Solved

Update Primary DNS Server IP on a 2008 R2 Domain Controller - Is Reboot Needed?

Posted on 2015-02-04
23
429 Views
Last Modified: 2015-02-04
Hi Experts,

We have 2 physical sites (East Coast and West Coast).

East Coast is HQ
West Coast is Branch

The two offices are on different IP subnets.

The West Coast branch office has a single Windows Server 2008 R2 DC.  It's DNS settings are as follow:

DNS1     IP Address of a DC in the East Coast HQ Office
DNS2     Its Own IP Address

The issue we have is the East Coast HQ DNS1 server is a Virtual Server (Hyper-V).  We'd prefer to have the west coast office point to a "physical" DC on the east coast instead of a VM.

We just went in and simply changed the primary DNS IP on the west cost DC to use a different physical DC on the East Coast.

KEY QUESTION - Do we now need to reboot the west coast DC or will all the active directory replication services, etc. detect this change accordingly?  

I remember reading somewhere that when you make a change to TCP/IP DNS settings on a DC, you should reboot the DC for the change to take full effect.  Of course, that article may have simply been referring to a TCP/IP settings change on a 2003 server since that OS did not do immediate TCP/IP settings changes the way 2008 R2 does.

If we wait it out and do not reboot, how long before the change will take full effect in the system?  A full replication cycle?

Please help clear this up for us and provide a link to a relevant article explaining if possible.  We can't seem to find a good article describing whether a reboot is needed or not.

THANKS!!!!
0
Comment
Question by:dpmoney
  • 9
  • 6
  • 5
  • +2
23 Comments
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40588870
Of course you could reboot the server which will allow the updated IP settings to take hold.  But, I recommend doing the following on all Domain Controllers:

1. ipconfig /flushdns
2. ipconfig /registerdns“
3. restart DNS server
4. NETLOGON

Dan
0
 

Author Comment

by:dpmoney
ID: 40588887
Thanks, Dan.  

Why do all these additional commands on every DC in the organization?  

Also, do you mean restart Netlogon service in #4?  

Finally, are you suggesting all these commands on each server instead of simply rebooting the west coast box that we did the DNS setting change on?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40588894
You don't have to reboot the server just to make a change like this.  TCP/IP setting changes happen (in general) on the fly now (this has actually been in place since server 2000).
No reboots
 Unlike previous versions of Windows NT (and Windows), you won't need to reboot your computer when you change a network configuration.
(...)
No reboots?
 Well, this is one of those "works in theory" things. Most of the time, you should be able to change network settings without rebooting (though Windows 2000 will tell you if you absolutely need to reboot). However, sometimes you'll change network settings and nothing works. If this is the case, just reboot the machine. Nine times out of ten, all will be well.
Source

You may be thinking of changes to the hosts file, which prior to WinVista/Server 2008, *did* require a reboot for the changes to take affect.

-saige-
0
 

Author Comment

by:dpmoney
ID: 40588905
Thanks, @IT_Saige:

I realize the TCP/IP settings already took place immediately.  

The concern on this end is are there are Active Directory / DNS tie-ins or functionality that would require a reboot to recognize the new Primary DNS setting of the server in TCP/IP config?

For example, does the File Replication Service service "read" the primary and secondary DNS setting when service starts, and then does not look at what is in TCP/IP config until next time service restarts.
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40588912
The commands do the following:

1. this purges the local DNS cache of all records.  helpful when pointing to a new DNS server or having name resolution issues.  Since you are using a different DNS Server as primary, its a good practice to do this.
2. this makes sure that the DC can register its DNS records correctly.  This will go against the new DNS settings.  If this were to fail, you would start having DNS and AD issues.
3. restarting the DNS Server makes sure that the local DNS server service can load AD Integrated zones from other DCs on the network.  If the DC's DNS client settings were incorrectly configured, you'd start having DNS and AD issues.
4. restarting the Netlogon server ensures that the necessary Domain Controller specific DNS records are correctly registered (for example the DC's SRV records)... again, if things are incorrectly configured you'd start having DNS and AD issues.

As a reference, the following links to the defacto recommendation for DNS client setting configuration for DC and servers.  You will find it referenced to all over the place where AD, DNS, DNS Client settings are being discussed:

link:  https://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Dan
0
 

Author Comment

by:dpmoney
ID: 40588923
@Dan...

Thanks for all this great info.  

Just to confirm....

1.  Are you suggesting we do these change on ALL DC's or just the DC on which we made the Primary DNS server IP setting change?

