Solved

DNS for Backup DHCP Server

Posted on 2007-12-04
Last Modified: 2008-03-17
I have two dhcp servers, one is Windows 2003 Server and the other is a DHCP Server that's on our firewall. I've set up the firewall dhcp as a backup:
- Split Scope - Windows DHCP (192.168.1.1 - 192.168.1.140) / Firewall DHCP (192.168.1.141 - 192.168.1.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?

This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP.  I don't know how long it takes for a dhcp client to look for their second dns (in case the entire server is completely down).

Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.

Question by:tracyms
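A split scope is only a usable fallback if the two ranges really are disjoint, stay inside the subnet, and do not hand out addresses that are already fixed. The check below is an added example, not code from this thread; it uses the subnet and the two ranges as posted, while the static hosts (a DC at 192.168.1.10, a firewall interface at 192.168.1.254) and the "fixed" layout in the usage note are assumptions for illustration.

```python
"""Sanity-check a split DHCP scope before trusting it as a failover plan.

Added example: not code from the original post. The subnet and the two
ranges are the ones posted; the static hosts are assumptions.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Scopes as posted: Windows hands out .1-.140, the firewall .141-.255.
SCOPES = {
    "Windows DHCP": ("192.168.1.1", "192.168.1.140"),
    "Firewall DHCP": ("192.168.1.141", "192.168.1.255"),
}

# Hosts with fixed addresses. Assumed for the example; the post lists none.
STATIC_HOSTS = {
    "DC/DNS (assumed)": "192.168.1.10",
    "firewall LAN interface (assumed)": "192.168.1.254",
}

# Per-scope exclusion ranges as (start, end) pairs. None are posted.
EXCLUSIONS = {}


def address_range(start, end):
    """All addresses from start to end inclusive, as a set."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError(f"scope start {a} is after end {b}")
    return {ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)}


def leasable(name, scopes, exclusions):
    """Addresses the server may actually hand out: the range minus exclusions."""
    pool = address_range(*scopes[name])
    for ex_start, ex_end in exclusions.get(name, ()):
        pool -= address_range(ex_start, ex_end)
    return pool


def check_split_scope(subnet=SUBNET, scopes=SCOPES, exclusions=EXCLUSIONS,
                      static_hosts=STATIC_HOSTS):
    """Return a list of findings; an empty list means the layout is clean."""
    findings = []
    raw = {name: address_range(*scopes[name]) for name in scopes}
    pools = {name: leasable(name, scopes, exclusions) for name in scopes}

    # Each pool must stay inside the subnet and avoid the special addresses.
    for name, pool in pools.items():
        outside = [ip for ip in pool if ip not in subnet]
        if outside:
            findings.append(f"{name}: {len(outside)} leasable addresses lie outside {subnet}")
        for special, label in ((subnet.network_address, "network"),
                               (subnet.broadcast_address, "broadcast")):
            if special in pool:
                findings.append(f"{name}: range includes the {label} address {special}, "
                                f"which must never be leased")

    # Two servers leasing the same address is the classic split-scope mistake.
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap = pools[a] & pools[b]
            if overlap:
                findings.append(f"{a} and {b} overlap on {len(overlap)} addresses "
                                f"({min(overlap)}-{max(overlap)}): both servers could lease the same IP")

    # Coverage is judged on the raw ranges; exclusions are deliberate holes.
    gaps = set(subnet.hosts()) - set().union(*raw.values())
    if gaps:
        findings.append(f"{len(gaps)} host addresses in {subnet} belong to no scope "
                        f"(first: {min(gaps)})")

    # A fixed host inside a leasable range needs an exclusion or reservation.
    for label, ip in static_hosts.items():
        ip = ipaddress.ip_address(ip)
        for name, pool in pools.items():
            if ip in pool:
                findings.append(f"{label} at {ip} sits inside the leasable range of {name}: "
                                f"add an exclusion or a reservation")
    return findings


if __name__ == "__main__":
    for finding in check_split_scope() or ["no findings"]:
        print(finding)
```

Run against the posted ranges it reports that the firewall scope ends on the broadcast address and that both assumed static hosts sit inside a leasable range. Ending the firewall range at .254 and adding exclusions for the fixed addresses (for example .1-.20 on the Windows scope and .250-.254 on the firewall scope) clears every finding.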
Expert Comment

by:darron_chapman
ID: 20404322
Having a backup is a good idea... I agree that you should put your internal DNS as first on your firewall and add your ISP DNS to the DHCP on the Windows server.  This will provide consistency in DNS resolution.
Expert Comment

by:weareit
ID: 20404324
If the DHCP service fails on the server, this does not mean that clients will automatically switch to using DHCP on the firewall.  This also does not mean that they will be assigned a new IP address upon a restart either.  In each case the clients will continue to use their currently assigned DNS and IP information.

As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection.  You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.

-saige-
Expert Comment

by:KCTS
ID: 20404387
As far as DNS is concerned clients should ONLY point to the Windows DNS server as is the case now - do not change it. If you have additional Windows DNS servers these can be added as alternate DNS servers but ISPs' DNS servers should NEVER be stipulated as preferred/alternate DNS servers - the only place they should be is as forwarders on the DNS server itself. This is ESSENTIAL to ensure proper internal DNS resolution. To set up forwarders see http://www.petri.co.il/configure_dns_forwarding.htm
Expert Comment

by:ScooterAnderson
ID: 20404392
I would definitely recommend setting your Windows DNS server as the Primary DNS in your router's DHCP scope... This will keep all users who pull an IP address off your Router's DHCP working and playing with your Windows AD (by registering in AD DNS).  If you have multiple Windows boxes hosting internal DNS, list them all first, then your ISP DNS.  Your workstations will automatically try to register their name with the Primary DNS server listed; they don't go to the secondary/tertiary if the registration with the Primary fails.  But if there are multiple Windows DNS servers, it'll keep your AD functioning - as the workstation will fail registration, but will do lookups against the secondary/tertiary servers for name resolution.
Expert Comment

by:KCTS
ID: 20404503
The ISP MUST NOT appear in the preferred/alternate DNS settings - if you place it here it WILL eventually cause problems. In order to understand why you need to know a little about how the preferred and alternate DNS servers are used.

In normal circumstances the preferred DNS server is the only one that is used: when a client needs to resolve a name it queries the preferred DNS server. This MUST be the Windows server as it's the only DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISP's servers to resolve the name.

The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner - if for example it is down or very busy; the client DOES NOT query the DNS servers in turn in normal circumstances. Once this has happened the client will use the alternate DNS server in preference to the preferred server - and that's when problems can occur if you specify the ISP as an alternate DNS server.

In a situation where a client makes a request to the Windows DNS server, but it is busy, the client will then start using the ISP's server in preference - the result: the client can no longer resolve internal names.

if you ha
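The failure sequence KCTS describes (one glitch on the preferred server, after which the client keeps using the alternate) can be played through with a small model. This is an added example, not code from the thread or from Microsoft: it is a deliberately simplified resolver that queries the preferred server first, falls back on a timeout, and then sticks with whichever server answered; the real Windows resolver has timers and a retry order this ignores. The zone contents, host names and addresses are assumptions.

```python
"""Model of the DNS client fallback behaviour described above.

Added example, not code from the thread. Simplified model: query the
preferred server first, fall back to the alternate on a timeout, and keep
using whichever server last answered. Zone data and names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed zone data: an internal zone only the Windows DNS server holds, and
# a public name that both the Windows server (via its forwarder) and the ISP
# resolver can answer.
INTERNAL_ZONE = {"dc1.corp.example.": "192.168.1.10",
                 "files.corp.example.": "192.168.1.20"}
PUBLIC_ZONE = {"www.example.net.": "203.0.113.10"}


@dataclass
class DnsServer:
    name: str
    zones: dict
    forwarder: Optional["DnsServer"] = None
    available: bool = True  # False models "down or very busy": no reply at all

    def query(self, qname):
        """Return an address, "NXDOMAIN", or None for no reply (timeout)."""
        if not self.available:
            return None
        if qname in self.zones:
            return self.zones[qname]
        if self.forwarder is not None:
            return self.forwarder.query(qname)  # forwarder may time out too
        return "NXDOMAIN"


@dataclass
class StickyResolver:
    servers: list
    current: int = 0  # index of the server the client currently prefers
    log: list = field(default_factory=list)

    def resolve(self, qname):
        # Start from the server that answered last time, then the rest in order.
        order = self.servers[self.current:] + self.servers[:self.current]
        for offset, server in enumerate(order):
            answer = server.query(qname)
            if answer is None:
                self.log.append(f"{server.name}: no reply for {qname}, trying next")
                continue
            # Whichever server answered is the one used from now on.
            self.current = (self.current + offset) % len(self.servers)
            self.log.append(f"{server.name}: {qname} -> {answer}")
            return answer
        self.log.append(f"no server answered for {qname}")
        return None


def scenario(alternate_is_isp):
    """One short DC outage followed by recovery; returns the answers and the log."""
    isp = DnsServer("ISP DNS", PUBLIC_ZONE)
    dc = DnsServer("Windows DNS (DC)", INTERNAL_ZONE, forwarder=isp)
    second_dc = DnsServer("Windows DNS (2nd DC)", INTERNAL_ZONE, forwarder=isp)
    client = StickyResolver([dc, isp if alternate_is_isp else second_dc])

    answers = [client.resolve("files.corp.example.")]   # normal operation
    dc.available = False                                 # busy peak or short outage
    answers.append(client.resolve("www.example.net."))  # client falls back
    dc.available = True                                  # DC is fine again
    answers.append(client.resolve("dc1.corp.example."))  # but the client has moved on
    return answers, client.log


if __name__ == "__main__":
    for label, isp_alt in (("ISP as alternate", True), ("second DC as alternate", False)):
        answers, log = scenario(isp_alt)
        print(f"== {label}: {answers}")
        for line in log:
            print("  " + line)
```

With the ISP as alternate the third lookup, for an internal name after the DC has recovered, comes back NXDOMAIN because the client is now asking a server that has never heard of the domain; with a second Windows DNS server as alternate the same lookup still succeeds.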
Accepted Solution

by:
ScooterAnderson earned 500 total points
ID: 20404581
Very good points KCTS... In general, you really don't want your ISP DNS being directly accessible from a client workstation in an Active Directory Domain.  However, in the instance where you have a single Windows DC, with DHCP and DNS, with client workstations only pointing to the DC as their Primary DNS server - if that DC goes down, the usefulness of the domain collapses and even browsing the Internet is impossible, as the only DNS source the workstations know is the DC.  No DC, no DNS, no DNS forwarding...  

The registration of workstations in DNS/AD is very important, but for some organizations they would like the "survivability" of at least part of the usefulness of the workstations by them being able to browse the internet, pop mail off an external mail server, etc...  Once the DC is back up and functioning, a reboot of the client will set everything back straight again.  
(you may have been about to make this point, when your posting got cut off...)..
Expert Comment

by:KCTS
ID: 20404668
I don't know what happened to my last bit?

I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISP's DNS on the clients. If the only DC fails you are in trouble anyway. If you add the ISP's DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clients switch to the ISP's server for their DNS and the whole network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.
Author Comment

by:tracyms
ID: 20405563
Thanks All, to clarify:

- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.

In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it take to go to the next DNS in line - the ISP DNS - so they will at least have Internet access?
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Internet access.
Author Comment

by:tracyms
ID: 20481980
I decided to only use my ISP dns on the backup dhcp server. It's highly probable that I will need to bring down the entire server in most cases and users won't have access to any server resources but the use of Internet is mostly what I want to always keep available.