2K8 - Best practice for setting the DNS server list on a DC/DNS server for an interface

    Question

  • We have been referencing the article 
    "DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers" http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx but there are some parts that are a bit confusing.  In particular is this statement
     
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."
      
    The paragraph switches from using the term "its own IP address" to "loopback" address.  This is confusing because technically they are not the same.  Loopback addresses are 127.0.0.1 through 127.255.255.255. The resolution section then goes on and adds the "loopback address" 127.0.0.1 to the list of DNS servers for each interface.
    In the past we always set up DCs to use their own IP address as the primary DNS server, not 127.0.0.1.  Based on my experience and reading the article I am under the impression we could use the following setup.
    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  127.0.0.1
    I guess the secondary and tertiary addresses could be swapped based on the article.  Is there a document that provides clearer guidance on how to set up the DNS server list properly on Windows 2008 R2 DC/DNS servers?  I have seen some other discussions that talk about the pros and cons of using another DC/DNS as the Primary.  MS should have clear guidance on this somewhere.
      
    October 26, 2011 2:15 PM

Answer

  • This has been discussed over the years with various opinions from engineers. Technically, you're right about the loopback being in that range, but 127.0.0.1 is what's used.

    However, in my opinion, and others may either chime in with other recommendations or agree, is I set the DC to use its own IP address, not the loopback, and then set a replica DC as the second entry. I would do the same for the other DC.

    If DCPROMO was run on a 2008 or newer server, it more than likely put in the loopback in the DNS list. I would also remove that and follow the above settings.

    As for the DNS is an Island issue, that was an issue in the Windows 2000 days and was resolved with Windows 2000 SP2. I haven't seen that issue appear since back then.

    As for definitive docs on this, that's a tough one. The link you posted is one link that I believe was designed to ensure that there is no question that you want the server to point to itself whether in the first or second entry. As for more than two entries, I think it will never get to the third entry before the client side resolver service algorithm times out on the first two entries. Same applies with having more than two Forwarders, but that's another topic.

     

    So, the answer is .... actually based on who you ask. Even Microsoft engineers have been discussing this for over 11 years. Check out Ned Pyle's take on it:

    Friday Mail Sack: Saturday Edition, by Ned Pyle
    Scroll down to Question: Question:
    What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
    http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx

     

    As for the loopback, there are many opinions out there on this too, as you said, with pros and cons. Here is some info on the loopback and some of the reasons I don't use it:

    ======
    Others agree to not use 127.0.0.1:
    http://forums.techarena.in/active-directory/1019600.htm

    EventID 4015
    Scroll down to the fourth Anonymous posting regarding the loopback (127.0.0.1):
    http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

    Q172060 - NSLOOKUP Can't Find Server Name for Address 127.0.0.1 -
    (another good reason not to use the loopback):
    http://support.microsoft.com/kb/172060

    Q254715 - RAS Clients Receive 127.0.0.1 for DNS Server Address:
    http://support.microsoft.com/kb/254715


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by monoman67 October 27, 2011 11:31 AM
    October 27, 2011 2:10 AM

All replies

  • Ace,

    Thank you for the quick and detailed reply.  We have been discussing this for a few days around the office. 

    Years ago when running Win 2K3 we had to shut our datacenter down and the restart took a lot longer than expected.  DCs took 20-30 minutes each because they couldn't locate one another.  It took a few restarts for us to figure out what was going on. That experience makes me want to set the primary IP in the DNS client on DCs to use its own IP address.  However, how often do you shut down entire domains?

    Yes there is a range for loopback addresses and 127.0.0.1 is what is widely used. In fact I don't recall ever seeing another 127 address used ever.  However,  MS should be clear on the differences between what a loopback address is and an address configured manually or via DHCP. While the difference may seem insignificant to some, to others the difference could help them determine where a problem lies in reference to the network stack.

    I do agree that a tertiary server would probably never get called upon. Heck, I'm pretty sure a lot of client side systems don't have the patience to wait for the second server if the primary isn't responding.  However, the 3rd field is a good place holder so you can quickly change the order.

    After reading through the information you posted, it probably makes the MOST sense to use

    Primary DNS:  The assigned IP of another DC (i.e. 192.168.1.6)
    Secondary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
    Tertiary DNS:  127.0.0.1

    If (errr, when) we do a datacenter shutdown again we may investigate leaving a few options like

    1. Change the DCs to point to themselves
    2. Leave single DC online somehow and before the shutdown configure the others to use it as the primary DNS. 

    Thanks again!


    This space intentionally left blank
    October 27, 2011 12:03 PM
  • Actually, my suggestion, which seems to be the mostly agreed method, is:

    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  empty
    The tertiary more than likely won't be hit, (besides it being superfluous and the list will reset back to the first one) due to the client side resolver algorithm time out process, as I mentioned earlier. Here's a full explanation on how it works and why:
    This article discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
    Client side resolution process chart
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
    The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
    http://support.microsoft.com/kb/320760

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    October 27, 2011 4:28 PM
  • I agree with this proposed solution as well:

    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  empty

    One thing to note, in this configuration the Best Practice Analyzer will throw the error: The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.

    Even if you add the loopback address as a Tertiary DNS address the error will still appear. The only way I've seen this error eliminated is to add the loopback address as the second entry in DNS, so:

    Primary DNS:  The assigned IP of another DC (i.e. 192.168.1.6)
    Secondary DNS: 127.0.0.1
    Tertiary DNS:  empty

    I'm not comfortable not having the local DC/DNS address listed so I'm going with the solution Ace offers.

    Opinion?

    February 22, 2012 2:27 PM
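As an added example (not code from the thread, from Microsoft, or from any poster), the PowerShell below audits a DC's DNS client server list against the ordering the accepted answer recommends (own adapter IP first, a replica DC second, no loopback) and reports the two conditions this reply raises: whether the Best Practices Analyzer loopback rule, as described here, would fire, and whether the list points only at the DC itself (the "island" case from the TechNet article). It assumes PowerShell 2.0 or later so it also runs on 2008 R2, the WMI class Win32_NetworkAdapterConfiguration, and local administrative rights when -Apply is used; the function names, the $PartnerDcs choice and the sample lists are mine, and 192.168.1.5 / 192.168.1.6 are the thread's own sample addresses.

```powershell
# Added example for this thread (not Microsoft's or any poster's code).
# Assumptions: PowerShell 2.0+ on the DC, WMI Win32_NetworkAdapterConfiguration,
# admin rights for -Apply. Function names and sample lists are constructed here.

function Test-DcDnsServerList {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ServerList,  # DNS servers in search order
        [Parameter(Mandatory = $true)] [string]   $OwnIp,       # this DC's adapter address
        [string[]] $PartnerDcs = @()                             # other DC/DNS servers you trust
    )
    $findings    = @()
    $loopbackIdx = [array]::IndexOf($ServerList, '127.0.0.1')
    $ownIdx      = [array]::IndexOf($ServerList, $OwnIp)
    $partners    = @($ServerList | Where-Object { $PartnerDcs -contains $_ })

    # Thread consensus: own adapter IP first, a replica DC second, loopback not used.
    if ($ownIdx -ne 0)         { $findings += 'Own IP address is not the first entry' }
    if ($partners.Count -eq 0) { $findings += 'No other DC/DNS server in the list' }
    if ($loopbackIdx -ge 0)    { $findings += '127.0.0.1 present; use the adapter IP instead' }

    # "Island" condition from the TechNet article quoted in the question: the DC
    # points only to itself, so it can fail to replicate with other DCs.
    $others = @($ServerList | Where-Object { ($_ -ne $OwnIp) -and ($_ -ne '127.0.0.1') })
    if ($others.Count -eq 0)   { $findings += 'DC points only to itself (island risk)' }

    # BPA rule as described in this reply: it warns when the loopback address is
    # absent from the list or is configured as the first entry.
    $bpaWarns = ($loopbackIdx -lt 0) -or ($loopbackIdx -eq 0)

    New-Object PSObject -Property @{
        ServerList         = ($ServerList -join ', ')
        MeetsThreadAdvice  = ($findings.Count -eq 0)
        BpaLoopbackWarning = $bpaWarns
        Findings           = $findings
    }
}

function Get-DcDnsClientConfig {
    # Reads each IP-enabled adapter's current DNS search order via WMI.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Index       = $_.Index
                Description = $_.Description
                IPv4        = @($_.IPAddress | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
                DnsServers  = @($_.DNSServerSearchOrder)
            }
        }
}

function Set-DcDnsServerList {
    # Writes a new search order to one adapter; without -Apply it only reports.
    param(
        [Parameter(Mandatory = $true)] [int]      $AdapterIndex,
        [Parameter(Mandatory = $true)] [string[]] $ServerList,
        [switch] $Apply
    )
    if (-not $Apply) {
        Write-Output "Would set adapter $AdapterIndex DNS list to: $($ServerList -join ', ')"
        return
    }
    $nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "Index = $AdapterIndex"
    $rc  = $nic.SetDNSServerSearchOrder($ServerList)
    if ($rc.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed, return code $($rc.ReturnValue)" }
}

# Constructed sample lists taken from the thread, evaluated offline (no WMI needed):
$own = '192.168.1.5'; $partner = '192.168.1.6'
Test-DcDnsServerList -ServerList @($own, $partner)        -OwnIp $own -PartnerDcs $partner  # accepted answer
Test-DcDnsServerList -ServerList @($partner, '127.0.0.1') -OwnIp $own -PartnerDcs $partner  # BPA-quiet variant
Test-DcDnsServerList -ServerList @('127.0.0.1')           -OwnIp $own -PartnerDcs $partner  # island

# On a real DC: audit the first IP-enabled adapter, then apply the accepted answer's order.
# $nic = Get-DcDnsClientConfig | Select-Object -First 1
# Test-DcDnsServerList -ServerList $nic.DnsServers -OwnIp $nic.IPv4[0] -PartnerDcs $partner
# Set-DcDnsServerList -AdapterIndex $nic.Index -ServerList @($nic.IPv4[0], $partner) -Apply
```

The first sample list reports no findings and BpaLoopbackWarning = True, which is exactly the situation this reply describes: the thread's preferred order is sound but the BPA still complains. The second list silences the BPA but trips the "own IP not first" finding, and the third trips the island finding. WMI is used rather than the DnsClient cmdlets so the same script runs on 2008 R2.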
    The DNS "who's on first," and "what's on second" question has been argued for the past 12 years among even the Microsoft engineers (read Ned's link below). I wouldn't worry about the BPA loopback message. It's trying to make sure that you have itself referenced in the DNS list. More on this:

    .

    Quoted from Ned Pyle's post in the following link:
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."

    .

    Friday Mail Sack: Saturday Edition, by Ned Pyle, MSFT, 17 Jul 2010 11:06 AM
    Scroll down to Question: Question: What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
    Answer: It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now.
    http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx

    .

    DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
    http://technet.microsoft.com/en-us/library/dd378900(WS.10).aspx


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 24, 2012 4:05 AM
  • Hi all,

    I have been thinking about this same subject lately and wish to be clear.

    I will use an example....

    PDC = 192.168.1.23

    Replica1 = 192.168.1.24

    Are we saying that as of now the best practice is as follows?

    PDC DNS List

    ---------------

    192.168.1.23

    192.168.1.24

    Replica_1 DNS List

    -------------------

    192.168.1.24

    192.168.1.23

    i.e. whenever setting up a new DC, the primary DNS is always itself and the secondary is some other DC/DNS in the domain?

    Thanks.

    March 31, 2012 12:36 PM
  • Pretty much, that's one way. Ned's blog says, " However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate...  The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."

    So in light of that, he suggests to point to the replica as first, and itself (whether loopback or its own IP), as the second.

     

    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    March 31, 2012 2:15 PM
  • Thanks for your reply

    So what you are saying then a better way would be

    PDC DNS List

    ---------------

    192.168.1.24

    192.168.1.23

    Replica_1 DNS List

    -------------------

    192.168.1.23

    192.168.1.24

    That is, in any domain with a PDC and one/more backup controllers it's best to have the primary DNS as one of the other DCs which have DNS installed, and the secondary DNS as itself.

    correct me if I misunderstood you.

    March 31, 2012 4:51 PM
  • This link seems to be relevant http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx

    "The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."

    September 16, 2013 3:31 AM