Active Directory DNS Configuration

Posted on 2011-10-04
Last Modified: 2012-05-12
Hi there,

I have 20 DCs and 10 sites; every site has 2 DCs, every site is connected by a WAN connection, and one of the sites is the hub site.

The question is: how should I configure the DNS settings on the DCs? Which would be the primary DNS server and which one should be the secondary? I know that the primary should be another DNS server in the same site and the secondary should be itself, but I'm not sure if this is the correct configuration. I'm looking for options, pros and cons.

Can you please point me in the right direction?

Thank you so much.
Question by: M7K
    LVL 1

    Expert Comment

    It is my understanding the primary should ALWAYS be itself (and the actual IP, not the loopback). You can set the secondary to whatever you would like; to my knowledge it does not really matter. AD handles everything else.
    LVL 7

    Expert Comment

    by:Matthew England
    First off:

    1. Is each site going to be its own domain? (AD Sites are different from DNS Domains, and are used to control replication across WAN links.)

    2. If you use AD Integrated Zones, which is the Microsoft Best Practice, then the traditional Master/Slave relationship doesn't apply. As for your clients, which one they use as the primary or secondary really doesn't matter.

    LVL 70

    Expert Comment

    Use AD Integrated zones - that way all DNS servers are essentially Primary - all are updatable and will replicate changes to each other.

    Many people suggest that setting each DNS server to point to another DNS server in the same site as its DNS server is preferable and that it prevents 'racing'. However, I have never had any such issues and have always configured DNS servers to point to themselves with no issues.
    LVL 57

    Accepted Solution

    I've personally dealt with race issues several times, so I always point to another DNS server as primary and then to itself.

    The DS team also answered a similar question in one of the Friday Mail editions.

    This similar question also came up over on activedir this summer, and MVP Mark Parris emailed Ned Pyle (who wrote the link above). Ned went into much more detail in his answer, which I will blatantly steal below.

    ******copy and paste from Ned Pyle Below not taking credit for his great work********

    On DCs we recommend making the DC loopback address a secondary/tertiary or lower entry, and pointing to another DNS server as primary, for the reasons below:

    It's also stated in this DNS BPA rule:
        DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
    And this one:
        DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

    However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
    The loopback address of 127.0.0.1 (or ::1 in IPv6) is recommended because, unlike even a static IP address, it never changes. So you can never accidentally forget to update your DNS entry and be completely FUBAR.

    We in MS AD support still reckon that roughly 75% of our AD cases have DNS-Networking root cause, so anything you can do to avoid becoming a statistic is alright by us.
    As far as RPC DNS goes, you might be thinking of RPCAuthLevel and the man-in-the-middle protection added in Win2008+:
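
    An audit script for the two BPA rules quoted above, added here as an example; it is not part of the original answer, of Ned Pyle's text, or of Microsoft's BPA tooling. It assumes the RSAT ActiveDirectory module on the machine you run it from and PowerShell remoting (WinRM) to each DC. The Get-DnsClientServerAddress, Get-NetIPAddress and Set-DnsClientServerAddress cmdlets exist only on Windows Server 2012 and later, so on the 2008-era servers in the question the same information would have to be read from ipconfig /all and set with netsh instead. The function and parameter names, and the sample addresses in the usage comments, are constructed for this example.

```powershell
# Added audit example (not from the original answer): checks each DC's IPv4 DNS client
# list against the two BPA rules quoted in the answer:
#   (1) the DC's own address or loopback must be somewhere in the list;
#   (2) it must NOT be the first entry (a DC that resolves only through itself can
#       become an "island" and stop replicating).
# Assumes: RSAT ActiveDirectory module, WinRM to each DC, Windows Server 2012+ targets.
Import-Module ActiveDirectory

function Test-DcDnsClientConfig {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: DC host names to audit; defaults to every DC in the domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        # Collect the first populated IPv4 DNS client list and the DC's own IPv4 addresses.
        $remote = Invoke-Command -ComputerName $dc -ScriptBlock {
            $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
            $own = Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.IPAddress -ne '127.0.0.1' } |
                Select-Object -ExpandProperty IPAddress
            [pscustomobject]@{ Servers = @($servers); OwnAddresses = @($own) }
        }

        # Any of these counts as "pointing to itself" for the purpose of the rules.
        $self    = @('127.0.0.1') + $remote.OwnAddresses
        $servers = @($remote.Servers)

        # Position (0-based) of the first self-reference in the DNS server list, or -1.
        $selfIndex = -1
        for ($i = 0; $i -lt $servers.Count; $i++) {
            if ($self -contains $servers[$i]) { $selfIndex = $i; break }
        }

        $finding = if ($servers.Count -eq 0) { 'No DNS servers configured' }
                   elseif ($selfIndex -lt 0)  { 'Rule 2 violated: own IP/loopback missing from list' }
                   elseif ($selfIndex -eq 0)  { 'Rule 1 violated: own IP/loopback is the FIRST entry (island risk)' }
                   else                       { 'OK' }

        [pscustomobject]@{
            DomainController = $dc
            DnsServers       = ($servers -join ', ')
            SelfPosition     = if ($selfIndex -ge 0) { $selfIndex + 1 } else { $null }
            Finding          = $finding
        }
    }
}

function Set-DcDnsClientOrder {
    # Hypothetical remediation helper: puts a partner DNS server in the same site first
    # and the loopback second, which is the order the answer recommends.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$PartnerDnsServer,   # another DC's IP in the same site
        [Parameter(Mandatory)][string]$InterfaceAlias       # e.g. the production NIC alias
    )
    if ($PSCmdlet.ShouldProcess($DomainController, "Set DNS client list to $PartnerDnsServer, 127.0.0.1")) {
        Invoke-Command -ComputerName $DomainController -ScriptBlock {
            param($alias, $partner)
            Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses @($partner, '127.0.0.1')
        } -ArgumentList $InterfaceAlias, $PartnerDnsServer
    }
}

# Usage (sample addresses are constructed):
#   Test-DcDnsClientConfig | Format-Table -AutoSize
#   Set-DcDnsClientOrder -DomainController dc02.corp.example -PartnerDnsServer 10.1.0.11 -InterfaceAlias 'Ethernet' -WhatIf
```

    Running the audit across all DCs gives one row per DC with the configured list, the position of the self-reference and a finding, so a DC that points only to itself (the "island" case) or that has no self-reference at all shows up immediately. The remediation helper supports -WhatIf so the change can be reviewed before it is applied.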




    Author Comment

    Thank you Mike, that was all I was looking for!
    LVL 1

    Expert Comment

    Great links - I have read many conflicting articles, but that is pretty clear cut.
    LVL 57

    Expert Comment

    by:Mike Kline
    Yeah, thank Ned for those. Anyone reading this question, bookmark the askds blog.

    Ned has sort of become the public face of Active Directory for Microsoft because of the blog.
