Should DC's with DNS point to self first?

Discussion in 'Active Directory' started by Gonzo, Feb 18, 2007.

  1. Gonzo

    Gonzo Guest

    We have 3 DCs with DNS installed on all of them; how should TCP/IP be
    configured for DNS on each? Servers 1 and 2 are in the same site, server 3
    is offsite and replicated every 180 mins.

    Should all the DCs point to themselves for the preferred DNS?
    Gonzo, Feb 18, 2007

  2. hi,
    Put the preferred DNS as the other one in its site and the secondary as
    self. If you put self as preferred DNS, on startup you will have an error
    or a slow login because the DNS Server service will start later, but you
    can ignore that.
    Dragos CAMARA, Feb 18, 2007

  3. Gonzo

    Gonzo Guest

    I have the preferred DNS pointing to another DNS server for all and the
    alternative to their own IP now.

    One DC only had itself on the preferred!
    Gonzo, Feb 18, 2007
  4. Jorge Silva

    Jorge Silva Guest

    The DC/DNS always must point to itself in preferred DNS. Place the secondary
    DNS server pointing to an existing one, so when the DC starts up, if the
    DNS service starts later than AD, the server can look for the secondary
    DNS.
    BTW: DCs weren't made to be rebooted; however, sometimes it is needed, but
    I don't see ANY reason to do a wrong configuration just because you need a
    reboot from time to time. Why should the DC look for DNS queries in another
    DNS when that DC has the DNS locally? No sense.


    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 18, 2007
  5. It depends. You can go either way, one of the common ways to make the
    decision is:

    If you seem to run into a lot of replication issues and are using AD
    Integrated DNS, pick a single DNS server to be the primary for all DCs
    and point them all at it as primary, point them at another common
    machine as secondary.

    If your replication is always seemingly working fine, point the servers
    at themselves for primary and at another common DNS server for secondary.

    When you point DNS servers at themselves and you have ADI DNS, you run
    the risk of creating DNS islands. This is where a DNS Server doesn't
    have the proper records for other DCs or no records for other DCs.
    Pointing at another DC for secondary can help alleviate this but it can
    still occur if the records are changed and those records don't get
    replicated properly for some other reason and the name resolves on the
    local DC but resolves to the wrong value, in that situation, the
    secondary doesn't help.

    The purpose for pointing a DC that runs DNS at itself is to cut down on
    network traffic for DNS queries.

    Me personally, I prefer non-Windows DNS, but then my experience is
    primarily absolutely huge environments with hundreds of thousands of
    users and a very well established existing DNS infrastructure. Outside
    of that, when I do use Windows DNS, I prefer non-AD Integrated DNS which
    gets the replication based chicken/egg issue out of the way for DNS.
    Then if I do use ADI DNS, I prefer not pointing a DC at itself unless the
    DC is at a WAN location, and then I am very sensitive to replication
    failures reported by monitoring on those WAN DCs.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Feb 18, 2007
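    The island and wrong-record cases described in the post above can be checked rather than guessed at. The PowerShell below is an added example, not code from the thread or from any of its participants: it asks every DNS server (every DC, as in the original poster's setup) for every DC's host A record, its DSA GUID CNAME under _msdcs, and the domain-wide _ldap._tcp.dc._msdcs SRV set, and compares the answers with what AD itself holds. It assumes the ActiveDirectory and DnsClient modules (RSAT, Windows Server 2012 or later; the thread predates these cmdlets) and read access to AD; no names or addresses are hard-coded.

```powershell
# Added example, not from the thread: compare what every DNS server (here,
# every DC) answers for every DC's locator records against what AD itself
# says. A record missing on one server is an island; a record that is present
# but wrong is the worse case, because a wrong answer never triggers fallback
# to the alternate server. Assumes the ActiveDirectory and DnsClient modules
# (RSAT, Windows Server 2012+; the thread predates these cmdlets), that every
# DC also runs DNS, and rights to read AD.

Import-Module ActiveDirectory
Import-Module DnsClient

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain

# Expected values come from AD, not from DNS, so a wrong DNS record is caught
# rather than copied into the expectation.
$expected = foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    [pscustomobject]@{
        Host    = $dc.HostName.ToLower()
        Address = $dc.IPv4Address
        # Replication partners resolve <DSA GUID>._msdcs.<forest> first.
        Cname   = "$($ntds.objectGUID)._msdcs.$forest"
    }
}

function Normalize([string[]]$Names) { @($Names | ForEach-Object { $_.ToLower().TrimEnd('.') }) }

function Test-DnsViewOfDc {
    param([string]$DnsServer, [pscustomobject]$Dc)
    $problems = @()
    try {
        $a = Resolve-DnsName -Name $Dc.Host -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { $problems += "no A record for $($Dc.Host)" }
        elseif (@($a.IPAddress) -notcontains $Dc.Address) {
            $problems += "A record is $($a.IPAddress -join ',') not $($Dc.Address)"
        }
    } catch { $problems += "A lookup failed: $($_.Exception.Message)" }
    try {
        $c = Resolve-DnsName -Name $Dc.Cname -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' }
        if (-not $c) { $problems += "no DSA GUID CNAME" }
        elseif ((Normalize $c.NameHost) -notcontains $Dc.Host) {
            $problems += "DSA GUID CNAME points to $($c.NameHost) not $($Dc.Host)"
        }
    } catch { $problems += "CNAME lookup failed: $($_.Exception.Message)" }
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if ((Normalize $srv.NameTarget) -notcontains $Dc.Host) {
            $problems += "missing from _ldap._tcp.dc._msdcs.$domain SRV set"
        }
    } catch { $problems += "SRV lookup failed: $($_.Exception.Message)" }
    [pscustomobject]@{ DnsServer = $DnsServer; DC = $Dc.Host; Problems = ($problems -join '; ') }
}

# Every DC is also a DNS server in this scenario, so each one is queried
# about each of the others (and about itself).
$report = foreach ($server in $expected.Host) {
    foreach ($dc in $expected) { Test-DnsViewOfDc -DnsServer $server -Dc $dc }
}
$bad = @($report | Where-Object { $_.Problems })
if ($bad.Count) { $bad | Format-Table -AutoSize }
else { "All $($expected.Count) DNS servers agree with AD about every DC." }
```

    Run it from any domain-joined admin workstation. A row whose DnsServer column names one DC and whose DC column names another is the island case; a row where the DC is missing from its own server's answers is the bring-up case discussed later in the thread, where the new server never received the zone.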
  6. The DC/DNS Always must point to itself in preferred DNS.

    No it doesn't. In fact in some situations it absolutely should not.
    I am really not sure where you came up with this. If you got it from
    MSFT docs, point me at them so I can get them removed/corrected.

    Pointing at another DC is not definitely a wrong configuration. It could
    be, but isn't necessarily. Depends on the DNS configuration.

    It is possible the local records are wrong. Incorrect records are worse
    than no records because incorrect records do not cause a secondary lookup.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Feb 18, 2007
  7. Jorge Silva

    Jorge Silva Guest

    Hi Joe
    First of all, let me say that the answer is based on a common
    configuration. Gonzo didn't specify any specific configuration, so I think
    it's fair to give a common DNS configuration for a common scenario.
    IMO: Yes it does; if not, why should you run DNS on that server? If you
    don't plan to take advantage of DNS, don't install it on the DC. If my DNS
    server is updated, why should I query another one when I have everything I
    need locally? Of course, when you introduce a new DC/DNS in the domain,
    during dcpromo you should use another updated DNS server in the primary DNS
    NIC configuration, but after everything is replicated you should point the
    server to itself again. There are other specific types of configuration
    where you can take advantage of querying a DNS server other than the local
    one, but again this is a common scenario, not a specific one, or maybe I
    missed something in Gonzo's post.
    LOL. I think I shouldn't even bother to respond to this one, obviously. I
    don't think so.
    According to the general/normal configuration, IMO it is. So again: if my
    DNS server is updated, why should I query another one when I have
    everything I need locally?
    Agree, you should correct that, but after the correction is made, point the
    server to itself again.

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 18, 2007
  8. Gonzo

    Gonzo Guest

    I'm totally confused now :)

    I have the 3 DCs and they all point to themselves for the alternative and
    one of the other servers for the preferred; is that not good? They are all
    in the same LAN, not WANs.
    Gonzo, Feb 18, 2007
  9. Jorge Silva

    Jorge Silva Guest

    I'm totally confused now :)
    Don't be. Unless you have specific requirements, you should point each
    DC/DNS to itself under the NIC preferred DNS. You can use the secondary DNS
    to point to another existing DNS.
    You have a normal network with a common configuration. For example: make 1
    DNS AD Integrated, allow secure updates only (better from a security
    perspective), then install the DNS service in the other 2 DCs, point the
    primary DNS server to the DC that ALREADY has DNS up and running, wait or
    force replication... After the DNS zones have been transferred to these 2
    DCs/DNS, point these 2 to themselves again in the NIC primary DNS, and use
    (if you want) the secondary DNS to point to other existing DNS servers.

    - Make sure that all clients only use their local DNS server(s). Note that
    the DNS client does not utilize each of the DNS servers listed in the TCP/IP
    configuration for each query. By default, on startup the DNS client will
    attempt to utilize the server in the Preferred DNS server entry. If this
    server fails to respond for any reason, the DNS client will switch to the
    server listed in the Alternate DNS server entry. The DNS client will
    continue to use this alternate DNS server until it fails to respond to a
    DNS query, or the ServerPriorityTimeLimit value is reached (15 minutes by
    default). For more information, here are some links to help you:
    How To Install and Configure DNS Server in Windows Server 2003
    Best practices for DNS client settings in Windows 2000 Server and in Windows
    Server 2003
    How to Verify the Creation of SRV Records for a Domain Controller
    DNS Server becomes an island when a domain controller points to itself for
    the _msdcs.ForestDnsName domain

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 18, 2007
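    The bring-up order in the post above (point the new DC at a DNS server that already has the zone, wait for the AD-integrated zone to replicate, then repoint to self with an existing server as alternate) is easy to get wrong by repointing too early. The PowerShell below is an added example, not code from the thread or from any of its participants: it gates the repoint on the new server actually holding the zone and listing itself in the DC locator SRV set. It assumes the DnsClient and DnsServer modules (Windows Server 2012 or later; on the Server 2003 of the thread the same steps are NIC properties and dnscmd), PowerShell remoting to the new DC, and the placeholder names and addresses declared at the top.

```powershell
# Added example, not from the thread: the bring-up sequence for a DC that will
# also host AD-integrated DNS. While the new DC is promoted it resolves through
# a server that already has the zone; only after the zone has replicated to
# the new server, and that server answers for its own locator records, is the
# NIC repointed to self first with the existing server as alternate.
# Assumes the DnsClient and DnsServer modules (Windows Server 2012+), remoting
# to the new DC, and the placeholder values below.

$NewDc       = 'dc3.corp.example'   # assumed FQDN of the DC being added
$NewDcIp     = '10.0.2.10'          # assumed address of its NIC
$ExistingDns = '10.0.1.10'          # assumed address of a DC/DNS that already has the zone
$ZoneName    = 'corp.example'       # assumed AD domain / zone name

# Step 1 (before dcpromo / Install-ADDSDomainController): only the existing
# server, so promotion can find a partner. The interface is chosen by the
# address it carries rather than by an alias such as "Ethernet".
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    $idx = (Get-NetIPAddress -IPAddress $using:NewDcIp -AddressFamily IPv4).InterfaceIndex
    Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $using:ExistingDns
}
# ... promote the DC and install the DNS role here (not shown) ...

# Step 2: wait until the new server holds the zone AND lists itself in the DC
# locator SRV set. Until both are true, pointing it at itself would leave it
# on an island that cannot even find a replication partner.
function Test-NewDnsReady {
    param([string]$Server, [string]$ServerIp, [string]$Zone)
    try {
        $null = Get-DnsServerZone -ComputerName $Server -Name $Zone -ErrorAction Stop
        $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $ServerIp -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
        $targets = @($srv.NameTarget | ForEach-Object { $_.ToLower().TrimEnd('.') })
        return ($targets -contains $Server.ToLower())
    } catch { return $false }
}

$deadline = (Get-Date).AddMinutes(30)
while (-not (Test-NewDnsReady -Server $NewDc -ServerIp $NewDcIp -Zone $ZoneName)) {
    if ((Get-Date) -gt $deadline) {
        throw "zone $ZoneName never replicated to $NewDc; NIC left on $ExistingDns"
    }
    Start-Sleep -Seconds 60
}

# Step 3: self first, existing server as alternate, then re-register the DC's
# own records so the new server is not relying on a copy it has never written.
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    $idx = (Get-NetIPAddress -IPAddress $using:NewDcIp -AddressFamily IPv4).InterfaceIndex
    Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses @($using:NewDcIp, $using:ExistingDns)
    Register-DnsClient                 # host A record
    Restart-Service Netlogon           # re-registers SRV and _msdcs records
    Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4
}
```

    The 30-minute deadline is generous for a single site; for a DC in a site whose link replicates every 180 minutes, as in the original question, either lengthen it or force replication first, since the loop only observes replication and does not trigger it.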
  10. Erik Cheizoo

    Erik Cheizoo Guest

    Because you want AD integrated DNS and another DC will use it.
    Because there might be situations where your DNS records are wrong or
    outdated. You might end up in a DNS deadlock situation, where replication
    does not work because of missing (or incorrect) DNS entries and DNS is
    incorrect because replication is not working.
    Besides, after the first (remote) DNS lookups, most of it will come from
    the local DNS cache, so there is not really much additional network traffic.

    Erik Cheizoo
    eXcellence & Difference - We keep your business running
    Erik Cheizoo, Feb 18, 2007
  11. Jorge Silva

    Jorge Silva Guest

    Hi Erik
    You just answered my post with answers/situations already provided by me.
    Sounds like you didn't read everything to the end.


    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 18, 2007
  12. IMO: Yes it does,

    I agree, it is your opinion. I do not agree with your opinion on this.
    There are several good reasons not to have the DC use itself for its
    primary. There are good reasons to use itself. Regardless, a DC DOES NOT
    have to point at itself for primary.
    Several reasons: DCs aren't the only machines that need to use DNS.
    However, DCs are some of the worst impacted when DNS is not functioning.

    Maybe DNS is installed just to increase the number of DNS servers to
    handle all of the clients but you still want DCs to still use a specific
    set of DNS servers. This was also a common config with WINS.

    While this may not be required in the OP's specific case, it certainly
    is an option and you shouldn't outright say it MUST be configured in a
    specific way. The OP should be fine doing it EITHER way, however if the
    OP has experienced replication issues, I would be quicker to point him
    to NOT pointing the DC at itself for DNS. I fix screwed up and
    underperforming AD deployments for a living, far more instances have
    been cases where I ran into issues due to DCs pointing at themselves
    than pointing at other DNS servers.
    This was in regards to the comment of "DCs weren't made to be rebooted"
    which is absolutely incorrect. If you read it somewhere, I need to get
    it corrected. If you came up with it on your own, you should probably
    refrain from such guesses. If you presented that comment to anyone on
    the DS team they would probably laugh quite a while.
    Again, your opinion, again I don't agree with it. Even the best practice
    documentation doesn't state it this strongly, it presents several
    options including pointing at self, pointing at another DNS server, and
    a combination strategy. None of them are listed as incorrect and none of
    them are incorrect. It depends entirely on the configuration and DESIRES
    of the administrators.

    Because it may or may not be correct. It may or may not be up to date.
    It may or may not be replicating properly. The amount of DNS queries
    from a DC are not as heavy a traffic as some people like to push as an
    issue of why they should point at themselves. Don't believe me, trace
    the calls for a month and then average that out in queries per second,
    per minute, per hour, whatever you want. If that level of queries is
    troublesome, don't deploy clients and definitely don't deploy Exchange
    because your head will snap off.
    Repointing servers in times of trouble is not something you should
    normally have to do. This comes up when you point DCs at themselves for
    DNS. If you point all DCs to a common set of DNS servers, latency and
    possibility of islanding is greatly reduced.

    Let me reiterate again... Pointing a DC at itself as the primary DNS
    server is absolutely not a MUST. It is absolutely NOT bad NOT to do it.
    In your opinion this may be the case but that doesn't make it so.

    With only three DCs, all running DNS, I would probably point the primary
    at one specific arbitrarily chosen server, secondary to another specific
    arbitrarily chosen DC, and set a third entry to the last.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Feb 18, 2007
  13. Herb Martin

    Herb Martin Guest

    Joe's right here. A DC should point to the one that is "best" in a
    particular situation.

    The classic examples where the answer is obvious are these:

    1) Remote (single) DC-DNS where pointing elsewhere would
    cause it to go across a WAN line (that theoretically might not
    even be open for DNS) would make the DNS inefficient,
    unreliable, and increase WAN traffic.

    2) Two DC-DNS servers sitting on the same subnet can safely
    point at each other as PREFERRED so as to avoid the nearly
    spurious errors caused by the service startups.

    3) A single DNS-DC (the only one in the domain or holding the
    zone) really has NO choice but to point to itself.

    4) A set of Active Directory DNS-DCs where replication has
    broken down (due to WAN outages and scavenging perhaps)
    MUST, at least temporarily, pick a favorite DNS server and
    use that ALONE until every DC gets registered, found and
    replicated (or some other method must be found to sync
    them initially -- e.g., to "prime the DNS pump" as it were.)

    There is no "always correct" answer. This is one of those things that
    depends on the LAN/WAN situation and the particular situation.
    Herb Martin, Feb 18, 2007
  14. Jorge Silva

    Jorge Silva Guest

    Hi again Joe
    It's not mandatory to do so, but a good practice. If you have problems then
    that's another situation, but the poster is asking where the DNS should
    point to (IMO: to itself). And the shutdown/restart reason stated before is
    definitely not a good reason to do so IMO.
    Agree. But Gonzo has DNS on his 3 servers, so that's why I said if you don't
    plan to use it, why install it.
    Agree, I never said anything that would suggest otherwise.
    Again, the shutdown/restart reason stated before is definitely not a good
    reason to do so IMO.
    IMO: No. There's no reason (in a common scenario) to use another DNS server
    when you have everything locally; by doing so IMO you're wasting server
    resources and network traffic just for fun (bad configuration).
    The poster didn't state anything about replication issues or anything like
    that; if he had, it would be a different story.
    BTW: And if the server that he was pointing to had missing DNS records or
    bad DNS replication... The story would be the same, it doesn't matter; if
    there's no specific scenario IMO the DNS should always point to itself,
    otherwise it's just a waste of resources.
    Note: I never said that DCs never reboot, but the purpose should be that.
    If the DS team laughs quite a while, they are laughing at themselves, and
    at the mess that they make in the systems they develop and provide. IMO a
    STABLE system SHOULD be set to never be rebooted. Of course, unfortunately
    that's not the case, so they can continue to laugh at their own products.
    Again, in this scenario, I don't think of any reason to do otherwise. You
    don't win anything at all, you just lose. (in this scenario of course).


    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 19, 2007
  15. Jorge Silva

    Jorge Silva Guest

    Hi Herb
    This isn't a particular situation....
    This is about 3 DCs with DNS installed in the same LAN. Couldn't be simpler.


    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 19, 2007
  16. What people are saying is there's no real correct way of doing this.
    There's several ways of doing it that come down to preference/ design. You
    have to pick what's right for you. It is generally recommended that you
    point to self and another, as this minimises network traffic. Joe clearly
    stated that the amount of traffic isn't as high as people often believe, and
    you should believe him as he's been unfortunate enough to have sat in front
    of perfmon and netmon traces for literally days looking at this stuff.

    I generally don't see any issues with pointing to self. I feel that as long
    as you're aware of the initial sync requirements/ issues and know about the
    island problem, then this is fine. If you're really funny about your event
    logs, or long startup delays you may choose to point to each other. It
    really doesn't matter and you're hard pressed to come up with a winning
    argument for one argument over the other. Just like FSMO placement ;-)

    Consider either of the following for the hub site.

    Adjacent DC (random)


    Adjacent DC (random)

    For the WAN site point to self and then hub site. You generally don't want
    to go over the WAN when you've got a local copy of the database.

    So, summarised, you'll have a combination of both in most cases as I don't
    know many people who'll prefer to go over the WAN instead of locally, unless
    they're old WINS people whereby this was recommended as shed loads of WINS
    replication partners was a big no-no.
    Paul Williams [MVP], Feb 19, 2007
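    The hub/WAN split in the post above (hub-site DCs point at an adjacent DC and at self in either order; a WAN-site DC points at itself first and then at the hub, so it never crosses the WAN while it has a local copy) can be computed from site membership instead of being typed by hand on each DC. The PowerShell below is an added example, not code from the thread or from any of its participants: it derives the server list per DC and, with -Apply, pushes it to the interface that carries that DC's address; without -Apply it only prints the plan. It assumes the ActiveDirectory and DnsClient modules (RSAT, Windows Server 2012 or later; the thread predates them), remoting to each DC, that every DC runs DNS, and that -HubSite names the hub site (the default is a placeholder).

```powershell
# Added example, not from the thread: compute and optionally apply a
# site-aware DNS client order for every DC. Hub-site DCs get an adjacent
# same-site DC as preferred with self as alternate (or self first with
# -SelfFirstInHub); a DC in any other site gets itself first, other DCs in
# its own site next, and hub-site DCs last. Assumes the ActiveDirectory and
# DnsClient modules, remoting to each DC, every DC running DNS, and that
# -HubSite is the hub site's name (placeholder default).

param(
    [string]$HubSite = 'Default-First-Site-Name',   # assumed hub site name
    [switch]$SelfFirstInHub,
    [switch]$Apply                                  # default is a dry run
)
Import-Module ActiveDirectory
Import-Module DnsClient

function Get-DcDnsOrder {
    param($Dc, $AllDcs, [string]$Hub, [switch]$SelfFirst)
    $self = $Dc.IPv4Address
    # Same-site peers and hub DCs, each shuffled so a site's DCs do not all
    # pile onto the same preferred server.
    $peers = @($AllDcs | Where-Object { $_.Site -eq $Dc.Site -and $_.HostName -ne $Dc.HostName } |
               Sort-Object { Get-Random } | ForEach-Object { $_.IPv4Address })
    $hub   = @($AllDcs | Where-Object { $_.Site -eq $Hub -and $_.HostName -ne $Dc.HostName } |
               Sort-Object { Get-Random } | ForEach-Object { $_.IPv4Address })
    if ($Dc.Site -eq $Hub) {
        if ($SelfFirst -or $peers.Count -eq 0) {
            $order = @($self) + $peers
        } else {
            $rest  = if ($peers.Count -gt 1) { $peers[1..($peers.Count - 1)] } else { @() }
            $order = @($peers[0], $self) + $rest
        }
    } else {
        # WAN site: the local copy first; the hub only as a fallback.
        $order = @($self) + $peers + $hub
    }
    # Drop empties and duplicates but keep the order: the Windows DNS client
    # walks this list top-down and sticks to whichever server last answered.
    @($order | Where-Object { $_ } | Select-Object -Unique)
}

$dcs = @(Get-ADDomainController -Filter *)
foreach ($dc in $dcs) {
    $order = Get-DcDnsOrder -Dc $dc -AllDcs $dcs -Hub $HubSite -SelfFirst:$SelfFirstInHub
    '{0,-28} {1,-24} {2}' -f $dc.HostName, $dc.Site, ($order -join ' > ')
    if ($Apply) {
        $ip = $dc.IPv4Address
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            # Pick the interface by the DC's own address, not by an alias.
            $idx = (Get-NetIPAddress -IPAddress $using:ip -AddressFamily IPv4).InterfaceIndex
            Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $using:order
            Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4
        }
    }
}
```

    For the original poster's three DCs in one site this reduces to each DC listing one of the others first and itself second (or the reverse with -SelfFirstInHub), which is the same pair of options the thread argues over; the script only makes the choice consistent and repeatable.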
  17. IMO: No. There's no reason (in common scenario) to use other
    We are going in circles here, but no, this is not a bad configuration.
    It is just something you apparently don't like.

    Since it isn't bad to do so, any reason to do so is fine if that is what
    the Admin decides.
    It wasn't a topic at all, you can't assume it is fine or not. My stating
    that replication issues is A reason to do it, not the only reason to do
    it is just that, giving but a single reason why someone would definitely
    want to lean that way. Again, there are far more issues associated with
    pointing a DC at itself for primary DNS than pointing at something else.
    It tends to work fine much of the time, but that isn't a reason to say
    that is the best or only way to do it which you seem adamant in doing.

    Yes this is your opinion, and again, I absolutely do not agree with it.
    DCs should sometimes point at themselves for primary, sometimes point at
    other DNS servers for primary. It depends.
    Why? Reboots are not inherently bad. In the last 11 or so years I have
    run Windows servers that reboot weekly due to corporate policy and
    others on protected secure networks that rebooted once per year during
    required data center shutdowns. I have worked on UNIX boxes with the
    same rules. In fact, one very large multinational I know actually
    rebooted UNIX servers more often than Windows Servers because the UNIX
    support management made the decisions separate from the Windows support
    management. No reboots might be a goal for some but again, there is
    nothing inherently bad in a reboot.

    Domain Controllers and the domain structure is specifically designed to
    be as non-intrusive during reboots as possible. This is why there is
    such an intense domain resource location capability and clients have
    such great failover capability. Machines going down is a fact of life
    until such a time that they can supply their own power and guarantee
    connectivity beyond anything else can impact. Failure to plan for
    that is very shortsighted.

    Every design or environment I work on I always think in the direction of
    how do things work if a given DC is unavailable for whatever reason up
    to and including having to reboot hourly for some issue. This enforces
    the idea of building for transparent fail-over which is something you
    really want to do.

    Regardless, this has little to do with a company with three DCs other
    than the fact that it is even more unlikely that such a small company
    will have protected datacenters and redundant power generators to
    maintain a server through external issues so reboots are fact of life.

    This is a shortsighted and uninformed comment. Any system now running,
    will be rebooted. I don't care what OS or RTS it is running. Failure to
    plan for and design for that is silly - even in the mainframe world
    which truly are the most stable machines out there and I built systems
    like that as well and interestingly that is where serious clustering
    started getting built which is an acknowledgment that systems do indeed
    reboot and become unavailable.

    Believing that good systems won't be rebooted is even more silly. What
    the DS team has put together is one of the more fault tolerant
    environments available for authentication/authorization. As an example,
    when the NE portion of the United States had its power failure, my
    group, the AD Admins, was the only group not scrambling trying to get
    resources working. Everyone who could get on the network could log on to
    the North America domains even though 80% of the DCs of one NA domain
    and 60% of the DCs of the other NA domain were without power. These
    machines being down was no fault of the machines, completely external.
    But since no one involved believed that a DC should never be rebooted,
    the design accounted for that and everything worked.


    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Feb 19, 2007
  18. Jorge Silva

    Jorge Silva Guest

    Hi Paul
    Yes, I understand what people are trying to say. But I also like to debate
    with Joe, and because I don't know him personally, from time to time I try
    to have a longer debate with him to check his position on certain subjects.
    (I also know that he also likes debate.) If I'm annoying him, he can send
    me to hell... and I won't bother him anymore. Sometimes I feel that we must
    say no to Joe to see more behind his head.
    Jorge Silva, Feb 19, 2007
  19. Jorge Silva

    Jorge Silva Guest

    Hi Joe
    It isn't about liking or disliking. It's about taking the maximum advantage
    of your resources, especially if they're limited.

    I also do external support for different companies, and let me tell you
    that using MS DNS, in my experience, using that type of config gave me more
    trouble than the opposite. If your experience tells you otherwise, that's
    ok by me.

    I don't think so but... Ok.

    Ok. So according to you the best is to point to another existing DNS.
    That's fine, your opinion; strange that I never saw anyone recommend that
    specific

    My opinion? I'm lost. Don't you agree that any DNS could be corrupted or
    not have all the necessary records to perform its job?
    That's why I stated that even if you point to another existing DNS, you
    only have to lose with that, because that DNS could also "suffer" from
    missing records, and again it is a waste of resources.

    Yes, I also work with some companies that do the same thing. IMO a stable
    system should never be rebooted for any reason. I'm sorry that you don't
    feel that way too.

    Correct. But if we didn't need reboots....

    If you're saying that the client would have to buy more hardware and waste
    more money, I agree. ;)



    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    Jorge Silva, Feb 19, 2007
  20. Gonzo

    Gonzo Guest

    Everybody thanks for the help, I decided to point the DC's to themselves
    first and another DC's for the alternative. DCdiag, replmon are happy and
    so is my MOM 2005 server with the AD MP. Boot ups at the logon screen are
    very slow, but I hope to never really reboot them.

    I'm using AD integrated DNS in secure mode and I forward unresolved queries
    to our ISP's DNS - I'm not sure of the proper name for this - unconditional
    forwarding? Also I'm not sure why we would use root hints, I've read up a
    little and it makes no sense to me...

    Also I have not created a reverse DNS zone, should I?

    All seems to work, feel free to recommend anything :)
    Gonzo, Feb 19, 2007
