Best practice for choosing a secondary DNS server on a one DNS server network

We're having a debate about best practice for configuring a secondary DNS server on a one DNS server network.

On a one server (Windows / DC / DNS / DHCP / File) network, DHCP will be configured to give out the Domain Controller's address as the Primary DNS server.

What's the best practice for configuring a secondary DNS server?

One school of thought is that for this small network with no other servers, there would be no viable second DNS server to give out so it shouldn't be configured.
Another school of thought is that an external, public DNS server should be listed.  This has the advantage that clients would still be able to use the Internet if their DNS server is offline.  The disadvantage is that the public DNS server would be worthless at resolving internal resources and could cause problems on a healthy network.

I've been unable to find any best practices to refer to in order to settle this dispute.

Thoughts?
limeleap asked:
DrDave242 commented:
Another school of thought is that an external, public DNS server should be listed.
You don't want to use an external DNS server as an alternate.  This will cause more problems than it solves, as any clients that end up using that server for whatever reason (a temporary lack of response from the internal server, for example) won't automatically fail back and will be unable to resolve any names that they don't have cached.  (And BTW, those negative responses get cached too, so even if a client reverts to using the preferred DNS server, it still won't be able to resolve any internal names that it's got a cached negative response for until the cached record expires or the client's resolver cache is flushed.)
BillBondo commented:
You really should have a second DNS server, even if it's a second-hand computer. Is this an AD site?
ddiazp commented:
The best practice for configuring a secondary DNS server is to... HAVE a secondary DNS server :)

But I'm sure you've thought of that, and if you really can't, then that means you probably have a very small network, domain and user base, so I would probably grab all the critical internal hostnames (Exchange, intranet, servers, etc.), compile them in a hosts file and be ready to deploy those hosts files to all users/servers remotely in case of an emergency, and configure the secondary DNS server to point to my ISP.

Internet > No Internet. Bottom line. I think your boss, CEO or owner of the company would much rather be able to get to the Internet.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are the ISP DNS will simply not return anything, because there probably aren't any authoritative NS servers on the Internet for your domain and you won't cache anything for your local domain.
mgpremkumar commented:
Running with one domain controller is risky, as if it goes down there are no other servers to take over the role, which means there will be hours or probably days of downtime depending on the scenario.

If the DNS is down then the AD cannot function as well, and hence having an additional DNS server becomes necessary.

You also have DHCP. This service can also be installed and authorized on the second server. You can then back up the DHCP configuration and restore it on the second server when necessary.

You can also move all the roles to the second server as and when required and put the first server in maintenance without impacting business, or work after business hours. Also, doing maintenance activities during business hours means you would have people in the office for any help required, as opposed to working after hours when everyone is away.

Of course all this comes with extra cost, but I think the benefits that it provides would justify the cost.
DrDave242 commented:
Looking back at my previous post, I see I forgot to state that bringing up a second DC/DNS server in the domain is the ideal solution here.  Then you've got redundancy for AD as well as DNS, so domain operations and Internet access don't get interrupted if one box goes down.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are ISP DNS will simply not return anything because there probably aren't any authoritative ns servers on the internet for your domain and you won't cache anything for your local domain.
The ISP server won't return nothing, though; it'll return an NXDOMAIN response (basically, "record not found"), and that response will be cached on the client.  (I believe negative responses get cached for five minutes by default, but this is configurable via the registry.)  Further queries by that client for that same record won't even hit a DNS server until the cached record expires or the cache is flushed.

Internet > No Internet. bottom line. I think your boss, ceo, owner of the company would much rather be able to get to the internet.
If it's that important to him to get to Facebook/Reddit/imgur when the server is down, he'll spring for a second server.  :)
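The failure mode DrDave242 describes across both of his posts (a client that fails over to the public alternate and does not fail back, then caches the public server's NXDOMAIN for an internal name) as an added toy model; this is not code from the thread. Server names, addresses, timings and the 300-second negative TTL are assumptions, and the model deliberately ignores positive caching and Windows' periodic re-probe of the preferred server.

```python
# Toy model of the stub-resolver behaviour discussed in the thread (constructed).
NEG_TTL = 300  # negative-cache lifetime in seconds (thread: ~5 min default, registry-tunable)

PUBLIC = {"www.example.com": "203.0.113.10"}   # constructed public record
INTERNAL = {"fs01.corp.local": "10.0.0.5"}     # constructed internal zone


class DnsServer:
    def __init__(self, name, records, online=True):
        self.name, self.records, self.online = name, records, online

    def query(self, qname):
        """None = timeout; otherwise ('A', ip) or ('NXDOMAIN', None)."""
        if not self.online:
            return None
        if qname in self.records:
            return ("A", self.records[qname])
        return ("NXDOMAIN", None)


class StubResolver:
    """Tries the preferred server first, sticks with whichever server last
    answered (no automatic fail-back) and caches NXDOMAIN for NEG_TTL."""
    def __init__(self, servers):
        self.servers, self.active, self.cache = servers, 0, {}

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0] + " (cached)"       # answered from the negative cache
        order = list(range(self.active, len(self.servers))) + list(range(0, self.active))
        for i in order:
            reply = self.servers[i].query(qname)
            if reply is None:
                continue                      # timeout: try the next configured server
            self.active = i                   # stick with the server that answered
            if reply[0] == "NXDOMAIN":
                self.cache[qname] = ("NXDOMAIN", now + NEG_TTL)
                return "NXDOMAIN"
            return reply[1]
        return "TIMEOUT"                      # all servers silent; nothing is cached

    def flush(self):                          # what "ipconfig /flushdns" would do
        self.cache.clear()
        self.active = 0


def run(alternate_public):
    dc = DnsServer("dc01", {**INTERNAL, **PUBLIC})   # DC answers internal and forwards public
    servers = [dc, DnsServer("isp", PUBLIC)] if alternate_public else [dc]
    r = StubResolver(servers)
    out = [r.resolve("fs01.corp.local", 0)]          # healthy network
    dc.online = False                                # brief DC outage begins
    out.append(r.resolve("www.example.com", 10))     # client fails over to the ISP server
    out.append(r.resolve("fs01.corp.local", 20))     # ISP replies NXDOMAIN, now cached
    dc.online = True                                 # DC is back
    out.append(r.resolve("fs01.corp.local", 30))     # still poisoned with the alternate
    r.flush()
    out.append(r.resolve("fs01.corp.local", 40))     # recovers only after a flush
    return out
```

Compare `run(True)` with `run(False)`: with only the DC configured the client merely times out during the outage and recovers the moment the DC returns, whereas with the public alternate it keeps answering NXDOMAIN for the internal name until the negative entry expires or the cache is flushed.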
limeleap (author) commented:
Thanks for the responses.  While I set up multiple DCs on larger networks, including my own, a second server is not an option in this scenario.  Small businesses with only a few users won't tolerate the associated costs.