
additional domain controller NIC DNS

dr lamer
We are planning to do a domain controller migration from 2008 R2 to 2016.
My question is: before promoting the server to a domain controller,
what should the primary DNS on the NIC (DC02) be?
Point to itself? Point to the old DC? Or

After the migration we are planning to decommission the old server (DC01).

If you have another domain controller in place already and you're adding a new one, I always point the client DNS configuration on the new DC to an existing DC until such time that the promotion is complete. Generally speaking, I always pick another DC in the site as a DC's primary DNS and the DC itself as secondary; this is of course not possible if you have a single DC, but you should never have a single DC anyway. Personal preference, based on experiencing issues over the years and working with MS support on a multitude of cases. There is much religious debate even within Microsoft themselves about best practice for a DC's DNS client configuration. But the advice from the MS AD PFEs is as below (see the AD DS PFE blog mailbag post here):

  1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
  2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start.)
  3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
  4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones. This is the default when DNS is configured on a new Win2003 or later forest's DCs. (Lots more arguments here.)
  5. DCs should have at least two DNS client entries.
  6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients and members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DCs running DNS.
  7. We don't care if you use Windows or 3rd-party DNS. It's no skin off our nose: you already paid us for the DCs and we certainly don't need you to buy DNS-only Windows servers. But we won't be able to assist you with your BIND server, and their free product's support is not free.
  8. (Other things I didn't say that are people's pet peeves, leading to even more arguments.)

A link from Microsoft on DC DNS settings best practices here.
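The sequence the answer describes (existing DC only before promotion, another DC first and loopback second afterwards, then a re-check when the old DC goes away), written out as PowerShell. This is an added example, not code from the question or the answer above; the NIC alias "Ethernet", the addresses 10.0.0.11 (DC01) and the domain name corp.example.com are assumed values to replace with your own.

```powershell
# Added example, not part of the original thread. Assumed values:
# NIC alias "Ethernet", existing DC01 at 10.0.0.11, domain corp.example.com.
$Nic        = "Ethernet"
$ExistingDC = "10.0.0.11"        # DC01, already hosting the AD-integrated zones
$Domain     = "corp.example.com"

# 1. Before promotion: DC02's NIC points only at an existing DC, so the
#    promotion can find the domain through the _msdcs SRV locator records.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($ExistingDC)

# Confirm from this server that the locator records actually resolve.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ExistingDC

# 2. After promotion, once the DNS role is installed and the zones have
#    replicated to DC02: another DC as primary, loopback as secondary
#    (items 2 and 3 of the PFE list above).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($ExistingDC, "127.0.0.1")

# Verify DC02 answers for the locator records itself and passes the DNS tests.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1
dcdiag /test:DNS /v

# 3. When DC01 is decommissioned, remove its address. If a third DC exists
#    put that DC first and keep the loopback second; with DC02 as the only
#    DC (which the answer advises against) the loopback is all that is left.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @("127.0.0.1")

# Final check of the client configuration on every IPv4 interface.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
```

The same decommission step has to be repeated for everything else that still lists DC01 as a DNS server: the other DCs' NICs, the DHCP scope options and any group policy preferences that push DNS servers to clients (item 6 above), otherwise those machines lose resolution the moment DC01 is switched off.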