
DNS Islanding

Discussion in 'Networks' started by zebulebu, May 24, 2007.

  1. zebulebu

    zebulebu Terabyte Poster

    Anybody here remember DNS Islanding being a problem in W2K? It used to happen when you pointed each DC at itself as its primary DNS - sometimes you ended up with random DNS servers registering CNAME records on other DNS servers, with replication & resolution being flaky as a result.

    Now I am pretty sure that this was resolved in 2K3 - hence I've configured all our DNS servers to point to themselves primarily, with fallback to other servers as secondary, configured as appropriate to bandwidth, link speed & reliability.

    However, we've just had a consultant come in and make a series of assessments prior to migrating users over to AD from NT. I agree with every one of the suggestions he has made (indeed, a lot of them I've made myself in the past only to be ignored :x ) but he has also made the recommendation to have a single DNS server as the 'primary' for our domain, with all other DNS servers pointing to it for resolution as their primaries. I'm inclined to agree with him on this as well, simply because he clearly knows what he is doing (he fixed an FRS issue that had been plaguing us at one site for months in 30 minutes) but has anyone got any advice on the matter that I can mull over?

    His main reason for recommending it is one of simplicity - and clearly having a 'main' DNS server would aid in making the design simple to troubleshoot, but I'm just a little nervous about creating what I worry will end up being a potential SPOF...
    Certifications: A few
    WIP: None - f*** 'em
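The two concerns in the post above (a DC that can only see itself, and a design where every DC depends on one box) can both be checked from a script rather than by eyeballing each server's TCP/IP settings. The following is an added example, not code from the thread: it reads each DC's DNS client list, flags any DC whose only DNS server is itself or that has a single server configured, and then, from every server each DC uses, verifies that every DC in the domain is still locatable via the `_ldap._tcp.dc._msdcs` SRV record and its A record. It assumes Windows Server 2012 or later (ActiveDirectory and DnsClient modules), PowerShell Remoting enabled on the DCs, and a session with domain-admin rights.

```powershell
# Added example, not from the original post: audit DC DNS client settings and
# confirm every DC can locate every other DC through each server it is using.
# Assumptions: Server 2012+ (ActiveDirectory/DnsClient modules), WinRM open
# to the DCs, domain-admin credentials. No real host names are used here.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName

$report = foreach ($dc in $dcs) {
    # The IPv4 DNS server list the DC itself resolves against, taken from the
    # first interface that has any DNS servers configured.
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses
    })

    $findings = @()

    # 1. A DC listing only its own address (or loopback) is the classic island:
    #    if its local zone copy is stale it has nowhere else to ask.
    $self = @($dc.IPv4Address, '127.0.0.1')
    if (-not ($servers | Where-Object { $self -notcontains $_ })) {
        $findings += 'points only at itself'
    }

    # 2. One configured server, whichever box it is, is a single point of failure.
    if ($servers.Count -lt 2) {
        $findings += 'only one DNS server configured'
    }

    # 3. From each server this DC uses, every DC's locator SRV record and A
    #    record must resolve; a miss means that peer is invisible from here.
    foreach ($srv in $servers) {
        $srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" `
                          -Type SRV -Server $srv -ErrorAction SilentlyContinue
        $seen = @($srvRecords | Where-Object { $_.Type -eq 'SRV' } |
                  ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
        foreach ($peer in $dcs) {
            if ($seen -notcontains $peer.HostName.ToLower()) {
                $findings += "no SRV record for $($peer.HostName) via $srv"
            }
            $a = Resolve-DnsName -Name $peer.HostName -Type A -Server $srv `
                     -ErrorAction SilentlyContinue
            if (-not $a) {
                $findings += "cannot resolve $($peer.HostName) via $srv"
            }
        }
    }

    [pscustomobject]@{
        DC         = $dc.HostName
        DnsServers = ($servers -join ', ')
        Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it before and after changing the client settings: if the consultant's single-primary layout is adopted, finding 2 should light up on every DC unless each one also lists the DR-site server (or itself) as an alternate, which is the cheap way to keep the simplicity without the SPOF.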
  2. Sparky

    Sparky Zettabyte Poster Moderator

    I would agree, one of our bigger clients has twenty odd VLANs and each of them has its own DNS server for its own LAN name resolution. The forwarders on each server point at an internal DNS server (located in the comms room) which hosts a forward and reverse lookup zone for each VLAN, and the forwarders on that server point at BT's DNS servers.

    I installed the main DNS server a few months ago and it fixed a stack of problems with routing emails internally. I think it was something to do with the reverse DNS, as the email was originating from a VLAN but the reverse DNS lookup was resolving the domain to a 'real world' IP. This resulted in spam filters thinking the emails were spoofed.
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Office 365, Server 2016, CEH
  3. supag33k

    supag33k Kilobyte Poster

    With Windows 2000 Server especially prior to SP4 the dns islanding could occur, sometimes to the point where you would have to reset DC service accounts via netdom or use ntdsutil for a metadata cleanup.

    The key things to watch were:

    1. Poor/Impaired DNS resolution across the domain.
    2. Issues with FRS between DC's.
    3. Then if you lost the PDC emulator DC and the schema master you could end up in real hot water, even with AD-integrated DNS.
    [ie the authoritative restore is incomplete or borked somehow..see the last link..:rolleyes: ]

    Microsoft refer to a possible resolution as Split-Horizon, and I have seen it where 3 DC's talk in one domain, and 3 DC's talk in another domain, both domains named "your-company.com"...not pretty!

    DNS Islanding and/or split horizon DNS can be a desired trait if you are running a linux farm for an ISP for several reasons, but for a contiguous AD domain namespace it can be a very bad thing indeed.

    Some links...




    Possibly also...




    - the last seems to be a common issue with this problem.

    Note that replmon is your friend in this situation.

    The simplicity option is okay - but make the DNS as fault tolerant as possible ...SPOF is definitely very painful in DNS and AD is basically a double hit for a "lose-lose situation".

    If there are concerns over DNS/AD requirements versus giving users more bandwidth [which they usually misuse] then the server infrastructure should always come first.
    ie why use caching servers for DNS if they do not offer the full DNS functionality you may require in a remote office with poor WAN links.
    [sometimes the MS recommended way in real life for this type of thing is not very good]

    Basically this type of fault in a large production environment will see various managers/PHBs stick their beaks in for critique..indeed as Microsoft presenters occasionally mention, this type of thing can be a "CV generating event" :(

    Windows 2003 is a bit more resilient in this respect - though dns islanding/ split horizon can be implemented either inadvertently or deliberately.


    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
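The post above leans on replmon and on ntdsutil metadata cleanup for the symptoms it lists (impaired resolution, FRS trouble between DCs, a DC that has dropped off the map). The script below is an added example, not something from the thread: it pulls the same replication-failure view replmon gives you, once through the ActiveDirectory module and once through `repadmin /showrepl /csv` (which also works against older DCs), runs dcdiag's DNS test across every DC, and wraps the ntdsutil "remove selected server" one-liner in a function so the server DN has to be typed in deliberately. It assumes Windows Server 2012 or later for `Get-ADReplicationFailure`, the RSAT AD DS tools for repadmin/dcdiag/ntdsutil, and the `/csv` switch on repadmin (Windows Server 2003 SP1 and later). The DN in the usage comment is a placeholder.

```powershell
# Added example, not from the original post: replication and DNS health view
# for the islanding symptoms above, plus a guarded metadata-cleanup wrapper.
# Assumptions: Server 2012+ ActiveDirectory module, RSAT AD DS tools installed,
# repadmin that supports /csv (2003 SP1+). All server names are placeholders.
Import-Module ActiveDirectory

# 1. Replication failures per partner across the domain (what replmon shows).
function Get-ReplicationHealth {
    Get-ADReplicationFailure -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount,
                      FirstFailureTime, LastError
}

# 2. The same view from repadmin; its CSV output carries a literal
#    'showrepl_COLUMNS' marker in the first column, which ConvertFrom-Csv
#    simply treats as a header name.
function Get-RepadminFailures {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# 3. dcdiag's DNS test over every DC (/e): missing delegations, dead
#    forwarders and DCs that cannot register their own records all show here.
function Get-DcDnsProblems {
    dcdiag /test:DNS /e /v 2>&1 |
        Select-String -Pattern 'Warning:|Error:|fail' -CaseSensitive:$false |
        ForEach-Object { $_.Line.Trim() }
}

# 4. Metadata cleanup for a DC that is gone for good. The single-command form
#    of ntdsutil takes the server object's DN under the Sites container, e.g.
#    "CN=DC3,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com"
#    (placeholder). Nothing is removed unless -Confirm is given explicitly.
function Remove-DeadDcMetadata {
    param(
        [Parameter(Mandatory)] [string] $ServerDn,
        [switch] $Confirm
    )
    if (-not $Confirm) {
        Write-Warning "Dry run. Would execute: ntdsutil `"metadata cleanup`" `"remove selected server $ServerDn`" quit quit"
        return
    }
    ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
}

# Typical run: look, then decide.
Get-ReplicationHealth  | Format-Table -AutoSize
Get-RepadminFailures   | Format-Table -AutoSize
Get-DcDnsProblems
# Remove-DeadDcMetadata -ServerDn 'CN=DC3,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com'
```

Check the replication output before touching metadata: a DC that merely cannot replicate because its DNS client settings are wrong is fixed by correcting those settings, and removing it with ntdsutil instead turns a resolution problem into a rebuild.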
  4. zebulebu

    zebulebu Terabyte Poster

    Cheers for the info Supa - loads of really useful stuff I hadn't seen before there!

    Check that! I had to sort this out once about five years ago - it wasn't fun trying to wade through all the Technet stuff I could find on it - especially since I'd only just (about a month before) passed 70-216 and thought I knew everything there was to know about DNS (lol). I've done a metadata cleanup a few times since and, whilst it's still not second nature - especially going through that poxy command line process of selecting domains, sites etc and making sure you remove the right DC from AD when you're not familiar with the infrastructure - it's at least a little bit more bearable once you've done it a couple of times!

    We're certainly seeing FRS issues at a few sites - Sonar throws up odd problems at a couple of sites specifically and, whilst their DNS settings are OK, I suspect that, at some distant point in the past, they were incorrect.

    FWIW, I'm going to change the infrastructure to use a 'primary' DNS server on our main site and a 'secondary' at our DR site. I'm still a little bit nervous about pointing all the DCs at one box, but I'm probably just fretting over nothing :rolleyes:

    As for the 'Split Horizon' DNS (you mean 'Split Brain', right?) I've actually implemented this before - with a DNS server authoritative for the internal domain inside the firewall and a 'public-facing' one outside it for systems accessible from the outside world. Gawd knows why, but the client wanted it that way. Embarrassingly, I've also done it by accident as well - had a brainstorm moment and called the internal domain '******.com'... I guess that would have to go down as one of those 'ID Ten T' errors on my part :oops:

    Cheers for your help, both of you!
    Certifications: A few
    WIP: None - f*** 'em
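The split-brain setup in the last post (internal zone carrying the same name as the public domain, whether on purpose or by accident) has one recurring failure mode: a host that exists on the public side but was never added to the internal copy, so inside users cannot reach www or mail while the outside world can. The script below is an added example, not code from the thread: it takes a list of public host names, resolves each one against an external resolver and against the internal authoritative server, and reports names that are missing internally, names that resolve to different addresses (expected where the split is deliberate), and names whose internal record exists but does not answer. It assumes the DnsServer module (RSAT, Windows Server 2012 or later), an internal DNS server authoritative for the zone, and an external resolver reachable from where it runs; the zone, server and host names are placeholders.

```powershell
# Added example, not from the original post: find the gaps in a split-brain
# zone by comparing public resolution with the internal authoritative copy.
# Assumptions: DnsServer module (RSAT, Server 2012+), an internal DNS server
# authoritative for $zone, and an external resolver that can see the public
# zone. Every name and address below is a placeholder.
Import-Module DnsServer

$zone             = 'example.com'        # same name inside and outside
$internalServer   = 'dc1.example.com'    # authoritative internal copy
$externalResolver = '8.8.8.8'            # any resolver that sees the public zone
# Names the outside world relies on; in practice export these from the public
# zone file or the hosting provider rather than typing them in.
$publicNames = 'www', 'mail', 'vpn', 'autodiscover'

# Host names present in the internal zone as A or CNAME records.
$internalHosts = Get-DnsServerResourceRecord -ComputerName $internalServer -ZoneName $zone |
    Where-Object { $_.RecordType -in 'A', 'CNAME' } |
    ForEach-Object { $_.HostName.ToLower() }

function Resolve-AddressList {
    param([string] $Fqdn, [string] $Server)
    # Only the A answers; Resolve-DnsName also returns the CNAME chain.
    @(Resolve-DnsName -Name $Fqdn -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress })
}

$report = foreach ($name in $publicNames) {
    $fqdn   = "$name.$zone"
    $public = Resolve-AddressList -Fqdn $fqdn -Server $externalResolver
    $inside = Resolve-AddressList -Fqdn $fqdn -Server $internalServer

    $status =
        if (-not $public) { 'not published externally' }
        elseif ($internalHosts -notcontains $name.ToLower()) { 'MISSING from internal zone' }
        elseif (-not $inside) { 'internal record exists but does not resolve' }
        elseif (@($public | Where-Object { $inside -notcontains $_ })) { 'differs (fine if the split is deliberate)' }
        else { 'consistent' }

    [pscustomobject]@{
        Name     = $fqdn
        Public   = ($public -join ', ')
        Internal = ($inside -join ', ')
        Status   = $status
    }
}

$report | Format-Table -AutoSize
```

Anything reported as missing is a record to add to the internal zone (pointing at the internal address of the service, or at the public one if the firewall hairpins it); the 'differs' rows are the ones to review when someone inside reports that a site works from home but not from the office.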
