Solved

Issuing non-AD-integrated DNS servers as secondary DNS to clients that are part of a Windows Server domain

Posted on 2011-03-14
281 Views
Last Modified: 2012-05-11
Hi,

I know this is not best practice, but I was wondering if someone can give me a detailed explanation why.

The question has been posed by a work colleague and I really didn't have a good enough answer other than "don't do it".

I understand that the client may have trouble resolving DC SRV records; I'm guessing it could cause issues with AD/DNS replication, but I am unable to explain it in a clear fashion.

The issue came about with DNS in a 2008 SBS domain (the actual fault was with the forwarder, which I resolved).

Someone else had looked at it first and implemented a "workaround" by adding the router IP to DHCP as the secondary DNS. I told him that you should never add an external DNS server to a server or client in a Windows domain, but couldn't give a good enough reason why.

Any help clearing this up would be appreciated :)
Question by:Edgnett
4 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35134478
OK, well you are almost there.

Adding a second DNS server that is anything other than a Windows Server will mean that DNS lookups will fail.

If the Windows client is for any reason unable to perform a lookup on the primary server, it will fail over to the secondary. This could be because of a temporary load or a temporary break in network communication.

It will not then fail over to the primary again until the secondary becomes unavailable or the cache is forcefully reset.

This will cause authentication as well as name lookup issues.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 35134495
Doing that in a Windows domain would cause problems with member systems (computers or servers) communicating on the internal network, since they can't resolve using external DNS. Not something you would want to do. It would also cause login issues with users trying to access network resources (file shares, etc.).
 
LVL 70

Accepted Solution

by: KCTS
KCTS earned 250 total points
ID: 35134534
Because of the way DNS works...

The alternative DNS server (note alternative, NOT secondary; a secondary zone means something very different) is only ever used if the preferred server (note NOT primary; again, that is something very different) does not respond at all to a DNS lookup.

The alternate DNS server is never used if the preferred DNS server responds, even if the response is a 'not found' response.
It does not try the preferred server first and then the alternate.

If you have an alternate DNS server configured that is not responsible for your domain's DNS, then it is possible, if your preferred DNS server is busy, that it will not respond within the timeout; in such a case, from that point on, all DNS referrals will go to the alternate DNS server.

As the alternate DNS server does not have the records for your domain, all subsequent internal DNS lookups will fail and your clients will be unable to locate any domain resources.
 
LVL 70

Assisted Solution

by: KCTS
KCTS earned 250 total points
ID: 35134571
I've re-worded my comment to try to make it make more sense.

In normal circumstances the preferred DNS server is queried to resolve a name to an IP address.
The alternate DNS server is only ever used if the preferred server fails to respond (at all).

Note that even if the preferred server's response is 'not found', that is a valid response and the alternate DNS server is not used.

If for some reason (such as heavy workload) the preferred server fails to respond within the timeout, all DNS lookups from that point on will be directed to the alternate DNS server.

If the alternate DNS server is 'external' then it will not have any of the DNS records for your domain, and as a result internal DNS queries will be unable to be resolved. As a consequence you will be unable to locate any domain resources or services via DNS, and your domain will fail.

Note the use here of PREFERRED and ALTERNATE servers.

In simple terms, a primary DNS zone is one which is a writeable copy and a secondary is a read-only version; those terms are not appropriate here.
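As an added practical check (example code, not part of the original thread or from any of the posters): the PowerShell below takes the DNS servers a client is configured with (or the list a DHCP scope hands out as option 006) and asks each one for the `_ldap._tcp.dc._msdcs.<domain>` SRV record, which is what domain members use to locate a domain controller. A server that answers but returns no SRV records is exactly the failure mode KCTS describes: the client gets a valid "not found" reply from the alternate, so it will not go back to the preferred server, and from then on it cannot find a DC. It assumes PowerShell on Windows 8 / Server 2012 or later (Resolve-DnsName, Get-DnsClientServerAddress are not on 2008 SBS), that the host running it can reach the servers, that the domain name, addresses and scope ID are placeholders, and that Resolve-DnsName reports a timeout with a FullyQualifiedErrorId starting with ERROR_TIMEOUT (an assumption about its error records).

```powershell
# Added example, not code from the original thread.
# Checks whether each DNS server a client would use can answer the DC locator query.
# Assumes Windows 8 / Server 2012+ for Resolve-DnsName and Get-DnsClientServerAddress.

function Test-DomainDnsServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DomainName,     # e.g. corp.example.com (placeholder)
        [Parameter(Mandatory)] [string[]] $ServerAddress   # preferred and alternate servers to test
    )

    # The SRV record every domain member queries to find a domain controller.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"

    foreach ($server in $ServerAddress) {
        $result = [pscustomobject]@{
            Server    = $server
            Answered  = $false   # did the server reply at all (only a non-reply triggers failover)
            DcRecords = 0        # SRV answers returned; 0 means the server cannot locate a DC
            Targets   = @()      # DC host names from the SRV answers
            Verdict   = ''
        }
        try {
            # -DnsOnly disables LLMNR/NetBIOS so only this server's answer is counted.
            # Additional-section A records are filtered out; only SRV answers count.
            $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            $result.Answered  = $true
            $result.DcRecords = @($answers).Count
            $result.Targets   = @($answers | ForEach-Object NameTarget)
        }
        catch {
            # Both "name does not exist" (NXDOMAIN) and a timeout land here. They mean
            # different things: NXDOMAIN is a reply the client accepts as final, a timeout
            # is what makes the client move to the alternate server.
            # Assumption: a timeout surfaces as FullyQualifiedErrorId "ERROR_TIMEOUT,...".
            $result.Answered = ($_.FullyQualifiedErrorId -notmatch '^ERROR_TIMEOUT')
        }

        $result.Verdict = if (-not $result.Answered) { 'No response (client would fail over to the next server)' }
                          elseif ($result.DcRecords -eq 0) { 'UNSAFE: answers, but has no DC records for the domain' }
                          else { 'OK: can locate a domain controller' }
        $result
    }
}

# Servers this host's DNS client is actually configured with:
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique

# Or, on the DHCP server, the list a scope hands out (needs the DhcpServer module; scope ID is a placeholder):
# $configured = (Get-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -OptionId 6).Value

# $env:USERDNSDOMAIN is set on a domain member; replace with the domain name otherwise.
Test-DomainDnsServer -DomainName $env:USERDNSDOMAIN -ServerAddress $configured |
    Format-Table Server, Answered, DcRecords, Verdict -AutoSize
```

Any server that comes back as UNSAFE (typically the router or an ISP resolver added as the alternate) should be removed from the client configuration or the DHCP scope option and replaced with a second AD-integrated DNS server; if there is only one DC, the right fix is to make the preferred server reliable rather than to add an external fallback.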
