Correct way to setup domain controller IP settings?

Discussion in 'Networking & Security' started by a_kraker99, Aug 24, 2013.

  1. a_kraker99

    a_kraker99 [H]Lite

    Messages:
    85
    Joined:
    Aug 12, 2008
    Here is my scenario. My router is set as a DHCP server and I have Server 2012 setup as a domain controller doing name resolution for my local network.

    I want network clients to access local resources using my domain name and access the internet so how do I setup DNS? Do I set up a forwarder on my server to a public DNS? Or should I set up my router to give out the domain controller address as a primary DNS and a public DNS as a secondary?

    In either situation the IP settings for the domain controller should obviously be static. What should I set the DNS server to on it? 127.0.0.1?

    Sorry if that makes no sense. I am just playing around with this as a learning experience. I just want to know what standard practice is for setting up a network that resolves local hosts using the DC and internet hosts using a public DNS.
     
  2. /usr/home

    /usr/home [H]ardness Supreme

    Messages:
    6,164
    Joined:
    Mar 18, 2008
    Set dhcp to hand out DC IP as primary and your ISP as secondary.

    Create a forwarder on the DNS server to your ISP DNS server.

    Set the DNS on the server to ONLY its own IP, i.e. 192.168.100.5. Don't add the ISP server here.
     
  3. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    In my experience, Server 2012 does not need a forwarder like previous versions. I recommend using Windows Server DHCP for simplicity when setting up a Domain if you don't have much experience. Yes, you can easily run a non-Windows DHCP server; most of the documentation for Domain controllers assumes Windows DHCP.
    What I recommend (assume gateway at 192.168.1.1, /24 subnet, Domain/DHCP/DNS at 192.168.1.16):
    Server IP Configuration:
    192.168.1.16
    255.255.255.0
    127.0.0.1 (DNS 1)
    192.168.1.1 (DNS 2)

    Workstations:
    192.168.1.1xx
    255.255.255.0
    192.168.1.16 (DNS 1)

    Only use a DNS 2 for domain Workstations if it is synchronized with the domain. For non-domain joined computers, use the Domain DNS as #1, and a non-domain DNS as #2.

    With this setup DNS may initially be slow, but speed will increase quickly. It's also the easiest to maintain.
     
  4. cyr0n_k0r

    cyr0n_k0r [H]ardness Supreme

    Messages:
    5,358
    Joined:
    Mar 30, 2001
    Don't set the domain controller's DNS to 127.0.0.1
    Set it to the actual IP it's going to use, i.e. 192.168.x.x
     
  5. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    In the IP settings for the relevant NIC, it works either way. Matter of personal preference.
     
  6. REDYOUCH

    REDYOUCH [H]ardness Supreme

    Messages:
    4,523
    Joined:
    Mar 17, 2001
    Best suggestion is to let the DC handle DHCP and AD-integrated DNS.

    As others have said, you will most likely be fine with the default settings. Otherwise, you would want to create a conditional forwarder for all domains except *.local.net (or whatever you have chosen). This should go to either your router or ISP DNS server. The local.net zone would be handled by the server.
     
  8. squishy

    squishy [H]ard|Gawd

    Messages:
    1,207
    Joined:
    May 25, 2006
    I would not hand out (DHCP) one DNS server as internal and one as external.

    If a client asks for an internal name and the resolver happens to ask the external DNS, it'll fail. You'll want to just hand out the internal DNS server ip and then add public DNS addresses as forwarders.
     
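    As an added example (not posted by anyone in this thread), here is the setup /usr/home and squishy describe, done in PowerShell on the DC with the DNS and DHCP roles installed. The addresses, domain name, interface alias and hostname are assumed placeholders; change them to match your network.

```powershell
# Added example, not from the thread. Assumed placeholders:
# DC/DNS/DHCP 192.168.1.16, gateway 192.168.1.1, ISP resolver 203.0.113.53 (TEST-NET-3),
# AD domain corp.example, DC hostname dc1, NIC alias "Ethernet" (check with Get-NetAdapter).
$DcIp    = '192.168.1.16'
$Gateway = '192.168.1.1'
$IspDns  = '203.0.113.53'
$Domain  = 'corp.example'
$Nic     = 'Ethernet'

# 1. DC NIC: static address, and DNS pointing ONLY at the DC's own real address (not the ISP).
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# 2. DNS role: anything the AD-integrated zones cannot answer is forwarded to the ISP resolver,
#    so clients reach internet names through the DC instead of needing a public DNS entry.
Add-DnsServerForwarder -IPAddress $IspDns -PassThru

# 3. DHCP scope options: clients get the DC as their ONLY DNS server, plus suffix and router.
#    Handing out a public resolver as "secondary" is what squishy warns about: a client that
#    happens to query it for an internal name gets NXDOMAIN and internal lookups fail intermittently.
Set-DhcpServerv4OptionValue -ScopeId '192.168.1.0' -DnsServer $DcIp -DnsDomain $Domain -Router $Gateway

# 4. Checks: forwarder present, internal and external names both resolve via the DC.
Get-DnsServerForwarder
Resolve-DnsName -Name "dc1.$Domain" -Server $DcIp -Type A
Resolve-DnsName -Name 'www.microsoft.com' -Server $DcIp -Type A

# 5. Best Practices Analyzer for the DNS role (the check that flags 127.0.0.1 as primary DNS).
Invoke-BpaModel -ModelId 'Microsoft/Windows/DNSServer' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DNSServer' |
    Where-Object Severity -ne 'Information' |
    Select-Object Title, Severity, Problem
```

    Run it in an elevated PowerShell session on the DC after the roles are installed and the scope 192.168.1.0 exists; step 4 is the quick way to confirm a client pointed only at the DC can still reach internet names.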
  9. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    If you read the article, it explains it is not best practice, but a resolution to a specific issue:
    Microsoft themselves do it both ways, I've done it both ways and have never seen a difference. I can assure you from many years of experience, it does work either way.

    As for Domain DNS, setting up the way I suggested will work well out-of-the-box. Exceptions, forwards, etc. can be added as needed after you are up and running. The DNS service in Server 2012 is vastly improved over previous versions, including Server 2k8r2.

    From http://social.technet.microsoft.com...erver-list-on-a-dcdns-server-for-an-interface
     
  10. cyr0n_k0r

    cyr0n_k0r [H]ardness Supreme

    Messages:
    5,358
    Joined:
    Mar 30, 2001
    @RocketTech

    I'm not sure how you don't understand it's best practice.
    The article is identifying an error run by the BEST PRACTICES ANALYZER that says you shouldn't have the loopback as the primary address if you are running DNS on a domain controller. It's not really a "specific issue". Unless, of course, you aren't following best practices, in which case go nuts.

    I've already said it might "work", and it might work well. Or it might not depending on the environment. But good luck troubleshooting things when you don't setup your enterprise according to best practice.

    I also find it odd that in your quote the entire last half of the quote is from Ace Fekay, an MS MVP on Directory Services, in which he gives you 4 specific examples on why NOT to use the loopback.
     
  11. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    To be clear, I did quote the article you linked where the article itself explains it is not Best Practice. If you don't understand that, I'm afraid I can't help. Here's a clue though: some organizations do not deploy AD and conform 100% to Microsoft's Best Practices, for instance those organizations which use a non-integrated DNS solution, or are unable to conform to Best Practice because of business needs. Not everyone runs BPA either.

    At no point did I say using the actual IP address instead of the loopback was wrong; I said it works either way. The post by Ace Fekay supports that it works either way, gives a short history of the issue, and describes a preference, along with supporting his view. I hope you noticed that before stating his view, he provided a link to a counter-argument where, <gasp>, the author states explicitly a computer hosting DNS should use the loopback address first.

    If you would prefer I spoon-feed you only articles with an extremely narrow viewpoint and in no way reflective of deployed scenarios or common practice, I can do that. I just figured most would appreciate a very broad viewpoint.

    Either way works. Pick one.

    I've answered the OP's question.
    I've provided good information with proof AND information on alternatives.

    We're still arguing why?