We are running 2 domain controllers in 2 separate offices connected via a VPN tunnel. Each of them is running a local DNS server. And we have 3 public DNS servers in our data center.
First, you want to verify AD replication using replmon from the Windows Server Resource Kit or Admin Tools.
Local DNS Server Properties and Configuration
Interfaces tab – Listen on All IP addresses
Forwarders tab – All other DNS domains is selected but select 3 public DNS to forward below
Advanced tab – check the following: BIND secondaries, Enable round robin, Enable netmask ordering, Secure cache against solution, Enable automatic scavenging of stale records every 1 day; Name checking – Multibyte (UTF8), Load zone data on startup – From Active Directory and registry
Root Hints – if you use forwarders, root hints doesn’t matter
Event Logging – log all events
Create Forward Lookup and Reverse Lookup Zones
You can set a particular DNS server to be the Start of Authority for each zone. Right click the SOA entry within each zone.
SOA tab – if replication is working, all domain controllers should have the same serial number; Refresh interval – 15 min, Retry interval – 10 min, Expires after 1 day, TTL 1 hour
General tab – Status – verify that it is running, Type – Active Directory-Integrated, Replication – All DNS servers in the AD domain, Dynamic updates – Secure only
Name Servers tab – list all local DNS servers
Zone transfers tab – Allow zone transfers Only to servers listed on the Name Servers tab
To troubleshoot "A referral was returned from the server" or other DNS errors, set up a separate primary DNS server on another machine that is not connected to Active Directory and point the problematic web appplication (i.e. Microsoft CRM Server) to that DNS server. You can keep this primary DNS server on its own island to keep it clean, or you can convert it later on to a secondard DNS server so that it can receive DNS zone updates from the domain controller.