DC DNS Settings



  • I've never come to a conclusion on this one, and the Internet seems to be 50-50.

    So, figured I'd take a poll here at ML.

    What do you set the DNS to on your domain controllers?

    Do you set itself as primary and the other DC as secondary, or vice versa?



  • @BRRABill said in DC DNS Settings:

    I've never come to a conclusion on this one, and the Internet seems to be 50-50.

    So, figured I'd take a poll here at ML.

    What do you set the DNS to on your domain controllers?

    Do you set itself as primary and the other DC as secondary, or vice versa?

    always itself primary and the other DC as secondary.
    127.0.0.1
    X.X.X.X



  • You mean for the clients and non-DNS servers?

    In most deployments, the "primary" and "secondary" DC (there is no such thing in AD, there is just a forest master and a PDC emulator) will also hold the DNS roles. For the clients (and non-DNS-servers) DNS settings, well, it's simply the order I've installed them (primary DNS is the "first" DC, secondary the "second" DC).

    Is there any specific reason why one would switch this?



  • For our DC's we use itself as primary and alternate as a secondary DC.



  • I do the same, itself as primary.

    But it seemed like there were a lot of people on the Internet with the opposite.

    Of course, they aren't the geniuses here at ML. 🙂



  • @BRRABill said in DC DNS Settings:

    I do the same, itself as primary.

    But it seemed like there were a lot of people on the Internet with the opposite.

    Of course, they aren't the geniuses here at ML. 🙂

    Well, there's a lot of "half-knowledge" out there. But I'm curious, what are the reasons for swapping? Anything that makes sense?



  • I always thought with 2 dns servers you set them to point at each other as primary and then to themselves as secondary. Most people always told my something like this:

    If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.



  • @JaredBusch said in DC DNS Settings:

    @BRRABill said in DC DNS Settings:

    I've never come to a conclusion on this one, and the Internet seems to be 50-50.

    So, figured I'd take a poll here at ML.

    What do you set the DNS to on your domain controllers?

    Do you set itself as primary and the other DC as secondary, or vice versa?

    always itself primary and the other DC as secondary.
    127.0.0.1
    X.X.X.X

    @JaredBusch is correct and there should be no grey area here or 50/50 on the Internet. This is a very well known Microsoft stated practice and a requirement for MS certification and MS has explained why it is this way. There is no reason for it to be any other way, doing anything other than this introduces unnecessary latency and network traffic without any benefit.



  • @Romo said in DC DNS Settings:

    I always thought with 2 dns servers you set them to point at each other as primary and then to themselves as secondary. Most people always told my something like this:

    Tell those people to go look at their MS reference material again 😉



  • Just found this in technet:

    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx



  • @Romo said in DC DNS Settings:

    Just found this in technet:

    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

    But it says if "only to itself", of course we would never say to skip having the secondary.



  • @Romo said in DC DNS Settings:

    https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

    Interesting, this goes against MS' DNS certification requirements in the past.



  • @scottalanmiller said in DC DNS Settings:

    @Romo said in DC DNS Settings:

    Just found this in technet:

    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

    But it says if "only to itself", of course we would never say to skip having the secondary.

    Yes but it also says

    The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    It's really confusing.

    Even dell has it like that http://www.dell.com/support/article/us/en/04/SLN155801/en

    In a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.
    If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.



  • @Romo said in DC DNS Settings:

    @scottalanmiller said in DC DNS Settings:

    @Romo said in DC DNS Settings:

    Just found this in technet:

    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    https://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx

    But it says if "only to itself", of course we would never say to skip having the secondary.

    Yes but it also says

    The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    It's really confusing.

    Even dell has it like that http://www.dell.com/support/article/us/en/04/SLN155801/en

    In a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.
    If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.

    Yeah, apparently there is an islanding issue that can happen. Their wording is definitely not good.



  • So I should not change my DNS servers settings then?

    Primary: Second Dns
    Secondary: 127.0.0.1



  • @Romo said in DC DNS Settings:

    So I should not change my DNS servers settings then?

    Primary: Second Dns
    Secondary: 127.0.0.1

    Apparently not.



  • @scottalanmiller

    This is why I asked.

    See what I mean?

    Can we at ML come up with a best practice?



  • Looks like I got the question wrong 😉



  • Always pointed it to itself, as the primary ... Also, doesn't Microsoft itself recommend this as a Best Practice ?



  • So, does it really seem like we're all doing it wrong?

    That DC1 should have DC2 listed as its primary DNS server? And DC1 secondary?



  • @BRRABill I have two DCS,
    DC1 has DC2 as primary and itself as secondary. Then for DC2, DC1 is primary and itself secondary.



  • @brianlittlejohn said in DC DNS Settings:

    @BRRABill I have two DCS,
    DC1 has DC2 as primary and itself as secondary. Then for DC2, DC1 is primary and itself secondary.

    Seems like that is what is now recommended. Though all the first few posters did not have it set up that way, and that is apparently not the way MS used to recommend.



  • @BRRABill said in DC DNS Settings:

    I do the same, itself as primary.

    But it seemed like there were a lot of people on the Internet with the opposite.

    Of course, they aren't the geniuses here at ML. 🙂

    I take it back, my servers were NOT set up like this.

    Not that anyone cares. Just wanted to set the record straight. 🙂



  • I have been doing the Primary points to other DNS and secondary to itself for over 5 years, and probably more like 15.



  • @Dashrender said in DC DNS Settings:

    I have been doing the Primary points to other DNS and secondary to itself for over 5 years, and probably more like 15.

    Me, too. Never an issue.

    I wish we could have figured out why MS seems to be recommending it.



  • Adding to this:

    I've also always point the primary to 127.0.0.1 and secondary to the secondary controller. If no secondary controller, then a public DNS.



  • @fuznutz04 said in DC DNS Settings:

    Adding to this:

    I've also always point the primary to 127.0.0.1 and secondary to the secondary controller. If no secondary controller, then a public DNS.

    Funny there are so many ways to do this that don't break it.



  • @BRRABill said in DC DNS Settings:

    @fuznutz04 said in DC DNS Settings:

    Adding to this:

    I've also always point the primary to 127.0.0.1 and secondary to the secondary controller. If no secondary controller, then a public DNS.

    Funny there are so many ways to do this that don't break it.

    That don't break it.... right away.



  • So here is a quesiton. When you first add a secondary DC/DNS, do you go back to the original DC and update the DNS on the NIC? Or do you leave the original pointing only to 127.0.0.1?


Log in to reply