
This is a Canonical Question about Active Directory DNS Settings.


Assuming an environment with multiple domain controllers (assume that they all run DNS as well):

  • In what order should the DNS servers be listed in the network adapters for each domain controller?
  • Should 127.0.0.1 be used as the primary DNS server for each domain controller?
  • Does it make any difference? If so, which versions are affected and how?
MDMarra

3 Answers


According to this link and the Windows Server 2008 R2 Best Practices Analyzer, the loopback address should be in the list, but never as the primary DNS server. In certain situations like a topology change, this could break replication and cause a server to be "on an island" as far as replication is concerned.

Say that you have two servers: DC01 (10.1.1.1) and DC02 (10.1.1.2) that are both domain controllers in the same domain and both hold copies of the ADI zones for that domain. They should be configured as follows:

DC01
Primary DNS   10.1.1.2
Secondary DNS 127.0.0.1

DC02
Primary DNS   10.1.1.1
Secondary DNS 127.0.0.1
Michael Hampton
MDMarra
  • What about an environment with a DC and a DNS server with an ADI zone? Should the DC still be configured as primary to the secondary? – George Jan 29 '13 at 22:57
  • @George I don't follow what you're asking. Are you asking about an environment with only one domain controller? – MDMarra Jan 29 '13 at 23:03
  • Yes, that's correct. Sorry, I thought about adding this but thought it might bulk out the question. (Also - for the record I know that a single DC environment isn't an "ideal config") – George Jan 29 '13 at 23:34
  • In a single DC environment, you should just have the DC use itself with nothing as the secondary. This is to reduce replication problems, but if you only have one DC then there's no replication. But, yeah...don't do that. Have two DCs. – MDMarra Jan 29 '13 at 23:41
  • Yeah. Not got a "great" environment at the moment, as it were. But as you may have seen from my other question that you answered, expansion is on the way so, new AD domains and time to do things properly *evil laugh*. Thanks. – George Jan 29 '13 at 23:42
  • @MDMarra What about the case where there is only one DC (with DNS) at a small, remote site, but the domain has quite a few other DCs around the world at other sites? (Needless to say, they all replicate between themselves.) Surely you shouldn't set the primary DNS of this single remote DC to a distant DC in another country. I would assume that it should use itself as the primary DNS, but would the secondary DNS be loopback or a remote, distant DNS? – Dono Apr 25 '19 at 03:21
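A PowerShell audit of the rule in this answer (loopback may be in the list but never first, and the primary entry should be another DC, with the single-DC exception from the comments). This is an added example, not code from the answer or from Microsoft; it assumes the RSAT ActiveDirectory module on the admin host, PowerShell remoting to each DC, and Windows Server 2012 or later on the DCs so that Get-DnsClientServerAddress is available.

```powershell
# Audit the DNS client search order on every DC in the current domain.
# Assumptions: RSAT ActiveDirectory module, remoting enabled to each DC,
# Get-DnsClientServerAddress present on the DCs (Server 2012+).
Import-Module ActiveDirectory

$dcs   = @(Get-ADDomainController -Filter *)
$dcIPs = $dcs | ForEach-Object { $_.IPv4Address }

foreach ($dc in $dcs) {
    # Gather the IPv4 DNS servers of every interface that has any configured,
    # in the order the resolver will try them.
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            ForEach-Object { $_.ServerAddresses }
    })

    $findings = @()
    if ($servers.Count -eq 0) {
        $findings += 'no DNS servers configured'
    } else {
        $primary = $servers[0]
        $pointsToSelf = ($primary -eq '127.0.0.1') -or ($primary -eq $dc.IPv4Address)
        # A lone DC legitimately points at itself; otherwise primary must be a peer DC.
        if ($pointsToSelf -and $dcs.Count -gt 1) {
            $findings += "primary DNS points to itself ($primary)"
        } elseif (-not $pointsToSelf -and $dcIPs -notcontains $primary) {
            $findings += "primary DNS $primary is not a domain controller in this domain"
        }
        # The BPA still wants the DC's own copy of the zone reachable as a fallback.
        if ($servers -notcontains '127.0.0.1' -and $servers -notcontains $dc.IPv4Address) {
            $findings += 'loopback/own address missing from the list'
        }
    }

    $status = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
    [pscustomobject]@{
        DC         = $dc.HostName
        DnsServers = ($servers -join ', ')
        Status     = $status
    }
}
```

Run it from a domain-joined admin workstation; any row whose Status is not OK is a DC that the Best Practices Analyzer would also flag.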

From http://technet.microsoft.com/en-us/library/ff807362%28v=ws.10%29.aspx

If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself, or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

I also want to share this snippet from the book Windows Server 2008 R2 Unleashed:

[image: book excerpt, not captured]

However, even if you are never affected by the "island" problem, your DC will still reboot much faster and with fewer errors if it uses another already up and running DC as its primary DNS resolver.

Ryan Ries
  • Woah, the island problem is fixed? MS documentation for 2008 R2 used to reference it and now it has magically disappeared (I had block quoted it in a document for a client so I know I'm not crazy!) – MDMarra Jul 25 '13 at 14:57
  • Well, I would say that they mitigated it mostly, but as this article shows, it still seems possible to get yourself into a bad spot if you have some very particular circumstances: http://support.microsoft.com/kb/2001093 So at the end of the day, you will *probably* be fine with 127.0.0.1 as primary DNS on your modern DCs in a multi-DC domain. I have personally seen very large domains that were operating cleanly even though they had all their DCs set up with 127.0.0.1 as primary DNS. But it's still not best practice. Just do what your BPA says, folks. ;) – Ryan Ries Jul 25 '13 at 15:27

Never, ever have a DC use itself as Primary DNS.

All sorts of havoc can (and Murphy dictates: will) happen if the AD services come online before the DNS service is live after a reboot. (Or DNS crashes, gets DOSsed, whatever.)
There is also interaction between DHCP (with dynamic DNS updates) and DNS, which depends heavily upon DNS working properly.

Always put 127.0.0.1 last. Also: don't be tempted to use the real LAN IP address of the server either.
Dynamic DNS updates from DHCP are very sensitive to this.
(127.0.0.1 always exists and can be accessed faster. The real IP address might not always be available or might be busy. In some scenarios the dynamic DNS updates can actually DOS the LAN adapter if there is a high number of simultaneous DHCP requests combined with sub-par NICs/drivers.)

Tonny
  • While you're right about pretty much everything and there are a million reasons to have more than one DC, this isn't one of them. This configuration prevents replication problems. If you don't have the need to replicate, you don't need to worry about preventing replication problems. – MDMarra Jun 03 '12 at 00:08
  • @MDMarra: You are right about replication/DNS interaction... But the original question was a general question and not replication specific. I was more thinking about DHCP-DNS issues. Usually at least one of the DC's also provides DHCP with dynamic DNS updates. All sorts of weirdness may occur if DNS is not properly configured. I will update my answer to clarify that. – Tonny Jun 04 '12 at 08:56
  • It's actually a security issue if DHCP is deployed on a DC. If it's at all possible, it shouldn't be. – MDMarra Jun 04 '12 at 10:05
  • "Always put 127.0.0.1 last" Can you elaborate more on the reasons behind this? – Bigbio2002 Jun 04 '12 at 23:35