In news:(E-Mail Removed),
Mark Lamoreaux <(E-Mail Removed)> posted their thoughts, then I offered mine
> Yes, dynamic updates are enabled. I even set it to nonsecure updates
> temporarily to make sure I don't have a security issue, but I still
> don't see automatic updates made.
>
> Apparently, my DNS server needs to have entries for triaxialdata.com
> (my internal Active Directory domain), but it only has authority to
> update triaxialdata.net because my ISP controls DNS for my external
> triaxialdata.com (the same name is used for external Internet domain
> and internal Active Directory domain).
>
> Basically, the only place I'm really seeing any errors is when I run
> Netdiag. If I run Netdiag /fix, I get several entries like the
> following:
>
> [FATAL] Failed tofix: DC DNS entry triaxialdata.com. re-registeration
> on DNS server '64.162.46.28' failed.
>
> and
>
> [DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
> [FATAL] Failed to fix: DC DNS entry
> ForestDnsZone.triaxialdata.com. re-registeration on DNS server
> '64.162.46.28' failed.
>
> To me, it looks like it's trying to register special Active Directory
> names under triaxialdata.com (my AD domain name) but I only have a
> zone for triaxialdata.net (when I tried setting up an internal zone
> for triaxialdata.com, it interfered with my ISP's DNS and people
> couldn't get to my web pages and email server at triaxialdata.com).
>
> I think I'm just missing something basic here. Any more hints?
>
> Thanks,
> Mark
Choosing the same internal/external name is called Split-Horizon. We
normally don't recommend this due to additional administrative overhead.
Apparently you haven't created the required zone called triaxialdata.com, on
your own DNS server, which AD *absolutely requires*.
291382 - Frequently Asked Questions About Windows 2000 DNS and Windows
Server 2003 DNS:
http://support.microsoft.com/?id=291382
See, AD stores all its resource and service locations in DNS. When
something needs to look up or "find" the domain, it queries DNS. This is
why you're getting a multitude of errors. There is no zone for AD and
therefore everything is failing because it cannot find itself. NT4 and AD
are two different animals and don't work the same at all.
Cardinal Rules with AD:
1. Use your own DNS
2. Create the zone on your own DNS that exactly matches the AD DNS domain
name
3. Only use your own DNS server for all member machines (DCs and clients)
4. Enable updates on the zone
5. For efficient Internet resolution, use a forwarder. If the option is
grayed out, delete the Root zone, refresh the console, and try again. If not
sure how to do that, see this article:
http://support.microsoft.com/?id=300202
Here are some other links on AD and DNS (which apply to both Win2k and
Win2k3):
DNS requirements for installing Active Directory:
http://www.microsoft.com/technet/tre...quirements.asp
Windows 2000 Step-by-Step Guides - Includes many how-to's, Installing AD and
Pro as a Client, etc:
http://www.microsoft.com/windows2000...hs/default.asp
DNS Requirements for Deploying Active Directory:
http://www.microsoft.com/windows2000...d_ads_kuha.asp
Appendix B - AD Procedures Reference (Nice reference here):
http://www.microsoft.com/technet/tre...2/ADOGdApB.asp
As for your same name design, the additional administrative overhead may also
include registry entries as well. The main thing is that your users won't be
able to get to your externally hosted website, since your zone in your own
internal DNS doesn't have that info. You would need to manually create a www
record giving it the external IP of the actual website. You may also need to
create other records as well, including ftp or anything else. Mail isn't
required here since your clients will be MAPI clients.
Keep in mind that the users will always need to use www.triaxialdata.com to
get to it, but NOT by http://triaxialdata.com. This is because of the
LdapIpAddress that DCs create as required for AD functionality. DFS and GPO
acquisition use this record. However this record can be altered (through the
reg) to give your users that special need to connect by
http://triaxialdata.com, but this will alter domain functionality and is not
recommended.
Also, after reading all this, you probably agree that a different internal
name (like a .corp or something like that) may have been a better choice.
But if you are going to ask about Exchange's email domain name and how it
affects mail, it doesn't. That's because you can set whatever domain name
the machine will receive mail for in the Recipient Policy and as long as the
external MX records (hosted on the external DNS) are pointed to the Ex box,
then it will receive mail on that domain. You can set multiples, but they
don't have anything to do with the AD name. I host 25 domain names for my
clients, none of which have anything to do with my AD name...
Hope that clears things up.
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
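The cardinal rules and the split-horizon caveat from the reply above, carried out as an added example that is not part of the original thread. It uses the DnsServer and DnsClient PowerShell modules of Windows Server 2012 and later (in the Win2k/Win2k3 era of the thread the same steps were done in the DNS console or with dnscmd), and every IP address and the interface alias are constructed placeholders, not values from the thread.

```powershell
# Added example, not from the original posting. Run on the DC that also hosts DNS.
# triaxialdata.com is the AD domain from the thread; all IPs below are ASSUMED placeholders.
$AdDomain     = 'triaxialdata.com'
$DcIp         = '192.0.2.10'       # ASSUMED: this DC's own address
$ExternalWeb  = '203.0.113.10'     # ASSUMED: public IP of the ISP-hosted website
$IspResolvers = '198.51.100.53'    # ASSUMED: ISP resolver to forward to

# Rules 1 and 3: the DC (and every member machine) uses only the internal DNS server.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcIp   # alias ASSUMED

# Rule 5 prerequisite: a root zone (".") on the server greys out forwarding, so drop it.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
}

# Rules 2 and 4: a zone whose name exactly matches the AD domain, AD-integrated and
# accepting secure dynamic updates so the DC can register its SRV records.
if (-not (Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $AdDomain -ReplicationScope Domain -DynamicUpdate Secure
} else {
    Set-DnsServerPrimaryZone -Name $AdDomain -DynamicUpdate Secure
}

# Split-horizon consequence: internal clients no longer see the ISP's zone, so the
# externally hosted www record has to be recreated by hand with the public IP.
if (-not (Get-DnsServerResourceRecord -ZoneName $AdDomain -Name 'www' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $AdDomain -Name 'www' -IPv4Address $ExternalWeb
}

# Rule 5: resolve everything outside the zone through a forwarder, not root hints.
Set-DnsServerForwarder -IPAddress $IspResolvers

# Re-register the DC's records (the modern equivalent of "netdiag /fix").
ipconfig /registerdns | Out-Null
nltest /dsregdns     | Out-Null

# Verify: the _ldap SRV record is what netdiag could not register without the zone,
# and the bare domain name answers with the DC (LdapIpAddress), not the web server,
# which is why users must browse to www.triaxialdata.com rather than triaxialdata.com.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $DcIp
Resolve-DnsName -Name $AdDomain        -Type A -Server $DcIp
Resolve-DnsName -Name "www.$AdDomain"  -Type A -Server $DcIp
```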