2.  Are you suggesting these changes INSTEAD of rebooting the DC who's DNS config we updated? (or in addition to?)

We're just not clear on why we'd have to touch every DC in the org if we only made a Primary DNS Server TCP/IP setting change on one DC.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40588925
Active Directory related services (and other programs/services) on the DC don't care about the DNS settings on the NIC.  The DNS settings on the NIC allow for tcp/ip packets to be routed to their intended target.  A cache of DNS queries (or lookups) is stored on the local system so that DNS queries don't always go to the DNS server, if a computer has visited a site or address before, and the cached entries TTL has not expired, then the packet is sent to the intended target.  So to answer your question directly, FRS couldn't care less what your DNS address is.

This is contrary to when you are changing the IP address on a DC.

-saige-
0
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 250 total points
ID: 40589003
What I am suggesting is that if you configure 1 of your DCs in a specific way, it makes good practice to have all of them configured in a similar way.  Hence the link to a best practice article.  So yes, I would do this for all my DCs:

1. Primary DNS points to another DC's for its DNS
2. Secondary DNS points to itself

As for the reboot question, yes those commands can be used instead of rebooting the server.


1. ipconfig /flushdns
2. ipconfig /registerdns
3. restart DNS server service
4. restart NETLOGON service

** edited for clarity

As for the process being run on all DCs when only 1 DC is reconfigured.  Again, its about safety and consistency.  Running the commands is a test of the change.  Since all DCs can talk to each other, its safe to make sure that there are no old records/pointers in any service cache on the other DCs.  Therefore quickly running these commands ensures that service restarts and caches are clear and the next request for network communication gets the latest DNS records cached, which means DCs get the correct SRV records which means that services can be located on the network.

Just my soapbox, just my opinion:  Treat AD and DNS as a system with a tightly entwined relationship.  If something is not right in one part of the system, others start to fail.  Make a change to this system, best make sure all partners in the relationship have been notified and are on the same footing.

Dan
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40589008
I caution you against using a different DC as the primary DNS server on a DC.  This is not recommended and what is recommended is that each DC should point to itself for primary DNS.  This is done for the sole reason that in an event of restarting your DC and you do not have any connectivity to other DCs, your DC should work fine and be able to update its own records in DNS (as well as faster logon to console and start of other services as they are not waiting to successfully contact DNS server).

All local systems (servers, workstations, etc.) should use the local (or the closest) DC as its DNS server.
0
 

Author Comment

by:dpmoney
ID: 40589129
@Mohammed - The info you provided above is contrary to many, many, many technical articles we have read along the way.  Most resources recommend primary DNS of a DC pointing to another domain controller and secondary pointing to itself.

@Dan - thanks again for your insightful info and clear explanation.  We are leaning toward doing what you said on the server where we changed the primary DNS setting.  However, we're still not convinced this change needs to be made on all the other DCs in the organization (2 on the east coast).  because we are not changing anything here.

If we ONLY do your suggested list of steps on the single west coast DC where we made the simple DNS setting change, do you think we'll be OK?  It sounds like it would essentially be the same as simply rebooting that DC on the west coast.

@IT_Saige, thanks for your info too.  What do you think about Dan's feedback?

Thanks a lot!
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40589158
Then I highly recommend at least doing an ipconfig /flushdns on all DCs so that their caches are cleared and the initial DNS hits result in a refresh of the local caches.

I still recommend going thru the 4 command on all DCs.  But you know your operational environment better than I do.

I'll suggest that if any unusual warnings or errors begin showing their ugly heads, that you proceed with the commands.

Dan
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:dpmoney
ID: 40589176
@Dan, thanks again - you've been great and are convincing us.  The reason we are floundering about this is because we are in a critical production environment.  Any issues doing these service restarts during the day or should we wait until after hours/maintenance window?
0
 
LVL 32

Accepted Solution

by:
it_saige earned 250 total points
ID: 40589191
@dpmoney - Honestly, I think Dan's recommendations are overkill.  You did not change the IP address of the DC, so you don't have to worry about changes in the DNS delegation records.  You don't have to worry about the the local cache of the DC needing to be updated (because the IP's of the DNS server has not changed).  All you have changed is the Primary DNS server for the NIC.

Yes, DNS and AD are tightly coupled, but you have not changed the landscape of the network.  You have simply informed your DC to look at another DNS server if it needs to query for a DNS record.

-saige-
0
 

Author Comment

by:dpmoney
ID: 40589218
@IT_Saige:

Very interesting.  You do make some very good points.  Indeed, we have not changed the landscape of our organization or the IP address of the West Coast DC.  

We ONLY changed what DNS server it is pointing to in it's Primary DNS server setting.  That's it.

At this point, the change is already done and all is fine.  We just weren't sure if there was more to do.

