Active Directory DNS Configuration

Hi there,

I have 20 DCs and 10 sites, every site has 2 DCs, every site is connected by a WAN connection, and one of the sites is the HUB site.

The question is: how should I configure the DNS settings on the DCs? Which would be the primary DNS server and which one should be the secondary? I know that the primary should be another DNS server in the same site and the secondary should be itself, but I'm not sure if this is the correct configuration. I'm looking for options, pros and cons.

Can you please point me in the right direction?

Thank you so much.
It is my understanding the primary should ALWAYS be itself (and the actual IP, not the loopback). You can set the secondary to whatever you would like; to my knowledge it does not really matter. AD handles everything else.
Matthew England (Technology Consultant) commented:
First off:

1. Is each site going to be its own domain? (AD Sites are different than DNS Domains, and are used to control replication across WAN links.)

2. If you use AD Integrated Zones, which is the Microsoft Best Practice, then the traditional Master/Slave relationship doesn't apply. As for your clients, which they use as the primary or secondary really doesn't matter.

Brian Pierce (Photographer) commented:
Use AD Integrated - that way all DNS servers are essentially Primary - all are update-able and will replicate changes to each other.

Many people suggest that setting each DNS server to point to another DNS server in the same site as its DNS server is preferable and it prevents 'racing'. However I have never had any such issues and have always configured DNS servers to point to themselves with no issues.

Mike Kline commented:
I've personally dealt with race issues several times so I always point to another for primary and then itself.

The DS team also answered a similar question in one of the Friday Mail editions.

This similar question also came up over on activedir this summer and MVP Mark Parris emailed Ned Pyle (who wrote the link above).  Ned went into much more detail in his answer which I will blatantly steal below

******copy and paste from Ned Pyle Below not taking credit for his great work********

On DCs we recommend making the DC loopback address a secondary/tertiary or lower entry, and pointing to another DNS server as primary, for the reasons below:
It’s also stated in this DNS BPA rule:
DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
And this one:
DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
The loopback address of (or ::1 in IPv6) is recommended because, unlike even a static IP address, it never changes. So you can never accidentally forget to update your DNS entry and be completely FUBAR.

We in MS AD support still reckon that roughly 75% of our AD cases have DNS-Networking root cause, so anything you can do to avoid becoming a statistic is alright by us.
As far as RPC DNS goes, you might be thinking of RPCAuthLevel and the man-in-the-middle protection added in Win2008+:



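The rules quoted above (another DNS server first, the DC's own address present but never first, loopback preferred for the self entry, never pointing only at itself) are easy to audit across a fleet the size of the asker's. The script below is an added example written for this page; it is not code from the thread, from Ned Pyle, or from Microsoft's BPA. It assumes the ActiveDirectory and DnsClient PowerShell modules, that every DC also runs the DNS Server role, that PowerShell remoting to the DCs is allowed, that each DC has one adapter with DNS servers set, and that the hub site is literally named `HUB` (change `$HubSite`). The proposed list per DC is: a partner DC in the same site first, loopback second, a hub-site DC third (the hub tertiary is an added fallback, not something the thread prescribes).

```powershell
# Added example (not from the thread): audit each DC's DNS client list against the
# rules quoted above and print the list that would satisfy them. Read-only; the
# Set-DnsClientServerAddress call that would apply a change is left as a comment.
Import-Module ActiveDirectory

$Loopback = '127.0.0.1'
$HubSite  = 'HUB'   # assumed site name; adjust to your hub site

# Return the rule violations for one DC, given its own IPv4 and its DNS list in lookup order.
function Test-DcDnsClientList {
    param(
        [Parameter(Mandatory)][string]   $OwnIp,
        [Parameter(Mandatory)][string[]] $ServerList
    )
    $findings = @()
    if ($ServerList.Count -eq 0) { return ,@('No DNS servers configured') }

    $first = $ServerList[0]
    if ($first -eq $OwnIp -or $first -eq $Loopback) {
        $findings += 'First entry points at itself (island risk)'
    }
    if ($ServerList -notcontains $Loopback -and $ServerList -notcontains $OwnIp) {
        $findings += 'Neither own IP nor loopback listed (BPA: include own address)'
    }
    elseif ($ServerList -notcontains $Loopback) {
        $findings += 'Own static IP listed instead of loopback (loopback never changes)'
    }
    $others = @($ServerList | Where-Object { $_ -ne $OwnIp -and $_ -ne $Loopback })
    if ($others.Count -eq 0) {
        $findings += 'Points only at itself: no other DNS server listed'
    }
    return ,$findings
}

# Build the list this example proposes: same-site partner, then loopback, then a hub DC.
function Get-DesiredDnsList {
    param(
        [Parameter(Mandatory)] $Dc,       # one object from Get-ADDomainController
        [Parameter(Mandatory)] $AllDcs
    )
    $list = @()
    $partner = $AllDcs |
        Where-Object { $_.Site -eq $Dc.Site -and $_.HostName -ne $Dc.HostName } |
        Select-Object -First 1
    if ($partner) { $list += $partner.IPv4Address }
    $list += $Loopback
    if ($Dc.Site -ne $HubSite) {
        $hub = $AllDcs | Where-Object { $_.Site -eq $HubSite } | Select-Object -First 1
        if ($hub) { $list += $hub.IPv4Address }
    }
    return ,$list
}

$allDcs = Get-ADDomainController -Filter *

foreach ($dc in $allDcs) {
    # Pull the live client list from the DC (first IPv4 adapter that has DNS servers set).
    $current = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $cfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses.Count -gt 0 } |
               Select-Object -First 1
        if ($cfg) { $cfg.ServerAddresses }
    })

    $findings = Test-DcDnsClientList -OwnIp $dc.IPv4Address -ServerList $current
    $desired  = Get-DesiredDnsList -Dc $dc -AllDcs $allDcs

    [pscustomobject]@{
        DC       = $dc.HostName
        Site     = $dc.Site
        Current  = ($current -join ', ')
        Desired  = ($desired -join ', ')
        Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }

    # To apply the proposed list on the DC's adapter (after reviewing the output above):
    # Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
    #     param($servers)
    #     $idx = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    #             Where-Object { $_.ServerAddresses.Count -gt 0 } |
    #             Select-Object -First 1).InterfaceIndex
    #     Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $servers
    # } -ArgumentList (,$desired)
}
```

Run it from an admin workstation as a domain admin; it prints one row per DC. A row whose `Findings` column reports "First entry points at itself" is the island case Ned describes. The BPA rule is per adapter, so on multi-homed DCs extend the remote script block to check every adapter rather than the first.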
M7K (Author) commented:
Thank you Mike, that was all I was looking for!
Great links - have read many conflicting articles but that is pretty clear cut.
Mike Kline commented:
Yeah thank Ned for those, anyone reading this question bookmark the askds blog

Ned has sort of become the public face of Active Directory for Microsoft because of the blog