DNS for Backup DHCP Server

Posted on 2007-12-04
Last Modified: 2008-03-17
I have two dhcp servers, one is Windows 2003 Server and the other is a DHCP Server that's on our firewall. I've set up the firewall dhcp as a backup:
- Split Scope - Windows DHCP ( - 192.168.140) / Firewall DHCP ( - 192.168.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?

This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP.  I don't know how long it takes for a dhcp to look for their second dns (in case the entire server is completly down).

Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.

Question by:tracyms
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
LVL 19

Expert Comment

ID: 20404322
Having a backup is a good idea... I agree that you should put your internal DNS as first on your firewall and add your ISP DNS to the DHCP on the Windows server.  This will provide consistency in DNS resolution.
LVL 12

Expert Comment

ID: 20404324
If the DHCP service fails on the server, this does not mean that clients will automatically switch to using DHCP on the firewall.  This also does not mean that they will be assigned a new IP address upon a restart either.  In each case the clients will continue to use their currently assigned DNS and IP information.

As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection.  You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.

LVL 70

Expert Comment

ID: 20404387
As far as DNS is concerned clients should ONLY point to the windows DNS server as is the case now - do not change it. if you have additional windows DNS servers these can be added as alternate DNS servers but ISPs DNS servers should NEVER be stipulated as preferred/alternate DNS servers - the only place they should be as is as forwarders on the DNS server itself. This is ESSENTIAL to ensure proper internal DNS resolution. To set up forwarders see
Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

LVL 13

Expert Comment

ID: 20404392
I would definately recommend setting your Windows DNS server as the Primary DNS in your router's DHCP scope... This will keep all users who pull an IP address off your Router's DHCP working and playing with your Windows AD (by registering in AD DNS).  If you have multiple Windows boxes hosting internal DNS, list them all first, then your ISP DNS.  Your workstations will automatically try to register their name with the Primary DNS server listed, they don't go to the secondary/tertiary if the registration with the Primary fails.  But if there are multiple Windows DNS servers, it'll keep your AD functioning - as the workstation will fail registration, but will do lookups against the secondary/tertiary servers for name resolution.
LVL 70

Expert Comment

ID: 20404503
The ISP MUST NOT appear in the preferred/alternate DNS settings - if you place it here it WILL eventually cause problems. In order to understand why you need to know a little about how the preferred and alternate DNS servers are used.

In normal circulstances the preferred DNS server is the only one that is used, when a client needs to resovle a name it queries the preferred DNS server. This MUST be the windows server as it's the onlt DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISPs servers to resolve the name.

The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner, the client DOES NOT query the DNS servers in turn in normal circumstances.- if for example it is down or very busy. Once this is done once then the client will use the alternate DNS server in preference to the prefered sever - and thats when problems can occur if you specify the ISP as an alternate DNS server.

In a situation where a client makes a request to the Windows DNS server , but it is busy the client will then start using the ISPs server in preference - the result - the client can no longer resolve internal names.

if you ha
LVL 13

Accepted Solution

ScooterAnderson earned 500 total points
ID: 20404581
Very good points KCTS... In general, you really don't want your ISP DNS being directly accessable from a client workstation in an Active Directory Domain.  However, in the instance where you have a single Windows DC, with DHCP and DNS with client workstations only pointing to the DC as their Primary DNS server - if that DC goes down, the usefulness of the domain collapses and even browsing the Internet is impossible, as the only DNS source the workstations know is the DC.  No DC, no DNS, no DNS forwarding...  

The registration of workstations in DNS/AD is very important, but for some organizations - they would like the "survivability" of at least part of the usefulness of the workstations by them being able to browse the internet, pop mail off an external mail server, etc...  Once the DC is backup and functioning, a reboot of the client will set everything back straight again.  
(you may have been about to make this point, when your posting got cut off...)..
LVL 70

Expert Comment

ID: 20404668
I don't know what happened to my last bit?

I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISPs DNS on the clients. if the only DC fails you are in touble anyway. If you add the ISPs DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clents switch to the ISPs server for their DNS and the whold network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.

Author Comment

ID: 20405563
Thanks All, to clarify:

- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.

In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it go to the next DNS in line - the ISP DNS - so they will at least have Internet access.
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Interent access.

Author Comment

ID: 20481980
I decided to only use my ISP dns on the backup dhcp server. It's highly probable that I will need to bring down the entire server in most cases and users won't have access to any server resources but the use of Internet is mostly what I want to always keep available.

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question