Does DNS HAVE to be on an AD DC?

Guest

Hey People,

I have an ongoing problem on our network, which is pretty mixed in its own
right.
We have primarily a Netware network, with a mixed 2K/2K3 AD domain and some
Linux servers.

Our DNS is on a Linux server with a backup on a Netware server. There is no
DNS running on Windows at all. These DNS configurations have all the
Microsoft AD records and are dynamically updated by AD.

Recently, after rebooting the main DC (2K3 with most FSMO roles) several
WinXP clients take about 12 mins to log in. The Netware authentication seems
to go OK, but it seems that the AD part is the slow bit. Windows 2000 PCs
have no issue.

Sounds like DNS doesn't it? However it has worked fine previously. Only
other change of late may have been an updated Novell client on the PCs.

If anyone can suggest anything I'd be eternally grateful!!
 
R

Richard G. Harper

Does it HAVE to be? No.

SHOULD it be? Absolutely.

Does this sound like a typical DNS/AD problem? Yep, sure does.

Microsoft's DNS and DHCP clients help to keep AD working more smoothly when
they are run instead of third-party DNS and DHCP solutions.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
H

Herb Martin

No, and it doesn't "have to be" on Windows even,
but there are significant advantages to DNS configured to support
AD domains -- and it is most common to see the
DNS on the DC.

Peter said:
> Hey People,
>
> I have an ongoing problem on our network, which is pretty mixed in its own
> right.
> We have primarily a Netware network, with a mixed 2K/2K3 AD domain and some
> Linux servers.
>
> Our DNS is on a Linux server with a backup on a Netware server. There is no
> DNS running on Windows at all. These DNS configurations have all the
> Microsoft AD records and are dynamically updated by AD.
>
> Recently, after rebooting the main DC (2K3 with most FSMO roles) several
> WinXP clients take about 12 mins to log in. The Netware authentication seems
> to go OK, but it seems that the AD part is the slow bit. Windows 2000 PCs
> have no issue.

Many/most such problems ARE DNS related if your
network is basically sound.

> Sounds like DNS doesn't it? However it has worked fine previously. Only
> other change of late may have been an updated Novell client on the PCs.

Yes. Sounds like it.

> If anyone can suggest anything I'd be eternally grateful!!

Here's a "quick check list" for DNS to support AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
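The checklist above (items #2/#3 on client DNS settings, item #1/#4 on the zone holding the AD records, and the "run DCDiag and search for FAIL, ERROR, WARN" step) can be scripted from a domain member. This is an added example, not code from anyone in this thread; it assumes a current PowerShell with the DnsClient module (Windows 8 / Server 2012 or later), and $Domain and $internalDns are placeholders for your own AD DNS name and internal DNS server(s).

```powershell
# Added example (not from the thread): checks Herb Martin's DNS-for-AD list.
# Assumes modern PowerShell (DnsClient module); run the dcdiag part on a DC.
param([string]$Domain = 'ad.example.local')   # placeholder for your AD domain

# Placeholder: the internal, dynamic DNS server(s) every NIC should point at.
$internalDns = @('192.0.2.10')

# Items #2/#3: flag any NIC that lists a DNS server outside the internal set.
function Get-ForeignDnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
      Where-Object { $_.ServerAddresses.Count -gt 0 } |
      ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin $internalDns }
        if ($foreign) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias
                               ForeignServers = ($foreign -join ', ') }
        }
      }
}

# Items #1/#4: the SRV records clients use to locate DCs must resolve on
# every configured DNS server (these are the records the Linux/Netware
# DNS has to hold and keep updated for AD logons to work).
function Test-AdSrvRecords {
    $srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain")
    foreach ($server in $internalDns) {
        foreach ($name in $srvNames) {
            try {
                $rec = Resolve-DnsName -Name $name -Type SRV -Server $server -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
                [pscustomobject]@{ Server = $server; Record = $name
                                   Targets = (($rec | ForEach-Object NameTarget) -join ', ') }
            } catch {
                Write-Warning "$server cannot resolve $name : $($_.Exception.Message)"
            }
        }
    }
}

Get-ForeignDnsServers | Format-Table -AutoSize
Test-AdSrvRecords     | Format-Table -AutoSize

# Last step from the post: run dcdiag, save the output, search for FAIL/ERROR/WARN.
if (Get-Command dcdiag -ErrorAction SilentlyContinue) {
    $log = Join-Path $env:TEMP 'dcdiag.txt'
    dcdiag /test:DNS /v | Out-File -FilePath $log -Encoding ascii
    Select-String -Path $log -Pattern 'FAIL|ERROR|WARN' -CaseSensitive |
      ForEach-Object { $_.Line.Trim() }
}
```

A NIC that lists an ISP or other external resolver alongside the internal one, or an internal server missing the _msdcs SRV records, is exactly the condition that produces the slow XP logons described at the top of the thread.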
 
M

Michael D. Ober

Check the binding order on the network connection. The Novell virus
(client) may have changed the binding order. Windows attempts to connect to
servers in the protocol binding order, with a timeout that can be up to 10
minutes per protocol.

Mike.
 
P

Phillip Windell

I would have all machines that are domain members use only the DNS on the
DC; yes, leave it on the DC. In the Forwarders list in the DC/DNS config
place whichever DNS Server of yours that you want to be the next one in the
"food chain" (probably the Linux one). You could also list the Netware one
in the Forwarders list under the Linux one.

Every Windows machine that is part of that Domain would use the DC/DNS and
*only* that one. Even the DC itself would only point to itself and nothing
else. The Forwarders list would take care of the rest.