Warning: I do not recommend making changes to critical services like DNS without testing and getting approval from your organization. Follow your change management process for these types of changes.

Have at least two DNS servers for redundancy

In small to large environments you should have at least two DNS servers. DNS and Active Directory are critical services; if they fail you will have major problems. Having two servers ensures DNS still functions when one of them fails. In an Active Directory domain, everything relies on DNS to function correctly: clients locate domain controllers for logon, Kerberos and Group Policy through DNS SRV records, and even browsing the internet and accessing cloud applications relies on DNS. I've experienced a complete domain controller/DNS failure, and I'm not joking when I say almost everything stopped working.

In the diagram above, my site has two domain controllers that also run DNS. The clients are configured to use DHCP, and the DHCP server hands each client a primary and a secondary DNS server. If DC1/DNS goes down, the client automatically uses its secondary DNS server to resolve hostnames. If DC1 went down and there was no internal secondary DNS server, the client would be unable to reach resources such as email, applications, the internet, and so on.

Bottom line: ensure you have redundancy in place by running multiple DNS/Active Directory servers.

Use Active Directory Integrated Zones

To make deploying multiple DNS servers easier, use Active Directory integrated zones. You can only use AD integrated zones when the DNS Server role runs on your domain controllers. AD integrated zones have the following advantages:

Replication: AD integrated zones store their data in the AD database as container objects, so zone information is automatically replicated to the other domain controllers. The zone data is compressed, allowing it to be replicated quickly and securely to the other servers.

Redundancy: Because zone information is automatically replicated, there is no single point of failure for DNS. If one DNS server fails, the other has a full copy of the zone and can resolve names for clients.

Simplicity: AD integrated zones update automatically without the need to configure zone transfers. This simplifies the configuration while keeping redundancy in place.

Security: If you enable secure dynamic updates, only authorized clients can update their records in the zone. In a nutshell, only members of the domain can register themselves in DNS; the server refuses dynamic updates from computers that are not part of the domain. Note that the "Secure only" setting is available only on AD integrated zones; a file-backed primary zone can only be set to "None" or "Nonsecure and secure".

What is the best practice for DNS order on domain controllers?

I've seen lots of discussion on this topic. If you search for it you will find various answers, but the majority recommend the configuration below:

Primary DNS: another DC in the same site.
Secondary DNS: itself, using the loopback address (127.0.0.1).

In the diagram above I have two domain controllers/DNS servers at the New York site. DC1's primary DNS is set to its replication partner DC2, and its secondary DNS is set to itself using the loopback address. DC2's primary DNS is set to DC1, and its secondary DNS is set to itself using the loopback address. Microsoft states that this configuration improves performance and increases the availability of DNS. If a DC's primary DNS points to itself, the DC can be delayed at startup while it waits on its own DNS service, so list itself second rather than first.

Domain Joined Computers Should Only Use Internal DNS Servers

Your domain joined computers should have both the primary and secondary DNS set to an internal DNS server. An external resolver (an ISP or public DNS server) cannot answer queries for the internal zone or the SRV records used to locate domain controllers, so a client that lists one will intermittently fail to find the domain whenever that server is used. Source: (v=ws.10).aspx
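The following is an added example for the Active Directory integrated zones section above; it is not code from the original article. It runs on a domain controller with the DNS Server role, reports every primary zone that is still file-backed or that allows non-secure dynamic updates, and with -Fix converts those zones to AD integrated storage and enables secure dynamic updates. The zone names it encounters, the replication scope and the -Fix switch are assumptions; the cmdlets are the standard DnsServer module cmdlets.

```powershell
# Added example (not from the original article). Audit and harden primary DNS
# zones on a DC running the DNS Server role. Without -Fix it only reports.
# Requires the DnsServer module and Domain Admin (or DnsAdmins) rights.
param(
    [string]$DnsServer = $env:COMPUTERNAME,   # assumption: run against the local DC
    [switch]$Fix
)

Import-Module DnsServer

# Forward and reverse primary zones we own. Skip auto-created zones (0.in-addr.arpa
# etc.) and the TrustAnchors zone, which are not ours to convert.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }

foreach ($z in $zones) {
    $issues = @()
    if (-not $z.IsDsIntegrated)        { $issues += 'file-backed (not AD integrated)' }
    if ($z.DynamicUpdate -ne 'Secure') { $issues += "dynamic updates = $($z.DynamicUpdate)" }

    if ($issues.Count -eq 0) {
        Write-Output "OK    $($z.ZoneName) (scope: $($z.ReplicationScope), updates: Secure)"
        continue
    }
    Write-Output "CHECK $($z.ZoneName): $($issues -join '; ')"

    if ($Fix) {
        if (-not $z.IsDsIntegrated) {
            # Store the zone in AD and replicate it to every DNS server in the domain.
            # Use -ReplicationScope Forest for zones every domain in the forest must resolve.
            ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ComputerName $DnsServer `
                -ReplicationScope Domain -Force
        }
        # Secure only: an update must come from an authenticated domain member that
        # owns the record, so a rogue host cannot overwrite another machine's A record.
        Set-DnsServerPrimaryZone -Name $z.ZoneName -ComputerName $DnsServer -DynamicUpdate Secure
        Write-Output "FIXED $($z.ZoneName): AD integrated, secure dynamic updates"
    }
}
```

The conversion runs before the update policy is changed because Set-DnsServerPrimaryZone rejects -DynamicUpdate Secure on a zone that is still stored in a file. Run the script once without -Fix, review the CHECK lines against your change ticket, then rerun it with -Fix.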
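The next block is an added example for the "DNS order on domain controllers" section above, not code from the original article. It walks every domain controller, reads the IPv4 DNS client list, and flags any DC whose first entry is itself (loopback or its own address), that has fewer than two entries, or that does not list itself at all. With -Fix it sets the list to "another DC in the same site, then 127.0.0.1". The -Fix switch, the choice of partner (first other DC in the same site) and WinRM reachability of the DCs are assumptions.

```powershell
# Added example (not from the original article). Audit the DNS client order on
# every DC: primary = another DC in the same site, 127.0.0.1 second, never first.
# Requires the ActiveDirectory module and WinRM access to each DC.
param([switch]$Fix)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site

foreach ($dc in $dcs) {
    # Preferred partner: another DC in the same site; fall back to any other DC.
    $partner = $dcs | Where-Object { $_.HostName -ne $dc.HostName -and $_.Site -eq $dc.Site } | Select-Object -First 1
    if (-not $partner) { $partner = $dcs | Where-Object { $_.HostName -ne $dc.HostName } | Select-Object -First 1 }
    if (-not $partner) {
        Write-Warning "$($dc.HostName): only one DC found; add a second DC/DNS server before changing order"
        continue
    }

    # Read the IPv4 DNS list from the first interface that has servers configured.
    $cfg = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } | Select-Object -First 1
    }
    $servers  = @($cfg.ServerAddresses)
    $self     = @('127.0.0.1', $dc.IPv4Address)
    $problems = @()
    if ($servers.Count -lt 2)                                     { $problems += 'fewer than two DNS servers' }
    if ($servers.Count -gt 0 -and $servers[0] -in $self)          { $problems += 'primary points to itself' }
    if (-not ($servers | Where-Object { $_ -in $self }))          { $problems += 'does not list itself as secondary' }

    if ($problems.Count -eq 0) {
        Write-Output "OK    $($dc.HostName): $($servers -join ', ')"
        continue
    }
    Write-Output "CHECK $($dc.HostName): $($servers -join ', ') -> $($problems -join '; ')"

    if ($Fix) {
        $desired = @($partner.IPv4Address, '127.0.0.1')
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            param($ifIndex, $list)
            Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $list
        } -ArgumentList $cfg.InterfaceIndex, $desired
        Write-Output "FIXED $($dc.HostName): $($desired -join ', ')"
    }
}
```

After a fix, run ipconfig /registerdns and dcdiag /test:dns on the changed DC, and confirm with Get-DnsClientServerAddress that the partner is first and the loopback address is second.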
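The final block is an added example for the two client-side sections above (two DNS servers for redundancy, and domain-joined computers using only internal DNS); it is not code from the original article. It sets DHCP option 006 on a scope to the two internal DNS servers, reads the option back, and then audits every enabled computer in an OU for a DNS server outside the internal list or a single-server configuration. The server addresses, scope, DHCP server name, domain name and OU are all assumptions; replace them with your own. Run it against member servers and workstations rather than domain controllers, since a DC's loopback entry would be reported as external here.

```powershell
# Added example (not from the original article). Hand out two internal DNS
# servers via DHCP, then audit domain-joined computers for external resolvers.
# Requires the DhcpServer and ActiveDirectory modules.
$InternalDns = @('10.1.1.10', '10.1.1.11')          # assumption: DC1 and DC2
$ScopeId     = '10.1.1.0'                             # assumption: client scope
$DhcpServer  = 'dc1.corp.example'                     # assumption
$DnsSuffix   = 'corp.example'                         # assumption
$SearchBase  = 'OU=Workstations,DC=corp,DC=example'   # assumption: no DCs in here

Import-Module DhcpServer, ActiveDirectory

# DHCP option 006 (DNS servers) and 015 (DNS suffix). Order matters: clients use
# the first entry and fall back to the second only when the first does not answer.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DnsServer $InternalDns -DnsDomain $DnsSuffix -Force

# Read the option back to confirm the scope now serves exactly the internal list.
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 6 |
    Select-Object OptionId, Value

# Audit: static-IP machines and hosts someone "fixed" with a public resolver
# are not corrected by DHCP, so check what each computer actually uses.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

foreach ($r in $results) {
    $external = @($r.ServerAddresses | Where-Object { $_ -notin $InternalDns })
    $status = if ($external.Count -gt 0)             { "EXTERNAL DNS: $($external -join ', ')" }
              elseif ($r.ServerAddresses.Count -lt 2) { 'only one DNS server (no redundancy)' }
              else                                    { 'OK' }
    Write-Output "$($r.PSComputerName) [$($r.InterfaceAlias)]: $($r.ServerAddresses -join ', ') -> $status"
}
```

Computers that are offline or not reachable over WinRM are silently skipped by -ErrorAction SilentlyContinue; compare the number of results against the number of computers queried so an unreachable host is not mistaken for a compliant one.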