DNS Servers on a 2-Server Cluster


Racson

Hi to all:

I need to setup a cluster with 2 servers using Windows Server 2003 Enterprise Edition for fault tolerance and availability.

Environment:

Since these two servers (Server1 and Server2) will be the only ones in the company they will both be domain controllers and DNS Servers as well.

I am currently doing some testing at home. I have three PCs (Server1, Server2, and Client1) I want to configure the whole thing before the "Real Deal".

Server1 is the first node in the cluster, and Server2 will be inactive. So If Server1 fails it will "failover" Server2.

CNFinancialgroup.com is already registered and hosted by an external company. We are not planning on hosting our own web site.

The Local Domain Name that will be used on the network will be CNFinancialGroup.local or maybe .net

They will have a public IP address (or static IP address)

At home, Server1 is already configured with Active Directory, and DNS server was configured through the DNS Wizard that was launched when Promoting Server1 to a Domain Controller.

DNS on Server1 has two Forward lookup zones: CNFinancialGroup.local and _msdcs.CNFinancialGroup.local (What are these two?); and one Reverse Lookup Zone 192.168.1.x Subnet (Created manually).

They are Active Directory integrated Zones

PROBLEMS:

1) I want to make sure that DNS on Server1 is configured correctly. I can browse the internet without problem, and entering \\client1 in the Run menu works fine. Does this mean DNS is working fine? Should I add/change something? I read about stub zones and I think it applies to my situation, since the local domain name "CNFinancialGroup.local" is not registered.

2) How should I configure DNS on Server2? DNS on Server2 must work when Server1 is down completely.

I have not configured Primary Zones or Secondary Zones on either of the Servers. I think this is ok, since the DNS zones are Active Directory integrated.

When I added the Active Directory role on Server2 it did not launch the DNS wizard because it uses the DNS server on Server1.

Thanks a lot for any input on this!

Edited by Racson


Don't cluster DCs.

Do not give DCs public IP addresses.

There is also no point in clustering DNS - especially when you have only 2 servers - just set one as primary and the other as secondary.

In the event of a DNS failure, the clients will switch to use the other DNS server - they don't continue to first try the primary, then have to time out before querying the secondary.

A domain is "fault tolerant" by its nature - clients will query DNS to locate DCs and authenticate users.

AD-integrated DNS takes away the hassle of zone transfers and is a "multi-master" model, so point the DCs to themselves for primary DNS and the other DC for secondary (they should never need to use the secondary DNS as the DNS service should be running locally, and so long as replication is working then DNS updates get copied between the servers automatically).

You only need the DNS zone configured for your local domain, then configure both DCs with DNS forwarders pointing to your ISP DNS servers to resolve external addresses - don't complicate things with stub zones.

Never expose critical servers that need to run a large number of services to the Internet - if you absolutely have to route to the Internet then use NAT and a firewall, but ideally VPN (to a perimeter firewall) if it is just remote clients needing to authenticate.

Reading material (but seriously, don't cluster DCs):

http://support.microsoft.com/?id=281662

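The layout the reply above describes (each DC using itself as primary DNS and the other DC as secondary, forwarders to the ISP resolvers, no stub zones), followed by the kind of check the original poster asked about in problem 1, as an added example that is not part of this thread. It is a Windows Server 2003 command-prompt script; the addresses 192.168.1.10 and 192.168.1.11 for Server1 and Server2, the ISP resolver addresses in the 203.0.113.0/24 documentation range and the adapter name "Local Area Connection" are constructed assumptions, and dnscmd, netdiag and dcdiag are the Windows Server 2003 Support Tools versions.

```batch
@echo off
rem Added example, not from the thread: DNS client and forwarder setup for a two-DC domain,
rem plus the checks that show the DC locator records are really being served.
rem Constructed addresses: Server1 = 192.168.1.10, Server2 = 192.168.1.11,
rem ISP resolvers = 203.0.113.53 / 203.0.113.54 (replace with the ISP's real ones).
rem Run on each DC as Administrator; swap THIS_DC and OTHER_DC when running on Server2.

set THIS_DC=192.168.1.10
set OTHER_DC=192.168.1.11
set ISP_DNS1=203.0.113.53
set ISP_DNS2=203.0.113.54
set NIC=Local Area Connection
set ZONE=CNFinancialGroup.local

rem 1. The DC resolves against its own DNS service first, the partner DC second.
netsh interface ip set dns name="%NIC%" source=static addr=%THIS_DC%
netsh interface ip add dns name="%NIC%" addr=%OTHER_DC% index=2

rem 2. Anything outside the local zones goes to the ISP resolvers via forwarders.
rem    (Replaces the root-hints-only default; no stub zones are needed for this.)
dnscmd /ResetForwarders %ISP_DNS1% %ISP_DNS2%

rem 3. Confirm the AD-integrated zones exist on this server: CNFinancialGroup.local,
rem    _msdcs.CNFinancialGroup.local (DC locator records) and the 192.168.1.x reverse zone.
dnscmd /EnumZones

rem 4. Browsing \\client1 only proves name-to-address lookup; a DC also has to answer
rem    the SRV queries clients and the partner DC use to find LDAP and Kerberos.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE% %THIS_DC%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%ZONE% %THIS_DC%

rem 5. External resolution should now come back through the forwarders.
nslookup www.microsoft.com %THIS_DC%

rem 6. Support Tools checks: DNS registration of this DC and whether it advertises itself.
netdiag /test:DNS
dcdiag /test:Advertising
```

Repeat the script on Server2 with THIS_DC and OTHER_DC swapped; once both DCs answer the SRV queries in step 4 for their own address, either server can be down without the remaining one depending on anything but its own DNS service.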

I agree with the idea of not clustering DCs. It adds unnecessary overhead and complexity. DCs, by design, provide load-balancing & failover redundancy without clustering.

-John

Edited by jftuga

A 3rd agreement. Is it possible to add in an ISA server or another firewall product that will provide public access to the internet? A DC with a public IP is just asking for trouble. There is no need to cluster the 2 DCs, as if one DC fails the other is already running; the failover will be instantaneous. Plus, by having both servers active as DCs you get the benefit of having 2 servers to balance the load rather than one server sitting as a reserve that may never be used. Things to cluster: Exchange, SQL, Oracle, services like that that don't really have any built-in redundancy to them.


Thank you all for replying.

The reason they want the cluster is to have high availability of their loan software. They use Encompass. This application uses Microsoft SQL Desktop Engine.

My client says they can't afford a server being down for long periods of time. That's why a cluster solution was presented, and since there will be only 2 servers in the office they both have to be DCs and DNS servers.

About the public IP address, hmmm, I think the internet will come through a modem or router (the router will get the public IP address). This router will also do NAT (it's a regular Linksys router), unless my client orders internet access from a company that will provide a router. Then my client will need a firewall. Am I right?

The DCs won't actually get the public IP address assigned to them... If I sound a little confused here, advise me on this...

Thanks!


Depending on their internet provider and the type of line they are leasing (DSL, Cable, T1), their modem may or may not contain a router that will utilize NAT; on most higher-end modems the routing function is left to an actual router that can deliver NAT and firewall functionality. If they are truly looking for a high availability solution for this software, the cluster should only be used for this software. In the case of the MSDE I am not sure how clustering would work with this (I would assume it would be near the same as SQL, but I do not know if all the functionality for this is available). That would be something to check into. A firewall is a must; whether it be built into the router or a standalone system, some type of firewall is needed. If they truly want this HA system then they might be willing to spring for 2 servers (these don't have to be killer machines; they can be sized according to the number of users using the system, the system requirements and the projected growth of the system) that can be used specifically for this purpose. It is an investment on their part, but they do get the peace of mind that their software will always be available for their users.


In an AD environment, both of the nodes must be DNS servers and Global Catalog servers. Also, FSMO roles MUST be on one server and one server only, so this will have to be an active/active cluster. If one of the cluster nodes fails, and that DC is holding a domain FSMO role (and in your case, one or both of the nodes WILL hold at least one of the FSMO roles), these roles may have to be yanked away to the running node if/when this happens. Follow KB255504 if this is necessary. However, if there is time to transfer the roles before a server node holding FSMO roles fails completely, follow KB255690.

281662: Windows 2000 and Windows Server 2003 cluster nodes as domain controllers

http://support.microsoft.com/default.aspx?...kb;EN-US;281662

223346: FSMO placement and optimization on Active Directory domain controllers

http://support.microsoft.com/default.aspx?...kb;EN-US;223346

255504: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

http://support.microsoft.com/default.aspx?...kb;EN-US;255504

255690: How to view and transfer FSMO roles in the graphical user interface

http://support.microsoft.com/default.aspx?...kb;EN-US;255690

834231: When a Windows Server 2003 cluster node is a domain controller, you may receive an error message when you add domain users to the cluster file share

http://support.microsoft.com/default.aspx?...kb;EN-US;834231

898634: Active Directory domain controllers are not supported as Exchange Server cluster nodes

http://support.microsoft.com/default.aspx?...kb;EN-US;898634

Note that this is NOT a recommended configuration - Domain controllers by default have very high fault tolerance already built in to the AD roles other than the FSMO roles, and as such are quite redundant already without clustering. Also note that if these are busy DCs, and you are also running a clustered application, you will have to plan hardware accordingly for both nodes. If this is an x86 (32-bit) set of servers, I would HIGHLY recommend 4GB of RAM and at least 2 processors for each node - lsass.exe will be quite busy, and with the added load of a clustered app or two, any crash or overload of lsass.exe, csrss.exe, or winlogon.exe will BUGCHECK AND CRASH YOUR BOX. Keep that in mind (hopefully you can at least see the pitfalls of clustered DCs by now!).

Edit - fixed link for 898634.

Edited by cluberti
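The FSMO handling the post above points to (KB255690 for a planned transfer, KB255504 for seizing from a node that is gone for good), as an added command-prompt example that is not part of this thread. It uses the thread's server names Server1 and Server2 and assumes the person running it is a member of Domain Admins (plus Schema Admins and Enterprise Admins for the schema and domain naming roles); netdom and ntdsutil are the Windows Server 2003 Support Tools / built-in versions.

```batch
@echo off
rem Added example, not from the thread: move all five FSMO roles from Server1 to Server2
rem before planned Server1 downtime, and check the result. Names are the thread's own.
rem ntdsutil takes each prompt-level command as one argument; quote the multi-word ones.

set TARGET=Server2

rem Where do the roles live right now? (Shows which node a failure would actually hurt.)
netdom query fsmo

rem Graceful transfer (KB255690 procedure): the current holder is online and hands over
rem each role cleanly. ntdsutil asks for confirmation per role.
ntdsutil roles connections "connect to server %TARGET%" quit "transfer PDC" "transfer RID master" "transfer infrastructure master" "transfer domain naming master" "transfer schema master" quit quit

rem Confirm the new placement before taking Server1 down.
netdom query fsmo

rem Only if Server1 is permanently lost (KB255504 procedure): seize instead of transfer.
rem A seized-from DC must never be reconnected to the domain without being rebuilt,
rem because two DCs would then each believe they hold the same role.
rem ntdsutil roles connections "connect to server %TARGET%" quit "seize PDC" "seize RID master" "seize infrastructure master" "seize domain naming master" "seize schema master" quit quit
```

Run the transfer lines while both DCs are up and replicating; the seize lines are left as comments so the script cannot seize by accident, since seizing while the old holder is merely unreachable (rather than dead) is the classic way to end up with duplicate role holders.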
