• Creator
  • #2135942

    Please help with dns question


    by rlynch2 ·

    I've got an Active Directory environment as follows: Site A has the first DC brought up in the forest, Site B is a new domain in the same forest, and Site C is a new domain in the same forest. All is working well, but I had a quick DNS question. Each of these 3 domain controllers is the DNS server for its respective site. I thought I read a while back that the client machines should only have 1 DNS server configured, that being the domain controller/DNS server at that location. So in my setup right now, if I'm at Site B and Site B's domain controller/DNS server goes down, they now have no DNS server. Is it OK to add a secondary DNS server to client machines, maybe assigning Site A's server as the secondary to these Site B client machines? Does adding that secondary DNS server to the client machines cause problems? Thanks in advance for the help.

All Answers

    • #2432428

      It’s normal to have multiple DNS servers for clients

      by naughtymonkey ·

      In reply to Please help with dns question

      Adding a secondary DNS server will allow your clients to use the second DNS server if the first is unavailable.

    • #2432427

      Yes client machines can have multiple DNS servers

      by markp24 ·

      In reply to Please help with dns question


      You can have a few DNS servers. I usually list the following DNS assignments in the DHCP server settings:
      1 – DNS on the same site
      2 – DNS at the hub data center
      3 – ISP DNS (if applicable)
      4 – OpenDNS (if applicable)
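As an added example (not from any poster in this thread), here is the DHCP-side version of the ordering above for a Site B scope, plus the check a practitioner would run before relying on the hub-site DC as the fallback: a DC in another domain only answers for Site B's zone if that zone replicates to it or it hosts a copy, since an AD-integrated domain zone replicates only to DNS servers in its own domain by default, while the `_msdcs` forest zone replicates forest-wide. All names and addresses are assumed lab values: forest root `corp.example.com` with DC/DNS `10.1.0.10` at Site A, child domain `siteb.corp.example.com` with DC/DNS `10.2.0.10` at Site B, client scope `10.2.0.0/24`, and a host record `fileserver` in the child zone.

```powershell
# Added example, not from the thread. Assumed lab values:
#   Site A: forest root corp.example.com, DC/DNS 10.1.0.10 (hub)
#   Site B: child domain siteb.corp.example.com, DC/DNS 10.2.0.10, clients in 10.2.0.0/24
$SiteBDns   = '10.2.0.10'
$SiteADns   = '10.1.0.10'
$SiteBScope = '10.2.0.0'
$SiteBZone  = 'siteb.corp.example.com'
$ForestZone = 'corp.example.com'

# 1. DHCP option 006: local DC first, hub-site DC second. Order matters; clients walk the
#    list only when the preferred server does not answer. Run on the Site B DHCP server.
Set-DhcpServerv4OptionValue -ScopeId $SiteBScope -DnsServer $SiteBDns, $SiteADns -DnsDomain $SiteBZone
Get-DhcpServerv4OptionValue -ScopeId $SiteBScope -OptionId 6 | Select-Object -ExpandProperty Value

# 2. Prove the fallback can answer what a Site B client asks when its local DC is down:
#    the child domain's DC locator SRV record, the forest-root locator, and a plain host
#    record in the child zone. -DnsOnly skips LLMNR/NetBIOS so only the named server counts.
function Test-FallbackDns {
    param([string]$Server, [string]$Zone, [string]$ForestRoot)
    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Zone";       Type = 'SRV' },  # child-domain DC locator
        @{ Name = "_ldap._tcp.dc._msdcs.$ForestRoot"; Type = 'SRV' },  # forest zone, replicates forest-wide
        @{ Name = "fileserver.$Zone";                 Type = 'A'   }   # assumed host record in the child zone
    )
    foreach ($c in $checks) {
        try {
            $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $Server -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Query = $c.Name; Server = $Server; Result = 'OK';   Records = @($r).Count; Error = $null }
        } catch {
            [pscustomobject]@{ Query = $c.Name; Server = $Server; Result = 'FAIL'; Records = 0; Error = $_.Exception.Message }
        }
    }
}
Test-FallbackDns -Server $SiteADns -Zone $SiteBZone -ForestRoot $ForestZone | Format-Table -AutoSize

# 3. If only the child-zone queries fail on the Site A DC, that zone is not replicated there.
#    Widen its replication scope on the Site B DC so every DNS server in the forest holds a
#    copy. A conditional forwarder on the Site A DC pointing at 10.2.0.10 would NOT help here:
#    it forwards to the very server whose outage we are trying to survive.
Set-DnsServerPrimaryZone -Name $SiteBZone -ReplicationScope Forest -ComputerName $SiteBDns

# 4. On a Site B client after a DHCP renew, confirm the two servers arrived in the right order.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Re-run step 2 after the replication change (allow time for AD replication to Site A) and expect all three rows to report OK; until then a Site B client whose local DC is down will still locate a forest-root DC but not its own domain's DC or file servers.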

    • #2432415

      As others have pointed out

      by charles bundy ·

      In reply to Please help with dns question

      That is the purpose of secondary and tertiary DNS settings on the client. Primary should be the on-site DC. A couple of thoughts:

      1. What's your mitigation strategy for DHCP, as I suppose it's running on the site DC with DNS?
      2. Pointing to a DNS server external to your domain could be both a security risk and confusing to users trying to resolve internal resources that sit beyond a NetBIOS broadcast.

      • #2432318

        Response To Answer

        by donbans_z ·

        In reply to As other have pointed out

        Hi Charles,
        1. Yes, DNS/DHCP should be localized within the domain to improve the efficiency of the network system.
        2. Pointing to a DNS external to your domain (but within an AD forest) I believe has zero security issues. Remember, in a Windows AD environment Windows DNS and DHCP servers have to be authorized within the AD forest for the services to run; otherwise, these services would not run.
        Secondly, users? Users should not even know what is going on in their IP settings, so no, they would not be confused.

        Generally, the placement of DNS/DHCP servers in a Windows AD environment should not be decided based on domains in an AD forest. It should be based on sites, network link / bandwidth and your overall company resources. A single DNS server within a forest can serve all DNS needs, but one would be foolish to do so for redundancy purposes. So it is always good to have multiple; a second. If bandwidth and other resources (another server, energy consumption, memory and processing capability of the other server, etc.) are not an issue, then put a DNS server in every site (geographic location) and not every domain. If you have multiple domains but just a single site, two DNS servers are just OK. Please do not misunderstand / get confused about the role of DNS/DHCP servers within your corporation. DNS servers are just pointers to resources within your forest/domains. It is an address resolution / service locator service, based on a client/server query/response model. It is therefore best located taking bandwidth and redundancy highly into consideration. I hope this clarifies DNS/DHCP for you!

      • #2432312

        Response To Answer

        by charles bundy ·

        In reply to As other have pointed out


        Thanks, though I'm often confused, this wasn't one of those times 🙂

        With regard to the second bullet item, it was addressed towards the suggestion of utilizing an open, non-infrastructure DNS. You do that and it will confuse users who can't access a server via UNC but hit [...] just fine when their local DNS service goes belly up. This assumes the server is on the other side of a router, as I've seen NetBIOS broadcasts resolve on the same subnet.

        Security-wise, an external DNS resolver could return a bad address for external well-known URLs (think Citibank, Amex, et al.). It just depends on how secure that external DNS is and your trust in it.

    • #2432387

      Yes, possible in a couple of ways

      by jopatel ·

      In reply to Please help with dns question

      Have a secondary DNS server on each site; bear in mind it will be expensive depending on your company size. The best practice is to always have a plan B.

      Try to go virtual. Have it all virtual; this way it will save lots of money, and in a matter of time your site will be up and running...
