Best practice for choosing a secondary DNS server on a one DNS server network

Posted on 2013-01-24
Last Modified: 2013-01-28
We're having a debate about best practice for configuring a secondary DNS server on a one DNS server network.

On a one server (Windows / DC / DNS / DHCP / File) network, DHCP will be configured to give out the Domain Controller's address as the Primary DNS server.

What's the best practice for configuring a secondary DNS server?

One school of thought is that for this small network with no other servers, there would be no viable second DNS server to give out so it shouldn't be configured.
Another school of thought is that an external, public DNS server should be listed.  This has the advantage that clients would still be able to use the Internet if their DNS server is offline.  This disadvantage is that the public DNS server would be worthless at resolving internal resources and could cause problems on a healthy network.

I've been unable to find any best practices to refer to in order to settle this dispute.

Thoughts?
Question by:limeleap
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 38815091
You really should have a second DNS server even if it's a second-hand computer. Is this an AD site?
 
LVL 27

Accepted Solution

by:
DrDave242 earned 750 total points
ID: 38816959
Another school of thought is that an external, public DNS server should be listed.
You don't want to use an external DNS server as an alternate.  This will cause more problems than it solves, as any clients that end up using that server for whatever reason (a temporary lack of response from the internal server, for example) won't automatically fail back and will be unable to resolve any names that they don't have cached.  (And BTW, those negative responses get cached too, so even if a client reverts to using the preferred DNS server, it still won't be able to resolve any internal names that it's got a cached negative response for until the cached record expires or the client's resolver cache is flushed.)
 
LVL 10

Expert Comment

by:ddiazp
ID: 38817158
The best practice for configuring a secondary DNS server is to... HAVE a secondary DNS server :)

But I'm sure you've thought of that, and if you really can't, then that means you probably have a very small network, domain, user base, etc., so I would probably grab all the critical internal hostnames (Exchange, intranet, servers, etc.), compile them in a hosts file and be ready to deploy those hosts files to all users/servers remotely in case of an emergency, and configure the secondary DNS server to point to my ISP.

Internet > No Internet. Bottom line. I think your boss, CEO, or owner of the company would much rather be able to get to the Internet.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are ISP DNS will simply not return anything because there probably aren't any authoritative ns servers on the internet for your domain and you won't cache anything for your local domain.
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 38817731
Running with one domain controller is risky as if it goes down there are no other servers to take over the role which means there will be hours or probably days of downtime depending on the scenario.

If the DNS is down then the AD cannot function as well, and hence having an additional DNS server becomes necessary.

You also have DHCP. This service can also be installed and authorized on the second server. You can then back up the DHCP configuration and restore it on the second server when necessary.

You can also move all the roles to the second server as and when required and put the first server in maintenance without impacting business, or work after business hours. Also, doing maintenance activities during business hours means you would have people in the office for any help required, as opposed to working after hours when everyone is away.

Of course, all this comes with extra cost, but I think the benefits that it provides would justify the cost.
 
LVL 27

Expert Comment

by:DrDave242
ID: 38819320
Looking back at my previous post, I see I forgot to state that bringing up a second DC/DNS server in the domain is the ideal solution here.  Then you've got redundancy for AD as well as DNS, so domain operations and Internet access don't get interrupted if one box goes down.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are ISP DNS will simply not return anything because there probably aren't any authoritative ns servers on the internet for your domain and you won't cache anything for your local domain.
The ISP server won't return nothing, though; it'll return an NXDOMAIN response (basically, "record not found"), and that response will be cached on the client.  (I believe negative responses get cached for five minutes by default, but this is configurable via the registry.)  Further queries by that client for that same record won't even hit a DNS server until the cached record expires or the cache is flushed.

Internet > No Internet. bottom line. I think your boss, ceo, owner of the company would much rather be able to get to the internet.
If it's that important to him to get to Facebook/Reddit/imgur when the server is down, he'll spring for a second server.  :)
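The failure mode DrDave242 describes in the accepted solution and again above (a single failover to the public server yields NXDOMAIN for an internal name, the negative answer is cached on the client, and the client then stops asking any server for that name until the entry expires or the cache is flushed) can be modelled with a small stub-resolver simulation. This is an added example, not code from the thread; the zone data, the 3600-second positive TTL and the server names are constructed, and the 300-second negative TTL is the five-minute default quoted in the thread. It simplifies the real Windows resolver to preferred-then-alternate on timeout.

```python
"""Stub-resolver simulation: preferred internal DC plus a public alternate."""
from dataclasses import dataclass, field

NEGATIVE_TTL = 300   # five-minute negative-cache default quoted in the thread
POSITIVE_TTL = 3600  # constructed TTL for the sample record
INTERNAL_ZONE = {"fileserver.domain.local": "192.168.1.10"}  # constructed sample data


class Timeout(Exception):
    """Raised when a server does not answer (offline DC)."""


@dataclass
class DnsServer:
    name: str
    zone: dict
    online: bool = True
    queries: int = 0

    def query(self, qname):
        self.queries += 1
        if not self.online:
            raise Timeout(self.name)
        return self.zone.get(qname)  # None models an NXDOMAIN response


@dataclass
class StubResolver:
    servers: list                                # preferred first, alternate second
    cache: dict = field(default_factory=dict)    # qname -> (answer or None, expires_at)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]           # cache hit, positive or negative: no server is contacted
        for srv in self.servers:
            try:
                answer = srv.query(qname)
            except Timeout:
                continue            # preferred server unreachable: try the alternate
            ttl = NEGATIVE_TTL if answer is None else POSITIVE_TTL
            self.cache[qname] = (answer, now + ttl)
            return answer
        raise Timeout("all servers")


def scenario():
    """Returns the sequence of answers the client sees, and how often the DC was asked."""
    dc, isp = DnsServer("DC", INTERNAL_ZONE), DnsServer("ISP", {})  # ISP knows nothing of domain.local
    client = StubResolver([dc, isp])
    name, log = "fileserver.domain.local", []
    log.append(client.resolve(name, now=0))        # DC answers, positive entry cached
    dc.online = False
    log.append(client.resolve(name, now=3700))     # DC down: ISP answers NXDOMAIN, negatively cached
    dc.online = True
    log.append(client.resolve(name, now=3800))     # DC is back, but the negative entry is served instead
    client.cache.clear()                           # the remedy: flush the resolver cache
    log.append(client.resolve(name, now=3800))     # now the DC is asked again and answers
    return log, dc.queries
```

The third lookup fails even though the DC is healthy again, which is the "healthy network problem" the question anticipated; only the flush (or the 300-second expiry) restores resolution.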
 

Author Comment

by:limeleap
ID: 38828853
Thanks for the responses.  While I set up multiple DCs on larger networks including my own, a second server is not an option in this scenario.  Small businesses with only a few users won't tolerate the associated costs.