How do I resolve my DNS issues

Posted on 2011-10-13
Last Modified: 2012-06-27
Network seems to have lots of latency for opening web pages.

Firewall DNS points to Opendns and Comcast
Internal DC01 points to other internal DNS under forwarder, and Internal DC02 points to DC01.

Have I got something goofy?
I also have "listen on all IPs" set under the Interfaces tab in DNS.
I do not have use root hints selected.

I am running Server 2008 R2
Question by: manelson05
    LVL 23

    Expert Comment

    Are both DCs running AD-DNS and replicating fine?  Are they both in the same site?

    If so:

    DC01 - point to itself
    DC02 - point to itself

    Both should have forwarders to your ISP's DNS or another valid external DNS server or even using the root hints servers.

    Firewall DNS pointing anywhere is pretty pointless unless it is for reverse DNS lookups or something.

    Clients set via DHCP scopes to point to DC01 as primary and DC02 as secondary.

    That's how I'd set it up...
    LVL 38

    Expert Comment

    According to the MS BPA for DNS, DCs running DNS should point to another DNS server as primary, and themselves as secondary.
    LVL 23

    Accepted Solution

    MS has gone back and forth over the years.  I personally like them pointing to themselves for their primary.

    See below:

    After you have verified that replication has completed successfully, DNS may be configured on each Domain Controller in either of two ways, depending on the requirements of the environment. The configuration options are:

        Configure the Preferred DNS server in TCP/IP properties on each Domain Controller to use itself as Primary DNS Server.
            Ensures that DNS queries originating from the Domain Controller will be resolved locally if possible. Will minimize impact of Domain Controller’s DNS queries on the network
            Dependent on Active Directory replication to ensure that the DNS zone is up to date. Lengthy replication failures may result in an incomplete set of entries in the zone.

        Configure all Domain Controllers to use a centralized DNS server as their Preferred DNS Server.
                Minimizes the reliance on Active Directory replication for DNS zone updates of Domain Controller locator records. This includes faster discovery of new or updated Domain Controller locator records, as replication lag time is not an issue.
                Provides a single authoritative DNS server, which may be useful when troubleshooting Active Directory replication issues
                Will more heavily utilize the network to resolve DNS queries originating from the Domain Controller
                DNS name resolution may be dependent on network stability; loss of connectivity to the Preferred DNS server will result in failure to resolve DNS queries from the Domain Controller. This may result in apparent loss of connectivity, even to locations that are not across the lost network segment.

    A combination of the two strategies is possible, with the remote DNS server set as Preferred DNS server, and the local Domain Controller set as Alternate (or vice versa). While this strategy has many advantages, there are factors that should be considered before making this configuration change:

        The DNS client does not utilize each of the DNS servers listed in TCP/IP configuration for each query. By default, on startup the DNS client will attempt to utilize the server in the Preferred DNS server entry. If this server fails to respond for any reason, the DNS client will switch to the server listed in the alternate DNS server entry. The DNS client will continue to use this alternate DNS server until:
            It fails to respond to a DNS query, or:
            The ServerPriorityTimeLimit value is reached (15 minutes by default). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
            286834  The DNS Client service does not revert to using the first server in the list
        Please note, only a failure to respond will cause the DNS client to switch Preferred DNS servers; receiving an authoritative but incorrect response does not cause the DNS client to try another server. As a result, configuring a Domain Controller with itself and another DNS server as Preferred and Alternate servers helps to ensure that a response is received, but it does not guarantee accuracy of that response. DNS record update failures on either of the servers may result in an inconsistent name resolution experience.
    LVL 38

    Expert Comment

    I definitely agree that it's not clear cut, and recommendations vary.  I'm including the below just for interesting reading.  The BPA for DNS in 2008 R2 uses these as guidelines (including many others of course).

    What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?

    It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

    1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
    2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start.)
    3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
    4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest's DCs. (Lots more arguments here.)
    5. DCs should have at least two DNS client entries.
    6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DCs running DNS.
    7. We don't care if you use Windows or 3rd party DNS. It's no skin off our nose: you already paid us for the DCs and we certainly don't need you to buy DNS-only Windows servers. But we won't be able to assist you with your BIND server, and their free product's support is not free.
    8. (Other things I didn't say that are people's pet peeves, leading to even more arguments.)

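The following is an added example, not code from the thread or from Microsoft: a read-only PowerShell audit that checks a DC's own DNS client list and forwarders against the guidelines quoted above (at least two entries, self listed via loopback rather than a real IP, a partner server as Preferred, and forwarders that are external and never the server itself). It assumes it is run in an elevated PowerShell on the DC and that the DNS Server role, with its root\MicrosoftDNS WMI provider, is installed; the WMI classes used exist on Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example (not from the thread): audit this DC's DNS client settings and
# forwarders against the quoted guidelines. Reports findings; changes nothing.

$loopback = @('127.0.0.1', '::1')
$nics     = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
$selfAddr = $loopback + @($nics | ForEach-Object { $_.IPAddress })   # every address meaning "me"
$findings = @()

foreach ($nic in $nics) {
    if (-not $nic.DNSServerSearchOrder) { continue }
    $dns  = @($nic.DNSServerSearchOrder)
    $name = $nic.Description
    Write-Host ("{0}: {1}" -f $name, ($dns -join ', '))

    # Guideline 5: a DC should have at least two DNS client entries.
    if ($dns.Count -lt 2) { $findings += "$name - only $($dns.Count) DNS server configured" }

    # Guideline 1: a DC hosting DNS should point to itself somewhere in the list.
    $selfEntries = @($dns | Where-Object { $selfAddr -contains $_ })
    if ($selfEntries.Count -eq 0) { $findings += "$name - does not list itself at all" }

    # Guideline 3: the self-reference should be a loopback address, not the NIC's real IP.
    foreach ($e in ($selfEntries | Where-Object { $loopback -notcontains $_ })) {
        $findings += "$name - points to own address $e; use 127.0.0.1 instead"
    }

    # Guideline 2 (the contested one): another DNS server first, itself second or third.
    if ($selfAddr -contains $dns[0]) {
        $findings += "$name - self is the Preferred DNS server (BPA prefers a partner DC first)"
    }
}

# Forwarders, as the first comment recommends: forward to an external resolver,
# and never to this server itself (that would just loop the query back).
# Assumes the DNS Server role and the root\MicrosoftDNS WMI provider are present.
$srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$fwd = @($srv.Forwarders)
$fwdText = if ($fwd.Count -gt 0) { $fwd -join ', ' } else { '<none>' }
Write-Host ("Forwarders: {0}" -f $fwdText)
if ($fwd.Count -eq 0) { $findings += "No forwarders configured; external names then depend on root hints" }
foreach ($f in ($fwd | Where-Object { $selfAddr -contains $_ })) {
    $findings += "Forwarder $f is this server itself"
}

if ($findings.Count -eq 0) { Write-Host 'No findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it on DC01 and DC02 in turn; a "self is the Preferred DNS server" warning is a BPA preference, not an error, since the accepted solution treats self-as-Preferred as a valid alternative.
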
    Author Closing Comment

    Very thorough and informative analysis.
    Thank you
