
Five tips to prevent DNS issues on Windows systems

DNS is one of the most sensitive areas of IT and is where many configuration issues originate. IT pro Rick Vanover shares a few more tips to prevent issues with DNS for Windows systems.
I love DNS, but hate it when things go wrong. So, I’ve taken a few steps to reduce how often it goes wrong. In my tip last year, I enumerated a few things that may be oversights in DNS configuration. That tip had a lot of positive feedback, and now I’ve lined up a few more tips to help prevent DNS issues. This time, I’ve specifically targeted DNS issues for Windows systems, since that is where I spend most of my time and have most of my issues.

#1 Limit the number of zones

Nothing is more irritating to me than leftovers from the past. This could be a test project that had a separate area within DNS, or possibly another company that was acquired and was simply left as is for what seems to be a very long time. It may be worth taking the time to fully integrate, fully retire, or simply perform some housekeeping on these areas of DNS. This can include cleaning up any forwarders, removing stale zones, and limiting the number of DNS servers active in the organization.

#2 Consolidate to Windows DNS and DHCP

If effectively every system in an environment is Windows, it doesn’t make much sense to have another operating system provide the DNS and DHCP services. Windows DNS is really straightforward to use, and is supported for communication with other operating systems. Windows DHCP is likewise an easy-to-use tool, and DHCP scope options can easily be deployed to Windows clients.

#3 Use Group Policy for every setting possible

One of the best aspects of Windows technologies is the ability to perform centrally managed Group Policy tasks. A number of settings are available for deployment through Group Policy, such as the DNS suffixes. But sometimes the network settings need a little scripted intervention. One example is setting the DNS servers through Group Policy. There is no direct way of doing this, but if a computer account is configured to run a script through Group Policy (very easy to do), the script can configure the DNS servers for that computer. See this TechNet page for deploying DNS server configuration through the netsh command.

#4 Take the time to remove all WINS dependencies

The fact is, we don’t need WINS anymore. Further, only Windows systems truly take advantage of WINS. If only Windows systems are in use, DNS is fully capable of providing all long and short name resolution services. If the DNS suffixes, search order, and server list are all correct, all client systems should resolve names as provided by the DNS servers.

#5 Make sure DNS is highly available

One of the good things about Windows networking services like DNS is that they can be made highly available with little effort. This is effectively done by using more than two DNS servers. The advanced tab of the networking configuration panel for Windows systems allows a tertiary, quaternary, or higher DNS server to be entered. This helps ensure that systems can still resolve names through the remaining servers if one is offline. Further, make sure that all systems use the same DNS servers where possible. The script resource above may help with that through Group Policy.
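As an added example that is not code from the article or the TechNet page it references, here is a PowerShell computer startup script for tips #3 and #5 together: it pushes one ordered primary/secondary/tertiary DNS server list to every IP-enabled adapter with netsh (as #3 suggests), which also gives every machine the identical server list #5 asks for, and it reports any adapter that still differs afterwards. The three addresses are placeholders, and it assumes Windows PowerShell on Windows 7 / Server 2008 R2 or later, run as SYSTEM.

```powershell
# Added example, not code from the article or the TechNet page it links to.
# Computer startup script (assign it through Group Policy) that enforces one ordered
# DNS server list on every IP-enabled adapter via netsh, then re-reads each adapter
# through WMI and reports any that still differ. Addresses are placeholders.
# Assumes it runs as SYSTEM under Windows PowerShell on Windows 7 / Server 2008 R2 or later.

$DesiredDns = @('10.0.0.10', '10.0.0.11', '10.0.0.12')   # placeholders: primary, secondary, tertiary

function Get-ConfiguredDns {
    # Current DNS search order of one adapter (by WMI index), as an array; empty if none.
    param([int]$Index)
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $Index"
    if ($null -eq $cfg.DNSServerSearchOrder) { return @() }
    return @($cfg.DNSServerSearchOrder)
}

function Test-SameDnsList {
    # True only when $Current holds exactly the desired servers in the desired order.
    param([string[]]$Current)
    if (-not $Current -or $Current.Count -ne $DesiredDns.Count) { return $false }
    for ($i = 0; $i -lt $Current.Count; $i++) {
        if ($Current[$i] -ne $DesiredDns[$i]) { return $false }
    }
    return $true
}

function Set-StandardDns {
    # Applies $DesiredDns where needed; returns the connection names of adapters that
    # still do not match afterwards, so the startup script can log or alert on them.
    $drift = @()
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($cfg in $configs) {
        $name = (Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)").NetConnectionID
        if (-not $name) { continue }                               # nothing to hand to netsh
        if (Test-SameDnsList (Get-ConfiguredDns $cfg.Index)) { continue }

        # The first address replaces the existing list (including DHCP-supplied servers);
        # the rest are appended at explicit indexes so the order is identical everywhere.
        netsh interface ipv4 set dnsservers name="$name" source=static address="$($DesiredDns[0])" validate=no | Out-Null
        for ($i = 1; $i -lt $DesiredDns.Count; $i++) {
            netsh interface ipv4 add dnsservers name="$name" address="$($DesiredDns[$i])" index="$($i + 1)" validate=no | Out-Null
        }
        if (-not (Test-SameDnsList (Get-ConfiguredDns $cfg.Index))) { $drift += $name }
    }
    return $drift
}

$failed = @(Set-StandardDns)
if ($failed.Count -gt 0) { Write-Warning "DNS list could not be enforced on: $($failed -join ', ')" }
```

Because the script forces a static server list, it overrides any DNS servers handed out by DHCP, which is the trade-off to weigh against managing the list through DHCP scope options instead.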

There are so many ways to prevent DNS issues in an environment, and these are just a few. What tips do you employ to avoid DNS issues in your Windows networking environments? Share your tips below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

26 comments
allan.clapp

On every system I have configured over the years... I always added the Primary and Secondary DNS server of the Internet itself. The addresses I use are: 4.2.2.1 and 4.2.2.2. Since the U.S. Government pays for those to always be available... It makes life easier. After all... If you place those addresses at the bottom of the DNS server list you will always get a usable answer.

elibarikikilewo

with a large network like mine i find DHCP Server extremely lucrative and restless IP resource to my usual and new network users who most are high rollers and they don't like wizards to mess around with their laptops every time they switch to a different network

Neelakanth

Please mention in this DNS troubleshoot points (like critical prod environments)

link470

I'd skip group policies for basic DNS settings when those can be applied via DHCP options. Group Policy is fantastic, that's for sure, and I use it for network settings as a whole sometimes, but DNS servers and other network location options I usually have set via DHCP options to keep things simple.

Deathvalley122

why not build your own dns server with a DHCP server from Linux and have your own network to mess with rather than rely on your isp's or windows

hmayorga

I recommend you use a purpose built appliance and system to manage DNS. Infoblox is probably the best choice. It provides a highly available grid for both DNS and DHCP, dynamic dns registration and a very secure platform.

breckw69

#1 is stating to "limit the number of zones" which is completely different. It's referring to limiting the number of different DNS servers. If two companies merged with five DNS servers each, ten may be overkill and they can reduce down to five total. Depending on the size of an organization, it may not be necessary to have 10 DNS servers, however you still leave enough to handle all the requests and be redundant. Using Windows for DHCP is not unusual at all in larger deployments. Windows DHCP is much more configurable than those built into routers and switches, not to mention more tightly integrated with Active Directory. #2 states to use Windows for both DNS and DHCP rather than Linux or routers and switches. It doesn't imply that you put them on the same box which can be a security vulnerability.

tcruse

I have seen several articles from ms and other sources that seem to indicate wins is required for outlook prior to 2003 and exchange prior to 2010. Something to look out for if wins is removed. Tried to turn off wins last year and numerous problem reports started coming from users.

jrevier

Seems that the 2nd dimension of this should be IPv6 DNS practices. DNS and v6 seem like they should be stuck together with Glue.

sam

#2 and #5 are contradictory. Sam

Jeff Adams

We were running Exchange 2007 from 2008-2010 in a multi-domain environment (six domains, to be exact), and we were completely WINSless the whole time and had no problems. And in 2005-2006, at a different company, we also upgraded Windows 2000 AD, WINS, & Exchange 2000 to Windows 2003 AD & Exchange 2003, dropping WINS, in a multi-domain environment. I don't recall that we had any problems in that configuration, either, even though at the time, everyone was telling us it couldn't be done.

Jeff Adams

It can be done, but it's usually not advisable. I'd much rather assign static addresses to servers and control TCP/IP configurations via GPO, where appropriate.

seanferd

Why not BSD instead of Linux? And why would Windows or any other DNS server limit you to using your ISP's resolver? There are other public resolvers, and root hints go just as far in a Windows DNS server role as any other.

davids

If you know what you are doing Windows is the ONLY DNS that you can use for Active Directory environments. To use anything else is ridiculous.

seanferd

This can come in handy. It can also be a source of difficulty in troubleshooting if they were configured and then forgotten.

pgit

It's #1 and #5 that conflict. 1 says limit the number of DNS servers in the system, 5 says have more than three... #2 only suggests having DNS and DHCP on the same machine, which implies using windows DHCP, which isn't too common. Most people use their router for DHCP, or a Linux system that provides other services like files, printers or backups. I disagree with the suggestion to use windows for DHCP. But that's really just a matter of taste, there's not much operational difference between windows and Linux services. I just don't like having to pay for a license in order to have a server.

sid351

Is that a "Windows != high availability" statement? If not, how do #2 and #5 contradict each other?

aspaeth

Can you explain why you think #2 & #5 are contradictory?

tcruse

A year or so ago we turned off our WINS servers. There are about 2% of the systems that either could not function or took minutes to connect to resources (like exchange 2003) and SQL Server 2000. We have a dispersed network with slow WAN links between the sites. So, maybe not time to give up WINS

Jeff Adams

If you really know Windows and Active Directory, then you know Microsoft absolutely supports the use third-party DNS for AD, such as BIND and Infoblox, and there are valid reasons why some choose to go that route.

sam

How can something be thought of as high availability that has to be rebooted every month? Our (2200) Linux servers routinely run two - three years between reboots. And we have NetWare servers with >1000 people a day logging into them that have been up seven years since last reboot. DNS/DHCP runs fine on both of these platforms (Comments bashing NetWare/eDirectory will be directed to /dev/null). I know the CIO of a fortune 200 company who told his staff if anyone puts mission-critical applications on a Windows server, he wanted their name, employee ID number, and termination paperwork brought to his desk. That's somewhat extreme, but yeah, I see from where he comes with that.

davids

I never said that BIND or the use of other 3rd party DNS servers wasn't a "supported" configuration. Maybe I should have said that it is a moronic configuration! People just love to trash MS. I support Red Hat and HPUX in my AD environment and often have to keep the *nix L0s3rs in check.

andewpaj

You guys don't do full maintenance on your system at all... I feel some cold air blowing around.

sid351

You don't have to reboot all of the servers in a cluster at the same time.

Jeff Adams

If you've got NetWare and Linux/SUSE+OES servers that haven't been rebooted for years, then you've got systems that have not had critical driver/kernel/CDM/HAM/NLM/security updates applied, else the systems would have been restarted. I'm much happier keeping my servers updated with currently available hotfixes and patches than worrying if I'll have to explain to the CIO how his servers got hacked and/or exploited.
