#1
Limit DNS queries for DFS to specific AD DNS servers

Is there a way to implement a cost for DNS to keep DNS queries to a certain host? I have two physically separate sites that are part of the same forest. Each site has 2 domain controllers running DNS. Each site has its own DFS root and not the other site's DFS root - I didn't set this up, just inherited it. What happens is if I am at site A and do a DNS query for the DFS root in site A, I can get the DNS server in site B, and this will time out. Round robin will kick in and I will eventually get a DNS server in site A and DNS queries will work. I want to keep all queries for site A to the DNS servers in site A and all queries for site B to the DNS servers in site B. Is this possible?

Thanks.
-- Michael
#2
RE: Limit DNS queries for DFS to specific AD DNS servers

Hello Michael,

Thank you for posting here.

According to the description, it seems that the issue is: You are at site A and perform a DNS query for the DFS root in Site A, you can get the DNS server in site B, and this will time out. You wonder if it is possible to keep all queries for site A to the DNS servers in site A and all queries for site B to the DNS servers in site B.

Analysis and Suggestion:
======================

Based on the research, domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.

As you said, each site has 2 domain controllers which are running DNS server. It is possible to make the users always query their DNS and authenticate to their local domain controllers in their local site. You may need to create a subnet object and a site object for each site by using Active Directory Sites and Services, and then ensure that the local DNS server IP address is associated with the subnet in their local site.

In this case, to fulfill the demand, you may need to create a site object for each site in which you have placed domain controllers and then create subnet objects for every IP subnet and subnet mask associated with each location. Subnet objects are used to represent all the IP addresses within the site.

For more detailed information, please refer to:

Designing the Site Topology
http://technet.microsoft.com/en-us/l.../cc787284.aspx

My understanding of the reason why clients in Site A are always referring to the DFS server in Site B is that it may be related to Site configuration or DFS client cache.

According to the statement in the part of Least Expensive Target Selection in the document "How DFS works"
http://technet.microsoft.com/en-us/l.../cc782417.aspx
the general steps that occur when a client accesses a domain-based or stand-alone namespace are described below. These processes assume the following:

a. The client's domain cache contains the necessary domain name referrals and domain controller referrals.
b. The client's referral cache does not contain existing referrals for the targets that the client is attempting to access.
c. The first root target and link target in each referral are available.

If the DFS client has once been referred to the wrong DFS target member server before, the next time you try to access the DFS share, it will always refer to the wrong DFS target if it is available because of the DFS client cache.

My suggestion:

1. Create 2 site objects, each of which is associated with its local domain controller and the DFS member server, in Active Directory Sites and Services
2. Make sure the IP address of the DFS client is in the same site as the DFS target member server
3. Flush DFS cache on the problematic client
   a. Install Windows Server 2003 Service Pack 1 Support Tools on a client and run the following command to flush DFS cache:
      Download: Windows Server 2003 Service Pack 1 Support Tools
      http://support.microsoft.com/kb/892777
   b. Dfsutil /pktflush

Hope it can be helpful

David Shen
Microsoft Online Technical Support
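
Added example, not part of the reply above or of any Microsoft tool: a small offline check of the subnet-to-site mapping that suggestions 1 and 2 depend on, reporting hosts whose IP resolves to a different site than expected or to no subnet object at all. The subnet table, host names, addresses and site names are constructed sample data, and the check assumes the most specific matching subnet decides the site.

```python
import ipaddress

# Constructed sample data standing in for the subnet objects defined in
# Active Directory Sites and Services (subnet -> site). Not from the thread.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "SiteA",
    "10.2.0.0/16": "SiteB",
    "10.1.50.0/24": "SiteB",   # deliberately mis-assigned subnet
}

# Constructed hosts: (name, IP, site the host is physically located in).
HOSTS = [
    ("dc-a1", "10.1.0.10", "SiteA"),
    ("dfs-a", "10.1.0.20", "SiteA"),
    ("client-a7", "10.1.50.33", "SiteA"),
    ("dc-b1", "10.2.0.10", "SiteB"),
    ("client-x", "192.168.7.5", "SiteA"),
]


def site_for_ip(ip, subnet_to_site):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net:
            # Assumption: longest prefix (most specific subnet) wins.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def audit(hosts, subnet_to_site):
    """Return (name, ip, expected, resolved) for each host in the wrong site."""
    findings = []
    for name, ip, expected in hosts:
        resolved = site_for_ip(ip, subnet_to_site)
        if resolved != expected:
            findings.append((name, ip, expected, resolved))
    return findings


if __name__ == "__main__":
    for name, ip, expected, resolved in audit(HOSTS, SUBNET_TO_SITE):
        status = "no subnet object" if resolved is None else f"maps to {resolved}"
        print(f"{name} {ip}: expected {expected}, {status}")
```

A host reported with no subnet object has no site assignment from its IP address, and one reported under the other site will be treated as local to that site's servers.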
#3
RE: Limit DNS queries for DFS to specific AD DNS servers

Hi customer,

How's everything going? I'm wondering if the suggestion has helped or if you have any further questions. Please feel free to respond to the newsgroups if I can assist further.

David Shen
Microsoft Online Technical Support