server that doesn't run AD how do i recover the master and how much scripting has to happen to get the three servers purring again?
    Tuesday, September 07, 2010 11:41 AM
  • If you have one Master and two secondaries, and you lose the master...you simply change the role of a secondary to a master.  That's it.   To change a secondary to become a master, you simply access the DNS zone properties, on the General Tab, you change the DNS type to Primary.

    Then, you rebuild the failed server and make it a secondary.  Update remaining secondaries to pull from the new master.  If you do not want the new one to be a master, then you change the roles once again after all servers are back on line.

    This may sound complicated, but I still think it is a better approach than to build AD for simply managing replication among three DNS servers.  However, its just an opinion, technically you can set up AD as you describe and it will work as you expect it to.  You will just run the additional risk of AD related issues that may impact DNS replication.

     


    Visit: anITKB.com, an IT Knowledge Base.
    Tuesday, September 07, 2010 12:16 PM
  • If you have one Master and two secondaries, and you lose the master...you simply change the role of a secondary to a master.  That's it.   To change a secondary to become a master, you simply access the DNS zone properties, on the General Tab, you change the DNS type to Primary.

    Then, you rebuild the failed server and make it a secondary.  Update remaining secondaries to pull from the new master.  If you do not want the new one to be a master, then you change the roles once again after all servers are back on line.

    This may sound complicated, but I still think it is a better approach than to build AD for simply managing replication among three DNS servers.  However, its just an opinion, technically you can set up AD as you describe and it will work as you expect it to.  You will just run the additional risk of AD related issues that may impact DNS replication.

     


    Visit: anITKB.com, an IT Knowledge Base.
    I agree. However, the one thing is he will need to use DNSCMD to convert the 2500 zones to Masters. It's one of the administrative tasks that are required to administer DNS.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, September 07, 2010 1:34 PM
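Two of the bulk tasks discussed in this thread, scripted around dnscmd.exe: JM's "create the secondaries via a script" migration step (allow a transfer from each existing zone to the new server, create the secondary there, optionally convert it to AD-integrated), and the failover runbook JM and Ace describe here (promote every secondary on a surviving server to primary and repoint the other secondaries). This is an added example, not code from the thread or any of its posters; server names and addresses are constructed placeholders, the parsing of `/EnumZones` output assumes the standard "zone name, type, storage, properties" row layout, and the functions are hypothetical helpers, not a Microsoft API.

```powershell
# Added example (not from the thread): bulk dnscmd.exe operations across many zones
# (the thread's 2,500). Server names and addresses are constructed placeholders.

# Run one dnscmd command, stop on failure, and support a dry run that only prints.
function Invoke-Dnscmd {
    param([string]$Server, [string[]]$Arguments, [switch]$DryRun)
    if ($DryRun) { Write-Host "dnscmd $Server $($Arguments -join ' ')"; return }
    $out = & dnscmd $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Server $($Arguments -join ' ') failed: $out" }
}

# Parse '/EnumZones' output. Rows look like '<zone>  <type>  <storage>  [properties]';
# the root-hints cache ('.') and TrustAnchors are skipped. Pass '/Primary' or
# '/Secondary' in $Filter to restrict the listing. Exclude AD's own zones
# (e.g. _msdcs.*) with -Exclude when only the hosted customer zones should move.
function Get-ZoneNames {
    param([string]$Server, [string[]]$Filter = @(), [string[]]$Exclude = @())
    $lines = & dnscmd $Server /EnumZones @Filter
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s+(Cache|Primary|Secondary|Stub|Forwarder)\s') {
            $name = $Matches[1]
            if ($name -eq '.' -or $name -eq 'TrustAnchors') { continue }
            if ($Exclude | Where-Object { $name -like $_ }) { continue }
            $name
        }
    }
}

# Migration: for every primary zone on $Source, allow a transfer to $Target only,
# create the secondary on $Target, pull it immediately, and (if $Target is a DC)
# convert it to AD-integrated so it replicates to the other DCs there.
# Note: /SecureList replaces the zone's existing transfer list on $Source.
function Copy-ZonesAsSecondaries {
    param([string]$Source, [string]$SourceIP, [string]$Target, [string]$TargetIP,
          [string[]]$Exclude = @(), [switch]$ConvertToDsPrimary, [switch]$DryRun)
    foreach ($z in Get-ZoneNames -Server $Source -Filter '/Primary' -Exclude $Exclude) {
        Invoke-Dnscmd $Source @('/ZoneResetSecondaries', $z, '/SecureList', $TargetIP) -DryRun:$DryRun
        Invoke-Dnscmd $Target @('/ZoneAdd', $z, '/Secondary', $SourceIP, '/file', "$z.dns") -DryRun:$DryRun
        Invoke-Dnscmd $Target @('/ZoneRefresh', $z) -DryRun:$DryRun
        if ($ConvertToDsPrimary) {
            Invoke-Dnscmd $Target @('/ZoneResetType', $z, '/DsPrimary') -DryRun:$DryRun
        }
    }
}

# Failover: the master is gone. Promote every secondary on $NewMaster to a
# file-backed primary, restrict its transfers to the remaining secondaries, and
# repoint those secondaries at the new master.
function Convert-SecondariesToPrimary {
    param([string]$NewMaster, [string]$NewMasterIP,
          [string[]]$OtherSecondaries, [string[]]$OtherSecondaryIPs, [switch]$DryRun)
    foreach ($z in Get-ZoneNames -Server $NewMaster -Filter '/Secondary') {
        Invoke-Dnscmd $NewMaster @('/ZoneResetType', $z, '/Primary', '/file', "$z.dns") -DryRun:$DryRun
        Invoke-Dnscmd $NewMaster (@('/ZoneResetSecondaries', $z, '/SecureList') + $OtherSecondaryIPs) -DryRun:$DryRun
        foreach ($s in $OtherSecondaries) {
            Invoke-Dnscmd $s @('/ZoneResetMasters', $z, $NewMasterIP) -DryRun:$DryRun
        }
    }
}

# Usage with constructed names: run with -DryRun first, read the printed commands,
# then run again without it.
Copy-ZonesAsSecondaries -Source 'olddc1' -SourceIP '192.0.2.10' `
    -Target 'extdns1' -TargetIP '203.0.113.1' -Exclude '_msdcs.*' -DryRun
Convert-SecondariesToPrimary -NewMaster 'extdns2' -NewMasterIP '203.0.113.2' `
    -OtherSecondaries @('extdns3') -OtherSecondaryIPs @('203.0.113.3') -DryRun
```

Both functions throw on the first dnscmd error rather than continuing, so a run that stops part-way leaves a clear record of which zone failed; rerunning is safe because the transfer list and master list are simply reset to the same values.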
  • I think I'd just do the AD.  I don't think it would create much overhead.  There would be no members beyond the three DNSs,...there would be no user accounts beyond the built-in ones, which is no different than the same accounts created on a stand-alone machine.  Once the 2500 Zones replicate there will hardly be any replication traffic since nothing will ever change except a few entries in the Zones every once in a while when a customer wants a record changed, and there is no reason to fool around with GPOs so there should not be that overhead.  It would be a very "bare" AD setup.
     
    Now I certainly would not involve the LAN's AD, not at all in any way,..no trusts,..no nothing.   The AD on the LAN would have to use these machines as General Forwarders,...I can't imagine anyone wanting to sit there and create 2500 Conditional Forwarders,...so I think these three DNSs will not have recursion enabled so what they can't resolve gets passed to other DNSs or the Root Servers.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "Ace Fekay [MCT, MVP DS]" wrote in message news:c15fdcdc-f4ea-4757-bfa1-3f476b901a5c...

    I totally agree. I think networkengineer49 is trying to take advantage of AD integrated zones so he/she doesn't have to setup zone transfers, then again, the complexity and surface exposure outweighs the security aspects, where I would rather use non-joined, standalones and use DNSCMD to configure zones on this large of a scale, and use the SCW or simply disable unnecessary services to reduce the overall surface exposure of the machines on the internet, along with perimeter firewall rules only allowing TCP & UDP 53.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Wednesday, September 08, 2010 2:40 PM
  • what would you recommend for initial population of DNS?

    can two AD's exist in the same subnet? or do I need VLAN for broadcast network?

    Thursday, September 09, 2010 2:31 PM
  • Yes, two AD instances can co-exist on the same subnet.

    Initial population?  Do these zones already exist at least as Standard Primaries (text files)?  If so, you can use those, then convert them to AD integrated.


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, September 09, 2010 5:56 PM
  • Just to add about multiple ADs on the same subnet, when I was teaching classes prior to the courseware being virtualized, I would have a class of 20 students, each with their own AD all on the same classroom subnet, including my Instructor machine. They just need different names (NetBIOS and DNS).

    Also, if you are using DHCP, you only want DHCP for the main AD infrastructure, otherwise it will be impossible to manage different DNS Options in DHCP for the mixed ADs. Assuming you will be setting up this separate AD just for DNS hosting, then there's no problem.

     


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, September 09, 2010 11:30 PM
  • uh - no

     

    they have always been ad integrated - the dns folder is empty

     

    if i change one of the existing servers to not be AD integrated will it populate the dns folder?

     

    dnscmd gets pretty ugly on the export - takes along time to script for 2500 zones...

    Thursday, September 09, 2010 11:50 PM