DNS on DC's

i have 4 DC in domain.
what's the rule for setting primary and secondary DNS on DC's

should they all point at the same DC then themselves. or all at different dc's

or at themselves ?

Thanks
Rbauckham69Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

GovvyCommented:
Use another DC for primary and then itself for secondary:

http://support.microsoft.com/kb/825036
0
Glen KnightCommented:
Preferred another DNS server, backup as itself.

This will prevent the server going in to a "race" condition on boot up.
0
Mike KlineCommented:
You have the right answers just want to to a blatent copy and paste because of the great answer Ned Pyle from the Microsoft AD (askds blog) gave on this too.

This answer came about from an email MVP Mark Parris sent to Ned


*****************cut and paste from here...not taking credit for their good work here ***********************8

I have "knelt before Ned" and the concise digest response to the raised points in the trail is:

The BPA is right – on DCs we recommend making the DC loopback address a secondary/tertiary or lower entry, and pointing to another DNS server as primary, for the reasons below:
 
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
 
It’s also stated in this DNS BPA rule:
 
DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
http://technet.microsoft.com/en-us/library/ff807362(WS.10).aspx
 
And this one:
 
DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
http://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx
 
The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
 
The loopback address of 127.0.0.1 (or ::1 in IPV6) is recommended because, unlike even a static IP address, it never changes. So you can never accidentally forget to update your DNS entry and be completely FUBAR.

We in MS AD support still reckon that roughly 75% of our AD cases have DNS-Networking root cause, so anything you can do to avoid becoming a statistic is alright by us.
 
As far as RPC DNS goes, you might be thinking of RPCAuthLevel and the man-in-the-middle protection added in Win2008+:
 
http://blogs.technet.com/b/askds/archive/2010/02/12/friday-mail-sack-not-usmt-edition.aspx#dns

*****************************************8

Thanks

Mike
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

devinnoelCommented:
If a DC can't find a DNS server, it won't even be able to authenticate users logging on locally. I always put in 127.0.0.1 as a secondary just in case somebody accidentally messes up a DNS IP, or changes the server IP, that way it can always find itself. I had that happen before, it sucks, you pretty much get to rebuild the DC.

Pointing to another DC makes sure that your DC can always find the rest of the Active Directory and not get orphaned with no clue how to find the rest of your network when something gets change.

I would point to whatever DC is going to give you the fastest response. If they are all in the same site with no real difference in ping times, it shouldn't matter much.
0
Brian PiercePhotographerCommented:
To be technical for a minute >> what's the rule for setting primary and secondary <<
There is no such rule as primary and secondary DNS servers are something different all together

No is what you really mean is preferred and alternate DNS servers that's a different matter

Put simply the jury is out. Some prefer to point each server at itself as the preferred sever as lookups are faster and more reliable.
However, pointing them at each other prevents an issue called 'racing' that can occasionally occur.

I prefer to point them at themselves and have never found 'racing' to be an issue
0
Glen KnightCommented:
KCTS, presumably then your DNS servers are not AD integrated?

Otherwise you would see the race condition quite often because DNS is required for AD but it can't start because AD isn't yet.
0
Mike KlineCommented:
Racing is not always an issue but I've seen it happen a handful of times at major agencies.  At this point I'd argue that the jury is not really out.  Microsoft support and the AD team see a lot of tickets and that is why they made the recommendations they did.

Thanks

Mike
0
Rbauckham69Author Commented:
Thanks all
excellent answers and a great debate!
so I conclude primary = another DC and secondary = loopback 127.0.0.1

Many Thanks
0
Brian PiercePhotographerCommented:
>> NO  so I conclude primary = another DC and secondary = loopback 127.0.0.1<<

I won't argue if you say PREFERRED = another DC and ALTERNATE = loopback, but please don't use the terms primary and secondary - as I said they refer to something totally different.

That said I have never had any issues with it the other way around - and yes most of my servers a AD Integrated.
0
Glen KnightCommented:
KCTS, I am amused that you keep bringing this up.  It may not be technically correct but you are the only one I know that keeps pointing it out.

I think it's human nature to refer to something that comes first to be called primary and some thing that comes second to be called secondary.
0
Brian PiercePhotographerCommented:
Call me pedantic if you like but I think that it is important to use the correct terminology to avoid confusion

As I'm sure you are aware in DNS terms PRIMARY refers to an updateable zone file and SECONDARY to a zone file which is transferred from the PRIMARY and has nothing to do with the client DNS settings

The terms PREFERRED and ALTERNATE are also more descriptive of the actual process that is involved in DNS lookups, the alternate only being used if there is no timely response from the client.

Anyway that's my view :-)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.