Solved

Domain Controllers & DNS

Posted on 2014-03-24
Last Modified: 2015-01-24
I currently have 2 domain controllers.  One is physical Server 2008 SP2 and holds all 5 FSMO roles.  The other is also Server 2008 SP2 and is virtual.

I just installed a Server 2012 R2 domain controller and performed the necessary forestprep and domainprep functions.

My goal is to move the FSMO roles to the new physical Server 2012 R2 domain controller, and decommission the physical Server 2008 DC.

Regarding DNS - Currently, while all 3 DCs are up and running, what DNS servers should they be pointing to?

Should their Primary DNS server be themselves and the secondary be the DC holding the FSMO roles?  Or should they be pointing primary to FSMO Server and secondary to themselves?

Thank you in advance.
Question by:BSModlin
4 Comments
 
LVL 14

Assisted Solution

by:Andy M
Andy M earned 100 total points
ID: 39950158
Providing DNS is replicating correctly between all three servers, I don't think it really matters which DNS each server has assigned. Personally I would point each server to use the 2012 server and virtual 2008 server for both primary and secondary.

The only thing to look out for is, once the old 2008 server is removed, that no server (and DHCP) is set to use it for DNS, otherwise you may start having some issues.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 400 total points
ID: 39950247
It does matter.
If you have the DNS role installed on a domain controller, you must point it to its own IP (not 127.0.0.1) in the preferred DNS setting, and for the alternate you can point to another server in the same site (ADC), or if you don't have another in the same site you could point it to the PDC.

Because all domain controllers are authoritative for that domain and the domain DNS zone, each must point to itself in its primary DNS configuration.
That way the DNS server will try to resolve a query with its own DNS entries, and if it does not find anything then it will look for other options.
There are other options for resolving those queries which it cannot resolve, such as entering another DNS server as secondary, setting up forwarders, conditional forwarders, secondary zones, etc.

There is no point in routing queries to another DC by setting another DNS server's address as the preferred DNS entry on its network card.

Mahesh.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39950411
Each server should be pointing to itself for primary DNS and to a different server for secondary DNS. This will ensure DC functionality even if the other DC is not available. At one point, this was considered a DNS island and was not recommended, but now this is the recommendation from MS.
0
 

Expert Comment

by:Ken Stokes
ID: 40568158
Excellent Comments.  I have seen many opinions on this matter, but this seems to be the correct one.   Thank you.
0
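The checks discussed in this thread (preferred DNS is the DC's own IP rather than loopback, an alternate points at another DC, nothing still lists the server being retired) can be audited in one pass before decommissioning. The following is an added example, not code from any poster; the function name `Test-DcDnsOrder`, the server names and the addresses are constructed, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit DC DNS client order against the advice in this thread.
# Input objects need Name, IPAddress (one or more) and DnsServers (ordered list).
# Live data could come from (not run here):
#   Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName <dc> -Filter 'IPEnabled=True'
# which exposes IPAddress and DNSServerSearchOrder.
function Test-DcDnsOrder {
    param(
        [Parameter(Mandatory)] [object[]] $Dc,
        [string] $RetiringIp   # IP of the DC that will be decommissioned (optional)
    )
    $allDcIps = @($Dc | ForEach-Object { $_.IPAddress })
    foreach ($d in $Dc) {
        $own    = @($d.IPAddress)
        $dns    = @($d.DnsServers)
        $issues = @()
        if ($dns.Count -eq 0) {
            $issues += 'no DNS servers configured'
        } else {
            if ($dns[0] -in '127.0.0.1', '::1') {
                $issues += 'preferred DNS is loopback, not the DC own IP'
            } elseif ($own -notcontains $dns[0]) {
                $issues += "preferred DNS $($dns[0]) is not this DC own IP"
            }
            # An alternate only helps if it is a different DC.
            $alt = if ($dns.Count -ge 2) { $dns[1..($dns.Count - 1)] } else { @() }
            if (-not ($alt | Where-Object { $allDcIps -contains $_ -and $own -notcontains $_ })) {
                $issues += 'no alternate DNS entry points at another DC'
            }
            # The retiring DC pointing at itself is expected; anyone else is a finding.
            if ($RetiringIp -and $own -notcontains $RetiringIp -and $dns -contains $RetiringIp) {
                $issues += "still lists retiring DC $RetiringIp"
            }
        }
        [pscustomobject]@{
            Name      = $d.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample data, not taken from the original question.
$sample = @(
    [pscustomobject]@{ Name = 'DC-OLD';  IPAddress = '10.0.0.10'; DnsServers = '10.0.0.10', '10.0.0.11' }
    [pscustomobject]@{ Name = 'DC-VIRT'; IPAddress = '10.0.0.11'; DnsServers = '10.0.0.10', '10.0.0.11' }
    [pscustomobject]@{ Name = 'DC-NEW';  IPAddress = '10.0.0.12'; DnsServers = '127.0.0.1', '10.0.0.11' }
)
Test-DcDnsOrder -Dc $sample -RetiringIp '10.0.0.10' | Format-Table -AutoSize -Wrap
```

The same retiring-server check applies to the DNS servers handed out in DHCP scope options, which this example does not inspect.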
