#1
- We are using Active Directory integrated DNS on two Windows 2000 domain controllers.
- We have approximately 500 domains/zones.

The default SOA and NS records for our servers are dc1.ourdomain.com and/or dc3.ourdomain.com; however, we want to change them to dns1.ourdomain.com and dns2.ourdomain.com.

1) How can I change the default SOA and NS with AD integrated DNS?
2) How can I correct the SOA and NS records for all our existing DNS zones?

Thanks
Brad

By the way, the reason for making this change is twofold:

1) We're retiring dc1.ourdomain.com and dc3.ourdomain.com. They will be replaced with two Windows 2003 servers (DC1 and DC2). (DC3 will be gone.)
2) This results in errors when running DNS reports at DNSstuff.com:

Missing (stealth) nameservers

FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC 2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.
dc3.ourdomain.com.
dc1.ourdomain.com.

This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).

Missing nameservers 2

ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
dns1.ourdomain.com.
dns2.ourdomain.com.
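The two DNSstuff findings quoted above are one consistency check seen from both sides: the NS set the parent zone delegates to versus the NS set the zone's own servers answer with. The script below is an added example, not part of the original post, that reproduces that check with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later). The domain and host names are the placeholders from the thread; the constructed sample at the end mirrors the thread's situation without touching the network.

```powershell
# Added example: compare the delegation at the parent with the NS set served by
# the zone itself, i.e. the "stealth nameservers" / "missing nameservers" checks.
#Requires -Modules DnsClient

function Get-ParentNsSet {
    param([Parameter(Mandatory)][string]$Domain)
    # Parent zone is everything after the first label (ourdomain.com -> com).
    $parent = ($Domain.TrimEnd('.') -split '\.', 2)[1]
    $parentServers = Resolve-DnsName -Name $parent -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
    # Ask a parent server directly. It is not recursive, so it answers with a
    # referral: the delegation NS records arrive in the Authority section.
    Resolve-DnsName -Name $Domain -Type NS -Server $parentServers[0] -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' -and $_.Section -eq 'Authority' } |
        ForEach-Object { $_.NameHost.TrimEnd('.').ToLowerInvariant() } | Sort-Object -Unique
}

function Get-ChildNsSet {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Server)
    # The zone's own server must answer the NS query in the Answer section.
    Resolve-DnsName -Name $Domain -Type NS -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' -and $_.Section -eq 'Answer' } |
        ForEach-Object { $_.NameHost.TrimEnd('.').ToLowerInvariant() } | Sort-Object -Unique
}

function Compare-Delegation {
    param([string[]]$ParentNs, [string[]]$ChildNs)
    $stealth = @($ChildNs  | Where-Object { $_ -notin $ParentNs })   # at child, unknown to parent
    $missing = @($ParentNs | Where-Object { $_ -notin $ChildNs })    # at parent, absent at child
    [pscustomobject]@{
        StealthAtChild = $stealth
        MissingAtChild = $missing
        Consistent     = ($stealth.Count -eq 0 -and $missing.Count -eq 0)
    }
}

function Test-Delegation {
    param([Parameter(Mandatory)][string]$Domain)
    $parentNs = Get-ParentNsSet -Domain $Domain
    # Query every server the parent delegates to; one that does not answer for
    # the zone is the lame-delegation case worth flagging on its own.
    foreach ($ns in $parentNs) {
        try   { $childNs = Get-ChildNsSet -Domain $Domain -Server $ns }
        catch { Write-Warning "$ns did not answer authoritatively for ${Domain}: $_"; continue }
        Compare-Delegation -ParentNs $parentNs -ChildNs $childNs |
            Add-Member -NotePropertyName QueriedServer -NotePropertyValue $ns -PassThru
    }
}

# Constructed sample (no network): the DCs still appear at the child while the
# parent delegates to dns1/dns2, which is exactly the thread's pair of errors.
$sample = Compare-Delegation -ParentNs 'dns1.ourdomain.com', 'dns2.ourdomain.com' `
                             -ChildNs  'dc1.ourdomain.com',  'dc3.ourdomain.com'
$sample | Format-List       # StealthAtChild: dc1, dc3   MissingAtChild: dns1, dns2

# Live check against real resolvers:
# Test-Delegation -Domain 'ourdomain.com' | Format-List
```

Run the live check once before and once after the zone change and the registrar update; only when both parent and child report the same set for every delegated server, and every one of them answers authoritatively, do both findings clear.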
#2
In news:OV3%23CndZIHA.1188@TK2MSFTNGP04.phx.gbl,
Brad Baker <brad@nospam.nospam> typed:
> 1) How can I change the default SOA and NS with AD integrated DNS?
> 2) How can I correct the SOA and NS records for all our existing DNS
> zones?

You're using AD with DNS for public servers? Usually not recommended, but that's ok.

To change it, go to the properties of the zone, Name Servers tab, and change them in there. Whatever you put in there needs to exist.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
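The Name Servers tab works for one zone; with 500 zones you want the same edit scripted, with the "needs to exist" rule enforced before each change. The script below is an added example, not part of the original reply, using the DnsServer module (Windows Server 2012 and later; the thread's Windows 2000/2003 servers would need dnscmd or the MMC for the same steps). The server name, the old and new NS host names and the new SOA primary are assumed from the thread.

```powershell
# Added example: replace the retiring DC names with the new DNS host names in
# the apex NS records and the SOA primary of every primary forward zone.
#Requires -Modules DnsServer

function Update-ZoneNameServers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $DnsServer  = 'localhost',
        [string[]] $OldNs      = @('dc1.ourdomain.com.', 'dc3.ourdomain.com.'),
        [string[]] $NewNs      = @('dns1.ourdomain.com.', 'dns2.ourdomain.com.'),
        [string]   $NewPrimary = 'dns1.ourdomain.com.'
    )
    # Only zones this server is authoritative for; skip reverse and auto-created ones.
    $zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone
    }

    foreach ($z in $zones) {
        $name = $z.ZoneName

        # "Whatever you put in there needs to exist": refuse to point a zone at
        # a name with no address record, which would make the zone lame.
        $unresolved = @($NewNs | Where-Object {
            -not (Resolve-DnsName -Name $_.TrimEnd('.') -Type A -ErrorAction SilentlyContinue)
        })
        if ($unresolved) { Write-Warning "${name}: no A record for $($unresolved -join ', '); skipping"; continue }

        $current = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $name `
                        -RRType NS -Name '@' -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.RecordData.NameServer })

        # Add the new servers first so the apex never has an empty NS set.
        foreach ($ns in $NewNs) {
            if ($ns -notin $current -and $PSCmdlet.ShouldProcess($name, "add NS $ns")) {
                Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $name -NS -Name '@' -NameServer $ns
            }
        }
        foreach ($ns in $OldNs) {
            if ($ns -in $current -and $PSCmdlet.ShouldProcess($name, "remove NS $ns")) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $name `
                    -RRType NS -Name '@' -RecordData $ns -Force
            }
        }

        # SOA primary (MNAME): clone the record, edit the copy, swap it in.
        $soa = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $name -RRType SOA
        if ($soa.RecordData.PrimaryServer -ne $NewPrimary -and
            $PSCmdlet.ShouldProcess($name, "set SOA primary to $NewPrimary")) {
            $new = $soa.Clone()
            $new.RecordData.PrimaryServer = $NewPrimary
            Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $name -OldInputObject $soa -NewInputObject $new
        }
    }
}

# Dry run first, then apply with a log of every change:
# Update-ZoneNameServers -DnsServer 'dns1' -WhatIf
# Update-ZoneNameServers -DnsServer 'dns1' -Verbose
```

Two caveats. Sequence the change so the parent delegation and the apex NS set overlap at every step (add dns1/dns2 at the zones, confirm the registrar's delegation, then remove dc1/dc3 once the old NS TTL has expired), or resolvers that cached the old set will hit servers that no longer answer. And as long as a domain controller still hosts an AD-integrated zone, its DNS service re-adds its own NS record on restart unless NS auto-creation is switched off (on Windows Server 2003 SP1 and later: dnscmd /Config /DisableNSRecordsAutoCreation 1), which is the "tinkering" referred to later in this thread.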
#3
> You're using AD with DNS for public servers? Usually not recommended, but
> that's ok.

I can certainly switch (it's something I've considered anyway), but can you point me to any documentation which backs up your statement? That would go a long way in convincing management that this is something we should do.

Thank You,
Brad
#4
In news:uG7JHV0ZIHA.4440@TK2MSFTNGP06.phx.gbl,
Brad Baker <brad@nospam.nospam> typed:
> > You're using AD with DNS for public servers? Usually not recommended,
> > but that's ok.
>
> I can certainly switch (it's something I've considered anyway) but can
> you point me to any documentation which backs up your statement? That
> would go a long way in convincing management that this is something
> we should do.
> Thank You,
> Brad

No, just common knowledge to not use a DC for something that is just hosting DNS. All documentation points to how to use a DC for what it is meant and designed for. If management chose to use a DC for public DNS hosting, I'm sure they had some sort of reason that I can't think of.

So you got me curious now, and with all due respect, I am not criticizing anyone, just curious - what was the reason for choosing to use DCs for public DNS servers? Just for AD integrated zones? There's a huge overhead with DCs just to reap that benefit, especially with hundreds of zones. Are these DCs your domain controllers for your internal corporate domain as well?

Besides, a DC's overhead just slows it down, especially when hosting hundreds and hundreds of zones. When I used to host DNS for public records, I had two standalone servers, disabled NetBIOS on them as well as F&P services, and used IPSec to control port access. Ran lean and mean. It will be difficult to do that with DCs. A DC is meant to host a directory service providing centralized account and security control for its domain, not for hosting public zones.

Here's an interesting read, but I don't think it adds much to the conversation other than recommending not to do this:
Rarely would you ever host public DNS on your DC...
http://www.neowin.net/forum/lofivers...p/t598323.html

The SOAs will also change back and forth on the zones because of AD processes, replication between the two DCs, as well as DNS registration. This is something that may make you wonder what is going on, but is part of the whole process.

Multihoming a DC can be a disaster for the DC as well.

Ace
#5
> No, just common knowledge to not use a DC for something that is just
> hosting DNS. All documentation points to how to use a DC for what it is
> meant and designed for. If management chose to use a DC for public DNS
> hosting, I'm sure they had some sort of reason that I can't think of.

I've honestly never read or heard anyone mention this. I was not with my company when the decision was made to utilize our AD integrated DNS servers for hosting public DNS. I suspect the rationale was to save resources. When my company was first forming ten years ago, two extra DNS servers would have been too expensive. Since then we have grown from 1 customer to 250 with over 500 DNS zones. As we grew there weren't any DNS performance problems per se, and as the old adage goes - if it's not broke, don't fix it! I'm sure we could afford separate DNS servers now. The only issue is convincing management. I'm sure they will want some sort of explanation and references to Microsoft or third party documentation explaining why we should do that.

> So you got me curious now, and with all due respect, I am not
> criticizing anyone, just curious - what was the reason for choosing to
> use DCs for public DNS servers? Just for AD integrated zones? There's a
> huge overhead with DCs just to reap that benefit, especially with
> hundreds of zones. Are these DCs your domain controllers for your
> internal corporate domain as well?

As mentioned above - cost savings and ease. We already had DNS servers set up for AD; I'm sure it just made sense at the time to re-use them. As far as performance goes we've never really noticed an issue.

The only reason we're running into a problem now is due to the way AD integrated DNS works - i.e. it seems to register some records (primarily SOA and NS) itself and it's using server names that we don't really want utilized. We're planning on upgrading our DCs and as such the DC server names will change. This will result in problems with all our DNS zones as I think we will end up with invalid NS records and conceivably SOA records.

There are some other problems - notably that there are getting to be too many zones on the server, which makes using the Microsoft DNS MMC slow. But besides that, everything works fine on some rather old servers (Dell PE1550s). Reports at dnsstuff.com give our servers a score of B- (noting: a rating of 'B' or higher is generally good; this tool is very picky!).

> Here's an interesting read, but I don't think it adds much to the
> conversation other than recommending not to do this:
> Rarely would you ever host public DNS on your DC...
> http://www.neowin.net/forum/lofivers...p/t598323.html

I wish there was an MS KB article that stated this. It would certainly be a lot more authoritative. But thanks for the link - at least it's a starting point and something I can concretely reference when I bring this to management's attention.

> Multihoming a DC can be a disaster for the DC as well.

I've heard that before from Microsoft support - one of our two DCs/DNS servers has multiple IPs on it. I'm hoping to fix that when we upgrade AD.
#6
In news:eqtutv$ZIHA.3652@TK2MSFTNGP02.phx.gbl,
Brad Baker <brad@nospam.nospam> typed:
> > So you got me curious now, and with all due respect, I am not
> > criticizing anyone, just curious - what was the reason for choosing
> > to use DCs for public DNS servers? Just for AD integrated zones?
> > There's a huge overhead with DCs just to reap that benefit,
> > especially with hundreds of zones. Are these DCs your domain
> > controllers for your internal corporate domain as well?
>
> As mentioned above - cost savings and ease. We already had DNS
> servers set up for AD; I'm sure it just made sense at the time to
> re-use them. As far as performance goes we've never really noticed an
> issue.
> The only reason we're running into a problem now is due to the way AD
> integrated DNS works - i.e. it seems to register some records
> (primarily SOA and NS) itself and it's using server names that we
> don't really want utilized. We're planning on upgrading our DCs and
> as such the DC server names will change. This will result in problems
> with all our DNS zones as I think we will end up with invalid NS
> records and conceivably SOA records.

This is default DC behavior. Lots of tinkering and registry alterations to FORCE it to work. It's not really worth it. Another reason to use standalones. DCs are DCs, and for a DC to work, it registers records beyond just the IP address and hostname because the netlogon service also registers data that you should not alter.

Another reason... I can't see cost savings when it involves administrative overhead to maintain and figure out how AD should work and how to alter default behavior to make it work so it is just a DNS server.

> > Multihoming a DC can be a disaster for the DC as well.
>
> I've heard that before from Microsoft support - one of our two DCs/DNS
> servers has multiple IPs on it. I'm hoping to fix that when we
> upgrade AD.

Upgrading AD will not help with multiple NICs. It is NOT advised to multihome a DC. Period.

Google 'multihomed DCs' and view my comments as well as other engineers'. Due to DNS registration of SRV records and the LdapIpAddress and GcIpAddress records, multihoming causes major issues with DCs.

Ace