Correct way to set up domain controller IP settings?

a_kraker99 (Weaksauce; joined Aug 12, 2008; 85 messages)
Here is my scenario. My router is set as a DHCP server and I have Server 2012 set up as a domain controller doing name resolution for my local network.

I want network clients to access local resources using my domain name and access the internet so how do I setup DNS? Do I set up a forwarder on my server to a public DNS? Or should I set up my router to give out the domain controller address as a primary DNS and a public DNS as a secondary?

In either situation the IP settings for the domain controller should obviously be static. What should I set the DNS server to on it? 127.0.0.1?

Sorry if that makes no sense. I am just playing around with this as a learning experience. I just want to know what standard practice is for setting up a network that resolves local hosts using the DC and internet hosts using a public DNS.
 
Set DHCP to hand out the DC IP as primary and your ISP as secondary.

Create a forwarder on the DNS server to your ISP DNS server.

Set the DNS on the server to ONLY its own IP, i.e. 192.168.100.5. Don't add the ISP server here.
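The three steps above, as an added example that is not the poster's own code. It assumes Windows Server 2012 holding the DC, DNS and DHCP roles (if the router stays the DHCP server, set its DNS option the same way), a NIC alias of "Ethernet", the DC at 192.168.100.5 in scope 192.168.100.0/24, an AD domain called corp.example, and 203.0.113.53 as a placeholder for the ISP resolver; all of those are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 with the DC, DNS and
# DHCP roles, NIC alias "Ethernet", DC at 192.168.100.5 in scope 192.168.100.0/24,
# AD domain corp.example, and ISP resolver 203.0.113.53 (placeholder; use your ISP's).
Import-Module DnsClient, DnsServer, DhcpServer

$DcIp    = '192.168.100.5'
$ScopeId = '192.168.100.0'
$Domain  = 'corp.example'
$IspDns  = '203.0.113.53'
$Nic     = 'Ethernet'

# 1. The DC's own resolver list: only its own address, nothing from the ISP.
#    A DC that asks an outside resolver for its own SRV records cannot locate itself.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# 2. Forwarder: queries for zones the DC is not authoritative for go to the ISP.
#    Add-DnsServerForwarder appends, so clear leftovers first to make the list exact.
$existing = (Get-DnsServerForwarder).IPAddress
if ($existing) { Remove-DnsServerForwarder -IPAddress $existing -Force }
Add-DnsServerForwarder -IPAddress $IspDns

# 3. DHCP options 006 (DNS servers) and 015 (DNS domain) for the scope.
#    This follows the post: DC first, ISP second. Later posts in the thread argue for
#    handing out only the DC; to do that, drop $IspDns from the -DnsServer list.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcIp, $IspDns -DnsDomain $Domain

# Verify: the DC resolves its own DC-locator record and an outside name through the forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -DnsOnly
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $DcIp -DnsOnly
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object OptionId -in 6, 15
```

Set-DhcpServerv4OptionValue checks that each address in -DnsServer actually answers DNS before accepting it and fails otherwise (it offers -Force to skip that check); leave the check on, since a typo here is handed to every client at its next lease renewal.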
 
In my experience, Server 2012 does not need a forwarder like previous versions. I recommend using Windows Server DHCP for simplicity when setting up a domain if you don't have much experience. Yes, you can easily run a non-Windows DHCP server; most of the documentation for domain controllers assumes Windows DHCP.
What I recommend (assume gateway at 192.168.1.1, /24 subnet, Domain/DHCP/DNS at 192.168.1.16)
Server IP Configuration:
192.168.1.16
255.255.255.0
127.0.0.1 (DNS 1)
192.168.1.1 (DNS 2)

Workstations:
192.168.1.1xx
255.255.255.0
192.168.1.16 (DNS 1)

Only use a DNS 2 for domain workstations if it is synchronized with the domain. For non-domain-joined computers, use the domain DNS as #1 and a non-domain DNS as #2.

With this setup DNS may initially be slow; speed will increase quickly. It's also the easiest to maintain.
 
Don't set the domain controller's DNS to 127.0.0.1.
Set it to the actual IP it's going to use, i.e. 192.168.x.x.
 
Best suggestion is to let the DC handle DHCP and AD-integrated DNS.

As others have said, you will most likely be fine with the default settings. Otherwise, you would want to create a conditional forwarder for all domains except *.local.net (or whatever you have chosen). This should go to either your router or ISP DNS server. The local.net zone would be handled by the server.
 
I would not hand out (DHCP) one DNS server as internal and one as external.

If a client asks for an internal name and the resolver happens to ask the external DNS, it'll fail. You'll want to just hand out the internal DNS server IP and then add public DNS addresses as forwarders.
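The failure mode this post describes, shown from a client, as an added example that is not the poster's own code. It assumes an AD domain called corp.example, the DC/DNS at 192.168.100.5, and 203.0.113.53 as a placeholder for the ISP resolver; those are assumptions, not values from the thread. It queries the DC-locator SRV record and a public name against each resolver in turn, then lists what DHCP actually gave this client.

```powershell
# Added example, not from the thread. Assumes AD domain corp.example, DC/DNS at
# 192.168.100.5, and 203.0.113.53 as a placeholder for the ISP resolver. Run on a client.
$Domain = 'corp.example'
$DcDns  = '192.168.100.5'
$IspDns = '203.0.113.53'

# One query against one server, reported as a row instead of a thrown error.
function Test-Resolution {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        $first  = $r | Where-Object Type -eq $Type | Select-Object -First 1
        $answer = if ($Type -eq 'SRV') { $first.NameTarget } else { $first.IPAddress }
        [pscustomobject]@{ Server = $Server; Query = "$Name/$Type"; Result = 'OK';   Detail = $answer }
    } catch {
        [pscustomobject]@{ Server = $Server; Query = "$Name/$Type"; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

# The DC-locator record exists only in the AD zone; the public name exists everywhere.
$queries = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = 'www.microsoft.com';             Type = 'A'   }
)
$results = foreach ($srv in $DcDns, $IspDns) {
    foreach ($q in $queries) { Test-Resolution -Name $q.Name -Type $q.Type -Server $srv }
}
$results | Format-Table -AutoSize

# What DHCP actually handed this client. Anything other than the DC can be picked by the
# resolver for an internal name, and the SRV lookup above shows what happens then.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$clientDns | Where-Object { $_ -ne $DcDns } |
    ForEach-Object { Write-Warning "Non-DC resolver configured on this client: $_" }
```

With forwarders in place the DC row for the public name succeeds as well, so the only FAIL in the table is the ISP resolver asked for the SRV record; that row is the domain logon or GPO failure a client hits when it happens to try its secondary resolver first.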
 
Nope. Best practice.
http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx

It might "work", but it's not personal preference.

If you read the article, it explains it is not best practice, but a resolution to a specific issue:
This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic
Microsoft themselves do it both ways. I've done it both ways and have never seen a difference. I can assure you from many years of experience, it does work either way.

As for Domain DNS, setting up the way I suggested will work well out-of-the-box. Exceptions, forwards, etc. can be added as needed after you are up and running. The DNS service in Server 2012 is vastly improved over previous versions, including Server 2k8r2.

From http://social.technet.microsoft.com...erver-list-on-a-dcdns-server-for-an-interface
This has been discussed over the years with various opinions from engineers. Technically, you're right about the loopback being in that range, but 127.0.0.1 is what's used.

However, in my opinion, and others may either chime in with other recommendations or agree, is I set the DC to use its own IP address, not the loopback, and then set a replica DC as the second entry. I would do the same for the other DC.

If DCPROMO was run on a 2008 or newer server, it more than likely put in the loopback in the DNS list. I would also remove that and follow the above settings.

As for the DNS Island issue, that was an issue in the Windows 2000 days and was resolved with Windows 2000 SP2. I haven't seen that issue appear since back then.

As for definitive docs on this, that's a tough one. The link you posted is one link that I believe was designed to ensure that there is no question that you want the server to point to itself, whether in the first or second entry. As for more than two entries, I think it will never get to the third entry before the client-side resolver service algorithm times out on the first two entries. Same applies with having more than two forwarders, but that's another topic.



So, the answer is .... actually based on who you ask. Even Microsoft engineers have been discussing this for over 11 years. Check out Ned Pyle's take on it:

Friday Mail Sack: Saturday Edition, by Ned Pyle
Scroll down to Question:
What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx



As for the loopback, there are many opinions out there on this too, as you said, with pros and cons. Here is some info on the loopback and some of the reasons I don't use it:

======
Others agree to not use 127.0.0.1:
http://forums.techarena.in/active-directory/1019600.htm

EventID 4015
Scroll down to the fourth Anonymous posting regarding the loopback (127.0.0.1):
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

Q172060 - NSLOOKUP Can't Find Server Name for Address 127.0.0.1 -
(another good reason not to use the loopback):
http://support.microsoft.com/kb/172060

Q254715 - RAS Clients Receive 127.0.0.1 for DNS Server Address:
http://support.microsoft.com/kb/254715

--------------------------------------------------------------------------------

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
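An audit of the DNS client list on every DC in the domain, checked against the points argued in this post and the BPA article linked earlier (loopback not as first entry; each DC pointing to itself; no more than two entries; no non-DC resolvers). This is an added example, not the poster's or Ace Fekay's code. It assumes the ActiveDirectory module (RSAT) on the machine it runs from and PowerShell remoting to each DC; the DC names and addresses are whatever Get-ADDomainController returns.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and PowerShell
# remoting to each DC. It reports; it changes nothing.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter *
$dcIps = @($dcs.IPv4Address)

$report = foreach ($dc in $dcs) {
    # IPv4 interfaces on the DC that have a resolver list at all.
    $lists = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }
    }
    foreach ($l in $lists) {
        $servers = @($l.ServerAddresses)
        $issues  = @()

        # BPA rule from the linked article: loopback may appear, but not first.
        if ($servers[0] -eq '127.0.0.1') { $issues += 'loopback is first entry' }

        # Every post in the thread agrees the DC must point at itself somewhere.
        if (-not ($servers -contains $dc.IPv4Address) -and -not ($servers -contains '127.0.0.1')) {
            $issues += 'does not point to itself'
        }

        # Ace's point: the resolver rarely reaches a third entry before timing out.
        if ($servers.Count -gt 2) { $issues += 'more than two entries' }

        # Anything that is neither loopback nor a DC cannot answer AD queries.
        $foreign = $servers | Where-Object { $_ -ne '127.0.0.1' -and $_ -notin $dcIps }
        if ($foreign) { $issues += "non-DC resolver: $($foreign -join ', ')" }

        [pscustomobject]@{
            DC        = $dc.Name
            Interface = $l.InterfaceAlias
            Servers   = ($servers -join ', ')
            Issues    = ($issues -join '; ')
        }
    }
}
$report | Format-Table -AutoSize
```

The audit deliberately does not flag own-IP-first versus loopback-second, since the thread itself does not settle that; it flags only the configurations that both sides and the linked BPA rule treat as wrong. Run it after DCPROMO on a new DC, which is the moment the post says the loopback tends to get inserted.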
 
@RocketTech

I'm not sure how you don't understand it's best practice.
The article is identifying an error run by the BEST PRACTICES ANALYZER that says you shouldn't have the loopback as the primary address if you are running DNS on a domain controller. It's not really a "specific issue". Unless of course you aren't following best practices in which case, go nuts.

I've already said it might "work", and it might work well. Or it might not depending on the environment. But good luck troubleshooting things when you don't setup your enterprise according to best practice.

I also find it odd that in your quote the entire last half of the quote is from Ace Fekay an MS MVP on Directory services in which he gives you 4 specific examples on why NOT to use the loopback.
 
To be clear, I did quote the article you linked where the article itself explains it is not Best Practice- if you don't understand that, I'm afraid I can't help. Here's a clue though- some organizations do not deploy AD and conform 100% to Microsoft's Best Practices- for instance, those organizations which use a non-integrated DNS Solution, or are unable to conform to Best Practice because of Business Needs. Not everyone runs BPA either.

At no point did I say using the actual IP address instead of the loopback was wrong- I said it works either way. The post by Ace Fekay supports that it works either way, gives a short history of the issue, and describes a preference, along with supporting his view. I hope you noticed that before stating his view, he provided a link to a counter-argument where, <gasp> the author states explicitly a computer hosting DNS should use the loopback address first.

If you would prefer I spoon-feed you only articles with an extremely narrow viewpoint and in no way reflective of deployed scenarios or common practice, I can do that. I just figured most would appreciate a very broad viewpoint.

Either way works. Pick one.

I've answered the OP's question.
I've provided good information with proof AND information on alternatives

We're still arguing why?
 