Best practices for DNS settings on DC and domain members.

Information:
The following explains the best practices for DNS client settings on a domain controller and on a domain member.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, it is recommended that you configure the domain controller’s DNS client settings according to these specifications:

IP configuration on domain controller:

  • In a domain with a single DC/DNS server, the DC/DNS server points to its own private IP address (not to the loopback address 127.x.x.x) as the preferred DNS server in its TCP/IP properties.
  • If multiple DCs that are also DNS servers exist in the domain, the recommendation is to have every DC point to ANOTHER/REMOTE DC’s IP address as the preferred DNS server and to its own private IP address as the alternate DNS server.
  • Each DC has just one IP address and only one enabled network adapter (disable unused NICs).
  • IPv6 should not be disabled on the DC’s NIC. Set it to “obtain IPv6 address automatically” and “obtain DNS server address automatically”.
  • If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is at the top of the NIC binding order.
  • Contact your ISP, obtain valid DNS server IPs from them and add them to the forwarders on the DNS server. Do not set public DNS servers in the TCP/IP settings of a DC.

How to set/view the NIC bind order in Windows
http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

IP configuration on domain member:

  • Each workstation/member server should point to a local DNS server as the preferred DNS server and to remote DNS servers as alternate DNS servers in its TCP/IP properties.
  • Do not set public DNS servers in the TCP/IP settings of a domain member.

Once you are done with the above, run “ipconfig /flushdns & ipconfig /registerdns”, then restart the DNS Server and NETLOGON services on each DC.
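The following PowerShell function is an added example, not part of the original post, that audits a server against the checklist above (DC and domain member) without changing anything. It uses the standard NetAdapter, NetTCPIP and DnsClient cmdlets plus, on a DC, Get-ADDomainController and Get-DnsServerForwarder; the function name, the -Role parameter and the RFC 1918 private-range test are this example’s own assumptions.

```powershell
# Added example (not from the original post): read-only audit of DNS client settings
# against the checklist above. Run in an elevated PowerShell on the server being checked.
# Assumes the NetAdapter/NetTCPIP/DnsClient modules and, for a DC, the ActiveDirectory
# and DnsServer modules are available. Function name and -Role are this example's own.
function Test-DnsClientBestPractice {
    [CmdletBinding()]
    param(
        [ValidateSet('DomainController', 'Member')]
        [string]$Role = 'Member'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # RFC 1918 test (assumption: "private" means 10/8, 172.16/12, 192.168/16); anything
    # else in the NIC's DNS list is treated as a public resolver that belongs in forwarders.
    function Test-PrivateIPv4([string]$ip) {
        $b = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
        return (($b[0] -eq 10) -or
                ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                ($b[0] -eq 192 -and $b[1] -eq 168))
    }

    # A DC should have exactly one enabled adapter (otherwise it is multihomed).
    $up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    if ($Role -eq 'DomainController' -and $up.Count -ne 1) {
        $findings.Add("DC has $($up.Count) enabled adapters; expected exactly one (multihomed DC).")
    }

    foreach ($nic in $up) {
        $idx = $nic.InterfaceIndex
        # Own IPv4 addresses, excluding link-local/well-known ones.
        $ownV4 = @(Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 |
                   Where-Object PrefixOrigin -ne 'WellKnown' | Select-Object -ExpandProperty IPAddress)
        if ($Role -eq 'DomainController' -and $ownV4.Count -ne 1) {
            $findings.Add("$($nic.Name): DC should have exactly one IPv4 address, found $($ownV4.Count).")
        }

        $v4dns = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses)
        if ($v4dns.Count -eq 0) {
            $findings.Add("$($nic.Name): no IPv4 DNS servers configured.")
            continue
        }
        foreach ($s in $v4dns) {
            if ($s -like '127.*') {
                $findings.Add("$($nic.Name): loopback $s used as DNS server; use the NIC's private IP instead.")
            } elseif (-not (Test-PrivateIPv4 $s)) {
                $findings.Add("$($nic.Name): public DNS server $s in TCP/IP settings; move it to the DNS server forwarders.")
            }
        }

        if ($Role -eq 'DomainController') {
            # With other DCs present, the preferred entry should be a remote DC and the own
            # address the alternate; in a single-DC domain the own private IP is preferred.
            $otherDCs = @(Get-ADDomainController -Filter * |
                          Where-Object { $_.IPv4Address -notin $ownV4 } | Select-Object -ExpandProperty IPv4Address)
            if ($otherDCs.Count -gt 0) {
                if ($v4dns[0] -in $ownV4) {
                    $findings.Add("$($nic.Name): preferred DNS is this DC's own address; point it at a remote DC and list $($v4dns[0]) as alternate.")
                }
                if (-not ($v4dns | Where-Object { $_ -in $ownV4 })) {
                    $findings.Add("$($nic.Name): own private IP missing from the DNS server list (should be the alternate).")
                }
            } elseif ($v4dns[0] -notin $ownV4) {
                $findings.Add("$($nic.Name): single-DC domain, preferred DNS should be this DC's private IP $($ownV4 -join ',').")
            }

            # IPv6 stays bound, with no static IPv6 DNS servers (e.g. ::1) configured.
            $v6binding = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
            if (-not $v6binding.Enabled) {
                $findings.Add("$($nic.Name): IPv6 is unbound on the DC's adapter; re-enable it.")
            } else {
                $v6dns = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv6).ServerAddresses)
                if ($v6dns.Count -gt 0) {
                    $findings.Add("$($nic.Name): static IPv6 DNS servers set ($($v6dns -join ',')); leave IPv6 DNS on automatic.")
                }
            }
        }
    }

    if ($Role -eq 'DomainController') {
        # ISP/public resolvers belong in the DNS Server forwarders, not in the NIC settings.
        $fwd = @(Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress)
        if ($fwd.Count -eq 0) {
            $findings.Add("No DNS forwarders configured; add the ISP's resolver addresses as forwarders.")
        }
    }

    if ($findings.Count -eq 0) { 'OK: DNS client settings match the recommended configuration.' }
    else { $findings }
}

Test-DnsClientBestPractice -Role DomainController
```

Run it on each DC with -Role DomainController and on workstations or member servers with -Role Member; once every finding is cleared, finish with the flush/register and service restarts described above.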

Quick note: a MULTIHOMED domain controller is not recommended; it always results in multiple problems.

  • Being a VPN Server and even simply running RRAS makes it multi-homed.
  • Domain Controllers holding the PDC role are automatically the Domain Master Browser. Master Browsers should not be multi-homed.

Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Reference: http://support.microsoft.com/kb/825036

19 thoughts on “Best practices for DNS settings on DC and domain members.”

    1. abhijitw Post author

      Hi,

      AD and DNS (AD-integrated) are both dependent on each other: when the DC starts, the DNS server is unable to open Active Directory, as it is configured to use directory service information and cannot operate without access to the directory. The DNS server will wait for the directory to start.

      If multiple DC/DNS servers are available in the domain, you can set the DNS on each NIC to point to the other DC’s IP address as the preferred DNS server and to its own private IP address as the alternate DNS server, to avoid the DNS race condition.

      Thanks.

  1. linux

    We are a group of volunteers and are starting a brand new scheme in our community. Your site provided us with useful info to work on. You have performed an impressive process and our whole community might be grateful to you.
  2. Hans

    Hi,
    Under IPv6 settings (Advanced TCP/IP Settings), do I need to specify DNS server addresses, e.g. ::1?

    Thanks

    1. abhijitw Post author

      Hi,

      Do not set any IP (::1 etc..) in “Advanced TCP/IP Settings” under IPv6 settings.

      You just need to set “obtain IPv6 address automatically” and “obtain DNS server address automatically” in IPv6 property.

      Thanks.


  4. Zack

    So what is the logic behind using the private IP rather than the loopback? I would think the loopback would be better because it will always be correct no matter what the local network adapter’s IP is or changes to.

  5. Eloise

    I have learned a few excellent things here. Certainly worth bookmarking for revisiting. I am surprised how much effort you put into creating this sort of magnificent, informative web site.

  7. Madonna

    Keep up the good work. I read a few articles on this web site and I believe that your website is really interesting and has got lots of great info.