DNS best practices?

    Question

  • Are there guides to MS Server DNS services that are easy to follow?

    I tried reading help files, MS step-by-step guides, and either I am dumb or they are pretty hard to follow and understand, or DNS configuration is cryptic in itself.  Or all of the above. :)

    Seemingly, there aren't too many scenarios for small businesses with a single server: DHCP from the router, DHCP from the server, static addresses.

    Most common scenario is DHCP at the server, I assume - and in that case, what should DNS look like?  What should IP configuration on the clients and on the server look like?  Probably something like this:

    Clients:
    - DHCP-issued address
    - gateway, DNS: server IP address

    Server:
    - static IP address
    - DNS servers:
      - its own IP address?
      - router's or ISP DNS addresses

    It shouldn't be too hard to say what the settings should be in this simplest of the configurations, and yet I am having a hard time finding this info!


    Scenario 2: DHCP at the router, with the server getting a static (reserved) IP address, e.g. 10.0.0.5.

    Router: 10.0.0.1
    WAN DNS/Gateway: pre-configured or DHCP from ISP
    LAN configuration: DHCP to clients with:
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5
     - DNS 2: 10.0.0.1

    Server IP: 10.0.0.5
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5
     - DNS 2: 10.0.0.1

    Does this sound right?

    If so, what should DNS configuration look like in this scenario?

    Thanks for any clues!
    Tuesday, April 14, 2009 5:24 PM

Answers

  • Alex,

    yes - you are correct (to be specific, they would be able to get out to the Internet, but not resolve DNS names - with a minor exception of records already present in the client's DNS resolver cache)...

    A "clean" way to handle this would be to set up another server in your site functioning as a DNS server (and, if possible, also an AD DC) - giving you a level of redundancy - but it sounds like this is not the option you have available...

    In general, it is not recommended to point AD clients to external DNS servers. This is somewhat mitigated by setting up ISP DNS as secondary, but you would need to evaluate whether potential local name registration/resolution issues justify the ability to use Internet during server outage. However, this does NOT apply to DNS client settings on the DNS server - which should point only to itself (note that in this case, the same reasoning does not apply, since the assumption is that this server is down).

    One possible (although a bit cumbersome) alternative would be to take advantage of Alternate Configuration. More specifically, you could configure your domain members as DHCP clients to a DHCP server running on the DC, and set up static settings under Alternate Configuration for each, pointing to the external DNS server. In addition you would need to add your users to the local Network Configuration Operators group. If the server fails (assuming hardware/OS level failure), users would need to perform a DHCP release/renew...

    hth
    Marcin

    • Marked as answer by Kindz Marauli Wednesday, April 15, 2009 6:54 PM
    Tuesday, April 14, 2009 11:21 PM
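As an added check (not part of Marcin's answer or of any Microsoft guide), the PowerShell below audits a machine against the two rules he states: domain members list only the internal DNS server, and the DNS server itself lists only its own address. It also confirms that the internal server answers the _msdcs SRV query domain members use to find a DC. It assumes Windows 8 / Server 2012 or later (NetAdapter, NetTCPIP and DnsClient modules) and the thread's addressing, where 10.0.0.5 is the only AD-integrated DNS server; the domain name is read from the environment.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# (NetAdapter, NetTCPIP and DnsClient modules) and the thread's addressing:
# 10.0.0.5 is the only AD-integrated DNS server on the network.
$InternalDnsServers = @('10.0.0.5')     # assumption: the DC/DNS server from the thread
$IsDnsServer        = $false            # set to $true when running this on the DC itself

function Get-DnsClientFindings {
    param(
        [string[]]$InternalDnsServers,
        [bool]$IsDnsServer
    )
    $findings = @()
    # Only adapters that are up carry DNS client settings worth checking.
    foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses)
        if ($servers.Count -eq 0) {
            $findings += "{0}: no IPv4 DNS servers configured" -f $adapter.Name
            continue
        }
        # An external address anywhere in the list lets the client register or resolve
        # against the router/ISP whenever the internal server is slow or unreachable.
        foreach ($ip in ($servers | Where-Object { $InternalDnsServers -notcontains $_ })) {
            $findings += "{0}: external DNS server {1} listed (AD clients should use internal DNS only)" -f $adapter.Name, $ip
        }
        if ($IsDnsServer) {
            # Marcin's rule for the server itself: its DNS client points only at itself.
            $own = @((Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).IPAddress)
            foreach ($ip in ($servers | Where-Object { $own -notcontains $_ -and $_ -ne '127.0.0.1' })) {
                $findings += "{0}: DNS server lists {1} instead of only its own address" -f $adapter.Name, $ip
            }
        }
    }
    return $findings
}

function Test-DomainSrvRecord {
    # Domain members locate DCs through SRV records under _msdcs; if this query fails
    # against the internal server, logon and Group Policy processing fail with it.
    param([string]$DnsServer, [string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw 'Not domain-joined: USERDNSDOMAIN is not set' }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop
    return ($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
}

$findings = Get-DnsClientFindings -InternalDnsServers $InternalDnsServers -IsDnsServer $IsDnsServer
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'DNS client settings match policy' }
'DCs advertised by {0}: {1}' -f $InternalDnsServers[0], ((Test-DomainSrvRecord -DnsServer $InternalDnsServers[0]) -join ', ')
```

Run it on a client with `$IsDnsServer = $false` and on the DC with `$IsDnsServer = $true`; a router or ISP address showing up in the warnings is exactly the "DNS 2: 10.0.0.1" entry the question proposes, and is what Marcin advises against for domain members.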

All replies

  • Alex,

    Assuming that you are dealing with an AD environment, the server should have a static IP configuration and point to itself as the DNS server. As part of the DNS server settings (within DNS Management console), you would configure your ISP DNS server as the forwarder.

    Clients would typically receive their IP configuration via DHCP and point to the internal DNS server for name resolution.

    So in scenario 1:

    Clients:
    - DHCP-issued address
    - gateway, DNS: server IP address

    Server:
    - static IP address
    - DNS servers: itself
    - DNS forwarder (part of DNS server configuration) - pointing to the ISP DNS server

    So in your specific scenario 2:

    LAN configuration: DHCP to clients with:
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5

    Server IP: 10.0.0.5
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5
     - DNS forwarder (part of DNS server configuration ) - pointing to the ISP DNS server

    hth
    Marcin

    • Proposed as answer by Jens Ole Kragh Wednesday, April 15, 2009 9:52 AM
    Tuesday, April 14, 2009 7:08 PM
  • Assuming that you are dealing with an AD environment, the server should have a static IP configuration and point to itself as the DNS server. As part of the DNS server settings (within DNS Management console), you would configure your ISP DNS server as the forwarder.
    Great, thanks a lot for the response.

    Am I correct to think that in this scenario, if the server is down (and I don't have other AD/DNS servers in my subnet), nodes will not get name resolution, and will not be able to go out on the internet?

    Is there a clean way to avoid that?  We sometimes have the server down, client machines lose shared storage and Exchange connectivity but otherwise, keep on working, i.e. use webmail, IM, etc., and I'd prefer to keep it that way.

    E.g. currently, with the router's address being a 2nd DNS server, nodes can still go out on the Internet.  If the server is the only DNS server, I assume, they won't be able to.

    (The router is a dual WAN box, it will automatically resolve DNS queries to whatever WAN it's connected to at that moment, this is why I am talking about the router being a 2nd DNS server, not ISP-provided addresses.)

    Bottom line question: is it possible to add the router's address as a 2nd DNS server in my network?  If so, what do I need to do with the server's DNS configuration?

    Thanks!
    Tuesday, April 14, 2009 7:28 PM
  • Hi Alex,

    I haven't read all the replies above, but my approach is rather easy. DNS configurations aren't hard to follow when you understand the simple concepts of forward and reverse lookup zone configuration. Have a static IP for your server, which should also be the DNS; that means you put the same IP address in the DNS section. You could also include the IP address of the router if you set forwarding in the DNS properties (i.e. use the IP address of the default gateway and make sure the router allows DNS forwarding).

    Generally speaking, configuring DHCP on the same server would save you a lot of trouble. MS has a neat way of integrating DHCP and DNS to act together if the DNS is AD integrated. There are various precise articles on how to do that, or you could contact me to describe it for you easily. Setting the reservations, pool, scope and activation of DHCP is seamlessly easy.

    By the way, you can set forwarding in DNS properties with the public IPs.

    I hope you get some ideas on how to go about your configurations. Don't hesitate to contact me in case of anything concerning DNS.

    bornix CCNA, CCAI, MCP, MCSA
    Wednesday, April 15, 2009 3:05 PM
  • In general, it is not recommended to point AD clients to external DNS servers.


    Got it!  Thanks Marcin!
    Wednesday, April 15, 2009 6:54 PM
  • DNS configurations arent hard to follow when you understand the simple concepts of forward and reverse lookup zone configuration.
    Oh man, good for you! :)  I wish it was that simple for me.  I still have no idea what "_msdcs" and all those folders under it (dc, domains, gc, pdc) mean and what to do with them, if anything.



    Here is what I am (sort of) looking for:

    Example:

    ---
    Microsoft recommends that the Small Business Server is configured as the only gateway to the internet on a small business network, even if the server sits behind a router with NAT like every other client computer.  This dramatically simplifies the configuration, and makes your life, as well as the lives of Microsoft Technical Support specialists and Partners, much easier. :-P

    To configure DNS in this scenario, do this (and don't do anything else):

    In server private (internal) network TCP/IP properties:
    - set a static IP address
    - set the DNS on a server to that static IP and no other DNS servers

    In clients' TCP/IP properties (or DHCP configuration):
    - set gateway and DNS addresses to the server IP address

    Check that you have access to the internet and to the server, from the client machines.

    You are done.  See how simple that is?  You don't even have to touch the advanced DNS configuration on the server and ponder the meanings of forward and reverse lookup zones, _msdcs, gc, pdc and other folders.

    However... if you have a router that is the gateway to the outside world (rather than the server itself), you will need to do one more little step.  Don't worry!  It will take less than a minute!  You will not have to go into one of those pdc, gc or domains folders and do anything there.

    All you need to do is set a forwarder in the server DNS configuration to point to the router.  You can do that by going to Computer Management, Services and Applications, DNS, expanding it, right-clicking on the DNS server there, Properties, Forwarders tab, putting in the IP address of the router, ensure that under "DNS domain", there is a default setting of "All other DNS domains", save it, and you are all set.

    Important!  Do not ponder the meaning of the zones or any of the settings in the advanced DNS configuration.  You will sleep better if you don't. :)


    ---
    There probably are errors in the above, but still, how was that? :)
    Wednesday, April 15, 2009 8:45 PM
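Marcin's layout for scenarios 1 and 2 and the SBS-style write-up above come down to the same three settings on the server: a static address, a DNS client that lists only itself, and a forwarder for everything outside the AD zone. Here is that configuration as an added PowerShell example (it is not from the thread, Microsoft's guides, or SBS), plus two hardening settings and the checks a practitioner would run afterwards. It assumes Windows Server 2012 or later (NetTCPIP, DnsClient and DnsServer modules), an adapter named "Ethernet", the thread's addresses (server 10.0.0.5/24, router 10.0.0.1), an AD-integrated zone named after the domain, and placeholder ISP resolvers from the 203.0.113.0/24 documentation range. The Server 2003/2008 equivalents (netsh and dnscmd) are noted in the comments.

```powershell
# Added example, not from the thread. Assumptions: Windows Server 2012+ (NetTCPIP,
# DnsClient, DnsServer modules); adapter alias 'Ethernet'; server 10.0.0.5/24 and
# router 10.0.0.1 from the thread; ISP resolvers are placeholders (203.0.113.0/24).
$Interface  = 'Ethernet'
$ServerIp   = '10.0.0.5'
$Prefix     = 24
$Router     = '10.0.0.1'
$Forwarders = @('203.0.113.53', '203.0.113.54')   # use @($Router) if the router must do the forwarding
$Domain     = $env:USERDNSDOMAIN                  # the AD zone hosted on this server

# 1. Static address and gateway; the DNS client lists only this server's own address.
#    (Server 2003/2008: netsh interface ip set address / set dns name="Local Area Connection" static ...)
Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $ServerIp -PrefixLength $Prefix -DefaultGateway $Router | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $ServerIp

# 2. Forwarders take over the role the ISP/router entry used to play in the client settings.
#    Root hints remain as a fallback if every forwarder is down.
#    (Server 2003/2008: dnscmd /ResetForwarders 203.0.113.53 203.0.113.54)
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3

# 3. Two settings the GUI walkthrough never mentions: answer only on the LAN address
#    (not on any future WAN/VPN interface), and accept dynamic updates into the AD zone
#    only from authenticated clients, so a stray host cannot overwrite a server's record.
dnscmd /ResetListenAddresses $ServerIp | Out-Null
if ($Domain) { Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure }

# 4. Checks: authoritative for its own zone, forwarders reachable, Internet names resolve.
Test-DnsServer -IPAddress $ServerIp -ZoneName $Domain
Test-DnsServer -IPAddress $Forwarders -Context Forwarder
Resolve-DnsName -Name 'www.microsoft.com' -Server $ServerIp -Type A | Select-Object Name, IPAddress
```

Clients then get only 10.0.0.5 as their DNS server (via DHCP or statically); the router's 10.0.0.1 belongs in the forwarder list on the server, if anywhere, not in the clients' DNS list.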
  • Alex,

    Sorry if my explanation wasn't fair enough. Getting back to your scenario:
    :::::::::
    LAN configuration: DHCP to clients with:
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5
     - DNS 2: 10.0.0.1

    Server IP: 10.0.0.5
     - Gateway - 10.0.0.1
     - DNS 1: 10.0.0.5
     - DNS 2: 10.0.0.1

    Does this sound right?

    If so, what should DNS configuration look like in this scenario?
    ::::::::::

    You are right in your thinking and configuration, and please don't bother with _msdcs, gc, pdc and the like because you don't need them for now.
    However, there is a little trick to add to your scenario. Right-click your DNS server (I hope it's on Server 2003 or 2008 because I am basing this on either of them) and go to Properties, then Forwarders. This is the section where you should type in the DNS IP addresses of your ISP. Don't forget to

    Keep in mind that, just like Marcin says, keep the configs of your local server static with the same IP for the DNS (being local), i.e.  > DNS 1: 10.0.0.5 > DNS 2: 10.0.0.1. I also hope that this DNS is AD integrated because it's easier to manage that way!

    Also, even if your question is centered around DNS, there is an issue to consider with DHCP services. If DHCP is on the same machine or network, it's easier to authorise it in AD and have DNS proxy settings and updates.

    I hope this is somewhat precise, unlike before.
    Thursday, April 16, 2009 8:44 AM
  • You are right in your thinking and configuration, and please don't bother with _msdcs, gc, pdc and the like because you don't need them for now.
    Thanks Bornix. :)


    Also, even if your question is centered around DNS, there is an issue to consider with DHCP services. If DHCP is on the same machine or network, it's easier to authorise it in AD and have DNS proxy settings and updates.
    Is it possible to keep a specific MAC address bound to a specific IP in Server 2003 or 2008 DHCP configuration?  Routers allow that type of binding, and I like that - lots of devices on the network have their own web pages these days (like VoIP phones), and I like assigning specific IPs to them.  If it's possible and not too clunky, I'll consider switching the DHCP service to the SBS server from the router.

    Oh, before I really run out of questions... :)  Is it possible to set up a "backup" DHCP server - sort of like with a backup DC?

    (Thanks again)
    Friday, April 17, 2009 3:24 AM
  • Alex,

    Keeping a specific MAC address is possible when you are making reservations. Expand your DHCP and right-click > Reservations, then > New Reservation... By the way, reservations are the best way to keep IP addresses that you don't want the DHCP to lease. Such IP addresses should be for specific devices like VoIP phones, servers, network printers and the like.

    BACKING UP DHCP SERVER
    In backing up DHCP servers we use the 80:20 rule. This is essential for both redundancy and availability. Otherwise client PCs would get APIPA addresses (169.254.0.0 - 169.254.255.255) and this voids the communication with the rest of the network.

    Backup also means that you have to divide the scope addresses between two DHCP servers. Take this scenario on my VM with Server 2003.
    With an address range of 192.168.0.1 through 192.168.0.254, I have 10 reservations for devices like servers, routers and the like. (These are reserved with the Reservation feature.) That leaves me with the 192.168.0.11 through 192.168.0.254 range. In the 80:20 rule, Server1 will lease 80%, i.e. 192.168.0.11 through 192.168.0.199, so I add an exclusion range of 192.168.0.250 through 192.168.0.254 (right-click > Address Pool and select > New Exclusion Range).
    I did the same on Server2 with the same range and reservation but changed the exclusion to have the other 80%, i.e. 192.168.0.11 to 192.168.0.199.

    For local backup
    Right-click your DHCP server and select > Backup... It automatically takes you to your DHCP backup location, usually C:\Windows\System32\dhcp\backup.  To restore, right-click the DHCP server and select > Restore...  The DHCP is restored and restarted.
    Don't forget to authorise your DHCP after configuring it. If it is the first in the domain, it has to be authorised by right-clicking and selecting > Authorise, or else it won't work. For non-domain DHCP servers, authorization is not necessary.

    I hope this meets your question, Alex.
    Friday, April 17, 2009 7:49 AM
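The reservations, 80:20 split, authorization and backup described in the reply above, as an added PowerShell example (not from the thread or from Microsoft's documentation). It computes the 80/20 boundary from the pool rather than by hand, so the two exclusion ranges cannot overlap or leave a gap, and it adds the DNS-registration settings bornix alludes to. Assumptions: Windows Server 2012 or later with the DhcpServer module, the 192.168.0.0/24 range from the reply, a DNS server at 192.168.0.5, and made-up host names, MAC addresses and domain name. The same script runs on both servers with only $Role changed.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ (DhcpServer module),
# the 192.168.0.0/24 range from the reply, and made-up names, MACs and domain.
# Run on both DHCP servers, changing only $Role.
$Role      = 'Primary'                    # 'Partner' on the second server
$ScopeId   = '192.168.0.0'
$Mask      = '255.255.255.0'
$PoolStart = '192.168.0.11'               # .1-.10 kept out of the pool for manually addressed kit
$PoolEnd   = '192.168.0.254'
$Router    = '192.168.0.1'
$Dns       = '192.168.0.5'                # assumption: the AD-integrated DNS server
$DnsDomain = 'corp.example.test'          # assumption
$Backup    = 'C:\DhcpBackup'

function Get-EightyTwentySplit {
    # Splits a pool inside one /24 so the primary leases the first 80% and the partner the last 20%.
    param([string]$Start, [string]$End)
    $octets = $Start.Split('.'); $prefix = $octets[0..2] -join '.'
    $s = [int]$octets[3]; $e = [int]$End.Split('.')[3]
    $primaryLast = $s + [math]::Floor(($e - $s + 1) * 0.8) - 1
    [pscustomobject]@{
        Primary = [pscustomobject]@{ Start = "$prefix.$s";                  End = "$prefix.$primaryLast" }
        Partner = [pscustomobject]@{ Start = "$prefix.$($primaryLast + 1)"; End = "$prefix.$e" }
    }
}
$split = Get-EightyTwentySplit -Start $PoolStart -End $PoolEnd   # .11-.205 and .206-.254 for this pool

# Identical scope and options on both servers...
Add-DhcpServerv4Scope -Name 'LAN' -StartRange $PoolStart -EndRange $PoolEnd -SubnetMask $Mask -State Active
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $Dns -DnsDomain $DnsDomain

# ...but each server excludes the other's share, so no address can be leased by both.
$excl = if ($Role -eq 'Primary') { $split.Partner } else { $split.Primary }
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $excl.Start -EndRange $excl.End

# MAC-bound reservations. Windows DHCP honours a reservation even inside an exclusion
# range, so create each one on both servers and the device gets the same address whichever
# server answers it.
$reservations = @(
    @{ IPAddress = '192.168.0.20'; ClientId = '00-11-22-33-44-01'; Name = 'voip-phone-01' },
    @{ IPAddress = '192.168.0.21'; ClientId = '00-11-22-33-44-02'; Name = 'printer-01' }
)
foreach ($r in $reservations) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $r.IPAddress -ClientId $r.ClientId -Name $r.Name
}

# DHCP-driven DNS registration: update only when the client asks, remove records when the
# lease expires, and stop a different client from taking over an existing name.
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -DynamicUpdates OnClientRequest -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# Authorize the local server in AD (a domain-joined DHCP server will not serve leases until
# it is authorized), then take a backup of the configuration and lease database.
Add-DhcpServerInDC
Backup-DhcpServer -Path $Backup      # restore with: Restore-DhcpServer -Path $Backup
```

When the DHCP role runs on the DC itself, also give it a dedicated low-privilege account for DNS updates (`Set-DhcpServerDnsCredential`); otherwise records registered by DHCP are owned by the DC's computer account, which is more than the DHCP service needs.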