Making Your DNS Service Fault Tolerant
When I first started doing freelance technical writing ten years ago, I realized pretty quickly that I was going to need to set up a network in my home so that I could experiment with the various products and techniques that I write about. When I first set up my home network, it was pretty modest. It consisted of two servers and two workstations. I used one of the workstations as a word processor and saved my documents to one of the servers. I used the other server and workstation for experimental purposes.
What started out as helping out a friend by writing the occasional article for his magazine soon grew into a full time business though. I was soon writing nearly 50 articles each month. I had to add dozens of computers to my network just to be able to accommodate all of the products and techniques that I was writing about. I still maintained the basic principle that I started out with of having a production network and a test network. My test network consists of all of the machines that I use to experiment with techniques for my articles. Pretty much anything goes for the test network since it's just a lab environment, but I have always tried to maintain my production network in an appropriate manner since it contains all of my data and all of the machines that I use for running my business.
Of course cranking out 50 or so articles each month doesn’t leave me a lot of time to play network administrator. Some things are bound to be occasionally overlooked. About a year ago, I learned the hard way that one of the details that I had overlooked when I expanded my network was a second DNS server.
As you probably know, the Active Directory is completely dependent on the DNS services. If a DNS Server goes down, then the Active Directory will completely cease to function until you bring the DNS Server back up. My problem was that the hard drive in my only DNS server failed. There are some techniques that you can use to install Windows onto a server, load the DNS services, and manually recreate the necessary DNS records in order to bring your Active Directory back online. Unfortunately though, my situation was a little more complicated than that.
When you install Windows 2000 Server or Windows Server 2003 as the first domain controller in a forest, several things happen. One of the things that happens is that Setup asks you if you want to make that server a DNS Server or if you would prefer to use an existing DNS Server. Like most people who are deploying Active Directory for the first time, I chose to install the DNS Services directly on the domain controller. Therefore, my failed server was acting as a domain controller and as a DNS server. The first domain controller within a forest is also automatically assigned all of the operations master roles for the forest, and all of the operations master roles for the domain that the domain controller resides in. In case you are not familiar with operations master roles, they are used to designate which servers will handle various housekeeping chores for the Active Directory at the domain level and at the forest level. An operations master role failure isn’t usually critical in the short term, but the Active Directory can’t function long term without these various tasks being performed.
There is one other task that was assigned to the server that failed. It was designated as the domain’s only global catalog server. As you probably know, the Active Directory allows you to create objects on any domain controller, and then the objects are replicated to the other domain controllers. This being the case, it would be theoretically possible for two different administrators to create two different objects on two different domain controllers using the same name. To prevent this from happening, the global catalog maintains a list of all of the objects in the domain. When a new object is created, the global catalog is consulted to make sure that an object by that name doesn’t already exist.
You might assume that the side effect of a global catalog failure is not being able to create new Active Directory objects. It’s a little more serious than that though. If the organization’s global catalog fails, then no one other than the domain administrator is allowed to log in. It is possible to designate multiple domain controllers as global catalog servers, but in most cases, there is only one global catalog per domain unless you specifically take the initiative to create more.
As you can see, my situation was dire to say the least. I had a hard drive crash on a domain controller, and the domain controller hosted the global catalog, all of the operations master roles, and DNS. You can seize operations master roles if need be, but doing so requires you to have a functional DNS server. You can designate additional servers to act as global catalog servers, but again, DNS must be functional so that the server can get a list of objects from the other domain controllers.
To make a long story short, my Active Directory was trashed. I tried to manually rebuild the DNS, seize the operations master roles, and designate a new global catalog server, but I just couldn’t get the new global catalog to work right without the old one being available. In the end I had to completely rebuild my Active Directory from scratch. For me, this was a major inconvenience because my network was down for a few days. Remember though that this is a network that I built in my home. You DO NOT want this situation to occur in a corporate environment. The process of rebuilding things would take a whole lot longer and be a lot more complicated if there were users involved. The only thing that you have to do to prevent this type of crash from ever occurring is to make sure that your network has at least two DNS servers and at least two global catalog servers.
The easiest way of setting up another DNS Server is to configure it to be a secondary DNS Server. To do so, go to the machine that will act as the secondary DNS, and select the Add / Remove Programs option from the Control Panel. When the Add / Remove Programs applet launches, click the Add / Remove Windows components button. You will now see a list of the optional Windows components. Select the Networking Services option and click the Details button. Next, select the Domain Name System (DNS) check box and click OK, followed by Next. Windows will now install the DNS services. You may be prompted to insert your Windows installation CD. Click Finish to close the wizard when installation completes.
The next thing that you will have to do is to open the DNS console by selecting the DNS option from the server’s Administrative Tools menu. Navigate through the console tree to DNS | your server | Forward Lookup Zone (be sure to click the plus sign next to the Forward Lookup Zone container even though there are no sub-containers). Now, right click on the Forward Lookup Zone container and select the New Zone command from the resulting shortcut menu. This will cause Windows to launch the New Zone wizard. Click Next to bypass the wizard’s Welcome screen and you will see a screen asking whether you want to create a primary, secondary, or stub zone. Select the Secondary Zone option and click Next. You will now be prompted to enter a zone name. Enter your organization’s DNS name. For example, in my organization, I would enter brienposey.com as the zone name. Click Next and you will be prompted for the IP address of the server that you want to copy zone information from. Enter the IP address of your existing DNS server and click Next. You will now see a summary screen displaying the options that you have chosen. If everything looks to be correct then click Finish.
At this point the forward lookup zone that you specified in the zone name portion of the wizard will appear. We aren’t quite done yet though. If your primary DNS server is running Windows Server 2003 then you will have to configure the primary DNS server to allow the transfer of zone information. To do so, open the DNS console on the primary DNS server. Right click on the zone and select the Properties command from the shortcut menu. When you do, you will see the zone’s properties sheet. Now, select the Zone Transfers tab, click the Allow Zone Transfers check box, and click OK. Now, go back to the secondary DNS server, right click on the zone, and select the Transfer From Master command from the shortcut menu. The zone data should transfer (you may have to try a couple of times). Now that you have a secondary DNS Server, don’t forget to change the TCP/IP configuration on your workstations to make the machines aware of the secondary DNS server.
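The same secondary-zone setup, scripted with dnscmd (from the Windows Server 2003 Support Tools) and followed by a check that the zone really transferred. This is an added example, not part of the original article; the zone name brienposey.com comes from the article, while the two IP addresses are constructed placeholders.

```batch
@echo off
rem Added example: secondary DNS zone via dnscmd instead of the DNS console.
rem Assumed values: zone brienposey.com (from the article); primary DNS at
rem 192.168.1.10 and secondary at 192.168.1.11 (constructed addresses).
set ZONE=brienposey.com
set PRIMARY=192.168.1.10
set SECONDARY=192.168.1.11

rem 1. On the primary, permit zone transfers, but only to the secondary.
rem    Ticking "Allow Zone Transfers" with "To any server" in the console
rem    lets any host on the network pull the entire zone with one AXFR;
rem    /SecureList limits transfers to the listed address, and /NotifyList
rem    tells the secondary to pull a fresh copy whenever the zone changes.
dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY% /NotifyList %SECONDARY%

rem 2. On the secondary, create the zone as a secondary copy of the primary
rem    (the New Zone wizard's "Secondary Zone" option).
dnscmd %SECONDARY% /ZoneAdd %ZONE% /Secondary %PRIMARY%

rem 3. Pull the zone now rather than waiting for the SOA refresh interval
rem    (the console's "Transfer from Master" command).
dnscmd %SECONDARY% /ZoneRefresh %ZONE%

rem 4. Verify: both servers must answer for the zone, and the SOA serial
rem    numbers must match; a lower serial on the secondary means the
rem    transfer has not happened yet (the article notes it can take a retry).
echo Primary SOA:
nslookup -type=SOA %ZONE% %PRIMARY% | find "serial"
echo Secondary SOA:
nslookup -type=SOA %ZONE% %SECONDARY% | find "serial"
dnscmd %SECONDARY% /ZoneInfo %ZONE%
```

Run the script from an account that is a member of the DnsAdmins group on both servers; the final two commands are the ones to repeat after any later zone change to confirm the secondary is still keeping up.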
Now that I have discussed setting up a secondary DNS Server, I want to quickly show you how to designate a domain controller to be a global catalog. Remember, you want to have at least two global catalog servers in each domain to prevent the problems that I described earlier.
To designate a domain controller to be a global catalog server, open the Active Directory Sites and Services console. Now navigate through the console tree to Active Directory Sites and Services | Sites | Default First Site Name | Servers | the server that you’ve chosen to act as a global catalog server | NTDS Settings. Now, right click on the NTDS Settings container and select the Properties command from the resulting shortcut menu. When you do, you will see the NTDS Settings Properties sheet. Select the Global Catalog check box found on the properties sheet’s General tab, and click OK. After about five minutes, the server will begin to function as a global catalog server.
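The same change made from the command line, with a check that the domain now has more than one global catalog server and a listing of where the operations master roles sit. This is an added example, not part of the original article; the domain name comes from the article, the domain controller name DC2 is a constructed placeholder.

```batch
@echo off
rem Added example: enable the global catalog on a second domain controller
rem and confirm the domain no longer depends on a single GC or on one server
rem for every operations master role.
rem Assumed names: domain brienposey.com (from the article), domain
rem controller DC2 (constructed).
set DOMAIN=brienposey.com
set NEWGC=DC2

rem Equivalent of ticking "Global Catalog" in NTDS Settings. repadmin ships
rem in the Windows Server 2003 Support Tools.
repadmin /options %NEWGC% +IS_GC

rem List every domain controller that advertises itself as a global catalog.
rem The article's rule is at least two entries here; one entry means the
rem single point of failure still exists.
dsquery server -domain %DOMAIN% -isgc

rem Ask the domain locator for a GC. This fails if no server is advertising
rem yet; the article notes it takes a few minutes after enabling the option.
nltest /dsgetdc:%DOMAIN% /GC

rem Operations master roles: if every role still lives on one server, that
rem server's failure again forces you to seize roles, which needs working DNS.
netdom query fsmo
```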
Having a DNS Server fail can be catastrophic to your network if the DNS Server that has failed is also the organization’s only global catalog server and holds the operations master roles for the organization. In this article I explained how you can create a secondary DNS server and extra global catalog servers to prevent this problem.