Hey guys,

Set up a small AD network recently (W2K3 interim; supports only w2k3 and NT4 BDC's).

I made "DC1" the forest root DC (1st DC in the forest) and configured it for DNS. I brought up a 2nd DC ("DC2"). On DC1, I went ahead and configured it to replicate it's zone information to all other DNS servers in the domain. On DC2, I installed DNS on it, and a short time after it replicated the zone info from DC1.

NOW, here's my question: I'd like DC2 to be it's own standalone DNS server vs. just accepting zone updates from DC1. Would I need to configure DC2 to point to itself for DNS and well as configure it to replicate it's zone information to all other DNS servers in the domain (ie, configure it the same way I configured DC1)? Currently, my clients point to DC1 and DC2 for DNS, but I'm thinking that DC2 would be a "better" backup DNS server if it was actually a "co-main DNS" server to DC1.

TIA,

Gabe

I'm sure your reason for this but why not make the DNS server AD integrated?

If you make the DNS server on DC2 "standalone" you are defeating a big part of what DNS is about. Is there a reason you don't want these to be AD integrated? And, just so you know, the clients don't use 'both' DC1 and DC2 for DNS. They will use one or the other. If you have them set up for Preferred and Secondary, it will only use Secondary if the Preferred does not reply at all. It won't, like many people think, use DC2 is DC1 doesn't know the answer.

Hi Glen,

The primary fwd lookup zone (only one) is AD-integrated. If it is AD-integrated, do I still have to enable DNS Zone Transfers on DC1 to the other DC (running DNS)?

After re-reading my original post, I think I said alot but it meant very little... my aim is to (1) make sure DC2 handles DNS queries in case DC1 takes a dump and (2) make sure that any DNS changes I make on DC2 get replicated back over to DC1. Can (2) occur even if DC2 points to DC1 for DNS and if DC2 isn't enabled for Zone Transfers?

Gabe

If it is AD integrated then you don't have to allow zone transfers. As a matter of fact if you have only AD integrated zones then allowing zone transfers can be a security hole. If you only have the two DNS server and both are w2k, just install it on the second one, make it AD integrated and you should be done. I would uncheck the Allow Zone Transers button. DC2 will not handle queries of clients looking at DC1 unless DC2 is set up as a alternate DNS server. Any changes make to one DNS will replicate to the other DNS servers. That is the whole idea behind AD Integrated. Zone transfer is the 'old' way when you have Primary and Secondary DNS server which you won't if you use AD Integrated.

Hope that helps.

Thanks Glen, I appreciate your response.

Since I do have both DC1 and DC2 set as the preferred and alternative DNS servers, respectively, on the each client, would it be safe to have DC2 now point to itself for DNS, or should it continue to point to DC1? I think it's the former, but I just want to make sure.

I usually have them point to themselves but only after DC2 has pointed to DC1 for at least a day or two to make sure it has a complete replication perfomed and has all the records. I've read differing opinions on this because if you point them to themselves they can become and 'island' to themselves. However, if everything is set correctly with replication this shouldn't be a problem. So you could set it either way and be ok.

According to some of the documentation I've read 2003 server eliminates the worry of island effect when changing the IP of servers pointing to themselves for dns. Haven't tried it in the real world but that's what the books say..