DNS Best Practices for Domain Controllers

Why should we use best practices?

Because these settings and configurations have been tested and implemented in production environments, with great success.

Symptoms of a misconfigured NIC on a Domain Controller (DC):

1. We'll see network latency.
2. Domain Controllers (DCs) will not replicate with each other at the regular interval.
3. Servers and workstations will go out of sync with regard to domain resources.

Correct the DNS (applies to 2003, 2008, 2008 R2 and 2012 DCs):

Open CMD as Administrator and type: ncpa.cpl. This opens Network Connections.

01. Under Network adapters, select TCP/IP IPv4 properties.
02. Always set the preferred DNS entry to the DC itself (if it has the DNS role).
03. The secondary DNS can be any DC of the domain that has the DNS Server role installed.
04. The rest of the servers should have the PDC's DNS as preferred DNS and another DC as secondary DNS.
05. Remove from preferred and secondary DNS; you can keep it as the third DNS entry.
06. In IPv6 properties, set "Obtain IP address automatically" and "Obtain DNS server address automatically".

Note: Never disable IPv6. See "Why you should not Disable IPv6" and "Why you should leave IPv6 alone".

If your environment forces you to disable IPv6, then I would suggest making IPv4 preferred over IPv6 instead. You can do this by adding a "DisabledComponents" DWORD (32-bit) value with data 20 (hexadecimal) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters.

For more info check this link: How to Disable IPv6

07. Make sure "Register this connection's addresses in DNS" is checked.
08. Disable any unused NICs, because a multihomed network is not recommended in AD. See "Active Directory communication fails on multihomed domain controllers" and "Multihomed DCs with DNS" by Ace Fekay.
09. Never add the default gateway as a DNS address; it will never resolve names in AD-integrated DNS.
10. IP address, subnet mask, default gateway and preferred DNS entries are mandatory. If you have a second DC in the domain, add it as the secondary DNS.
11. You can get rid of disabled network adapters using this article: Disabled Adapters.
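As an added example (my own audit script, not part of the original article), the following checks a DC's NIC against steps 02, 07, 08, 09 and 10 and the DisabledComponents note above. It assumes Windows Server 2012 or later (the NetTCPIP and DnsClient modules) and an elevated PowerShell session; it only reads configuration and reports deviations.

```powershell
# Read-only audit of DC NIC DNS settings against the checklist above.
# Assumes Windows Server 2012+ (NetTCPIP / DnsClient modules), run elevated on the DC.
$findings = @()

# Step 02 applies only when the DNS Server role (service name "DNS") is installed.
$hasDnsRole = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)

# Step 08: more than one adapter that is Up means a multihomed DC.
$nics = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($nics.Count -gt 1) {
    $findings += "Multihomed: $($nics.Count) adapters are up ($($nics.Name -join ', '))"
}

foreach ($nic in $nics) {
    $cfg  = Get-NetIPConfiguration -InterfaceIndex $nic.ifIndex
    $self = @($cfg.IPv4Address.IPAddress)
    $gw   = $cfg.IPv4DefaultGateway.NextHop
    $dns  = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)

    # Step 10: IP address, default gateway and preferred DNS are mandatory.
    if ($self.Count -eq 0) { $findings += "$($nic.Name): no IPv4 address" }
    if (-not $gw)          { $findings += "$($nic.Name): no default gateway" }
    if ($dns.Count -eq 0)  { $findings += "$($nic.Name): no DNS servers configured"; continue }

    # Step 09: the default gateway must never be listed as a DNS server.
    if ($gw -and ($dns -contains $gw)) {
        $findings += "$($nic.Name): default gateway $gw is listed as a DNS server"
    }

    # Step 02: on a DC with the DNS role the preferred (first) DNS server is the DC itself.
    if ($hasDnsRole -and ($dns[0] -notin $self)) {
        $findings += "$($nic.Name): preferred DNS is $($dns[0]), not this DC ($($self -join ', '))"
    }

    # Step 07: "Register this connection's addresses in DNS" must be ticked.
    $client = Get-DnsClient -InterfaceIndex $nic.ifIndex
    if (-not $client.RegisterThisConnectionsAddress) {
        $findings += "$($nic.Name): dynamic DNS registration is disabled"
    }
}

# IPv6 note: leave IPv6 enabled; only DisabledComponents = 0x20 (prefer IPv4) is recommended.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -and ($dc -ne 0x20)) {
    $findings += ('DisabledComponents is 0x{0:X}; only 0x20 (prefer IPv4) is recommended' -f $dc)
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'NIC DNS settings match the checklist.' }
```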

Why NIC binding is important:

Any resource in the domain (server, workstation, printer, etc.) will contact the first NIC listed in Network Connections. If there is more than one NIC, connectivity may fail or take longer while the wrong adapter is tried first.

Fix it:

01. In Network Connections, select Advanced from the File menu list.
02. From the Advanced menu, select Advanced Settings.
03. In the Adapters and Bindings tab, under Connections, keep the active NIC (the one with DNS configured) at the top of the list.
04. In the Provider Order tab, always keep Microsoft providers at the top.

Note: Sometimes the File menu is not visible; press the ALT key once to make it appear.

These settings are the defaults and the best practices of mine and of many other experts that I've observed in multiple communities and forums. There will be no negative impact on Domain Controllers. However, I would suggest testing these settings in a test environment first.

Expert Comment

02. Always make sure preferred DNS entry as DC itself (if it has DNS role).

I am not saying this is incorrect, even though I am not fully agreed that this is correct ..:-) How is this going to work out if the AD service starts before the DNS service and it can't locate a DNS server... BTW I am just asking your opinion on this ..

Author Comment

If you are referring to the Server 2008 AD DS service start process, then I would say we are starting the DNS Server service, and the preferred DNS setting that we are talking about is in the DNS Client service and NIC properties. So the AD DS service start process will not interact with the DNS Client service unless it has something to do with network communication or connectivity.
