DNS Best practice

CBM Corporate
Hi Experts.

Got a question we seem to disagree on amongst colleagues.

In a "modern" Windows environment (2008, 2012, 2016) with multiple DNS servers within a single AD (let's keep it simple for argument's sake and not talk multi-AD or forests), what is the best practice when it comes to assigning the DNS server IPs?

#1. Each DNS server has itself (loopback) as the only DNS entry in the TCP/IP settings, and any second DNS is declared in the Name Servers tab.
#2. Each DNS server has itself (loopback) as the Primary DNS entry AND any second DNS is declared as the Secondary DNS entry in the TCP/IP settings.
#3. Each DNS server has the secondary DNS declared as Primary AND itself (loopback) as Secondary in the TCP/IP settings.

All three scenarios seem to work 99% of the time, mostly when it comes to AD replication, but at times we like to point fingers at each other's config for any downtime that occurred, and subsequently buy a round of coffees for the team :)

Any Experts wish to comment?
kevinhsieh (Network Engineer)

What do you mean by loopback? The loopback is The other address is not considered loopback.

DC should never use itself as primary, unless it is the only DC. It can lead to split brain partitioning where replication gets broken because the DCs can't find each other because their own information is incorrect.

Whether or not you use the local IP or loopback for secondary or tertiary probably doesn't make much difference. I always use the real IP, and never loopback.


Thanks for the feedback, interesting to note I always used as this was recommended "at the time" meaning back in the NT4 world :)
kevinhsieh (Network Engineer)

Well, the loopback should be available even when the physical network is unavailable.

I don't remember it as recommended in my 3.50 documentation, nor in my NT 4 TCP/IP class. I still have those materials, as 90% is still valid today, and fundamental to networking.
kevinhsieh (Network Engineer)

Wait, NT didn't rely on DNS, and there was no replication (only zone transfers), so none of this applied.

I also see this cross posted on Spiceworks.
Distinguished Expert 2018
The 1st DNS entry should point to another DC in the same site, unless you have only a single DC.
The 2nd should point to the DC's own IP.
The 3rd entry points to the loopback address.
The reason for this is: when a DC boots, the networking service starts first, followed by the DNS Client service and, later, the DNS Server service. Until the DNS Server service starts, the DNS zones on the local DC won't load, and the zone loading process also takes its own time after the DNS Server service has started; in the meantime the DNS Client service locates another DNS server as the preferred DNS and starts getting the relevant SRV records.
If you specify your own IP as the 1st DNS entry, the process has to wait until the local DNS Server service comes up and loads the zone data.
If none of the configured DNS server IPs respond in time, the server will use the 3rd address (loopback) to forcibly declare itself as the DNS server, and this saves it from the island effect.
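As an added example, not code posted by anyone in this thread: a PowerShell snippet that audits a DC's IPv4 DNS client list against the order described above (another DC first, own IP second, loopback last) and applies that order only after confirming the partner DC actually answers a DC-locator SRV query, so a dead partner is not made the preferred resolver. The interface alias "Ethernet", the partner address 10.0.0.11 and the domain corp.example are assumed placeholders; the cmdlets are the standard NetTCPIP, DnsClient and Resolve-DnsName cmdlets available on Windows Server 2012 and later.

```powershell
# Added example, not from any poster on this thread. Run in an elevated
# PowerShell session on the DC being configured.
# Assumed/constructed values: NIC alias "Ethernet", partner DC 10.0.0.11,
# AD DNS domain "corp.example". Replace with your own.

$InterfaceAlias = 'Ethernet'
$PartnerDc      = '10.0.0.11'
$AdDomain       = 'corp.example'

# Discover this DC's own IPv4 address on the chosen interface
# (skips the well-known APIPA/loopback prefix origins).
$OwnIp = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
          Select-Object -First 1).IPAddress

# Desired order from the post above: partner DC, own IP, loopback.
$Desired = @($PartnerDc, $OwnIp, '127.0.0.1')

function Test-DcDnsClientOrder {
    # Returns an object whose Compliant flag is $true only when the configured
    # IPv4 resolvers match $Expected exactly and in the same order.
    param([string]$Alias, [string[]]$Expected)
    $current = @((Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses)
    # -SyncWindow 0 makes Compare-Object positional, so order differences count.
    $ok = ($current.Count -eq $Expected.Count) -and
          (-not (Compare-Object $current @($Expected) -SyncWindow 0))
    [pscustomobject]@{
        Interface = $Alias
        Current   = ($current  -join ', ')
        Expected  = ($Expected -join ', ')
        Compliant = $ok
    }
}

$before = Test-DcDnsClientOrder -Alias $InterfaceAlias -Expected $Desired
$before | Format-List

if (-not $before.Compliant) {
    # Only promote the partner DC to preferred resolver if it really serves the
    # domain's DC locator records; otherwise leave the box as it is.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                               -Server $PartnerDc -ErrorAction Stop
        Write-Host "Partner $PartnerDc returned $(@($srv).Count) DC locator record(s); applying order."
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Desired
        Clear-DnsClientCache
        Test-DcDnsClientOrder -Alias $InterfaceAlias -Expected $Desired | Format-List
    } catch {
        Write-Warning "Partner DC $PartnerDc did not answer the SRV query: $($_.Exception.Message). Leaving configuration unchanged."
    }
}
```

Run the same script on every DC in the site with each DC's partner substituted in; the audit function alone (without the `Set-` branch) is also a handy thing to run across the fleet when the team is, as the asker puts it, deciding who buys the coffees.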
Shaun Vermaak (Technical Specialist), Awarded 2017, Distinguished Expert 2018

Thanks for the feedback, interesting to note I always used as this was recommended "at the time" meaning back in the NT4 world :)
Still valid. You need it if the IPsec policy gets corrupted, the NIC stack falls over, etc.

Use my file attached as a guide

Follow Malesh's recommendations. I have had the same DNS setup for years and never had a single issue.
I do add the "DNS suffix for this connection" in the Advanced TCP/IP settings, on all servers and workstations.