Solved

Active Directory DNS Configuration

Posted on 2011-10-04
Last Modified: 2012-05-12
Hi there,

I have 20 DCs and 10 sites; every site has 2 DCs, every site is connected by a WAN connection, and one of the sites is the HUB site.

The question is: how should I configure the DNS settings on the DCs? Which would be the primary DNS server and which one should be the secondary? I know that the primary should be another DNS server in the same site and the secondary should be itself, but I'm not sure if this is the correct configuration. I'm looking for options, pros and cons.

Can you please point me in the right direction?

Thank you so much.
Question by:M7K
7 Comments
 
LVL 1

Expert Comment

by:desaille
ID: 36913578
It is my understanding the primary should ALWAYS be itself (and the actual IP - not the loopback).  you can set the secondary to whatever you would like - to my knowledge it does not really matter.  AD handles everything else.
 
LVL 7

Expert Comment

by:Matthew England
ID: 36913648
First off:

1. Is each site going to be its own domain? (AD Sites are different from DNS Domains, and are used to control replication across WAN links.)


2. If you use AD Integrated Zones, which is the Microsoft Best Practice, then the traditional Master/Slave relationship doesn't apply. As for your clients, which they use as the primary or secondary really doesn't matter.

 
LVL 70

Expert Comment

by:KCTS
ID: 36913687
Use AD Integrated - that way all DNS servers are essentially Primary - all are update-able and will replicate changes to each other.

Many people suggest that setting each DNS server to point to another DNS server in the same site as its DNS server is preferable and it prevents 'racing'. However I have never had any such issues and have always configured DNS servers to point to themselves with no issues.
 
LVL 57

Accepted Solution

by:Mike Kline (earned 2000 total points)
ID: 36914343
I've personally dealt with race issues several times so I always point to another for primary and then itself.

 
The DS team also answered a similar question in one of the Friday Mail editions.

http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest

This similar question also came up over on activedir this summer and MVP Mark Parris emailed Ned Pyle (who wrote the link above). Ned went into much more detail in his answer, which I will blatantly steal below.

******copy and paste from Ned Pyle Below not taking credit for his great work********


On DCs we recommend making the DC loopback address a secondary/tertiary or lower entry, and pointing to another DNS server as primary, for the reasons below:
 
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
 
It’s also stated in this DNS BPA rule:
 
DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
http://technet.microsoft.com/en-us/library/ff807362(WS.10).aspx
 
And this one:
 
DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
http://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx
 
The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
 
The loopback address of 127.0.0.1 (or ::1 in IPV6) is recommended because, unlike even a static IP address, it never changes. So you can never accidentally forget to update your DNS entry and be completely FUBAR.

We in MS AD support still reckon that roughly 75% of our AD cases have DNS-Networking root cause, so anything you can do to avoid becoming a statistic is alright by us.
 
As far as RPC DNS goes, you might be thinking of RPCAuthLevel and the man-in-the-middle protection added in Win2008+:
 
http://blogs.technet.com/b/askds/archive/2010/02/12/friday-mail-sack-not-usmt-edition.aspx#dns
***********************************

Thanks

Mike
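The accepted answer and the quoted BPA rules boil down to a checkable ordering rule for each DC's DNS client list: another DNS server first, the DC's own address or loopback present but never first, and never only itself. The PowerShell below is an added example (not from this thread or from Microsoft) that audits a list against those rules on constructed sample data; the commented live-audit lines assume the DnsClient and NetTCPIP modules shipped with Windows Server 2012 and later.

```powershell
# Added example: audit a DC's ordered DNS client server list against the
# BPA rules quoted in the accepted answer. Not code from the thread.
function Test-DcDnsClientList {
    param(
        [Parameter(Mandatory)][string[]]$ServerAddresses,  # ordered DNS client list
        [Parameter(Mandatory)][string[]]$LocalAddresses    # this DC's own IPv4 addresses
    )
    $self     = @('127.0.0.1') + $LocalAddresses           # ways the DC can name itself
    $findings = @()

    if ($ServerAddresses.Count -eq 0) {
        $findings += 'No DNS servers configured.'
    }
    # Rule 1 (dd378900): the list should include the DC itself (own IP or loopback).
    if (-not ($ServerAddresses | Where-Object { $self -contains $_ })) {
        $findings += 'Own address / loopback is missing from the DNS server list.'
    }
    # Rule 2 (ff807362): the DC must not be the first entry.
    if ($ServerAddresses.Count -gt 0 -and $self -contains $ServerAddresses[0]) {
        $findings += "First entry '$($ServerAddresses[0])' is this DC; list another DC first."
    }
    # Pointing only at itself is the replication "island" case the answer warns about.
    $others = $ServerAddresses | Where-Object { $self -notcontains $_ }
    if ($ServerAddresses.Count -gt 0 -and -not $others) {
        $findings += 'Only self-references configured; no other DNS server listed.'
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: a DC whose own IP is 10.1.0.11 (hypothetical addresses).
$bad  = Test-DcDnsClientList -ServerAddresses @('10.1.0.11', '10.1.0.12') -LocalAddresses @('10.1.0.11')
$good = Test-DcDnsClientList -ServerAddresses @('10.1.0.12', '127.0.0.1') -LocalAddresses @('10.1.0.11')
$bad.Findings                      # reports that the DC lists itself first
"Good list compliant: $($good.Compliant)"

# Live audit on the local DC (assumes DnsClient / NetTCPIP modules are available):
# $local = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
# Get-DnsClientServerAddress -AddressFamily IPv4 |
#     Where-Object { $_.ServerAddresses } |
#     ForEach-Object { Test-DcDnsClientList -ServerAddresses $_.ServerAddresses -LocalAddresses $local }
```

Run the live-audit lines on each DC after a change, since the island condition only bites when the DC's sole listed server is itself.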
 

Author Comment

by:M7K
ID: 36920247
thank you mike, that was all I was looking for!
 
LVL 1

Expert Comment

by:desaille
ID: 36920394
Great links - have read many conflicting articles but that is pretty clear cut.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36920537
Yeah, thank Ned for those; anyone reading this question, bookmark the askds blog.

Ned has sort of become the public face of Active Directory for Microsoft because of the blog

Thanks

Mike