Please help with dns question

0 Votes

I've got an Active Directory environment as follows: Site A has the first DC brought up in the forest, Site B is a new domain in the same forest, and Site C is a new domain in the same forest. All is working well, but I had a quick DNS question. Each of these 3 domain controllers is the DNS server for its respective site. I thought I read a while back that the client machines should only have 1 DNS server configured, that being the domain controller/DNS server at that location. So in my setup right now, if I'm at Site B and Site B's domain controller/DNS server goes down, the clients now have no DNS server. Is it OK to add a secondary DNS server to the client machines, maybe assigning Site A's server as the secondary for the Site B client machines? Does adding that secondary DNS server to the client machines cause problems? Thanks in advance for the help.

Member Answers

      +
      0 Votes
      NaughtyMonkey

      Adding a secondary DNS server will allow your clients to use the second DNS server if the first is unavailable.

      +
      0 Votes
      markp24

      Hi,

      You can have a few DNS servers. I usually list out the following DNS assignments in the DHCP server settings:
      1 - DNS on the same site
      2 - DNS at the hub data center
      3 - ISP DNS (if applicable)
      4 - OpenDNS (if applicable)

      +
      0 Votes

      Thank you guys for quick response, have a great day.

      +
      0 Votes
      gechurch

      I agree with the first two. 3 and 4 are wrong though - your clients should never be using an ISP or public DNS server in an Active Directory environment. They don't know about the machines on your network.

      +
      0 Votes
      markp24

      Hi, I agree with gechurch. 3 and 4 were meant for a home personal connection from a router, not corporate (that's why I put "if applicable").

      +
      0 Votes
      Charles Bundy

      That is the purpose of secondary and tertiary DNS settings on the client. Primary should be the on-site DC. A couple of thoughts:

      1. What's your mitigation strategy for DHCP, as I suppose it's running on the site DC with DNS?
      2. Pointing to a DNS server external to your domain could be both a security risk and confusing to users trying to resolve internal resources that sit beyond a NetBIOS broadcast.

      +
      0 Votes
      Donbans_z

      Hi Charles,
      1. Yes, DNS/DHCP should be localized within the domain to improve the efficiency of the network system.
      2. Pointing to a DNS server external to your domain (but within the AD forest) I believe has zero security issues. Remember, in a Windows AD environment Windows DNS and DHCP servers have to be authorized within the AD forest for the services to run; otherwise, these services would not run.
      Secondly, users??? Users should not even know what is going on in their IP settings, so no, they would not be confused.

      Generally, the placement of DNS/DHCP servers in a Windows AD environment should not be decided based on the domains in an AD forest. It should be based on sites, network link/bandwidth and your overall company resources. A single DNS server within a forest can serve all DNS needs, but one would be stupid to do so for redundancy purposes. So it is always good to have multiple, at least a second. If bandwidth and other resources (another server, energy consumption, memory and processing capability of the other server, etc.) are not an issue, then put a DNS server in every site (geographic location), not every domain. If you have multiple domains but just a single site, two DNS servers are just fine. Please do not misunderstand or get confused about the role of DNS/DHCP servers within your corporation. DNS servers are just pointers to resources within your forest/domains. It is an address resolution/service locator service based on a client/server query/response model. It is therefore best located taking bandwidth and redundancy highly into consideration. I hope this clarifies DNS/DHCP for you!

      +
      0 Votes
      Charles Bundy

      [Donbans_z]

      Thanks, though I'm often confused, this wasn't one of those times :)

      With regard to the second bullet item, it was addressed towards the suggestion of utilizing an open, non-infrastructure DNS. You do that and it will confuse users who can't access a server via UNC but hit www.google.com just fine when their local DNS service goes belly up. This assumes the server is on the other side of a router, as I've seen NetBIOS broadcasts resolve on the same subnet.

      Security-wise, an external DNS resolver could return a bad address for well-known external URLs (think Citibank, Amex, et al.). It just depends on how secure that external DNS is and your trust in it.
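
      The two points the thread keeps returning to (hand clients an ordered list of AD-aware resolvers through DHCP, and never let a public resolver into that list) can be checked rather than argued. The following is an added example, not code posted by anyone in this thread. It assumes a domain named corp.example, a Site B DHCP scope 10.20.0.0 with the Site B DC at 10.20.0.10 and the Site A/hub DC at 10.10.0.10, and a partner DHCP server named dc-a.corp.example; all of those are placeholders. It uses only the built-in DhcpServer and DnsClient cmdlets and is meant to run on a Windows Server 2012 or later DHCP server in the domain.

```powershell
# Added example, not from the original thread. Every name and address below is a placeholder.
$Domain      = 'corp.example'
$SiteLocalDC = '10.20.0.10'    # DC/DNS in the client's own site: primary resolver
$HubDC       = '10.10.0.10'    # DC/DNS at Site A (hub): secondary resolver
$ScopeId     = '10.20.0.0'     # Site B client scope

# 1. Publish the ordered resolver list to clients through DHCP option 006 (and the DNS suffix, option 015).
#    Clients try $SiteLocalDC first and fall back to $HubDC only when the local DC does not answer.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $SiteLocalDC, $HubDC -DnsDomain $Domain

# 2. (Optional) Answer the "what about DHCP itself?" question from the thread: on Server 2012+ the
#    site DHCP server can be paired with the hub so leases survive the site DC going down.
# Add-DhcpServerv4Failover -Name 'SiteB-Hub' -PartnerServer 'dc-a.corp.example' -ScopeId $ScopeId -LoadBalancePercent 50

# 3. Prove each resolver is AD-aware before trusting it as a fallback. A resolver that cannot answer the
#    _ldap._tcp.dc._msdcs.<domain> SRV query cannot support logons, Kerberos or UNC access, no matter
#    how well it resolves www.google.com. -DnsOnly skips LLMNR/NetBIOS so only real DNS answers count.
function Test-AdResolver {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,
        [Parameter(Mandatory)] [string]   $DomainName
    )
    foreach ($server in $Servers) {
        try {
            $answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                                      -Server $server -DnsOnly -ErrorAction Stop
            $dcs = ($answer | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget) -join ','
            [pscustomobject]@{ Server = $server; AdAware = ($dcs -ne ''); DomainControllers = $dcs }
        }
        catch {
            # NXDOMAIN / SERVFAIL / timeout: this server must not appear in any client's resolver list.
            [pscustomobject]@{ Server = $server; AdAware = $false; DomainControllers = $_.Exception.Message }
        }
    }
}

# The public resolver is included only to show the failure: it returns NXDOMAIN for the forest's SRV records.
Test-AdResolver -Servers $SiteLocalDC, $HubDC, '8.8.8.8' -DomainName $Domain | Format-Table -AutoSize

# 4. Spot-check what a client actually received (run on a workstation in the scope).
# Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | Format-Table InterfaceAlias, ServerAddresses
```

      The ordering in step 1 is what makes "secondary DNS on the hub DC" safe: Windows clients do not round-robin across the list, they stay on the first server that responds, so cross-site traffic only happens during an outage. Step 3 is the check to run whenever someone proposes adding a resolver to option 006; an entry that reports AdAware = False is the case gechurch and Charles Bundy warn about.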

      +
      0 Votes
      jopatel

      Have a secondary DNS server on each site; bear in mind it can be expensive, depending on your company size. The best practice is to always have a plan B.

      Try to go virtual. Have it all virtual; this way it will save lots of money, and in a matter of time your site will be up and running...
