Preferred and Secondary DNS servers on single 2012r2 DC with AD,DNS and DHCP

Hello all, I hope this isn't too easy or a repetitive question. One weak area I have is understanding how to configure DNS on a domain controller, in this case the only DC on the network. It has AD and DNS, and we made it the DHCP server. The OS is 2012 R2. Let me explain what configurations I have on the server and router.

We have a static IP address on a SonicWALL router, configured with the ISP DNS servers. Now, here's one possible fault: I have teamed the NICs on the server (2), just the standard options. I think I have read somewhere that this may not be a good idea on a DNS server; not sure. So the teamed NICs have the server's IP address on the LAN assigned. I have the server set up to use root hint servers and no forwarders, and the root hint servers are resolving. I am using the ISP primary DNS as the preferred DNS server on the DC NIC (teamed); for the secondary I am using the DC's LAN IP address, versus the loopback address.

I am away from the site at the moment but will go onsite soon. I have read a lot of stuff lately and it's pretty diverse, meaning different opinions for similar circumstances others have had. Do I need to get rid of the ISP's DNS server in the DC LAN properties altogether? Using root hints, if it matters to the next question, what would I use for the primary and secondary DNS servers in the DC's NIC properties then? I have read: use the DC's IP address as the first (primary). I just need an answer I can feel good about, and I will wait to be at the server before I make a change so I don't knock down the network from afar.

Errors: I ran the BPA on AD and DNS and I get errors in both. The DNS one seems easy to interpret; it complains about the ISP external DNS server being unable to resolve internal records, etc. AD is reporting issues with advertising and registering DNS records and other advertisements such as LDAP and PDC for the domain. I think if I can get the DNS sorted out on preferred/secondary on the DC then some of this will clear up. I ran dcdiag /test:dns and got a lot of the same DNS errors reported. We migrated a Server 2003 DC to this one a couple of years ago and I also have my concerns about all the stuff I still see in AD that belonged to the old 2003 server, like old SQL version entries, etc., and that's another topic for later perhaps.

As for Internet access for the computers on the domain and the server, I don't see any real issues there, but I do see that access to shares over the network has become spotty, and I am starting with the server: clean it up and then see how shares are across the LAN. Again, thank you for your time and assistance.
Mark Lytle, owner operator, asked:
Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
A teamed NIC has a single IP; that does not cause issues with the DNS server. It only does if you "team" by using different IPs on the same subnet, and that is a very, very bad idea with no foundation at all, but one that is often found to be done.

Never use an external DNS server together with Active Directory; it won't be able to accept the dynamic registration of AD services that is required.
On a DC it is a good idea to have a different MS server (it doesn't need to be a DC) as primary. If none is available, the loopback address should be used. Then create forwarders to the ISP. I would not rely on the root hints; those are a means of last resort only.
Mark Lytle (Author) commented:
Thanks for the quick response. So yes, the teamed NIC has a single IP, and we do not have another MS server available. So, to confirm: use the loopback address as primary and configure forwarders to the DNS servers belonging to the ISP (2). What about a secondary DNS on the server; would that be the IP address on the teamed NICs? Also, are there other MS servers or third-party forwarders that can be added with the ISP DNS servers as forwarders?

Thank You!
Shaun Vermaak, Technical Specialist/Developer, commented:
Put the ISP DNS entries in as forwarders, not in DNS settings

Also, use the attached file as a guide

Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
There is no use for a secondary DNS server on the DC if it isn't in the same domain, so just leave that empty. The primary is the loopback address, as you have nothing else available.
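The configuration the two answers above describe (loopback as the only DNS server in the DC's own NIC settings, ISP resolvers moved to the DNS Server role as forwarders, no reliance on root hints), followed by the checks the asker was already running, as an added PowerShell example. This is not code from the thread or from either participant; it assumes a single Server 2012 R2 DC, a NIC team named Team1 (the name is an assumption; check it with Get-NetLbfoTeam), placeholder ISP resolver addresses from the 203.0.113.0/24 documentation range, and OpenDNS's public resolvers as the extra forwarders the asker later reports adding. Run it at the console of the DC, not over a remote session, since step 3 changes the DC's own name resolution.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original thread. Adjust the assumptions below first.
$TeamAlias  = 'Team1'                                  # assumed alias of the LBFO team carrying the LAN IP
$Forwarders = @('203.0.113.53', '203.0.113.54',        # placeholder ISP resolvers (documentation range)
                '208.67.222.222', '208.67.220.220')    # OpenDNS public resolvers
$Domain     = $env:USERDNSDOMAIN.ToLower()             # AD DNS domain of this DC, e.g. corp.example.com

Import-Module DnsServer, DnsClient, NetLbfo

# 1. Confirm the team is one logical interface with a single IPv4 address
#    (the harmful case is several NICs with separate IPs on the same subnet).
Get-NetLbfoTeam -Name $TeamAlias | Format-Table Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetIPAddress -InterfaceAlias $TeamAlias -AddressFamily IPv4 | Format-Table IPAddress, PrefixLength

# 2. Show what the NIC currently points at; an ISP address here is what the BPA complained about.
Get-DnsClientServerAddress -InterfaceAlias $TeamAlias -AddressFamily IPv4

# 3. Point the DC's own DNS client at the loopback address only. No secondary is set:
#    there is no other DNS server in this domain to fall back to.
Set-DnsClientServerAddress -InterfaceAlias $TeamAlias -ServerAddresses '127.0.0.1'

# 4. Move the external resolvers to the DNS Server role as forwarders and stop
#    falling back to root hints when the forwarders do not answer.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3
Get-DnsServerForwarder

# 5. Re-register the DC's own A and SRV records and re-announce the DC.
#    Restarting Netlogon on the only DC briefly interrupts logons; do it off-hours.
ipconfig.exe /registerdns | Out-Null
Restart-Service Netlogon
Start-Sleep -Seconds 15

# 6. Verify through 127.0.0.1: the LDAP and PDC SRV records the AD BPA reported on
#    must resolve locally, and an external name must resolve via the forwarders.
Resolve-DnsName -Server 127.0.0.1 -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain"  | Format-Table Name, NameTarget, Port
Resolve-DnsName -Server 127.0.0.1 -Type SRV -Name "_ldap._tcp.pdc._msdcs.$Domain" | Format-Table Name, NameTarget, Port
Resolve-DnsName -Server 127.0.0.1 -Type A   -Name 'www.example.com'               | Format-Table Name, IPAddress

# 7. Re-run the test the asker used; the DNS-related errors should now be gone.
dcdiag.exe /test:dns /v
```

-UseRootHint $false follows the advice in this thread to not rely on root hints; if you would rather keep them as the last resort when every forwarder is down, leave the parameter at its default of $true. Placing the DC's LAN IP as a secondary entry is harmless but redundant here, since it reaches the same service as 127.0.0.1.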
Mark Lytle (Author) commented:
Thanks Guys! I will try within a couple days and let you know.
Mark Lytle (Author) commented:
Shaun Vermaak, what am I looking at in the guide you posted?

Name     IP    PDCe   AD Site   Link Speed   DNS Settings
fqf            Yes    Site A    Fast
qfwwf          No     Site A    Fast
qfwwf          No     Site B    Slow
wq             No     Site B    Slow
Mark Lytle (Author) commented:
My BPA results are much better. I used OpenDNS and the ISP DNS servers as forwarders. It seems browsing to external sites is quicker, as is accessing shares on the network. Thanks for clearing up the mystery for me.