DNS for Backup DHCP Server

Posted on 2007-12-04
Last Modified: 2008-03-17
I have two dhcp servers, one is Windows 2003 Server and the other is a DHCP Server that's on our firewall. I've set up the firewall dhcp as a backup:
- Split Scope - Windows DHCP ( - 192.168.140) / Firewall DHCP ( - 192.168.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?

This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP.  I don't know how long it takes for a dhcp to look for their second dns (in case the entire server is completly down).

Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.

Question by:tracyms
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
LVL 19

Expert Comment

ID: 20404322
Having a backup is a good idea... I agree that you should put your internal DNS as first on your firewall and add your ISP DNS to the DHCP on the Windows server.  This will provide consistency in DNS resolution.
LVL 12

Expert Comment

ID: 20404324
If the DHCP service fails on the server, this does not mean that clients will automatically switch to using DHCP on the firewall.  This also does not mean that they will be assigned a new IP address upon a restart either.  In each case the clients will continue to use their currently assigned DNS and IP information.

As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection.  You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.

LVL 70

Expert Comment

ID: 20404387
As far as DNS is concerned clients should ONLY point to the windows DNS server as is the case now - do not change it. if you have additional windows DNS servers these can be added as alternate DNS servers but ISPs DNS servers should NEVER be stipulated as preferred/alternate DNS servers - the only place they should be as is as forwarders on the DNS server itself. This is ESSENTIAL to ensure proper internal DNS resolution. To set up forwarders see
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

LVL 13

Expert Comment

ID: 20404392
I would definately recommend setting your Windows DNS server as the Primary DNS in your router's DHCP scope... This will keep all users who pull an IP address off your Router's DHCP working and playing with your Windows AD (by registering in AD DNS).  If you have multiple Windows boxes hosting internal DNS, list them all first, then your ISP DNS.  Your workstations will automatically try to register their name with the Primary DNS server listed, they don't go to the secondary/tertiary if the registration with the Primary fails.  But if there are multiple Windows DNS servers, it'll keep your AD functioning - as the workstation will fail registration, but will do lookups against the secondary/tertiary servers for name resolution.
LVL 70

Expert Comment

ID: 20404503
The ISP MUST NOT appear in the preferred/alternate DNS settings - if you place it here it WILL eventually cause problems. In order to understand why you need to know a little about how the preferred and alternate DNS servers are used.

In normal circulstances the preferred DNS server is the only one that is used, when a client needs to resovle a name it queries the preferred DNS server. This MUST be the windows server as it's the onlt DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISPs servers to resolve the name.

The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner, the client DOES NOT query the DNS servers in turn in normal circumstances.- if for example it is down or very busy. Once this is done once then the client will use the alternate DNS server in preference to the prefered sever - and thats when problems can occur if you specify the ISP as an alternate DNS server.

In a situation where a client makes a request to the Windows DNS server , but it is busy the client will then start using the ISPs server in preference - the result - the client can no longer resolve internal names.

if you ha
LVL 13

Accepted Solution

ScooterAnderson earned 500 total points
ID: 20404581
Very good points KCTS... In general, you really don't want your ISP DNS being directly accessable from a client workstation in an Active Directory Domain.  However, in the instance where you have a single Windows DC, with DHCP and DNS with client workstations only pointing to the DC as their Primary DNS server - if that DC goes down, the usefulness of the domain collapses and even browsing the Internet is impossible, as the only DNS source the workstations know is the DC.  No DC, no DNS, no DNS forwarding...  

The registration of workstations in DNS/AD is very important, but for some organizations - they would like the "survivability" of at least part of the usefulness of the workstations by them being able to browse the internet, pop mail off an external mail server, etc...  Once the DC is backup and functioning, a reboot of the client will set everything back straight again.  
(you may have been about to make this point, when your posting got cut off...)..
LVL 70

Expert Comment

ID: 20404668
I don't know what happened to my last bit?

I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISPs DNS on the clients. if the only DC fails you are in touble anyway. If you add the ISPs DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clents switch to the ISPs server for their DNS and the whold network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.

Author Comment

ID: 20405563
Thanks All, to clarify:

- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.

In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it go to the next DNS in line - the ISP DNS - so they will at least have Internet access.
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Interent access.

Author Comment

ID: 20481980
I decided to only use my ISP dns on the backup dhcp server. It's highly probable that I will need to bring down the entire server in most cases and users won't have access to any server resources but the use of Internet is mostly what I want to always keep available.

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question