tduplantis asked:

Primary and Secondary DNS

In a Windows environment, I have heard that once the primary DNS server becomes unavailable, the client will use the secondary DNS server for resolution, and will continue to use the secondary DNS server until IT becomes unavailable. This of course would cause havoc on networks set up by techs who use an external DNS server as a secondary in an Active Directory environment.

I'm looking for a Microsoft article that confirms the primary is no longer polled until the secondary becomes unavailable, or the workstation is rebooted.
Chris Dent


Hi,

You should not, under any circumstances, list a Public DNS Server as an alternate for an Active Directory Domain. You're right that it does cause havoc as clients will not be able to find the Service Records required for authentication and domain services to operate.

Is there no possibility of having a second DNS server internally?

If you need to use the Public DNS Addresses then they should be configured as Forwarders within an Internal DNS Server (so unresolved requests for non-authoritative domains will be sent there).

HTH,

Chris
Agreed. 50% of questions in these TAs seem to boil down to this. I don't know of a MS TechNet article but ultimately it is obvious. Your client PCs and servers need to query DNS for a record in your internal DNS. They go to external DNS for whatever reason. The query goes all the way to a root server or whatever trying to find your .random ended domain, giving a long pause and a non-working network.

Will see if I can find a doc. Must be one somewhere!

Steve

There are a few bits listed on it here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#E1AAG

Although it doesn't specifically mention not having public DNS servers listed it does emphasise the importance of correct name resolution within your domain.

The thing is, it's difficult to feel motivated to provide documentation on the resolver itself when adding public DNS server addresses into client-end IP configuration is responsible for so many problems (just as Steve mentions).

Remember that even if you do maintain these settings, the Windows DNS Resolver has a Negative Cache as well; although it's only 5 minutes, it's still 5 minutes more than a brief network flicker at the wrong time would cause. Most of the nice to read DNS documentation is in book form, and I would recommend reading "DNS & BIND" which is now onto its fifth edition:

http://www.oreilly.com/catalog/dns5/

That covers the resolver and its behaviour in quite a lot of detail, something that's quite tricky to find as publicly available documentation outside of RFCs.

Chris
I agree with the above two posts but I just want to add a little bit about a common misconception. Many people (like your techs) think that you put the internal DNS server as primary and a public one as secondary so that the primary will take care of internal DNS queries and then the secondary will take care of external queries. WRONG WRONG WRONG. If the primary server is up, then the secondary server is never even queried at all.
Do a simple "NSLOOKUP www.yahoo.com" to confirm this. You will see that the answer comes from the primary DNS server, not the public secondary.

http://support.microsoft.com/kb/291382

Question: Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

Answer: No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.
trippleO7

From this MS Article (Using Secondary Servers):  http://technet2.microsoft.com/WindowsServer/en/library/83564a51-441e-4b4d-b4ac-2fbbb53c39271033.mspx?mfr=true


"...Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available..."

Read up on the links in that article for more detail.
tduplantis (ASKER)

I should have worded the question differently. I am well aware that you should never use an external DNS server in an Active Directory domain.

What I am looking for is confirmation from Microsoft that the secondary DNS server will continue to be used after the primary went unavailable, then became available again. I will peruse the answers that have been posted and see if that has already been answered. Thanks!

The Resolver works on a per-query basis. It doesn't discard a server if it's not up, as it doesn't provide continual connectivity testing to the DNS Server; that would be very wasteful of network bandwidth when the mechanism is intended to be as light as possible.

It will try the first name server in the server list, then the second, then the third and so on stopping when it encounters one that is available (waiting for the connection time-out each time).

If, for whatever reason, your main server doesn't respond within the specified timeout period it will skip onto the public one. This is the main reason it shouldn't be included from the AD perspective, as it's rare you can truly guarantee that the server will be perpetually available.

It's possible that the MS resolver behaves differently from the standard resolvers, however I suspect that is quite unlikely and the method of operation is as described above.

Chris
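The ordered, per-query behaviour Chris describes above, as an added simulation (constructed for this thread, not Windows resolver code or anything posted by the participants): every query walks the configured server list from the top, a server that times out is skipped for that query only, and the AD domain name, server names and records are made-up placeholders. It shows why a public secondary breaks domain lookups when the internal server is unreachable, and that the primary is used again as soon as it answers.

```python
from dataclasses import dataclass, field

# Constructed AD domain controller SRV name (placeholder domain)
AD_SRV = "_ldap._tcp.dc._msdcs.corp.example"


@dataclass
class Server:
    name: str
    zones: dict = field(default_factory=dict)  # qname -> answer
    up: bool = True

    def query(self, qname):
        if not self.up:
            return None  # simulated timeout: no response at all
        # A reachable server always responds, with a record or a definite NXDOMAIN
        return self.zones.get(qname, "NXDOMAIN")


def resolve(servers, qname):
    """Try servers strictly in list order; stop at the first that responds.

    No state is kept between calls, so a server that timed out last time is
    tried again first on the next query.
    """
    for srv in servers:
        answer = srv.query(qname)
        if answer is not None:
            return srv.name, answer
    return None, "no server reachable"


def scenario():
    """Internal DC as primary, ISP resolver as secondary; DC goes down and back."""
    internal = Server("dc01", {AD_SRV: "dc01.corp.example:389",
                               "www.example.net": "answer via forwarder"})
    public = Server("isp-dns", {"www.example.net": "answer from ISP"})
    order = [internal, public]
    log = []
    log.append(resolve(order, AD_SRV))  # primary up: SRV record found
    internal.up = False                 # primary times out
    log.append(resolve(order, AD_SRV))  # public server answers NXDOMAIN: no DC
    internal.up = True                  # primary back
    log.append(resolve(order, AD_SRV))  # used again on the very next query
    return log


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The middle step is the "havoc" case from the thread: the client got a definitive negative answer for the domain controller record from a server that can never hold it, rather than merely waiting.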
Actually I have a tech who is disputing my entire argument! I'm trying to put together a document on setting up simple AD domains and configuring DNS. His argument is that using an external secondary DNS server in a single server domain is good since they will still be able to use the internet should the domain controller go down.

I know this is folly as I have fixed many domain issues by removing any external DNS configurations on workstations and servers, but I need proof to validate my argument. So the question has been split.

1. Documentation on how long a client uses the secondary DNS server should the primary become unavailable, then available again. Does the client poll the primary every time it tries to resolve a name, even if it was unavailable the last time it tried?

2. Pitfalls of using an external secondary DNS server on clients in a single server Active Directory domain.
Thanks Chris for that answer. That debunks the theory I was told about secondary DNS servers.
Well it all depends on the client.  If the primary dns server goes down, and is left with the secondary (public), then any machine that is still on will be able to get out to the net, but isn't going to access local network resources.  The other side to that is if a client machine is powered off, then it gets turned on to login, if it can't find the primary (internal), it may take foreverrrrrrrrrrrr to login as it has to time out (it may also use cached credentials if no network connection is found).

There are far fewer benefits to having the secondary DNS be a public IP. The only real benefit is if the server goes down while the client is powered on/logged on, they can still get internet access.

Facts are facts... I think you need to create a list of pros and cons... you will easily see. Have a 2nd internal DNS server as someone above suggested. It would solve this whole problem.

Hopefully the best practice links and the support article Mike posted go some way towards pointing out to your Tech that the setup is not a good one. DNS holds up Active Directory; the articles should certainly be understood.

The Unix / Linux documentation for resolv.conf is actually a little clearer about exactly what the Resolver does in these instances: the system remains simple and it's just order based. Whichever version you look at ends up saying approximately the same thing; here's one for example:

http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/resolver.5.html

The mechanism has to be kept simple and hasn't changed for years to a great extent. Persistent connection testing would remove that simplicity.

Chris
I think the issue here is, if the single domain controller is down, they are not logging in (other than cached mode), or accessing any resources on the server anyway.  So, why not at least give them internet, and use a secondary external IP address on the clients?

However, my argument is, sometimes the client is not polling the primary like it should, and is indeed using that secondary more than it should.  At least, that is how it seemed in environments that I have fixed by removing any external dns servers.
Well if your Primary DNS (domain controller) isn't forwarding to a different DNS Server, Internet requests would then go to the Root Hint servers if your primary dns doesn't know where the site is....unless you tell it not to.  Anyways...To win your argument, you would need a backup domain controller with a 2nd internal DNS server (MS recommended).

Chris-Dent explained it easily enough. Requests go in order of your DNS servers. You could have 1, 2, 5, 10, etc., but a client machine is always going to start at the top of the list and work its way down. If dns1 can't resolve, go to dns2; if dns2 can't resolve, go to dns3, etc. It will continue to do this until it finds the DNS server that can serve the client request.

Just curious, but when this DC goes down, is it planned or are you preparing for a disaster/unplanned downtime?  If planned, schedule the downtime when there are no (or less) users on the network.  I'm not sure how your environment works, but I reboot servers in the night hours (midnight-3am) for updates, etc.

ASKER CERTIFIED SOLUTION
Chris Dent
Here's a typical real world issue here from setting secondary to ISP for reference:

https://www.experts-exchange.com/questions/22047896/Intermittent-Printer-Issues.html#17867211
tripple: In my environment, we support a wide range of customers, ranging from mom and pop nursing homes to very large multi facility corporations.  The mom and pops cannot always afford a second server.  They pretty much administer their own environment and call on us when there are problems.  We provide them the software to run their facility, the added layer of support for their infrastructure is just a bonus pretty much and we provide that support in reactive mode only.

I like Chris' last response.  It makes a lot of sense and I think I can use that.

Thanks everyone for your responses.

Glad I could help out.

Chris