Solved

win2003 dns server ip address question

Posted on 2012-03-16
Last Modified: 2012-03-19
Hi,
That's a simple question but :
I have 2 dc's dc1 10.1.2.12 and dc2 10.1.2.13
both are dns servers (srv2003)
In their network card properties, what DNS entries should there be?
"use the following DNS server addresses
Preferred DNS Server
Alternate DNS server"

Should it be 127.0.0.1 then 10.1.2.13 for the first one,
or 10.1.2.12 then 10.1.2.13,
or 10.1.2.13 then 10.1.2.12,
or 10.1.2.13 then 127.0.0.1,
or another combination?
tx!
Question by:SigSupport
6 Comments
LVL 35

Expert Comment

by:Joseph Daly
Each DC should point to itself first and then to the other one. I usually do it by the IP address rather than the localhost address.

As far as your clients go, as long as they point to both it doesn't really matter which is first.
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
On .12

Preferred = .13
Alternate = 127.0.0.1

On .13

Preferred = .12
Alternate = loopback

You do that to prevent race condition issues


Ned Pyle from the ask DS team had a great answer about this.

This answer came about from an email MVP Mark Parris sent to Ned


----- cut and paste from here... not taking credit for their good work here -----

I have "knelt before Ned" and the concise digest response to the raised points in the trail is:

The BPA is right – on DCs we recommend making the DC loopback address a secondary/tertiary or lower entry, and pointing to another DNS server as primary, for the reasons below:
 
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
 
It’s also stated in this DNS BPA rule:
 
DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
http://technet.microsoft.com/en-us/library/ff807362(WS.10).aspx
 
And this one:
 
DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
http://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx
 
The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
 
The loopback address of 127.0.0.1 (or ::1 in IPv6) is recommended because, unlike even a static IP address, it never changes. So you can never accidentally forget to update your DNS entry and be completely FUBAR.

We in MS AD support still reckon that roughly 75% of our AD cases have DNS-Networking root cause, so anything you can do to avoid becoming a statistic is alright by us.
 
As far as RPC DNS goes, you might be thinking of RPCAuthLevel and the man-in-the-middle protection added in Win2008+:
 
http://blogs.technet.com/b/askds/archive/2010/02/12/friday-mail-sack-not-usmt-edition.aspx#dns

----- end of paste -----

Thanks

Mike
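As an added example (not part of this thread, and not a Microsoft tool), here is a PowerShell check that applies the two BPA rules quoted above to a DC's configured DNS list: a partner DC must come first, and the loopback or own address must be present but not first. The function name, the finding texts and the $PartnerDcs list are assumptions; the addresses are the ones from the question.

```powershell
# Added example: evaluate a DC's DNS client list against the quoted BPA rules.
# PowerShell 2.0 syntax so it also runs on older domain controllers.
function Test-DcDnsClientOrder {
    param(
        [Parameter(Mandatory=$true)] [AllowEmptyCollection()]
        [string[]] $DnsServers,   # adapter's DNS server list, in configured order
        [Parameter(Mandatory=$true)] [string]   $OwnAddress,  # this DC's own static IP
        [Parameter(Mandatory=$true)] [string[]] $PartnerDcs   # other DC/DNS servers (admin-supplied)
    )
    $selfEntries = @('127.0.0.1', '::1', $OwnAddress)
    $findings = @()

    if ($DnsServers.Count -eq 0) {
        $findings += 'No DNS servers configured on this adapter.'
    } else {
        # Rule 1: loopback/own IP must not be the first entry (replication "island" risk).
        if ($selfEntries -contains $DnsServers[0]) {
            $findings += "First entry $($DnsServers[0]) is this DC itself; list a partner DC first."
        }
        # Rule 2: the loopback or own IP should still be present as a lower entry.
        $hasSelf = @($DnsServers | Where-Object { $selfEntries -contains $_ }).Count -gt 0
        if (-not $hasSelf) {
            $findings += 'Neither 127.0.0.1 nor the own IP is listed; add the loopback as alternate.'
        }
        # A partner DC must appear somewhere, or the DC can only resolve against itself.
        $hasPartner = @($DnsServers | Where-Object { $PartnerDcs -contains $_ }).Count -gt 0
        if (-not $hasPartner) {
            $findings += 'No partner DC in the list.'
        }
    }
    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed inputs using the thread's addresses: DC1 = 10.1.2.12, DC2 = 10.1.2.13.
# Accepted-answer layout for DC1 (partner first, loopback second): Compliant = True
Test-DcDnsClientOrder -DnsServers @('10.1.2.13','127.0.0.1') -OwnAddress '10.1.2.12' -PartnerDcs @('10.1.2.13')
# Self-first layout for DC1: Compliant = False, with a finding on the first entry
Test-DcDnsClientOrder -DnsServers @('10.1.2.12','10.1.2.13') -OwnAddress '10.1.2.12' -PartnerDcs @('10.1.2.13')

# Live check on the DC itself: read the configured list from WMI
# (Win32_NetworkAdapterConfiguration exposes DNSServerSearchOrder and IPAddress).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $ipv4 = @($_.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
        $list = @($_.DNSServerSearchOrder | Where-Object { $_ })   # drop nulls, keep order
        Test-DcDnsClientOrder -DnsServers $list -OwnAddress $ipv4 -PartnerDcs @('10.1.2.13')
    }
```

Run it on each DC and treat any non-empty Findings as a configuration to fix before the next reboot, since that is when the self-first ordering bites.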
LVL 35

Expert Comment

by:Joseph Daly
So on DC1 it would be

Preferred 10.1.2.12
Secondary 10.1.2.13

On DC2 it would be
preferred 10.1.2.13
secondary 10.1.2.12
LVL 6

Expert Comment

by:bluemeln
On DC1, it should be
10.1.2.12
10.1.2.13

On DC2, it should be
10.1.2.13
10.1.2.12

Each DNS server should check itself first in order to avoid network traffic to another server.
As a practice, I do not use 127.0.0.1 because of multi-homed servers. Instead I type in the literal IP address.

When they are located in a forest, I usually put the IP address of a Global Catalog DC as the second DNS entry in the second DC, so

On DC2
10.1.2.13
10.1.5.12 (if there were a 10.1.5.x domain in the same forest)
LVL 57

Expert Comment

by:Mike Kline
I disagree with the others on this; I've run into race condition issues before. I also defer to Ned and the AD team because they see all the support calls generated.

Make sure to read the links in Ned's answer I posted above.

Thanks

Mike
LVL 26

Expert Comment

by:Leon Fester
I also used to run primary = self and secondary = other DC.
And although I've not had race conditions, I've changed my configs too.
From experience, if Ned or the Mailsack said so then that's a good enough reason to implement.

Makes a whole lot of sense too.
Reposting this link, check the discussions.
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx