AD, DNS and Windows 2003/2008

Posted on 2011-09-23
Last Modified: 2012-08-13
My configuration

3 DC
DC1 = Windows 2008 R2, DNS, GC, all 5 FMSO roles, IP =, DNS1=, DNS2=
DC2 = Windows 2003 SP2, Exchange, DNS, GC, IP=, DNS1 =, DNS2 = empty
DC3 = Windows 2003 SP2, DNS, GC, IP =, DNS1 =, DNS2 =

Is this DNS configuration OK?
What is the recommended DNS configuration in TCP/IP properties of each DC?

(I had a problem this morning: when I started DC1 alone (DC2 and DC3 were offline), the DNS service would not start. When DC2 and DC3 went online some minutes later, everything went back to normal and the DNS service started successfully. That is the reason I prefer to check the DNS configuration.)

Thank you
Question by:gadsad

Accepted Solution

Krzysztof Pytko earned 2000 total points
ID: 36586168
Try to configure it this way

DC1: Primary DNS of DC2, Secondary DNS of itself, Tertiary DNS of (loopback interface)
DC2: Primary DNS of DC3, Secondary DNS of DC1, Tertiary DNS of (loopback interface)
DC3: Primary DNS of DC1, Secondary DNS of DC2 or DC3, Tertiary DNS of (loopback interface)

This should prevent the "DNS island" which probably took place in your environment: the DNS service couldn't start and there was a problem with AD startup.

More about DNS island at
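
A quick way to audit this across a domain, as an added example that is not from the thread or from any of its experts: it assumes remote WMI rights on every DC and flags the pattern the accepted answer calls a DNS island (a DC whose primary DNS server is itself or the loopback address).

```powershell
# Added example, not part of the original thread: audit the DNS client order on every
# DC in the current domain and flag the "DNS island" pattern the accepted answer
# describes (a DC whose primary DNS server is itself or 127.0.0.1).
# WMI is used so it also works against Windows Server 2003/2008 DCs from a
# PowerShell 2.0+ station. Assumption: the caller has remote WMI rights on each DC.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

foreach ($dc in $dcs) {
    # Every IP-enabled adapter on the DC
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                          -ComputerName $dc -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        $ownIPs  = @($nic.IPAddress | Where-Object { $_ })
        # Order matters: this is primary, secondary, tertiary as set in TCP/IP properties
        $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $primary = $servers[0]

        $findings = @()
        if ($servers.Count -lt 2) {
            $findings += "only $($servers.Count) DNS server(s) configured"
        }
        if ($primary -eq '127.0.0.1' -or $ownIPs -contains $primary) {
            $findings += "primary DNS is itself ($primary): DNS island risk at boot"
        }
        if ($servers -contains '127.0.0.1') {
            # Informational: the accepted answer allows loopback as tertiary,
            # a later comment prefers real IP addresses only
            $findings += "loopback address in use"
        }

        $summary = 'OK'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

        New-Object PSObject -Property @{
            DC      = $dc
            Adapter = $nic.Description
            DNS     = ($servers -join ', ')
            Finding = $summary
        }
    }
}
```

Run it from a domain member as an account with WMI rights on the DCs; pipe the output to `Format-Table -AutoSize` for a one-line-per-adapter summary.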


Expert Comment

ID: 36586174
The Microsoft recommended configuration is to set the Alternate DNS server for Domain Controllers to be - only if they are running DNS services though.

Unfortunately, you've not told us what your DC IP addresses are, so I could not give you a recommended configuration.

I have 2 domain controllers in each of my forests, and I make the 2 Domain Controllers point to their own IP and the other Domain Controller's IP for DNS.

In a 3 Domain Controller environment, I'd make them still talk to their own IP as the first DNS entry, and then flip a coin to see which other domain controller/DNS server gets the second one :D

Expert Comment

by:Krzysztof Pytko
ID: 36586180
They told us :) Read question once again ;)



Expert Comment

ID: 36586216
I got confused with all the IP's :)

Expert Comment

by:Darius Ghassem
ID: 36587162
Also, best practices not to use you should use the actual IP addresses. Loopback addresses themselves can cause DNS issues in multiple DNS server environment.

Expert Comment

by:Krzysztof Pytko
ID: 36915738

Today I was reviewing posts on EE and I found one interesting post, where Mike (mkline71) posted a link to the Ask DS Team blog. There was a similar question about best DNS practices. I read that article and I think it's worth placing it here for you :) In my opinion you will find all the answers to your questions there ;)



Author Closing Comment

ID: 36926238
thank you
