Is it OK to have DNS on the DC?

Posted on 2008-02-06
Medium Priority
Last Modified: 2010-04-07
I have a small network: 200 users, 5 Windows 2003 R2 servers. Buying a new system to install and use as a DC.
Can it be the DNS and DHCP server as well, or should I have a separate system for DNS?
Question by:evopann
LVL 24

Accepted Solution

ryansoto earned 60 total points
ID: 20834087
There is no issue with running DNS on a domain controller, and it's mandatory with Active Directory integrated zones, which I would recommend running.
LVL 58

Assisted Solution

tigermatt earned 60 total points
ID: 20834146
Certainly; only in larger organisations with tens of thousands of users do you generally spread DNS across multiple servers. However, if you're using Active Directory Integrated DNS (which is highly recommended, since DNS data is stored in Active Directory and follows the replication settings for AD, which is much simpler), you can only install the DNS servers for that zone on a Domain Controller (since DCs are the only servers which would have the AD data replicated to them).


Assisted Solution

adolphus850 earned 60 total points
ID: 20834157
I would recommend it too. The main things you should try to keep off a DC are heavy-duty apps like Exchange and SQL. If anything, you should buy another server and introduce another DC in case the one you've got goes down. That will save you a lot of heart and earache if it should happen.


LVL 70

Assisted Solution

KCTS earned 60 total points
ID: 20834163
It is far better in most cases to have DNS on the DC and to use AD Integrated DNS, since the two are highly dependent on each other.

Assisted Solution

DCenaculo earned 120 total points
ID: 20834241
In Windows 2000 it was not such a good idea to have DNS integrated with Active Directory if it was large, because any change to it would generate a total replication of the DNS info to the other DCs. With Windows 2003 that doesn't happen; only differences are replicated. It is recommended that you install DNS on a domain controller, because the integration of DNS in AD provides replication, integrated storage, security, and the other advantages inherent in AD. Your zone files will be integrated in AD.

Assisted Solution

DCenaculo earned 120 total points
ID: 20834275
Note that you can install a DHCP server on domain controllers (and DNS also), but domain controllers will have to be statically configured. They must have a static IP address, and don't forget to configure each DNS IP address in the TCP/IP properties of the DNS server. Sometimes we install a DNS server on a domain controller and forget to configure its own IP address as a DNS server address in its TCP/IP properties.
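As an added example (not part of the thread), the following PowerShell check covers the two points in this answer when run locally on a DC: it confirms the IPv4 address was assigned manually rather than by DHCP, and that every DNS server in the NIC's client list is a domain controller of the domain, including the DC itself (directly or as 127.0.0.1). It assumes the NetTCPIP and ActiveDirectory modules (Windows Server 2012 or later; on Windows Server 2003 the same facts come from ipconfig /all) and an interface alias of 'Ethernet'. The "partner DC first, itself second" ordering it reports on is common Microsoft guidance, not something stated in the thread.

```powershell
# Added example: verify a domain controller's static IP and DNS client configuration.
# Assumes Windows Server 2012+ with the NetTCPIP and ActiveDirectory modules installed.
Import-Module ActiveDirectory

function Test-DcDnsClientConfig {
    [CmdletBinding()]
    param(
        # Interface alias of the production NIC; 'Ethernet' is an assumption for this example.
        [string]$InterfaceAlias = 'Ethernet'
    )

    $findings = @()

    # 1. Static addressing: a DC must not take its address from DHCP.
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Where-Object { $_.AddressState -eq 'Preferred' } | Select-Object -First 1
    if (-not $ip) { throw "No IPv4 address found on '$InterfaceAlias'." }
    if ($ip.PrefixOrigin -ne 'Manual') {
        $findings += "IPv4 address $($ip.IPAddress) has PrefixOrigin '$($ip.PrefixOrigin)'; expected 'Manual' (static)."
    }

    # 2. DNS client servers: every entry should be a DC of this domain, or this host via loopback.
    $dnsServers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    if ($dnsServers.Count -eq 0) { $findings += "No IPv4 DNS servers configured on '$InterfaceAlias'." }

    $dcAddresses   = @((Get-ADDomainController -Filter *).IPv4Address)
    $selfAddresses = @($ip.IPAddress, '127.0.0.1')

    foreach ($server in $dnsServers) {
        if ($server -notin $dcAddresses -and $server -notin $selfAddresses) {
            $findings += "DNS server $server is not a domain controller of this domain."
        }
    }

    # 3. This DC should list itself (the point of the answer above), but not only itself:
    # a partner DC first avoids slow startup while the local DNS service is not yet up.
    $listsSelf = @($dnsServers | Where-Object { $_ -in $selfAddresses })
    if ($listsSelf.Count -eq 0) {
        $findings += "DNS client list does not include this DC's own address or 127.0.0.1."
    }
    elseif ($dnsServers.Count -eq 1) {
        $findings += "DNS client list contains only this DC; add another DC for resilience."
    }
    elseif ($dnsServers[0] -in $selfAddresses) {
        $findings += "This DC lists itself first; common guidance is a partner DC first, itself second."
    }

    [pscustomobject]@{
        Interface   = $InterfaceAlias
        IPv4Address = $ip.IPAddress
        Origin      = $ip.PrefixOrigin
        DnsServers  = ($dnsServers -join ', ')
        Pass        = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-DcDnsClientConfig -InterfaceAlias 'Ethernet' | Format-List
```

Run it in an elevated session on each DC after promotion and after any NIC change; a Pass of False with the loopback finding is exactly the "forgot its own address" case the answer describes.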
LVL 35

Assisted Solution

ShineOn earned 60 total points
ID: 20862858
Use AD-integrated DNS for your private AD zone. As has been said in previous comments, AD-integrated DNS has to be on a DC, plus it helps for redundancy and load-balancing if you have multiple DCs providing DNS services to your AD zone.

Use a separate DNS server for your public DNS, non-Windows if possible, if you host your own name servers. Don't use your AD-integrated DNS to also host your public NS. AD relies on its DNS to function; you don't want to expose your AD's DNS to the public network. I am not saying that there are current exploits for known vulnerabilities in a fully-patched Windows 2K3 DNS that would put the integrity of your forest at risk, nor am I giving any assurances that there are not. However, why take the chance? One may be discovered and zero-day exploited tomorrow. Remember, just because AD needs DNS doesn't mean DNS needs AD; try as they might to make it so, DNS is not a Windows-only proprietary service, it's a true standard.

Use a separate DNS server as your caching forwarder for public DNS lookups. There is no need to put that load on your DCs. Have the DC-hosted DNS servers refer non-AD-zone requests to the caching forwarder, and not cache the results themselves.
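As an added example (not part of the thread), this PowerShell audit checks a DC's DNS Server role against the layout in this answer: the internal zone is AD-integrated and accepts only secure dynamic updates, no public zone is hosted on the DC, zone transfers are not open to any host, non-AD queries go to a dedicated forwarder rather than being resolved from root hints, and the service listens only on the internal address. It assumes the DnsServer module (Windows Server 2012 or later); the forwarder address 10.0.0.53, the DC address 10.0.0.10 and the zone name example.com are placeholders. The example configures forwarding only; whether the DC's DNS also caches forwarded answers is left at the service default.

```powershell
# Added example: audit the DNS Server role on a DC for the split internal/public layout
# described above. Assumes Windows Server 2012+ (DnsServer module). Addresses are assumptions.
Import-Module DnsServer

function Test-DcDnsServerConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ExpectedForwarders,   # the internal caching forwarder(s)
        [Parameter(Mandatory)] [string]$InternalListenAddress,  # the DC's internal IPv4 address
        [string[]]$PublicZones = @()                            # zones that belong on the public NS, not here
    )
    $findings = @()

    # Primary zones hosted on this DC, excluding the auto-created loopback/reverse zones.
    $zones = @(Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated })
    foreach ($z in $zones) {
        if ($z.ZoneName -in $PublicZones) {
            $findings += "Public zone '$($z.ZoneName)' is hosted on the DC; move it to the public name servers."
            continue
        }
        if (-not $z.IsDsIntegrated) {
            $findings += "Zone '$($z.ZoneName)' is file-backed, not AD-integrated."
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            $findings += "Zone '$($z.ZoneName)' allows '$($z.DynamicUpdate)' dynamic updates; expected 'Secure'."
        }
        # Zone transfers: 'NoTransfer' or only to listed name servers; never to any host.
        if ($z.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += "Zone '$($z.ZoneName)' allows zone transfers to any server."
        }
    }

    # Forwarders: non-AD names should go to the caching forwarder, not be resolved from root hints here.
    $fwd    = Get-DnsServerForwarder
    $actual = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    foreach ($f in $ExpectedForwarders) {
        if ($f -notin $actual) { $findings += "Forwarder $f is not configured (have: $($actual -join ', '))." }
    }
    if ($fwd.UseRootHint) {
        $findings += "UseRootHint is enabled; the DC would resolve externally itself if the forwarder fails."
    }

    # Listening addresses: bind the service to the internal address only.
    $listen = @((Get-DnsServerSetting -All).ListeningIPAddress | ForEach-Object { $_.IPAddressToString })
    if ($listen.Count -ne 1 -or $listen[0] -ne $InternalListenAddress) {
        $findings += "Listening on [$($listen -join ', ')]; expected only $InternalListenAddress."
    }

    [pscustomobject]@{
        ZonesChecked = ($zones.ZoneName -join ', ')
        Forwarders   = ($actual -join ', ')
        UseRootHint  = $fwd.UseRootHint
        Listening    = ($listen -join ', ')
        Pass         = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Example invocation (addresses and zone name are placeholders):
Test-DcDnsServerConfig -ExpectedForwarders '10.0.0.53' -InternalListenAddress '10.0.0.10' `
                       -PublicZones 'example.com' | Format-List

# Remediation for the forwarder finding (uncomment to apply):
# Set-DnsServerForwarder -IPAddress 10.0.0.53 -UseRootHint $false
```

Do not disable recursion on the DC to force forwarding: in Windows DNS, forwarders only work while recursion is enabled, so turning it off would break external lookups for every client pointed at the DC. To restrict the listening address, dnscmd /ResetListenAddresses 10.0.0.10 works on every version back to Windows Server 2003.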

