
Thread: Best practices for DNS AD on domain controllers

  1. #1
    Andrea Guest

    Best practices for DNS AD on domain controllers

    Hello,
    I have two Windows Server domain controllers, 2008 and 2003, configured
    with AD-integrated DNS. I would like to know the best practices
    for setting the DNS IP order on the servers. This is my current configuration:

    DC1:
    Primary DNS is local eth IP (192.168.1.1)

    DC2:
    Primary DNS is local eth IP (192.168.1.2)


    Is this a good configuration? Or do I also have to set a secondary IP, like this:

    DC1:
    Primary DNS is local eth IP (192.168.1.1)
    Secondary DNS is DC2 eth IP (192.168.1.2)

    DC2:
    Primary DNS is local eth IP (192.168.1.2)
    Secondary DNS is DC1 eth IP (192.168.1.1)

    ?
    Otherwise, is it better to use the localhost IP (127.0.0.1)?


    Thanks very much!
    Andrew

  2. #2
    Meinolf Weber Guest

    Re: Best practices for DNS AD on domain controllers

    Hello Andrea,

    This is the better choice.

    DC1:
    Primary DNS is local eth IP (192.168.1.1)
    Secondary DNS is DC2 eth IP (192.168.1.2)

    DC2:
    Primary DNS is local eth IP (192.168.1.2)
    Secondary DNS is DC1 eth IP (192.168.1.1)


    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm






  3. #3
    Andrea Guest

    Re: Best practices for DNS AD on domain controllers

    Meinolf Weber wrote:
    > Hello Andrea,
    >
    > This is the better choice.
    >
    > DC1:
    > Primary DNS is local eth IP (192.168.1.1)
    > Secondary DNS is DC2 eth IP (192.168.1.2)
    >
    > DC2:
    > Primary DNS is local eth IP (192.168.1.2)
    > Secondary DNS is DC1 eth IP (192.168.1.1)
    >


    OK, but what if I have more than two domain controllers?
    For example, five DCs...
    Do I have to configure every DNS list with all the DCs?


    thanks

  4. #4
    Meinolf Weber Guest

    Re: Best practices for DNS AD on domain controllers

    Hello Andrea,

    If you like, you can add more than a second DNS server to the secondary list
    of DNS servers. But the question is: how often are both of the DNS servers
    down together?

    Best regards

    Meinolf Weber




  5. #5
    Andrea Guest

    Re: Best practices for DNS AD on domain controllers

    Meinolf Weber wrote:
    > Hello Andrea,
    >
    > If you like, you can add more than a second DNS server to the secondary
    > list of DNS servers. But the question is: how often are both of the DNS
    > servers down together?


    Sorry, but why must both of the DNS servers be down together?

  6. #6
    Meinolf Weber Guest

    Re: Best practices for DNS AD on domain controllers

    Hello Andrea,

    That was not what I meant with my sentence. They do not have to be down
    together. The secondary DNS server will be used if the preferred DNS is not
    responding. So if the preferred is down and the secondary is also down, then
    the machine will not be able to contact a DNS server and will get problems/errors.

    Best regards

    Meinolf Weber




  7. #7
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Best practices for DNS AD on domain controllers

    In news:ggf0c8$cp4$2@nnrp.ngi.it,
    Andrea <pinco_fake@tin.it> requesting assistance, typed the following:
    > Meinolf Weber wrote:
    >> Hello Andrea,
    >>
    >> If you like, you can add more than a second DNS server to the
    >> secondary list of DNS servers. But the question is: how often are
    >> both of the DNS servers down together?
    >
    > Sorry, but why must both of the DNS servers be down together?



    Andrea,

    To add to Meinolf's posts, here is a breakdown of how it works. Keep in
    mind, it is based on the DNS Client Side resolver; even the DC is a "DNS
    Client", since it is using a DNS server to resolve queries, whether using
    itself or another DNS server specified in IP properties.

    DNS Client side resolver service
    http://technet.microsoft.com/en-us/l.../cc779517.aspx

    To summarize, if there are multiple DNS entries on a machine (whether a DC,
    member server or client), it will ask the first entry first. If it doesn't
    have the answer, it will go to the second entry after a time out period, or
    TTL, which can last 15 seconds or more as it keeps trying the first one, at
    which point it REMOVES the first entry from the eligible resolvers list, and
    won't go back to it for another 15 minutes. This can cause issues within AD
    when accessing a resource such as a printer, folder, getting GPOs to
    function, etc.

    Now if the ISP's is the first one, obviously it will be knocked out when a
    client is trying to log in. This can be noticed by a really, really long
    logon time period the client will experience before it goes to the second
    one, your internal DNS. So now the first one is knocked out for 15 minutes.
    Then say the client decides to go to an internet site. It will be querying
    the internal DNS at this point. As long as the internal DNS is configured
    with forwarders to an outside DNS, or uses its Roots, it will resolve it.
    So why even bother with an ISP in the client?

    Another good reason to ONLY use the internal DNS server in the VPN's DHCP
    service for VPN clients. Keep in mind, the client will probably be
    configured with an ISP's anyway if outside the network. Fine, otherwise it
    can't find the VPN server on the internet anyway. But once the VPN
    authenticates and is connected, the VPN interface will be the first in the
    binding order, and now you WANT to only have the internal DNS servers in
    that interface.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly.
    Please check http://support.microsoft.com for regional support phone
    numbers.

