DNS for Backup DHCP Server

I have two dhcp servers, one is Windows 2003 Server and the other is a DHCP Server that's on our firewall. I've set up the firewall dhcp as a backup:
- Split Scope - Windows DHCP ( - 192.168.140) / Firewall DHCP ( - 192.168.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?

This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP.  I don't know how long it takes for a dhcp to look for their second dns (in case the entire server is completly down).

Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Having a backup is a good idea... I agree that you should put your internal DNS as first on your firewall and add your ISP DNS to the DHCP on the Windows server.  This will provide consistency in DNS resolution.
If the DHCP service fails on the server, this does not mean that clients will automatically switch to using DHCP on the firewall.  This also does not mean that they will be assigned a new IP address upon a restart either.  In each case the clients will continue to use their currently assigned DNS and IP information.

As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection.  You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.

Brian PiercePhotographerCommented:
As far as DNS is concerned clients should ONLY point to the windows DNS server as is the case now - do not change it. if you have additional windows DNS servers these can be added as alternate DNS servers but ISPs DNS servers should NEVER be stipulated as preferred/alternate DNS servers - the only place they should be as is as forwarders on the DNS server itself. This is ESSENTIAL to ensure proper internal DNS resolution. To set up forwarders see http://www.petri.co.il/configure_dns_forwarding.htm
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Scott AndersonPrincipal Support EngineerCommented:
I would definately recommend setting your Windows DNS server as the Primary DNS in your router's DHCP scope... This will keep all users who pull an IP address off your Router's DHCP working and playing with your Windows AD (by registering in AD DNS).  If you have multiple Windows boxes hosting internal DNS, list them all first, then your ISP DNS.  Your workstations will automatically try to register their name with the Primary DNS server listed, they don't go to the secondary/tertiary if the registration with the Primary fails.  But if there are multiple Windows DNS servers, it'll keep your AD functioning - as the workstation will fail registration, but will do lookups against the secondary/tertiary servers for name resolution.
Brian PiercePhotographerCommented:
The ISP MUST NOT appear in the preferred/alternate DNS settings - if you place it here it WILL eventually cause problems. In order to understand why you need to know a little about how the preferred and alternate DNS servers are used.

In normal circulstances the preferred DNS server is the only one that is used, when a client needs to resovle a name it queries the preferred DNS server. This MUST be the windows server as it's the onlt DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISPs servers to resolve the name.

The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner, the client DOES NOT query the DNS servers in turn in normal circumstances.- if for example it is down or very busy. Once this is done once then the client will use the alternate DNS server in preference to the prefered sever - and thats when problems can occur if you specify the ISP as an alternate DNS server.

In a situation where a client makes a request to the Windows DNS server , but it is busy the client will then start using the ISPs server in preference - the result - the client can no longer resolve internal names.

if you ha
Scott AndersonPrincipal Support EngineerCommented:
Very good points KCTS... In general, you really don't want your ISP DNS being directly accessable from a client workstation in an Active Directory Domain.  However, in the instance where you have a single Windows DC, with DHCP and DNS with client workstations only pointing to the DC as their Primary DNS server - if that DC goes down, the usefulness of the domain collapses and even browsing the Internet is impossible, as the only DNS source the workstations know is the DC.  No DC, no DNS, no DNS forwarding...  

The registration of workstations in DNS/AD is very important, but for some organizations - they would like the "survivability" of at least part of the usefulness of the workstations by them being able to browse the internet, pop mail off an external mail server, etc...  Once the DC is backup and functioning, a reboot of the client will set everything back straight again.  
(you may have been about to make this point, when your posting got cut off...)..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Brian PiercePhotographerCommented:
I don't know what happened to my last bit?

I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISPs DNS on the clients. if the only DC fails you are in touble anyway. If you add the ISPs DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clents switch to the ISPs server for their DNS and the whold network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.
tracymsAuthor Commented:
Thanks All, to clarify:

- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.

In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it go to the next DNS in line - the ISP DNS - so they will at least have Internet access.
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Interent access.
tracymsAuthor Commented:
I decided to only use my ISP dns on the backup dhcp server. It's highly probable that I will need to bring down the entire server in most cases and users won't have access to any server resources but the use of Internet is mostly what I want to always keep available.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.