Solved

Best practice for choosing a secondary DNS server on a one DNS server network

Posted on 2013-01-24
698 Views
Last Modified: 2013-01-28
We're having a debate about best practice for configuring a secondary DNS server on a one DNS server network.

On a one server (Windows / DC / DNS / DHCP / File) network, DHCP will be configured to give out the Domain Controller' s address as the Primary DNS server.

What's the best practice for configuring a secondary DNS server?

One school of thought is that for this small network with no other servers, there would be no viable second DNS server to give out so it shouldn't be configured.
Another school of thought is that an external, public DNS server should be listed.  This has the advantage that clients would still be able to use the Internet if their DNS server is offline.  This disadvantage is that the public DNS server would be worthless at resolving internal resources and could cause problems on a healthy network.

I've been unable to find any best practices to refer to settle this dispute.

Thoughts?
Question by:limeleap
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 38815091
You really should have a second DNS server, even if it's a second-hand computer. Is this an AD site?
 
LVL 26

Accepted Solution

by:
DrDave242 earned 250 total points
ID: 38816959
Another school of thought is that an external, public DNS server should be listed.
You don't want to use an external DNS server as an alternate.  This will cause more problems than it solves, as any clients that end up using that server for whatever reason (a temporary lack of response from the internal server, for example) won't automatically fail back and will be unable to resolve any names that they don't have cached.  (And BTW, those negative responses get cached too, so even if a client reverts to using the preferred DNS server, it still won't be able to resolve any internal names that it's got a cached negative response for until the cached record expires or the client's resolver cache is flushed.)
 
LVL 10

Expert Comment

by:ddiazp
ID: 38817158
The best practice for configuring a secondary DNS server is to... HAVE a secondary DNS server :)

But I'm sure you've thought of that, and if you really can't, then that means you probably have a very small network, domain, user base, etc., so I would probably grab all the critical internal hostnames (Exchange, intranet, servers, etc.), compile them in a hosts file, be ready to deploy those hosts files to all users/servers remotely in case of an emergency, and configure the secondary DNS server to point to my ISP.

Internet > No Internet. Bottom line. I think your boss, CEO, or the owner of the company would much rather be able to get to the Internet.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are the ISP DNS will simply not return anything, because there probably aren't any authoritative NS servers on the Internet for your domain and you won't cache anything for your local domain.
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 38817731
Running with one domain controller is risky, as if it goes down there are no other servers to take over the role, which means there will be hours or probably days of downtime depending on the scenario.

If the DNS is down then AD cannot function either, and hence having an additional DNS server becomes necessary.

You also have DHCP. This service can also be installed and authorized on the second server. You can then back up the DHCP configuration and restore it on the second server when necessary.

You can also move all the roles to the second server as and when required and put the first server in maintenance without impacting the business or working after business hours. Also, doing maintenance activities during business hours means you would have people in the office for any help required, as opposed to working after hours when everyone is away.

Of course all this comes with extra cost, but I think the benefits that it provides would justify the cost.
 
LVL 26

Expert Comment

by:DrDave242
ID: 38819320
Looking back at my previous post, I see I forgot to state that bringing up a second DC/DNS server in the domain is the ideal solution here.  Then you've got redundancy for AD as well as DNS, so domain operations and Internet access don't get interrupted if one box goes down.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are the ISP DNS will simply not return anything, because there probably aren't any authoritative NS servers on the Internet for your domain and you won't cache anything for your local domain.
The ISP server won't return nothing, though; it'll return an NXDOMAIN response (basically, "record not found"), and that response will be cached on the client.  (I believe negative responses get cached for five minutes by default, but this is configurable via the registry.)  Further queries by that client for that same record won't even hit a DNS server until the cached record expires or the cache is flushed.

Internet > No Internet. Bottom line. I think your boss, CEO, or the owner of the company would much rather be able to get to the Internet.
If it's that important to him to get to Facebook/Reddit/imgur when the server is down, he'll spring for a second server.  :)
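A toy model of the behaviour DrDave242 describes in both of his replies (an added example, not code from this thread): a stub resolver that sticks to whichever server last answered, caches NXDOMAIN for an assumed 300 seconds, and so keeps failing on internal names after a brief DC outage until the cache is flushed. The corp.local names, addresses and TTLs are constructed.

```python
from typing import Dict, List, Optional, Tuple

NEG_TTL, POS_TTL = 300, 3600   # assumed negative / positive cache lifetimes (seconds)

class DnsServer:
    def __init__(self, records: Dict[str, str]) -> None:
        self.records, self.up = records, True   # a None answer below means NXDOMAIN

    def query(self, name: str) -> Optional[str]:
        if not self.up:
            raise TimeoutError("no response")
        return self.records.get(name)

class StubResolver:
    def __init__(self, servers: List[DnsServer]) -> None:
        self.servers, self.current = servers, 0  # preferred first, then alternate
        self.cache: Dict[str, Tuple[Optional[str], int]] = {}

    def flush(self) -> None:   # like ipconfig /flushdns plus returning to preferred
        self.cache.clear()
        self.current = 0

    def resolve(self, name: str, now: int) -> Optional[str]:
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]   # served from cache, even when it is NXDOMAIN
        for i in range(len(self.servers)):
            idx = (self.current + i) % len(self.servers)
            try:
                answer = self.servers[idx].query(name)
            except TimeoutError:
                continue                 # no reply: try the next server in the list
            self.current = idx           # sticks here; no automatic fail-back
            self.cache[name] = (answer, now + (POS_TTL if answer is not None else NEG_TTL))
            return answer
        raise TimeoutError("all DNS servers unreachable")

def scenario() -> List[Tuple[str, Optional[str]]]:
    public = {"www.example.com": "93.184.216.34"}   # constructed sample records
    dc = DnsServer({"dc1.corp.local": "10.0.0.1", "files.corp.local": "10.0.0.5", **public})
    isp = DnsServer(public)                          # ISP resolver: knows no corp.local zone
    client = StubResolver([dc, isp])
    log = [("t=0 files", client.resolve("files.corp.local", 0))]
    dc.up = False                                    # brief outage of the only DC
    log.append(("t=10 www", client.resolve("www.example.com", 10)))
    dc.up = True                                     # DC is back, but client stays on ISP
    log.append(("t=20 dc1", client.resolve("dc1.corp.local", 20)))   # NXDOMAIN, now cached
    log.append(("t=400 dc1", client.resolve("dc1.corp.local", 400)))  # expired, asks ISP again
    client.flush()
    log.append(("t=410 dc1", client.resolve("dc1.corp.local", 410)))  # preferred DC answers
    return log
```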
 

Author Comment

by:limeleap
ID: 38828853
Thanks for the responses.  While I set up multiple DCs on larger networks, including my own, a second server is not an option in this scenario.  Small businesses with only a few users won't tolerate the associated costs.