DC DNS Settings

JaredBusch

@BRRABill said in DC DNS Settings:

I've never come to a conclusion on this one, and the Internet seems to be 50-50.

So, figured I'd take a poll here at ML.

What do you set the DNS to on your domain controllers?

Do you set itself as primary and the other DC as secondary, or vice versa?

always itself primary and the other DC as secondary.
127.0.0.1
X.X.X.X

thwr

You mean for the clients and non-DNS servers?

In most deployments, the "primary" and "secondary" DC (there is no such thing in AD, there is just a forest master and a PDC emulator) will also hold the DNS roles. For the clients (and non-DNS-servers) DNS settings, well, it's simply the order I've installed them (primary DNS is the "first" DC, secondary the "second" DC).

Is there any specific reason why one would switch this?

tiagom

For our DC's we use itself as primary and alternate as a secondary DC.

BRRABill

I do the same, itself as primary.

But it seemed like there were a lot of people on the Internet with the opposite.

Of course, they aren't the geniuses here at ML.

thwr

@BRRABill said in DC DNS Settings:

I do the same, itself as primary.

But it seemed like there were a lot of people on the Internet with the opposite.

Of course, they aren't the geniuses here at ML.

Well, there's a lot of "half-knowledge" out there. But I'm curious, what are the reasons for swapping? Anything that makes sense?

Romo

I always thought with 2 dns servers you set them to point at each other as primary and then to themselves as secondary. Most people always told my something like this:

If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.

scottalanmiller

@JaredBusch said in DC DNS Settings:

@BRRABill said in DC DNS Settings:

I've never come to a conclusion on this one, and the Internet seems to be 50-50.

So, figured I'd take a poll here at ML.

What do you set the DNS to on your domain controllers?

Do you set itself as primary and the other DC as secondary, or vice versa?

always itself primary and the other DC as secondary.
127.0.0.1
X.X.X.X

@JaredBusch is correct and there should be no grey area here or 50/50 on the Internet. This is a very well known Microsoft stated practice and a requirement for MS certification and MS has explained why it is this way. There is no reason for it to be any other way, doing anything other than this introduces unnecessary latency and network traffic without any benefit.

scottalanmiller

@Romo said in DC DNS Settings:

I always thought with 2 dns servers you set them to point at each other as primary and then to themselves as secondary. Most people always told my something like this:

Tell those people to go look at their MS reference material again

Romo

Just found this in technet:

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

scottalanmiller

@Romo said in DC DNS Settings:

Just found this in technet:

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

But it says if "only to itself", of course we would never say to skip having the secondary.

scottalanmiller

@Romo said in DC DNS Settings:

https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

Interesting, this goes against MS' DNS certification requirements in the past.

Romo

@scottalanmiller said in DC DNS Settings:

@Romo said in DC DNS Settings:

Just found this in technet:

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

But it says if "only to itself", of course we would never say to skip having the secondary.

Yes but it also says

The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

It's really confusing.

Even dell has it like that http://www.dell.com/support/article/us/en/04/SLN155801/en

In a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.
If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.

scottalanmiller

@Romo said in DC DNS Settings:

@scottalanmiller said in DC DNS Settings:

@Romo said in DC DNS Settings:

Just found this in technet:

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

But it says if "only to itself", of course we would never say to skip having the secondary.

Yes but it also says

The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

It's really confusing.

Even dell has it like that http://www.dell.com/support/article/us/en/04/SLN155801/en

In a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.
If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.

Yeah, apparently there is an islanding issue that can happen. Their wording is definitely not good.

Romo

So I should not change my DNS servers settings then?

Primary: Second Dns
Secondary: 127.0.0.1

scottalanmiller

@Romo said in DC DNS Settings:

So I should not change my DNS servers settings then?

Primary: Second Dns
Secondary: 127.0.0.1

Apparently not.

BRRABill

@scottalanmiller

This is why I asked.

See what I mean?

Can we at ML come up with a best practice?

thwr

Looks like I got the question wrong

Veet

Always pointed it to itself, as the primary ... Also, doesn't Microsoft itself recommend this as a Best Practice ?

BRRABill

So, does it really seem like we're all doing it wrong?

That DC1 should have DC2 listed as its primary DNS server? And DC1 secondary?

brianlittlejohn

@BRRABill I have two DCS,
DC1 has DC2 as primary and itself as secondary. Then for DC2, DC1 is primary and itself secondary.