Solved

Definitive DNS Questions!

Posted on 2014-10-16
Last Modified: 2014-11-17
Simple questions really.....we have a single AD domain at 2008R2 functional level.  We have 2 DCs on our main site (One holds all the Master roles, the other is the main one for the site), with 1 at each of our other 2 sites.  We also have an RODC in our perimeter network.  Each server hosts DNS (including the RODC).  We currently have forwarders set up on just the main AD server, which point to our ISP DNS servers.  Each server has been configured with one of the DNS servers at another site as primary DNS, with another site DNS as secondary, and 127.0.0.1 as tertiary DNS.  In the case of the RODC, it has the RWDC as the primary DNS, and itself as secondary (127.0.0.1) - the RODC only has firewall ports opened to allow it to talk to one of the RWDCs.

The question is - is this the best way of doing it? Each site has its own dedicated internet connection, as well as VPN links between each site - but in the past we've had problems with losing internet access if the main site loses internet. From all the docs I've read the way it's done seems to be correct, and I don't believe we should have DNS forwarders set up on every internal DNS server, but not 100% certain!

As a side note - we are using completely separate external DNS servers for any public facing servers - these sit at a hosting centre and in our DMZ, where our external servers also sit.
Question by:Amaze_IT
4 Comments
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40384221
Shouldn't be using ISP for DNS servers or forwarders; no need for that unless there is a specific reason.
They should be pointing to themselves first, then to another server second (as in the case of the main site).
Specifying a DNS server in another site could cause issues because of WAN latency.
Author Comment

by:Amaze_IT
ID: 40384254
Hi, thanks for your reply. To clarify, we aren't using ISP DNS servers for client DNS (servers or desktops); we only have forwarders configured on one internal DNS server to resolve external DNS. There seem to be many confusing articles about different BP for DNS - one of the bones of contention seems to be the order of client DNS entries!
Author Comment

by:Amaze_IT
ID: 40384676
http://technet.microsoft.com/en-us/library/dd378900%28v=ws.10%29.aspx

This article specifically states that if your DNS servers are also domain controllers, they should be configured with their own address first; otherwise they may become an island?

However, when I set it as such, the RODC shows hundreds of 4015 DNS critical errors.
LVL 27

Accepted Solution

by:
DrDave242 earned 2000 total points
ID: 40385162
Careful reading of that article shows that each DC should be configured to use its own address (or the loopback address) for DNS, but not only its own address. Further, the DC's own address (or loopback address) should not be the first address in the list (the preferred DNS server):

The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.
The second point isn't as important as the first, since the default wait period between querying the preferred and alternate DNS servers is only one second.

When a DC boots, its own DNS Server service won't start until Active Directory performs an initial synchronization with another DC (unless there's only one DC in the entire domain, in which case no initial sync will be attempted because the DC knows there's nothing to sync with). This is why a DC experiences significant startup delays if it uses only its own address for DNS when there are other DCs in the domain. It also explains the rationale behind configuring a DC to use a different DC rather than itself as its preferred DNS server: its own DNS Server service won't be running immediately after a reboot, but the other DC's service will (unless that DC was rebooted at the same time, which is never a good idea).

Taking all of this into consideration, here are my preferences:

In a site with multiple DCs, I'll configure each DC to use a different DC as its preferred DNS server and itself as an alternate. A DC's own address may be second, third, or even further down the list of DNS servers, but it should appear in the list somewhere.
In a site with only one DC, the order of the DNS server list will depend on the best connection from that site to another site with a DC. If the latency across that connection is low and the connection is reliable, I'll still follow the previous rule, but if the connection is very slow and/or unreliable, I'll configure the DC to use itself first and DCs at other sites as alternates. Don't ever configure a DC to use only itself, though, unless it's the only DC in the domain.

Regarding forwarders, your mileage may vary. Since each of your sites has its own Internet connection, you can configure the DNS servers at each site to use their own forwarders, but you don't have to; as long as your root-hints list is intact, they'll use the root hints for resolving Internet names, and you won't likely see much difference in terms of performance. Just don't configure your DCs to use each other as forwarders.
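The checks DrDave242 lays out (every DC lists itself but preferably not first, every DC lists at least one other DC, no DC uses only itself unless it is the sole DC, and no DC forwards to another DC) can be audited rather than eyeballed. The script below is an added example and is not code from the thread or from Microsoft; it assumes the DnsClient, DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later) and an account that can reach each DC over WinRM/CIM. It only reads settings; it changes nothing.

```powershell
# Added example, not from the thread: audit each DC's DNS client list and its
# forwarders against the preferences in the accepted answer.
# Assumptions: DnsClient, DnsServer and ActiveDirectory modules are available
# (Windows Server 2012 or later) and the caller can reach every DC over WinRM/CIM.
# Read-only: nothing is modified.

Import-Module ActiveDirectory
Import-Module DnsClient
Import-Module DnsServer

# Pure rule check, separated so it can be reasoned about without touching a live DC.
function Test-DcDnsClientOrder {
    param(
        [string]$Self,        # this DC's own IPv4 address
        [string[]]$Servers,   # DNS client list in query order
        [string[]]$OtherDcs   # IPv4 addresses of every other DC in the domain
    )
    $isSelf = { param($ip) $ip -eq $Self -or $ip -eq '127.0.0.1' }
    $selfEntries  = @($Servers | Where-Object { & $isSelf $_ })
    $otherEntries = @($Servers | Where-Object { $OtherDcs -contains $_ })
    [pscustomobject]@{
        ListsItself    = $selfEntries.Count -gt 0                                 # required
        ItselfNotFirst = $Servers.Count -gt 0 -and -not (& $isSelf $Servers[0])   # preferred
        ListsAnotherDc = $otherEntries.Count -gt 0                                # required unless sole DC
        OnlyItself     = $Servers.Count -gt 0 -and $selfEntries.Count -eq $Servers.Count  # "island" risk
    }
}

$dcs = @(Get-ADDomainController -Filter *)          # includes RODCs
$allDcIps = @($dcs | ForEach-Object { $_.IPv4Address })

$report = foreach ($dc in $dcs) {
    $self = $dc.IPv4Address

    # Resolver list across all interfaces, keeping first-seen (query) order
    $servers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
    $others = @($allDcIps | Where-Object { $_ -ne $self })
    $order  = Test-DcDnsClientOrder -Self $self -Servers $servers -OtherDcs $others

    # Forwarders that point at another DC are the one thing the answer says never to do
    $fwd = @((Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress |
        Where-Object { $_ } | ForEach-Object { $_.IPAddressToString })
    $fwdToDc = @($fwd | Where-Object { $allDcIps -contains $_ })

    [pscustomobject]@{
        DC             = $dc.HostName
        ReadOnly       = $dc.IsReadOnly
        DnsClientList  = ($servers -join ', ')
        ListsItself    = $order.ListsItself
        ItselfNotFirst = $order.ItselfNotFirst
        ListsAnotherDc = $order.ListsAnotherDc
        OnlyItself     = $order.OnlyItself
        Forwarders     = ($fwd -join ', ')
        ForwardsToDc   = ($fwdToDc -join ', ')
    }
}

$report | Format-Table -AutoSize
```

A row with ListsItself false, OnlyItself true (in a domain with more than one DC), or a non-empty ForwardsToDc column is a configuration to fix; ItselfNotFirst false is the lesser concern the answer mentions, since the preferred-to-alternate timeout is short. For an RODC that can only reach one RWDC through the firewall, ListsAnotherDc will be true as long as that RWDC is in the list, which matches the setup described in the question.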