
Microsoft DNS on Windows Server 2012 R2

420 Views
Last Modified: 2018-01-17
We have a couple of different scenarios.

The first: DNS is on a Windows Server 2012 R2 DC. Let's pretend this server IP address is 192.168.42.31.

The second: DNS is on a Windows Server 2012 R2 Member Server. Let's pretend this server IP address is 192.168.42.51.

My question: How should the IPV4 Properties be set for the Preferred DNS Server and Alternate DNS Server in each scenario? I've read/heard different things, and had some weird results when I've implemented some suggestions, and I want a definitive "This is what you should do and why" type of answer.


I grabbed the picture below from the net just in case it will help explain what I'm looking for.

Not that it signifies, but we do allow DHCP to update DNS.

[Image: IPV4 Settings]

Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
Why is DNS on a MEMBER server?  Why not make it a DC if you want DNS on it?  *IF* you understand AD, it's advisable to have two DCs anyway.

In that case, DNS should be integrated into AD so that changes replicate easily and quickly to ALL DNS servers.

You NEVER, EVER, put a NON-AD aware DNS server into your servers or clients network properties.  I don't know if you've enabled zone transfers or if a member server's DNS can be stored in AD (in part because I wouldn't and I don't know anyone who would set it up that way).  If not you have problems.

Author

Commented:
Hi--

DNS is AD integrated. We do have multiple DNS servers. I am just looking for an answer to the specific scenarios I noted in the question.

Also... DNS on a non-DC can be done, in case someone coming back to look at this question wonders.

Add DNS Service to Non-DC Server

Thanks.
Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
There is no DEFINITIVE answer.  Other than you DO NOT use third party DNS servers.

It would be GREATLY helpful if you explained WHY you need this information.  Among other things, DNS replicates to other DNS servers - IF you have it configured correctly.  So it shouldn't matter which is primary and which is secondary if DNS is replicating properly.

Consider that DNS is a cache based system.  If the primary is unavailable it will check with the secondary and cache that result for a period of time, regardless of whether the primary returns to service.  (There's a reason there's an IPCONFIG /FLUSHDNS switch).

Author

Commented:
I need this information because I want to know the best practice for the configuration so I can ensure we are doing so in our environment.

I have read numerous posts that say ONLY the DNS server IP should be there; I have read others that said the Replication partner should be there; I have read others that say the DNS server you are ON should be in the Alternate DNS entry, some that said it should be Primary; and you are indicating that it does not matter one way or the other.

When I created my post, I entered a pretty basic question that theoretically should have a basic answer. You can assume all aspects of my DNS are set up appropriately for any replication/AD integration, etc., and it works okay. I am trying to optimize our configuration so I have a clear, concise record of HOW and WHY we are configuring things a certain way, and the DNS entries on the NIC card are one of those things I want to explain in our internal documentation: WHY we have them configured that WAY, preferably with some documentation to back it up.
Tom Cieslik, IT Superintendent
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
So you have 2 DNS servers, right?

One is
192.168.42.31
second
192.168.42.51

I assume your gateway is 192.168.42.1

Your network adapter on both DNS servers should be:

1st DNS server

IP:       192.168.42.31
MASK:     255.255.255.0
GATEWAY:  192.168.42.1

DNS:      192.168.42.31 or 127.0.0.1
DNS:      192.168.42.51

2nd DNS server

IP:       192.168.42.51
MASK:     255.255.255.0
GATEWAY:  192.168.42.1

DNS:      192.168.42.51 or 127.0.0.1
DNS:      192.168.42.31
CERTIFIED EXPERT
Top Expert 2014
Commented:

Author

Commented:
I just wanted to bring in some of the information from that link footech included because I feel like it was very helpful and, if someone comes looking at this later, I want to make sure the information isn't lost in potentially discontinued content at the source:


Written by Ned Pyle
Question

What is Microsoft’s best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?

Answer

It depends on who you ask. 🙂 We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:
1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)
3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DC’s in a domain should be running DNS and hosting at least their own DNS zone; all DC’s in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest’s DC’s. (Lots more arguments here).
5. DC’s should have at least two DNS client entries.
6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DC’s running DNS.
7. We don’t care if you use Windows or 3rd party DNS. It’s no skin off our nose: you already paid us for the DC’s and we certainly don’t need you to buy DNS-only Windows servers. But we won’t be able to assist you with your BIND server, and their free product’s support is not free.
8. (Other things I didn’t say that are people’s pet peeves, leading to even more arguments).

There are plans afoot to consolidate all this info, expand it, and get our message consistent and consolidated. This has started in the Windows Server 2008 R2 BPA for DNS.
https://technet.microsoft.com/en-us/library/cc725625(WS.10).aspx
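The two posts above (Tom Cieslik's per-server address layout and guidelines 1, 2, 3 and 5 of the quoted piece) describe the same thing: the ordered DNS client list on a server that hosts AD-integrated DNS. The script below is an added example, not code from the thread or from Microsoft. It applies the "partner first, loopback last" ordering to one interface and then audits what the adapter actually reports against those guidelines. It assumes the interface alias is "Ethernet" and uses the question's addresses: 192.168.42.51 is the partner DNS server and 192.168.42.31 is the server being configured; the function name Test-DnsClientList and the approved-server list are this example's own. The same script fits the member-server scenario, since that server also hosts DNS; only the two addresses swap.

```powershell
# Added example for the thread above (not the original poster's or Microsoft's code).
# Assumptions: interface alias "Ethernet"; this host is 192.168.42.31 and runs
# AD-integrated DNS; 192.168.42.51 is its DNS partner (addresses from the question).
$InterfaceAlias     = 'Ethernet'
$PartnerDns         = '192.168.42.51'
$Loopback           = '127.0.0.1'
# Only AD-integrated DNS servers belong in the list; anything else is flagged.
$ApprovedDnsServers = @('192.168.42.31', '192.168.42.51')

function Test-DnsClientList {
    <#
      Audits an ordered DNS client list against the guidelines quoted in the thread:
        - at least two entries (guideline 5)
        - every entry is an approved AD-integrated DNS server or the loopback address
        - a host that runs DNS lists itself (guideline 1), via loopback (guideline 3),
          and not in first position (guideline 2)
      Returns an array of finding strings; an empty array means the list is compliant.
    #>
    param(
        [Parameter(Mandatory)][string[]]$ServerAddresses,
        [Parameter(Mandatory)][string[]]$ApprovedServers,
        [string[]]$OwnAddresses = @(),   # this host's real IPv4 addresses
        [switch]$IsDnsServer             # set when the host itself runs DNS
    )
    $findings = @()

    if ($ServerAddresses.Count -lt 2) {
        $findings += "Only $($ServerAddresses.Count) DNS client entry; at least two are expected (guideline 5)."
    }
    foreach ($addr in $ServerAddresses) {
        if ($addr -ne $Loopback -and $ApprovedServers -notcontains $addr) {
            $findings += "Entry $addr is not an approved AD-integrated DNS server."
        }
        if ($OwnAddresses -contains $addr) {
            $findings += "Entry $addr is this host's real IP; use $Loopback instead (guideline 3)."
        }
    }
    if ($IsDnsServer) {
        if ($ServerAddresses -notcontains $Loopback) {
            $findings += "Host runs DNS but does not list $Loopback anywhere (guideline 1)."
        }
        elseif ($ServerAddresses[0] -eq $Loopback) {
            $findings += "Loopback is the preferred server; point at a partner first (guideline 2)."
        }
    }
    return $findings
}

# 1. Apply the recommended ordering: partner as preferred, loopback as alternate.
#    Requires an elevated session; add -WhatIf to preview without changing anything.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($PartnerDns, $Loopback)

# 2. Read back what the adapter now reports and audit it.
$current = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
$ownIPv4 = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).IPAddress

$issues = Test-DnsClientList -ServerAddresses $current -ApprovedServers $ApprovedDnsServers `
                             -OwnAddresses $ownIPv4 -IsDnsServer
if ($issues.Count -eq 0) {
    "DNS client list on $InterfaceAlias matches the guidelines: $($current -join ', ')"
} else {
    "DNS client list on $InterfaceAlias needs attention:"
    $issues | ForEach-Object { " - $_" }
}
```

Running only the audit half against an adapter that lists the DC's own real address first (the layout some of the posts the author mentions recommend) yields two findings: the real-IP entry and the self-first ordering. The audit is the useful part for internal documentation: it turns guidelines 1 to 3 and 5 into checks that can be re-run after any NIC change, and the approved-server list is where a non-AD-integrated or third-party resolver would show up.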
Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
I read Ned's piece years ago - couldn't find it when I looked for it again... but that's why I said:
"There is no DEFINITIVE answer.  Other than you DO NOT use third party DNS servers."
My answer is very similar to:
"It depends on who you ask. 🙂 We in MS have been arguing this amongst ourselves for 11 years now."

Author

Commented:
I was looking for some documentation specifically related to the question I asked: "How should the IPV4 Properties be set for the Preferred DNS Server and Alternate DNS Server in each scenario? " It is true that there isn't a definitive answer, but you left out all the stuff that actually answered my question like #2 and #3.

Author

Commented:
Okay, I'm going to award the points based on these factors:

1. The question was ultimately "How should the IPV4 Properties be set for the Preferred DNS Server and Alternate DNS Server in each scenario?" and I requested a "This is what you should do and why" type of answer.
2. Any response that did not accurately and specifically reflect an answer to that question with data to back up assertions will not be awarded points. Efforts to answer questions are appreciated, but to be fair, answers that don't actually answer the question that was asked, provide inaccurate or misleading information, or provide absolutely no further understanding/documentation of the answer ultimately are not as helpful as those that do.
3. I went back and read the responses and evaluated whether any of them really helped answer the question I asked. If I had come upon only that answer in response to a search I assessed whether I would have been able to use the information in it to address my question. Only one of the responses actually contained that type of information, thus I am awarding all of the points to that response.
