Primary and Secondary DNS

Posted on 2006-11-06
Last Modified: 2012-05-05
In a Windows environment, I have heard that once the primary DNS server becomes unavailable, the client will use the secondary DNS server for resolution, and will continue to use the secondary DNS server until IT becomes unavailable.  This of course would cause havoc on networks set up by techs who use an external DNS server as a secondary in an Active Directory environment.

I'm looking for a Microsoft article that confirms the primary is no longer polled until the secondary becomes unavailable, or the workstation is rebooted.
Question by: tduplantis

17 Comments
 
Expert Comment by: Chris Dent

Hi,

You should not, under any circumstances, list a Public DNS Server as an alternate for an Active Directory Domain. You're right that it does cause havoc as clients will not be able to find the Service Records required for authentication and domain services to operate.

Is there no possibility of having a second DNS server internally?

If you need to use the Public DNS Addresses then they should be configured as Forwarders within an Internal DNS Server (so unresolved requests for non-authoritative domains will be sent there).

HTH,

Chris
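Chris's advice above, put into the form a practitioner would actually apply it, as an added example that is not part of the original thread: on the internal DNS server the ISP addresses go onto the forwarder list, and on each client the server list should contain only internal addresses. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 / Windows 8 or later; on 2003-era machines dnscmd and netsh do the same jobs). The addresses 10.0.0.10, 203.0.113.53/54 and the "10." prefix are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Placeholders: adjust to your network.
$InternalDns  = @('10.0.0.10')                      # assumed: the DC that runs DNS
$IspResolvers = @('203.0.113.53', '203.0.113.54')   # assumed: the ISP's resolvers
$InternalNets = @('10.')                            # assumed: prefixes that count as internal

# ---- Run on the domain controller / internal DNS server ------------------
function Set-InternalForwarders {
    param([string[]]$Forwarders = $IspResolvers)
    # Forwarders are where the SERVER sends queries for zones it does not hold
    # (www.yahoo.com and the like). This, not the client NIC, is the supported
    # place for ISP addresses.
    $before = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.ToString() }
    Write-Host "Forwarders before: $($before -join ', ')"
    # -IPAddress replaces the whole list; root hints stay as the fallback if
    # every forwarder is unreachable.
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true
    (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.ToString() }
}

# ---- Run on each client (directly or via Invoke-Command) ------------------
function Test-ClientDnsList {
    # Emits one object per configured DNS server that is NOT on an internal prefix.
    param([string[]]$Internal = $InternalNets)
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            $isInternal = @($Internal | Where-Object { $srv.StartsWith($_) }).Count -gt 0
            if (-not $isInternal) {
                [pscustomobject]@{ Interface = $cfg.InterfaceAlias; PublicServer = $srv }
            }
        }
    }
}

function Repair-ClientDnsList {
    # Overwrites the server list on every interface that has a public entry
    # with the internal servers only. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Servers = $InternalDns)
    $offending = Test-ClientDnsList | Select-Object -ExpandProperty Interface -Unique
    foreach ($alias in $offending) {
        if ($PSCmdlet.ShouldProcess($alias, "Set DNS servers to $($Servers -join ', ')")) {
            Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $Servers
        }
    }
}

# Typical use on a client:
#   Test-ClientDnsList             # list offending entries
#   Repair-ClientDnsList -WhatIf   # preview
#   Repair-ClientDnsList           # apply, then: ipconfig /flushdns
```

The check is deliberately prefix-based rather than "is it a private RFC 1918 address", because the point is not whether the address is routable but whether the server holds the Active Directory zone; a second internal server on another subnet belongs in $InternalNets, a public resolver never does.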
 
Expert Comment by: Steve Knight

Agreed. 50% of questions in these TAs seem to boil down to this.  I don't know of an MS TechNet article but ultimately it is obvious.  Your client PCs and servers need to query DNS for a record in your internal DNS.  They go to external DNS for whatever reason.  The query goes all the way to a root server or whatever trying to find your .random-ended domain, giving a long pause and a non-working network.

Will see if I can find a doc. must be one somewhere!

Steve
 
Expert Comment by: Chris Dent


There are a few bits listed on it here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#E1AAG

Although it doesn't specifically mention not having public DNS servers listed it does emphasise the importance of correct name resolution within your domain.

The thing is, it's difficult to feel motivated to provide documentation on the resolver itself when adding public DNS server addresses into client-end IP configuration is responsible for so many problems (just as Steve mentions).

Remember that even if you do maintain these settings, the Windows DNS Resolver has a Negative Cache as well; although it's only 5 minutes, it's still 5 minutes more than a brief network flicker at the wrong time would cause. Most of the nice-to-read DNS documentation is in book form, and I would recommend reading "DNS & BIND", which is now on its fifth edition:

http://www.oreilly.com/catalog/dns5/

That covers the resolver and its behaviour in quite a lot of detail - something that's quite tricky to find as publicly available documentation outside of RFCs.

Chris
 
Expert Comment by: mikeleebrla

I agree with the above two posts but I just want to add a little bit about a common misconception.  Many people (like your techs) think that you put the internal DNS server as primary and a public one as secondary so that the primary will take care of internal DNS queries and then the secondary will take care of external queries. WRONG WRONG WRONG.  If the primary server is up, then the secondary server is never even queried at all.
Do a simple "NSLOOKUP www.yahoo.com" to confirm this. You will see that the answer comes from the primary DNS server, not the public secondary.

http://support.microsoft.com/kb/291382

Question: Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

Answer: No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.
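To make mikeleebrla's nslookup check systematic, here is an added example (not from the thread) that asks each DNS server on the client's own list, directly and bypassing the cache, for the domain's domain-controller SRV record and then for www.yahoo.com. A server that fails the first query cannot support logon to this domain, whatever it does for the second, and walking the list in configured order shows which servers the resolver would be relying on at each step. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later) on a domain-joined machine; the domain name is taken from the USERDNSDOMAIN environment variable.

```powershell
# Added example, not from the thread.
$Domain = $env:USERDNSDOMAIN                     # assumed: this machine is domain-joined
if (-not $Domain) { throw 'USERDNSDOMAIN is empty: run this on a domain-joined client.' }
$SrvName    = "_ldap._tcp.dc._msdcs.$Domain"     # the SRV record every AD client must find
$PublicName = 'www.yahoo.com'                    # the name used in the comment above

function Test-DnsServerForAd {
    param([Parameter(Mandatory = $true)][string]$Server)
    $r = [ordered]@{ Server = $Server; DcSrv = ''; PublicA = '' }
    try {
        # -DnsOnly bypasses the local cache, hosts file, LLMNR and NetBIOS, so
        # the answer (or the failure) is genuinely this server's.
        $srv = Resolve-DnsName -Name $SrvName -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        $r.DcSrv = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
    } catch {
        # A public resolver typically returns "name does not exist" here, or
        # times out for a non-routable internal TLD as Steve describes.
        $r.DcSrv = "FAIL: $($_.Exception.Message)"
    }
    try {
        $a = Resolve-DnsName -Name $PublicName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $r.PublicA = ($a | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
    } catch {
        $r.PublicA = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

function Test-ConfiguredDnsServers {
    # Walk the client's own server list in configured order, which is the
    # order the resolver tries them in.
    (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
        Select-Object -Unique |
        ForEach-Object { Test-DnsServerForAd -Server $_ }
}

Test-ConfiguredDnsServers | Format-Table -AutoSize

# One-off equivalent with the nslookup command used above, against one server:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN% 203.0.113.53
```

Any row whose DcSrv column reads FAIL is a server that must not appear in the client's list on an Active Directory network; a row where DcSrv succeeds but PublicA fails is an internal server with no working forwarders or root hints, which is the other half of the same configuration problem.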
 
Expert Comment by: trippleO7

From this MS Article (Using Secondary Servers):  http://technet2.microsoft.com/WindowsServer/en/library/83564a51-441e-4b4d-b4ac-2fbbb53c39271033.mspx?mfr=true


"...Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available..."

Read up on the links in that article for more detail.
 
Author Comment by: tduplantis

I should have worded the question differently.  I am well aware that you should never use an external DNS server in an Active Directory domain.

What I am looking for is confirmation from Microsoft that the secondary DNS server will continue to be used after the primary went unavailable, then became available again.  I will peruse the answers that have been posted and see if that has already been answered.  Thanks!
 
Expert Comment by: Chris Dent


The Resolver works on a per query basis - it doesn't discard a server if it's not up as it doesn't provide continual connectivity testing to the DNS Server - that would be very wasteful of network bandwidth when the mechanism is intended to be as light as possible.

It will try the first name server in the server list, then the second, then the third and so on, stopping when it encounters one that is available (waiting for the connection time-out each time).

If, for whatever reason, your main server doesn't respond within the specified timeout period it will skip onto the public one - this is the main reason it shouldn't be included from the AD perspective as it's rare you can truly guarantee that the server will be perpetually available.

It's possible that the MS resolver behaves differently from the standard resolvers, however I suspect that is quite unlikely and the method of operation is as described above.

Chris
 
Author Comment by: tduplantis

Actually I have a tech who is disputing my entire argument!  I'm trying to put together a document on setting up simple AD domains and configuring DNS.  His argument is that using an external secondary DNS server in a single-server domain is good since they will still be able to use the internet should the domain controller go down.

I know this is folly as I have fixed many domain issues by removing any external DNS configurations on workstations and servers, but I need proof to validate my argument.  So the question has been split.

1.  Documentation on how long a client uses the secondary DNS server should the primary become unavailable, then available again.  Does the client poll the primary every time it tries to resolve a name, even if it was unavailable the last time it tried?

2.  Pitfalls of using an external secondary DNS server on clients in a single-server Active Directory domain.
 
Author Comment by: tduplantis

Thanks, Chris, for that answer.  That debunks the theory I was told about secondary DNS servers.
 
Expert Comment by: trippleO7

Well it all depends on the client.  If the primary DNS server goes down, and the client is left with the secondary (public), then any machine that is still on will be able to get out to the net, but isn't going to access local network resources.  The other side to that is if a client machine is powered off, then it gets turned on to log in; if it can't find the primary (internal), it may take foreverrrrrrrrrrrr to log in as it has to time out (it may also use cached credentials if no network connection is found).

There are far fewer benefits to having the secondary DNS be a public IP.  The only real benefit is if the server goes down while the client is powered on/logged on, they can still get internet access.

Facts are facts... I think you need to create a list of pros and cons... you will easily see.  Have a second internal DNS server as someone above suggested.  It would solve this whole problem.
 
Expert Comment by: Chris Dent


Hopefully the best practice links and the support article Mike posted go some way towards pointing out to your tech that the setup is not a good one. DNS holds up Active Directory, so the articles should certainly be understood.

The Unix / Linux documentation for resolv.conf is actually a little clearer about exactly what the resolver does in these instances; the system remains simple and it's just order-based. Whichever version you look at ends up saying approximately the same thing. Here's one for example:

http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/resolver.5.html

The mechanism has to be kept simple and hasn't changed for years to a great extent. Persistent connection testing would remove that simplicity.

Chris
 
Author Comment by: tduplantis

I think the issue here is, if the single domain controller is down, they are not logging in (other than cached mode), or accessing any resources on the server anyway.  So, why not at least give them internet, and use a secondary external IP address on the clients?

However, my argument is, sometimes the client is not polling the primary like it should, and is indeed using that secondary more than it should.  At least, that is how it seemed in environments that I have fixed by removing any external dns servers.
 
Expert Comment by: trippleO7

Well, if your primary DNS (domain controller) isn't forwarding to a different DNS server, internet requests would then go to the root hint servers if your primary DNS doesn't know where the site is... unless you tell it not to.  Anyway, to win your argument, you would need a backup domain controller with a second internal DNS server (MS recommended).

Chris Dent explained it easily enough.  Requests go in order of your DNS servers.  You could have 1, 2, 5, 10, etc., but a client machine is always going to start at the top of the list and work its way down.  If DNS1 can't resolve, go to DNS2; if DNS2 can't resolve, go to DNS3, etc. It will continue to do this until it finds the DNS server that can serve the client request.

Just curious, but when this DC goes down, is it planned or are you preparing for a disaster/unplanned downtime?  If planned, schedule the downtime when there are no (or less) users on the network.  I'm not sure how your environment works, but I reboot servers in the night hours (midnight-3am) for updates, etc.

 
Accepted Solution by: Chris Dent (earned 250 total points)


From what I assume of your position in this I guess you've already covered most of this, but to cover it again anyway.

That would be true, if the primary is too busy it will slip over to the secondary. It's all down to the connection timeout, although on a small network load shouldn't be so high that it overloads a single DNS. However, it's not unheard of and as soon as it does you have "cannot find domain" messages which can be made worse by the Negative Caching of responses (caching of responses that say no, 5 minutes by default on XP).

I guess I think more along the lines of, what's the point in a permanent internet connection for a 10 minute outage if every other day people have problems with the live network? If the outage is longer than 10 minutes, and that on a regular basis, then fault tolerance for the internal should be very seriously considered. If it's less than 10 minutes then why waste all those other 10 minute intervals when people have problems logging on due to those settings?

Besides, for those small outages there's always the client's DNS cache, which for XP defaults to a maximum of 24 hours. If the TTL for the address is lower, then it will be there too. You can see that one (and the associated TTLs) with ipconfig /displaydns on the client - it won't even bother asking the server until those expire. The TTL for service records is generally very, very low, which is exactly why you notice DNS server outages so quickly on an internal network.

Chris
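An added example, not from the thread, that does on a current client what Chris describes doing with ipconfig /displaydns: it splits the resolver cache into positive and negative entries, lists the cached SRV records with their remaining (short) TTLs, and reads the registry values that cap the cache lifetimes. It assumes Get-DnsClientCache (Windows 8 / Server 2012 or later). The registry value names are the documented DNS Client service parameters under the Dnscache key; where a value is absent the built-in default applies (the 24-hour and 5-minute figures Chris quotes are the XP defaults for MaxCacheTtl and MaxNegativeCacheTtl). ServerPriorityTimeLimit, where present, sets how long the resolver keeps a re-ordered server list after a failover before returning to the configured order, which bears directly on the question at the top of this thread and is worth reading on any client whose behaviour is being disputed.

```powershell
# Added example, not from the thread.
$DnscacheParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-ResolverCacheSummary {
    $cache    = @(Get-DnsClientCache)
    $positive = @($cache | Where-Object Status -eq 'Success')
    $negative = @($cache | Where-Object Status -ne 'Success')   # NotExist / NoRecords
    [pscustomobject]@{
        PositiveEntries = $positive.Count
        NegativeEntries = $negative.Count
        # Cached SRV records (DC locator data) with their remaining TTLs: these
        # are the short-lived entries that make a DNS outage visible so quickly.
        CachedSrv = ($positive | Where-Object RecordType -eq 'SRV' |
                     ForEach-Object { "$($_.Entry)=$($_.TimeToLive)s" }) -join '; '
    }
}

function Get-NegativeCacheEntries {
    # A negative entry means the resolver answers "does not exist" from memory,
    # without asking any server, until TimeToLive runs out.
    Get-DnsClientCache | Where-Object Status -ne 'Success' |
        Select-Object Entry, RecordType, Status, TimeToLive
}

function Get-ResolverCacheLimits {
    $p = Get-ItemProperty -Path $DnscacheParams -ErrorAction SilentlyContinue
    foreach ($name in 'MaxCacheTtl', 'MaxNegativeCacheTtl', 'ServerPriorityTimeLimit') {
        # Values are REG_DWORD seconds; an absent value means the built-in default.
        $value = if ($p -and $p.PSObject.Properties[$name]) { $p.$name } else { $null }
        [pscustomobject]@{
            Setting = $name
            Seconds = $value
            Note    = if ($null -eq $value) { 'not set; built-in default applies' } else { 'explicitly set' }
        }
    }
}

Get-ResolverCacheSummary
Get-NegativeCacheEntries | Format-Table -AutoSize
Get-ResolverCacheLimits  | Format-Table -AutoSize

# To discard a stale negative entry immediately (the same as ipconfig /flushdns):
#   Clear-DnsClientCache
```

When a user reports "cannot find domain" minutes after a brief DNS blip, the NegativeEntries count and the TTLs in Get-NegativeCacheEntries show whether the client is still serving that failure from its own cache; Clear-DnsClientCache clears it without a reboot.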
 
Expert Comment by: Steve Knight

Here's a typical real world issue here from setting secondary to ISP for reference:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_22047896.html#17867211
 
Author Comment by: tduplantis

tripple: In my environment, we support a wide range of customers, ranging from mom and pop nursing homes to very large multi facility corporations.  The mom and pops cannot always afford a second server.  They pretty much administer their own environment and call on us when there are problems.  We provide them the software to run their facility, the added layer of support for their infrastructure is just a bonus pretty much and we provide that support in reactive mode only.

I like Chris' last response.  It makes a lot of sense and I think I can use that.

Thanks everyone for your responses.
 
Expert Comment by: Chris Dent


Glad I could help out.

Chris
