tracyms
asked on
DNS for Backup DHCP Server
I have two dhcp servers, one is Windows 2003 Server and the other is a DHCP Server that's on our firewall. I've set up the firewall dhcp as a backup:
- Split Scope - Windows DHCP (192.168.1.1 - 192.168.140) / Firewall DHCP (192.168.1.141 - 192.168.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?
This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP. I don't know how long it takes for a dhcp to look for their second dns (in case the entire server is completly down).
Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.
- Split Scope - Windows DHCP (192.168.1.1 - 192.168.140) / Firewall DHCP (192.168.1.141 - 192.168.255)
- Microsoft Release DHCP Lease On Shutdown is set on the Windows DHCP Server (to release IPs at shutdown so it's quicker to grab from backup dhcp)
My question is should I put our internal DNS (for our AD domain) as the first DNS in the firewall's DNS settings (which has our ISP's DNS)?
This is in case just the DHCP Server in Windows goes down on the server but all else is functioning so users can still get to resources on the server. I have forwarders on our internal DNS to our ISP. I don't know how long it takes for a dhcp to look for their second dns (in case the entire server is completly down).
Also, should I place our ISP DNS as secondary/third DNS on Windows dhcp server - currently I only have our Windows DNS listed.
darron_chapman
Having a backup is a good idea... I agree that you should put your internal DNS as first on your firewall and add your ISP DNS to the DHCP on the Windows server. This will provide consistency in DNS resolution.
If the DHCP service fails on the server, this does not mean that clients will automatically switch to using DHCP on the firewall. This also does not mean that they will be assigned a new IP address upon a restart either. In each case the clients will continue to use their currently assigned DNS and IP information.
As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection. You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.
-saige-
As for changing the firewall, usually the DNS setting you are looking at is for the outbound traffic on the WAN connection. You can modify it to use the internal DNS server but I personally would not put much effort into this type of a DHCP failover on a small network.
-saige-
As far as DNS is concerned clients should ONLY point to the windows DNS server as is the case now - do not change it. if you have additional windows DNS servers these can be added as alternate DNS servers but ISPs DNS servers should NEVER be stipulated as preferred/alternate DNS servers - the only place they should be as is as forwarders on the DNS server itself. This is ESSENTIAL to ensure proper internal DNS resolution. To set up forwarders see http://www.petri.co.il/configure_dns_forwarding.htm
I would definately recommend setting your Windows DNS server as the Primary DNS in your router's DHCP scope... This will keep all users who pull an IP address off your Router's DHCP working and playing with your Windows AD (by registering in AD DNS). If you have multiple Windows boxes hosting internal DNS, list them all first, then your ISP DNS. Your workstations will automatically try to register their name with the Primary DNS server listed, they don't go to the secondary/tertiary if the registration with the Primary fails. But if there are multiple Windows DNS servers, it'll keep your AD functioning - as the workstation will fail registration, but will do lookups against the secondary/tertiary servers for name resolution.
The ISP MUST NOT appear in the preferred/alternate DNS settings - if you place it here it WILL eventually cause problems. In order to understand why you need to know a little about how the preferred and alternate DNS servers are used.
In normal circulstances the preferred DNS server is the only one that is used, when a client needs to resovle a name it queries the preferred DNS server. This MUST be the windows server as it's the onlt DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISPs servers to resolve the name.
The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner, the client DOES NOT query the DNS servers in turn in normal circumstances.- if for example it is down or very busy. Once this is done once then the client will use the alternate DNS server in preference to the prefered sever - and thats when problems can occur if you specify the ISP as an alternate DNS server.
In a situation where a client makes a request to the Windows DNS server , but it is busy the client will then start using the ISPs server in preference - the result - the client can no longer resolve internal names.
if you ha
In normal circulstances the preferred DNS server is the only one that is used, when a client needs to resovle a name it queries the preferred DNS server. This MUST be the windows server as it's the onlt DNS server that knows about the other computers on your network. The Windows DNS server is able to resolve local names and returns the IP to the client. If the name you request is not a local name then the Windows DNS server uses the forwarders to pass the query on to the ISPs servers to resolve the name.
The alternate DNS server is only ever used if the preferred DNS server fails to respond in a timely manner, the client DOES NOT query the DNS servers in turn in normal circumstances.- if for example it is down or very busy. Once this is done once then the client will use the alternate DNS server in preference to the prefered sever - and thats when problems can occur if you specify the ISP as an alternate DNS server.
In a situation where a client makes a request to the Windows DNS server , but it is busy the client will then start using the ISPs server in preference - the result - the client can no longer resolve internal names.
if you ha
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't know what happened to my last bit?
I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISPs DNS on the clients. if the only DC fails you are in touble anyway. If you add the ISPs DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clents switch to the ISPs server for their DNS and the whold network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.
I see where you are coming from ScooterAnderson, but I would still stay clear of putting the ISPs DNS on the clients. if the only DC fails you are in touble anyway. If you add the ISPs DNS to the preferred/alternate DNS you only have to hit a small glitch or busy peak and all clents switch to the ISPs server for their DNS and the whold network comes tumbling down as clients can no longer resolve internal names or locate the domain controller.
ASKER
Thanks All, to clarify:
- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.
In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it go to the next DNS in line - the ISP DNS - so they will at least have Internet access.
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Interent access.
- I have only one DC, it's pointing to itself for DNS - no other IPs (ISP) are listed
- I have the internal DNS in Windows dhcp settings - no other IPs (ISP) are listed
- the backup dhcp server is our firewall that can be used as a dhcp server
- The backup dhcp lease is set to 1 hour and is not enabled, I can enable it remotely if the server goes down
- Microsoft Release DHCP Lease On Shutdown option on the Windows dhcp server releases the windows dhcp on shutdown, which (is my understanding) will request an address lease from a dhcp server that it sees (in the case windows dhcp server is down, it will see the backup dhcp once enabled)
It is possible that the entire server will go down BUT IF ONLY THE DHCP SERVER in Windows goes down, then I'd like to know if users will still have access to AD resources (if I place our internal DNS as the first DNS in the list on the backup server). The Windows DNS does have forwarders where I've put our ISP DNS so I'm thinking it should work.
In the case the entire server goes down, and having the internal DNS as the first one in the backup - how long will it go to the next DNS in line - the ISP DNS - so they will at least have Internet access.
I understand there will be an error on the clients (not sure to what extent) as the server will be down and they won't access resources but I want them to still have Interent access.
ASKER
I decided to only use my ISP dns on the backup dhcp server. It's highly probable that I will need to bring down the entire server in most cases and users won't have access to any server resources but the use of Internet is mostly what I want to always keep available.