Home / server / Questions / 394804
Accepted
MDMarra
Asked: 2012-06-02 09:14:48 +0800 CST

What should the order of DNS servers be for an AD Domain Controller and Why?

  • 772

This is a Canonical Question about Active Directory DNS Settings.

Related:

Assuming an environment with multiple domain controllers (assume that they all run DNS as well):

  • in what order should the DNS servers be listed in the network adapters for each domain controller?
  • Should 127.0.0.1 be used as the primary DNS server for each domain controller?
  • Does it make any difference, if so what versions are affected and how?
windows domain-name-system domain-controller active-directory

3 Answers

  1. Best Answer

    According to this link and the Windows Server 2008 R2 Best Practices Analyzer, the loopback address should be in the list, but never as the primary DNS server. In certain situations like a topology change, this could break replication and cause a server to be "on an island" as far as replication is concerned.

    Say that you have two servers: DC01 (10.1.1.1) and DC02 (10.1.1.2) that are both domain controllers in the same domain and both hold copies of the ADI zones for that domain. They should be configured as follows:

    DC01
Primary DNS   10.1.1.2
Secondary DNS 127.0.0.1

DC02
Primary DNS   10.1.1.1
Secondary DNS 127.0.0.1
    • 40

  2. From http://technet.microsoft.com/en-us/library/ff807362%28v=ws.10%29.aspx

    If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself, or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

    I also want to share this snippet from the book Windows Server 2008 R2 Unleashed:

    enter image description here

    However, even if you are never affected by the "island" problem, your DC will still reboot much faster and with fewer errors if it uses another already up and running DC as its primary DNS resolver.

    • 18

  3. Never, ever have a DC use itself as Primary DNS.

    All sorts of havoc can (and Murphy dictates: will) happen if the AD services become online before the DNS service is live after a reboot. (Or DNS crashes, gets DOSsed, whatever.)
    There is also interaction between DHCP (with dynamic DNS updates) and DNS which depends heavily upon DNS working properly.

    Always put 127.0.0.1 last. Also: Don't be tempted to use the real LAN ip-address of the server either.
    Dynamic DNS updates from DHCP are very sensitive to this.
    (127.0.0.1 always exist and can be accessed faster. The real ip-address might not always be available/be busy. In some scenarios the dynamic DNS updates can actually DOS the LAN adapter if there is a high amount of simultaneous DHCP requests combined with sub-par NIC/drivers.)

    • 5