DNS Best practice

Hi Experts.

Got a question we seem to disagree on amongst colleagues.

In a "modern" Windows environment (2008, 2012, 2016) with multiple DNS servers within a unique AD (let's keep it simple for argument's sake and not talk multi-AD or forests), what is the best practice when it comes to IP assigning?

#1. Each DNS server has itself (loopback) as unique DNS entry in the TCP/IP settings, and any second DNS is declared in the Name Servers tab.
#2. Each DNS server has itself (loopback) as Primary DNS entry AND any second DNS is declared as Secondary DNS entry in the TCP/IP settings.
#3. Each DNS server has the secondary DNS declared as Primary AND itself (loopback) in the TCP/IP settings.

All three scenarios seem to work 99% of the time, when it comes to AD replication mostly, but at times, we like to point fingers at each others config for any downtime that occurred, and subsequently buy a round of coffees for the team :)

Any Experts wish to comment ?
Cheers.
CBM Corporate asked:
kevinhsieh commented:
What do you mean by loopback? The loopback is 127.0.0.1. The other address is not considered loopback.

DC should never use itself as primary, unless it is the only DC. It can lead to split brain partitioning where replication gets broken because the DCs can't find each other because their own information is incorrect.

Whether or not you use the local IP or loopback for secondary or tertiary probably doesn't make much difference. I always use the real IP, and never loopback.
CBM Corporate (Author) commented:
Thanks for the feedback, interesting to note I always used 127.0.0.1 as this was recommended "at the time" meaning back in the NT4 world :)
kevinhsieh commented:
Well, the loopback should be available, even when physical network is unavailable.

I don't remember it as recommended in my 3.50 documentation, nor in my NT 4 TCP/IP class. I still have those materials, as 90% is still valid today, and fundamental to networking.
kevinhsieh commented:
Wait, NT didn't rely on DNS, and there was no replication (only zone transfers), so none of this applied.

I also see this cross posted on Spiceworks.
Mahesh (Architect) commented:
The 1st DNS entry should point to another DC in the same site, unless you have a single DC only.
The 2nd should point to the DC's own IP.
The 3rd entry points to the loopback address.
The reason for this is: when a DC boots, the networking service starts first, followed by the DNS Client service, and the DNS Server service later. Until the DNS Server service starts, the DNS zones on the local DC won't load, and the zone loading process also takes its own time after the DNS Server service has started. In the meantime, the DNS Client service locates the other DNS server as preferred DNS and starts getting the relevant SRV records.
If you specify the DC's own IP as the 1st DNS entry, the process has to wait until the local DNS Server service comes up and loads the zone data.
If none of the configured DNS server IPs respond in time, the server will use the 3rd address (loopback) to declare itself as DNS server by force, and this will save you from the island effect.

Shaun Vermaak (Technical Specialist) commented:
Thanks for the feedback, interesting to note I always used 127.0.0.1 as this was recommended "at the time" meaning back in the NT4 world :)
Still valid. You need it if the IPsec policy gets corrupted, the NIC stack falls over, etc.

Use my file attached as a guide
ADDNS.xlsm
Robert Lem commented:
Follow Mahesh's recommendations. I have had the same DNS setup for years and never had a single issue.
I do add the "DNS suffix for this connection" in the Advanced TCP/IP settings, on all servers and workstations.
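The configuration Mahesh describes (partner DC first, own IP second, loopback third) and the connection-specific suffix Robert Lem mentions, as one added PowerShell example that is not part of the original thread or anyone's attached file. It applies the ordering to a DC's NIC, then checks that each configured server actually answers the domain's DC-locator SRV query, which is the record the DNS Client service needs at boot. The interface alias, partner DC address and domain name are placeholders you must replace with your own values.

```powershell
# Added example, not from the thread. Run on a domain controller in an
# elevated PowerShell session (Windows Server 2012 or later DnsClient module).
# All three values below are assumptions for illustration; replace them.
param(
    [string]$InterfaceAlias = 'Ethernet',      # assumed NIC name
    [string]$PartnerDc      = '10.0.0.11',     # assumed: another DC in the same AD site
    [string]$DomainName     = 'corp.example'   # assumed AD DNS domain name
)

# Pick this DC's own IPv4 address on the interface, ignoring APIPA addresses.
$self = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -notlike '169.254.*' } |
         Select-Object -First 1).IPAddress

# Order matters: the DNS Client tries the list top-down. Partner DC first means
# boot-time lookups do not wait for the local DNS Server service to load its
# zones; own IP second; loopback last as the fallback that lets the DC answer
# for itself if nothing else responds (the "island" fallback in the answer above).
$order = @($PartnerDc, $self, '127.0.0.1')
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $order

# Connection-specific suffix, so single-label names resolve within the domain.
Set-DnsClient -InterfaceAlias $InterfaceAlias -ConnectionSpecificSuffix $DomainName

# Show the applied settings.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Get-DnsClient -InterfaceAlias $InterfaceAlias |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

# Check: every server in the list must be able to return the DC-locator SRV
# record. A FAIL on the partner entry means boot-time location falls through to
# this DC's own service; a FAIL on 127.0.0.1 means the local DNS Server is down
# or is not hosting the zone.
$srv = "_ldap._tcp.dc._msdcs.$DomainName"
foreach ($server in $order) {
    try {
        $answers = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop
        $targets = ($answers | Where-Object { $_.Type -eq 'SRV' } |
                    ForEach-Object { $_.NameTarget }) -join ', '
        Write-Output ("{0,-15} OK   -> {1}" -f $server, $targets)
    } catch {
        Write-Output ("{0,-15} FAIL -> {1}" -f $server, $_.Exception.Message)
    }
}
```

The SRV check is the useful part for settling the "whose config caused the outage" argument: run it on each DC after a reboot and you see directly which entry in the list was actually answering. Resolve-DnsName with -Server bypasses the client cache and the configured list, so each entry is tested on its own.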