Replication seems to be working fine too based on repadmin /replsummary  

At what point could we be 100% sure this worked out fine with no additional changes or a reboot?  A full replication cycle?  A day or two?  I suppose we could run a DCDiag at end of day too.

Overall, I think Dan's feedback has been very educational - just not 100% sure it applies for the change we made today.
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40589227
Please provide me proof.  If you are still unsure, perform a search for "dns island" and you can see MS recommendations.  Just for your information, I went through a RAP with Microsoft (RAPs are risk assessment and planning sessions for customers with valid Enterprise Support agreement) which is provided by PFEs (Premier Field Engineers who are subject matter experts).
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40589278
If you change dns settings from one server to another except its own IP, then no need to reboot the server
Just dnscmd /clearcache and ipconfig /flushdns are enough

If you are pointing dns server to itself, then you do need to restart netlogon service and dns server service as well to ensure all records are registered

Also I am wondering when your local server has DNS server role (AD integrated) installed, why you would point it to another DNS server
I assume all dns zones are similar on both servers
Moreover in case of Domain controller name resolution if you have entered another DNS server IP as primary, for unresolved queries it will try to communicate with primary dns server which is also DC in same domain and do not have answer for that query because both servers are identical and then again query will get routed to forwarders \ conditional forwarders \ root hint servers etc

However if server pointing to itself as primary dns, for unresolved queries, it will directly look for appropriate options such as forwarders \ conditional forwarders \ root hint servers etc

According to my understanding, when you install DNS role on server, it should point to itself as primary dns (not 127.0.0.1) because he is authoritative for copy of all AD integrated zones he hosts and only he can refresh / register its own record

I am not going too back, but if you deploy parent -child domain pair, in that case all child domain dns entries will not get populated on child DC unless you point it to its own IP as primary dns and restart dns and netlogon server service.
0
 

Author Comment

by:dpmoney
ID: 40589311
@Mohammed:

It seems the question of primary and secondary DNS settings on a DC has been argued back and forth for ages.  Here is an exceprt from a TechNet article.  

Source:  http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest

It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

1.  If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
2.  If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)


Overall, this Active Directory has been around for over 10 years without issue.  We are running in 2003 Mode and have 3 2008 R2 DCs.  Just haven't made the switch to 2008 Functional Mode (yet).

This is a great thread with some healthy debate.  I just don't see us going around and changing the primary and secondary DNS settings on all DCs in our organization since they are working 100% fine and have been for years.

Here is our setup in case you are wondering:

DC01 - East Coast DC with all FSMO roles
ADS - East Coast DC
CA01 - West Coast DC

Here are the primary and secondary DNS settings as of right now:

DC01:

Primary DNS is ADS
Secondary DNS is DC01

ADS:

Primary DNS is DC01
Secondary DNS is 127.0.0.1 (dcpromo did this automatically)

CA01:

Primary DNS is DC01
Secondary DNS is CA01

All working fine.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40589318
@Mohammed - You might want to take a look at this blog post on Technet.  The interesting part that struck me was this -
It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now.
Source

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40589319
@dpmoney - Wow, call me Johnny-come-lately...  LOL.  ;)

-saige-
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40589423
I will agree that my recommendations may be considered a bit overkill but since there is limited info on the existing setup of AD, its hard to say if the change won't affect something else.

I mentioned that you know your infrastructure best and recommended that you act on your knowledge of the system. That is the best I can do... Share my experience and make the best recommendations based on limited info.

Hopefully your change worked.

Gotta put the kids in bed... Challenge number 2.

Dan
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40589459
Dan...  That challenge may be more than even EE can assist with.  ;)

-saige-
0
 

Author Comment

by:dpmoney
ID: 40589471
I am going to award the points to both IT_Saige and Dan.  You have both been very insightful and helpful throughout the thread.

Ultimately, we are going to do IT_Saige's suggestion which is nothing else.  

We were going to do the IPConfig /FlushDNS at a minimum on the west coast DC, but that is just going to clear the local DNS resolver cache on that box.  Since we did not change ANY IP addresses of any hosts, it probably is not applicable.

If we do have issues, we will certainly reference Dan's great information and will carry out those commands.

Thanks to the both of you!
0
 

Author Closing Comment

by:dpmoney
ID: 40589484
We ultimately did not reboot the domain controller after simply changing the primary DNS Server setting in TCP/IP.  This was due to a lot of back and forth between multiple parties and our own knowledge of the environment we have in our organization.  Everything seems fine so far.  We awarded points to IT_Saige (the advise we ultimately followed), but also gave points to Dan for a lot of great information in the event that problems surface unexpectedly.  Thanks to everyone who contributed!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now