For the Windows 2000 environment, I’ve revised that mantra to: “DNS, DNS, DNS.” When the trust fails with the error “Cannot Contact Domain Controller,” I say, “Check your DNS.” When you try to run a DCPromo and you can’t contact the domain, I say, “Check your DNS.” In fact, as we found after four days of troubleshooting the failure of our Global Catalog services, DNS is a critical part of nearly all Active Directory operations. I will walk you through the dilemma we faced with the Global Catalog to help you get a feel for the critical role of DNS in Win2K.
The Global Catalog dilemma
It all started when the 28 students, as part of a lab assignment, began leaving our parent domain to form their own domains and forests. They soon found that Active Directory-integrated DNS zones are not effective across domains. Directory Replication takes place among domain controllers within a contiguous DNS namespace. If there is more than one domain in the site, each domain has its own version of Active Directory. If the domains are part of a forest, the Active Directory’s Global Catalog is the common denominator, not the Active Directory itself.
Until trusts are in place, the DNS service is necessary for the clients to “see” each other. Each domain has its own namespace as defined in the DNS zone. Trusts between domains are automatic only when you’re in the same forest. Otherwise, if you want to create trusts between two domains, you can configure each as the secondary DNS server for the other’s zone. For example, there are two domains, east.local and west.local, in two different forests. The domain controller in east.local will be configured as a Standard Primary DNS server in the east.local domain. The domain controller in the west.local domain will be configured as a Standard Secondary server for the east.local domain. The domain controller in the west.local domain must be the Standard Primary DNS server for a zone called west.local. The domain controller in the east.local domain must be a Standard Secondary DNS server in the west.local zone. Figure A shows the screen for selecting zone types.
Figure A: Setting DNS zone type
One of the keys to making this work is to configure each of the zones with the other zone’s DNS server so that the DNS service will share the database entries. (You will change this back after the trust is in place.) You can accomplish this by going into each DC’s TCP/IP Properties. Then, if you configure your zones to allow zone transfers, the zone entries will automatically appear in each domain controller’s DNS cache. To speed up the process, go to Start | Programs | Administrative Tools | DNS, right-click on one of the two zones, and choose Transfer From Master.
If you have quite a bit of old information floating around in your DNS cache, you may want to run ipconfig /flushdns from the command line. This will clear out any entries in your DNS cache that might conflict with your new configuration.
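The east.local/west.local pairing above, scripted as an added example that is not from the original article: it uses the DnsServer PowerShell module of a current Windows Server DNS role (Windows 2000 has no such module; there you use the DNS console as described), runs on the east.local DC, and the peer IP address and zone file names are constructed. It restricts zone transfers to the named peer rather than to any server, and finishes with the check a troubleshooter wants: do the peer’s DC locator and Global Catalog SRV records actually resolve?

```powershell
# Added example, not the article's own steps: cross-forest DNS pairing with the
# DnsServer module. Run on the east.local DC; swap the variables to run on west.
$LocalZone = 'east.local'   # zone this DC is Standard Primary for
$PeerZone  = 'west.local'   # zone this DC becomes Standard Secondary for
$PeerDcIp  = '10.0.2.10'    # west.local DC, primary for west.local (constructed)

# 1. Standard Primary zone for our own namespace (skip if the DC already hosts it).
if (-not (Get-DnsServerZone -Name $LocalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $LocalZone -ZoneFile "$LocalZone.dns"
}

# 2. Allow zone transfers, but only to the peer DC, not to any server:
#    a full zone lists every DC and service record of the domain.
Set-DnsServerPrimaryZone -Name $LocalZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $PeerDcIp

# 3. Standard Secondary copy of the peer's zone, pulled from its primary.
if (-not (Get-DnsServerZone -Name $PeerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $PeerZone -ZoneFile "$PeerZone.dns" `
        -MasterServers $PeerDcIp
}

# 4. Same effect as right-click > Transfer From Master in the DNS console.
Start-DnsServerZoneTransfer -Name $PeerZone -FullTransfer

# 5. Flush the resolver cache (the ipconfig /flushdns step) so stale answers
#    do not hide the new zone data, then verify the records a trust or DCPromo
#    against the peer domain depends on: DC locator and Global Catalog SRVs.
Clear-DnsClientCache
foreach ($rec in "_ldap._tcp.dc._msdcs.$PeerZone", "_gc._tcp.$PeerZone") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
    if ($srv) { "OK   $rec -> $($srv.NameTarget -join ', ')" }
    else      { "FAIL $rec  (trust or DCPromo against $PeerZone will fail: check DNS)" }
}
```

A FAIL on either record reproduces the “Cannot Contact Domain Controller” situation from the opening paragraph before you ever attempt the trust, which is the point of checking DNS first.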