Best practices for DNS settings on DC and domain members.

Information:
The following explains the best practices for DNS client settings on a domain controller and on domain members.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, it is recommended that you configure the domain controller’s DNS client settings according to these specifications:

IP configuration on domain controller:

  • In a single DC/DNS domain environment, the DC/DNS server points to its own private IP address (not to the loopback 127.x.x.x) as the preferred DNS server in its TCP/IP properties.
  • If multiple DCs that are DNS servers are in the domain, the recommendation is to have each DC point to ANOTHER/REMOTE DC’s IP address as preferred DNS and to its own private IP address as alternate DNS.
  • Each DC has just one IP address and only one network adapter enabled (disable unused NICs).
  • IPv6 should not be disabled on the DC’s NIC. Set it to “Obtain an IPv6 address automatically” and “Obtain DNS server address automatically”.
  • If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is at the top of the NIC binding order.
  • Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of a DC.

How to set/view the NIC bind order in Windows
http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
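To check a DC against the rules above, the following PowerShell audit is an added example and is not from the original post. It assumes the ActiveDirectory, NetAdapter and DnsClient modules are available on the DC, and treats the IPv4 addresses returned by Get-ADDomainController as the full list of internal DNS servers.

```powershell
# Added example (not from the original post): audit a DC's IPv4 DNS client
# settings against the recommendations above. Assumes the ActiveDirectory,
# NetAdapter and DnsClient modules are present (Windows Server 2012+ / RSAT).
function Test-DcDnsClientConfig {
    param(
        [string[]]$ConfiguredDns,   # preferred first, then alternates
        [string]$OwnIp,             # this DC's private IPv4 address
        [string[]]$AllDcIps         # IPv4 addresses of every DC/DNS server in the domain
    )
    $findings = @()
    if (-not $ConfiguredDns) { return @('No DNS servers configured on this NIC') }
    foreach ($ip in $ConfiguredDns) {
        if ($ip -like '127.*') {
            $findings += "Loopback $ip used; point to the DC's private IP instead"
        } elseif ($AllDcIps -notcontains $ip) {
            $findings += "$ip is not a domain DC/DNS server; public DNS belongs in forwarders, not here"
        }
    }
    $remoteDcs = @($AllDcIps | Where-Object { $_ -ne $OwnIp })
    if ($remoteDcs.Count -gt 0) {
        if ($ConfiguredDns[0] -eq $OwnIp) { $findings += 'Multiple DCs exist: preferred DNS should be a remote DC, own IP as alternate' }
        if ($ConfiguredDns -notcontains $OwnIp) { $findings += 'Own private IP missing from the list; add it as alternate DNS' }
    } elseif ($ConfiguredDns[0] -ne $OwnIp) {
        $findings += 'Single DC: preferred DNS should be its own private IP'
    }
    return $findings
}

# Collect live data on the DC being audited.
$dcIps    = @((Get-ADDomainController -Filter *).IPv4Address)
$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($adapters.Count -ne 1) {
    Write-Warning "$($adapters.Count) enabled NICs found; a DC should have exactly one (see the multihoming note)"
}
foreach ($nic in $adapters) {
    $own = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
            Where-Object PrefixOrigin -ne 'WellKnown').IPAddress | Select-Object -First 1
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    $result = Test-DcDnsClientConfig -ConfiguredDns $dns -OwnIp $own -AllDcIps $dcIps
    if ($result) { $result | ForEach-Object { Write-Output "[$($nic.Name)] $_" } }
    else { Write-Output "[$($nic.Name)] DNS client settings follow the recommendations" }
}
```

Run it from an elevated PowerShell session on each DC; every line it prints is one deviation from the checklist above, so an empty report means the NIC is configured as recommended.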

IP configuration on domain member:

  • Each workstation/member server should point to the local DNS server as preferred DNS and to remote DNS servers as alternate DNS servers in its TCP/IP properties.
  • Do not set a public DNS server in the TCP/IP settings of a domain member.

Once you are done with the above, run “ipconfig /flushdns & ipconfig /registerdns”, then restart the DNS Server and Netlogon services on each DC.

Quick note: a MULTIHOMED domain controller is not recommended; it always results in multiple problems.

  • Being a VPN Server and even simply running RRAS makes it multi-homed.
  • Domain controllers holding the PDC role are automatically the Domain Master Browser. Master Browsers should not be multi-homed.

Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Reference: http://support.microsoft.com/kb/825036

Categories: Active Directory
  1. Greg
    November 18, 2012 at 12:13 AM | #1

    “If multiple DC that’s the DNS servers are in environment, recommendation to have all DCs point to ANOTHER/REMOTE DC’s IP address as preferred DNS and then point to it’s private IP address as an alternate DNS.”

    Microsoft appears to recommend differently based on the following link:
    http://technet.microsoft.com/en-us/library/ff807362%28v=ws.10%29.aspx

    What difference does it make between the two?

    • January 23, 2013 at 6:24 PM | #2

      Hi,

      AD and DNS (AD integrated) are both dependent on each other: when a DC starts, the DNS server is unable to open Active Directory, as it is configured to use directory service information and cannot operate without access to the directory. The DNS server will wait for the directory to start.

      If multiple or more than one DC/DNS servers are available in domain, you can set the DNS pointing to each other’s IP address as preferred DNS and its own private IP address as an alternate DNS in NIC to avoid the DNS race condition.

      Thanks.

  2. November 29, 2012 at 7:33 PM | #3

    Thanks for the post, linked on my blog. mplifetime.blogspot.com

  4. Hans
    January 15, 2013 at 7:17 PM | #5

    Hi,
    Under IPv6 settings (Advanced TCP/IP Settings), do I need to specify DNS server addresses? E.g. ::1?

    Thanks

    • January 23, 2013 at 6:17 PM | #6

      Hi,

      Do not set any IP (::1 etc..) in “Advanced TCP/IP Settings” under IPv6 settings.

      You just need to set “obtain IPv6 address automatically” and “obtain DNS server address automatically” in IPv6 property.

      Thanks.

  5. January 31, 2013 at 9:22 PM | #7

    Why do you recommend not disabling ipv6 on a domain controller?

  6. February 1, 2013 at 11:20 AM | #9

    What about best practices for DNS settings on multi-tree AD forest domain controllers?
    Should DC of one tree use DNS from another tree or not?

    • May 6, 2013 at 10:34 AM | #10

      Instead of having the DC of one tree use DNS from another tree, set the configuration within the domain.

  8. Zack
    April 26, 2013 at 7:14 AM | #12

    So what is the logic behind using the private IP rather than the loopback? I would think the loopback would be better because it will always be correct no matter what the local network adapter’s IP is or changes to.
