Nick,

Thanks for the help, but I have 2 DNS servers installed currently. It has to be some type of configuration error on my part. I’ll keep digging.

From: Kwiatkowski, Nicholas [mailto:[log in to unmask]]
Sent: Friday, September 28, 2012 1:16 PM
To: Tim Heckaman; [log in to unmask]
Subject: RE: [MSUNAG] DNS Help

The issue stems from what happens when your in-house DNS server fails.

If you have the 1st DNS as your AD server, and the 2nd as one of the many Campus DNS servers, things will go like this:

- Normally, you will resolve to your AD server. This is required to allow people to login, map drives, access AD resources for authentication, etc. Requests for regular internet sites (or MSU sites, for that matter) are handled by your AD server, and if it is not already in its cache, it will proxy the request to other DNS servers.

- If your AD server is unavailable, requests will be handled by MSU’s DNS servers. This is not a problem, but MSU’s DNS servers will have no idea about your AD servers, printers, file shares, etc. This will cause some weird issues, but users will still be able to facebook.

- If your AD server is slower at responding to DNS than the magic threshold (I believe in Windows XP, this is a 2,000ms timer), the request will be asked of the 2nd DNS server on the list. Users will still be able to facebook (as both servers know how to handle these requests), but sporadically users will not be able to map drives, authenticate, or their machines will display weird profile errors when booting.

The trick is that MS-AD’s DNS service adds all sorts of special tags and subdomains to their DNS responses so that Windows machines know how to get to certain resources. This was done during the migration from NetBios (and NetPipes) to IP for address resolution. If you look at your local AD server, you will see these entries.

Microsoft’s recommendation is to have a secondary DNS server set up to help fulfill these requests when the primary is unavailable, or too slow to answer the requests. You would need a secondary Windows box, install DNS services, and make it a slave of your primary. This way additions are automatically propagated to this second server.

-Nick
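An added check, not part of this thread, that tests the point Nick makes above: for each DNS server configured on the machine's adapters, it asks that server for the Global Catalog and domain-controller SRV records an AD client depends on, so a campus resolver that knows nothing about the domain shows up as a failure before an outage or a slow primary sends clients to it. It assumes PowerShell 3 or later with the DnsClient module (Windows 8 / Server 2012 and later) and takes the AD domain name from $env:USERDNSDOMAIN.

```powershell
# Added example: query every configured DNS server for the AD-specific SRV records.
# Assumes PowerShell 3+ with the DnsClient module (Windows 8 / Server 2012 or later).
# $env:USERDNSDOMAIN is assumed to be the AD DNS domain of the machine this runs on.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# Records an AD client needs to locate a Global Catalog and a domain controller.
# A resolver that is not AD-integrated (e.g. a campus DNS server) cannot answer these.
$adRecords = @(
    "_ldap._tcp.gc._msdcs.$Domain",     # Global Catalog (named in the 'Scan This Role' error)
    "_ldap._tcp.dc._msdcs.$Domain",     # domain controllers
    "_kerberos._tcp.dc._msdcs.$Domain"  # Kerberos KDCs
)

# Every DNS server on every IPv4 adapter, in the order the client will try them.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $i = 0
        foreach ($ip in $_.ServerAddresses) {
            [pscustomobject]@{ Adapter = $_.InterfaceAlias; Order = $i; Server = $ip }
            $i++
        }
    }

$results = foreach ($s in $servers) {
    foreach ($name in $adRecords) {
        try {
            # -DnsOnly skips the local cache/hosts file so the answer comes from $s.Server itself.
            $answer  = Resolve-DnsName -Name $name -Type SRV -Server $s.Server -DnsOnly -ErrorAction Stop
            $targets = ($answer | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ','
            $status  = if ($targets) { 'OK' } else { 'NO SRV ANSWER' }
        } catch {
            $targets = ''
            $status  = "FAIL: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Adapter = $s.Adapter; Order = $s.Order; Server = $s.Server
            Record  = $name;      Status = $status; Targets = $targets
        }
    }
}

# Any server with a FAIL row is the one clients fall back to when the first server is
# down or slow, and that is when logons, drive mappings and profiles break as described.
$results | Format-Table -AutoSize
```

Run it on the DC itself and on a workstation: the DC's own address should come back OK for all three records, while a campus resolver listed as the second server shows FAIL.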

From: Tim Heckaman [mailto:[log in to unmask]]
Sent: Friday, September 28, 2012 11:41 AM
To: [log in to unmask]
Subject: [MSUNAG] DNS Help

I’m sure this is an easy answer but it has got me stumped. I’m running 2 DCs with DNS. I have 1 nic on each machine. In the DNS fields of those nics I have the primary DC as the first IP to go to to resolve IPs. In the second I’ve tried leaving it empty (obviously not correct) and I’ve tried using the MSU IPs listed in the network values on http://network.msu.edu/netinfo/netvalues.html. When I run a “Scan This Role” I get errors that say “DNS: The DNS server (IP address) on Local Area Connection must resolve Global Catalog resource records for the domain controller” and a slew of other errors. I’m also getting warnings that say “DNS: Root hint server (IP address) must respond to NS queries for the root zone.”

Obviously I’m not a DNS guy but I’ve tried everything I know to do, and a ton of research and I’m no closer to getting this issue resolved. Everyone still has internet access, including my servers but I don’t like having warnings and errors in my logs. If there is a DNS guru out there that would like to help a noob out please let me know.

Thanks