DNS Domain Controller Setup

Posted on 2014-01-15
Last Modified: 2014-01-15
There seems to be for lack of better works a difference of opinion as to the best practice for DNS settings on a DC.  We have a large corp many sites one domain, lots of DCs.  My thinking is to set up each DC as a DNS server and forward the requests out to my Corp DCs - I think this will give us faster results internally - we have programs that are internal, over the WAN to our Corp office and out to the internet.  So I think DC01 should point to DC02 and then itself and then forward the request to The corp DC.  And DC02 should point to DC01 then itself and then forward the request to my Corp server.  Can someone please offer an opinion - Of course you set up zone also - but I'm just talking about the server requests.
Question by:WellingtonIS
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 37

Expert Comment

ID: 39783319
No matter where you place DC, AD integrated DNS should be installed
Also all DCs that are DNS servers also, you must point their primary DNS IP pointing to them self only and secondary you may point to ADC in same site or if its not there then point  it to PDC
For internal name resolution you don't have to do anything other than setting up AD integrated DNS zones in DNS, eventually they will get replicated to all DCs in domain \ forest.

For internet access, if you have centralized proxy server \ firewall that controls the internet traffic, then no need to setup DNS on remote locations for internet name resolution.
However if your main site DNS server is the single point for resolving queries to internet (it has forwarder to public DNS servers) then you need to set default forwarder on remote location DCs and that default forwarder should point to main DC for internet name resolution
If you have multiple hub locations then you can set multiple DNS servers for internet name resolution by putting up ISP DNS in default forwarders list in DNS server properties for that Hub location.

let me know if this is what you are looking for and if i understand it correctly.


Author Comment

ID: 39783395
Yes I realize they all must point to a primary DNS server, however, don't they need to point to each other in the same domain? and shouldn't the zones then replicate to the "Primary" DNS server?  So If you have the zone transfers they will get the information from the primary and filter down to the DC on the Forest?
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39783541
All Dcs must point to itself as primary dns server in tcp/ip setings if you installed DNS service on them.
All Dcs can point to other DNS server, but as secondary DNS server in tcp/ip properties

In order to replicate Zone in forest, DC should not point to each other in primary dns server settings in tcp/ip settings.

All you need to set is, go to zone properties of AD integrated Zone
on general tab, there is replication option
in replication select "Add dns servers in this domain OR all dns servers in this forest since you have single domain \single forest
When you select above options, zone get stored in either ForestDNSZones or Domaindnszones active directory application partition in AD and gets replicated to all domain controllers in forest or domain depending upon your selected option.

If zone is not AD integrated (that is only standard primary then above options will not activated, in that case those zones will not replicated.
In order to replicate those zones to all DCs, you must select "store zone in active directory" checkbox in zone properties so that it will changed from primary to AD integrated and then you need to select appropriate option (all dns servers in domain or forest to store zone data in AD and to replicate).


Author Closing Comment

ID: 39783719

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question