amendala asked:
Should DCs within a site point to themselves as DNS primary servers?

Greetings all -

I had a DNS failure this morning at work that has caused me to reevaluate the way my DNS configuration is set up.

My organization has a lot of Domain Controllers but I'm only concerned with one site for now. If I have two (2) DCs within a site, should they point to themselves as primary DNS servers and then to one another as secondaries? Or... should their primaries be set to point to one another instead?

I thought I remembered seeing a recommendation for this from Microsoft somewhere but I can't remember where.  If anyone has any input or links to Microsoft articles, I'd appreciate seeing them.
janicegannon:
I think that is correct. What is the DS error, do you need help with that?
amendala (asker):

No, I've got the issue taken care of. It was a recent patch (943485) that botched it. I'd upgraded all of my DCs to R2 except this one. So when it came back up after the patch, DNS didn't start, which caused a lot of havoc. One additional reboot took care of it; now I just need to upgrade it to R2 and be done with it.

However, while I'm at it, I'm re-evaluating my DNS setup.

And when you say "I think that is correct", what part? Which configuration?
ASKER CERTIFIED SOLUTION
PlaceboC6:
I agree with PlaceboC6, that is better. Do you want both servers to be able to allow logins? You should make them both Global Catalog servers.
Well, I've never had the slow boot time (with the primaries pointing to themselves) like you mention, but I do agree with the configuration and am thinking of pointing the primaries to one another and the secondaries to themselves.

I wish I could find the Microsoft article I read once that discussed this. Unfortunately, the only one I can find refers to single-DC networks.
No worries.

As long as you are running Server 2003, there aren't many gotchas. In Windows 2000 you wanted to point all DCs to a single DC and then configure the secondary to be whatever you wanted. There was something known as being "in an island".

The only change to what I told you would be if you had only a single DNS server at the remote sites.

Then you would point the primary to the DNS server at the home office (assuming a good WAN link) and the secondary to itself, for the same reason I provided before. Then of course point the clients to the local server for resolution in both cases.
Brian Pierce (KCTS):
I assume you mean PREFERRED, not PRIMARY. Primary DNS servers are something different altogether.
Windows DNS servers should point to themselves as preferred DNS server. The Alternate DNS server should be blank; otherwise you can get "looping" occurring.

It's always a good idea to make at least one other DC a global catalog server, as the others have said.

Also make sure that all clients have the address of a Windows DNS server as their preferred DNS server and the address of another Windows DNS server as the alternate DNS server. Check both the DHCP options and the TCP/IP settings on the network card.

Make sure that the only place external DNS servers appear is on the Forwarders tab in DNS on the DNS servers themselves.
So while you're hanging around your keyboard, what are your thoughts on this:

(From a KB article dated 2/27/2007):

"In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different DC in the same domain as their alternative DNS server, preferably another DC in the same site."

Shrug. :) Thoughts? Thanks for the rapid replies, you're very helpful thus far.
KCTS - You're correct. I'm intermixing my zone and server preference terminology. :)

Primary = Preferred
Secondary = Alternate
"The Alternate DNS server should be blank - otherwise you can get "looping" occuring."

Can you elaborate on this? I've never seen a DC set up with a blank Alternate in a multi-DC environment.
KCTS, I can't believe you took the time to correct a basic word that is fairly interchangeable. It is quite clear what we are talking about here.

Amendala,

This topic is one that can have arguments either way. Everyone has their own belief.

2000 best practices are different than 2003 best practices.

What I told you came straight from the mouths of two Microsoft Field Engineers that I worked with for a week. Prior to that, they were AD support personnel.

Truth is, as long as the zone information has replicated and all DNS servers are aware of the SRV records, DC GUIDs, etc., there isn't much to worry about in 2003 as far as where you point things.

Other than the slow boot issue I brought up before, when the DC is booting and looking for information from itself before it is even a DC.

And yes, you want at least a single GC in every site for authentication. You can enable universal group caching instead in 2003, but I prefer a GC.

There is absolutely nothing wrong with having a secondary DNS server configured as long as it isn't a 3rd-party DNS server. I've been through the most advanced AD/DNS training at Microsoft itself, not to mention I work on probably no fewer than 10 enterprise-level domains a week, and it is the norm to have secondary, or ALTERNATE, DNS servers configured.
I agree with PlaceboC6 on this one. KCTS, you are wrong in saying that there should be no Alternate DNS settings.
amendala:

Do you consider this question answered?

Have a good one
Sorry if you feel I am being a bit pedantic, but there is a vast difference between a "preferred" and a "primary" DNS server; the two words are NOT interchangeable and refer to entirely different things. It is better for clarity that the correct terms are used. "Preferred and alternate" refer to the preference in which queries will be submitted to servers, whereas "primary and secondary" refer to read/write and read-only DNS zones. Quite a difference.

As for the wisdom of having DCs with DNS point to each other as alternate DNS server, the jury is still out on that one. The topic has been discussed many times here on EE and there are pros and cons on both sides of the argument.

I am happy to discuss the topic further in the community forum, but I think further discussion here will not help the questioner.

What is clear is that DCs with DNS should use themselves as their preferred server and that the ISP's DNS servers must only be present in the forwarders.
"What is clear is that DCs with DNS should use themselves as their preferred server and that the ISP's DNS servers must only be present in the forwarders." - KCTS

This, I think, is perfectly stated. I believe that this is the proper way to set things up.
Yes KCTS, you are being petty. Everyone involved in the conversation knew exactly what we were discussing.

The recommendation I gave came not only from my experience working on multiple large global/enterprise domains on a regular basis, but from the mouths of high-level MS personnel. I figure heck: they wrote this OS... they train their own people... perhaps there is some validity to their suggestion.

But in the end... like I said before. In 2k3, as long as you are not using an ISP, it doesn't really matter which is the preferred or alternate DNS server when two side-by-side DCs are pointing to each other.

"What is clear is that DCs with DNS should use themselves as their preferred server and that the ISP's DNS servers must only be present in the forwarders."

Unfortunately, I don't think it's that clear. Microsoft has multiple publications which recommend both configurations, and I can see a number of drawbacks to pointing a DC to itself as the PREFERRED server. The biggest of these relates to specific circumstances wherein all of the DNS service dependencies on the DC do not get fully instantiated due to a botched patch reboot or things of that nature. When this happens, the server fails to respond to DNS queries because of an internal looping issue that Microsoft Premier Support acknowledges is fixed in Windows Server 2008.

This happened in my enterprise a week ago and has also happened to a number of AD engineers that I've spoken to who work at one of Microsoft's datacenters here in Washington state. Therefore, their recommendation, along with that of Microsoft Premier Support Services, is to set the PREFERRED server to another DC (within the same site if possible), and the ALTERNATE server to itself.
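As an added example, not posted by anyone in this thread: a PowerShell audit that reports each DC's resolver order (self-first vs. peer-first, the two positions debated above) and flags only the points the thread agrees on: no ISP/non-DC servers in the DC's client settings, an alternate configured, and the peer DC in the same site. It assumes a domain-joined admin host with the ActiveDirectory, DnsClient and DnsServer modules and CIM/WinRM access to the DCs; all hostnames and addresses come from your own AD.

```powershell
# Added audit script (not from the thread). Assumes the ActiveDirectory, DnsClient and
# DnsServer modules are installed and the DCs accept CIM/WinRM from this host.
Import-Module ActiveDirectory
Import-Module DnsClient
Import-Module DnsServer

# Map each DC's IPv4 address to its AD object so the script can tell an internal DC
# address from an external (ISP) one and check the same-site preference.
$dcs = Get-ADDomainController -Filter *
$dcByAddress = @{}
foreach ($dc in $dcs) { $dcByAddress[$dc.IPv4Address] = $dc }

foreach ($dc in $dcs) {
    $name = $dc.HostName
    # Resolver (client) settings on the DC's NICs: preferred first, then alternate(s).
    $servers = @(Get-DnsClientServerAddress -CimSession $name -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses })
    # Treat loopback as "itself" so self-first/peer-first is reported correctly.
    $servers = @($servers | ForEach-Object { if ($_ -eq '127.0.0.1') { $dc.IPv4Address } else { $_ } })
    # Forwarders are where external resolvers belong (KCTS's point above).
    $forwarders = @(Get-DnsServerForwarder -ComputerName $name |
        ForEach-Object { $_.IPAddress } | ForEach-Object { $_.IPAddressToString })

    $findings = @()
    if ($servers.Count -eq 0) { $findings += 'no DNS servers configured' }
    if ($servers.Count -eq 1) { $findings += 'no alternate DNS server configured' }
    foreach ($s in $servers) {
        if (-not $dcByAddress.ContainsKey($s)) {
            $findings += "non-DC server $s in client settings (belongs in forwarders)"
            continue
        }
        $peer = $dcByAddress[$s]
        if ($peer.HostName -ne $name -and $peer.Site -ne $dc.Site) {
            $findings += "peer $($peer.HostName) is in site $($peer.Site), not $($dc.Site)"
        }
    }
    # Report which ordering is in use without judging it; the thread disagrees on this.
    if ($servers.Count -gt 0 -and $servers[0] -eq $dc.IPv4Address) { $order = 'self first, peer alternate' }
    elseif ($servers -contains $dc.IPv4Address) { $order = 'peer first, self alternate' }
    else { $order = 'does not point to itself at all' }

    [pscustomobject]@{
        DC = $name; Site = $dc.Site; Order = $order
        ClientServers = ($servers -join ', '); Forwarders = ($forwarders -join ', ')
        Findings = ($findings -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record; an empty Findings column means the DC matches every point the thread agreed on, whichever ordering it uses.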
You got it Amendala!  :)