
I have a setup with only one Active Directory (not redundant). What should be configured on the client PCs to ensure the best DNS resolution? Currently somebody configured the IP address of the AD as primary DNS and a public DNS as secondary (not the Google one but the DNS of the provider).

Although it seems to run fine in most use cases, I don't think it's good practice and I have already seen 2 problems:

1) One time a GPO was not applied on a PC. Probably the PC tried to resolve an SRV record and, for whatever reason, the DNS request was sent to the secondary DNS server. The secondary DNS server is of course not able to answer. I have no proof that this was the issue, but I suspect it. The clients are Windows 7 and the server is Windows Server 2012.

2) Another time, a user created a ticket because he was not able to log in to a LAN application (Terminal Server). The error message was related to a DNS resolution error. nslookup and ping did resolve the name correctly. After an ipconfig /flushdns, the user was able to connect to the Terminal Server. Conclusion: the cause of the problem was probably a negative DNS answer which had been cached on the PC.

Only filling in one primary DNS has a major drawback: if there is an issue with the AD, the users are totally blocked; they cannot surf the internet, access emails, ...

A solution which has been implemented for another group of users is to deploy a small DNS server (dnsmasq) with some rules to forward the AD domain only to the AD server and the rest (public DNS) to the AD plus others as secondary. With that setup, the users can continue to surf in case of an issue with the AD, and all the AD (local) queries are only sent to the AD DNS server.

On the AD server itself, what is the best practice? By default, Windows Server configures its primary DNS as 127.0.0.1. Can we set up a secondary (public / ISP DNS)?

So I'm looking for the best practices and I hope to read your feedback, because I'm probably not the only one in this situation. Duplicating the AD would of course be better, but it has a cost that not every client is willing to pay.

user221027
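The split-forwarding dnsmasq setup the question describes, written out as an added example (not a configuration from the original post). The names and addresses are placeholders: corp.example stands for the AD domain, 10.0.0.10 for the domain controller's DNS and 203.0.113.53/54 for the ISP resolvers.

```conf
# dnsmasq.conf: client-side split forwarder (constructed example, placeholder addresses).
# Assumed: AD domain corp.example, DC/DNS at 10.0.0.10, ISP resolvers at 203.0.113.53/54.

# Ignore /etc/resolv.conf; only the upstream servers listed here are used.
no-resolv

# Query upstreams in the order listed rather than the fastest responder,
# so the DC is asked first even for non-AD names.
strict-order

# Anything in the AD domain, including the _msdcs SRV records that domain logon
# and group policy depend on, goes to the DC only; the ISP resolver is never asked.
server=/corp.example/10.0.0.10
# Reverse lookups for the LAN range (10.0.0.0/16) also stay with the DC.
server=/0.10.in-addr.arpa/10.0.0.10

# Everything else: DC first (it forwards to the ISP itself), ISP resolvers as fallback
# so users keep internet resolution if the DC is down.
server=10.0.0.10
server=203.0.113.53
server=203.0.113.54

# Do not cache NXDOMAIN at the forwarder, so a stray negative answer from the
# fallback resolver cannot poison later lookups of a LAN name.
no-negcache

# Only answer clients on the LAN interface.
interface=eth0
bind-interfaces
```

Clients then get only the dnsmasq host's address as their DNS server; the Windows client-side resolver cache is separate from dnsmasq's, so a negative answer already cached on a PC still needs ipconfig /flushdns.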

2 Answers


There's only one best practice solution here: you need an additional Domain Controller with the Active Directory DNS service installed. You should then configure a forwarder within DNS to use whatever your preferred provider is.

You then have full redundancy for Active Directory and DNS.

You should then configure your clients (through DHCP, ideally) to use one as the primary and one as the secondary.

Dan

Right.
As I see it, you have a few options:

  1. Leave all client machines with the DC as the primary DNS, leave the secondary empty, but set up DNS forwarding within the DNS server to use your public DNS server (ISP/Google/etc.). This will give you local resolution and internet resolution. You have to remember that if the DNS server doesn't respond within around 2 seconds it will try another source, which you have set as your secondary; that will in turn affect local resolution. If your DC isn't up to the job, address that; don't sticky-plaster the situation unless you are prepared to hack a fix in.
  2. I don't like this, but it is an option: you can edit the local hosts file of ALL machines on the network, giving them entries for all of your local devices. Then you can leave your primary as the DC and the secondary as an external source. You must remember to update any IP addresses in the hosts file as and when they change. This will give you local resolution at all times, but at a high administration time cost.
  3. Get another DC, or a hypervisor to run multiple DCs. If your local DNS is failing to respond then you have a bigger issue you must resolve there. AD DS relies on DNS; no local DNS = issues. Just investigate the cause of DNS resolution failures and go from there.
0x0000001E
  • Best practice, by the way, is for the DNS server to point to itself (either loopback address or physical address) and then the secondary, etc. should be any other local DNS servers. The only place you should specify an external DNS source is in the DNS forwarding configuration of the DNS server itself. – 0x0000001E Apr 15 '15 at 10:37
  • Actually, best practice is the exact opposite: http://serverfault.com/questions/394804/what-should-the-order-of-dns-servers-be-for-an-ad-domain-controller-and-why – Dan Apr 15 '15 at 10:54
  • You should never have AD clients use non-AD DNS servers in their search list. – MDMarra Apr 15 '15 at 11:38