Adding Internal DNS server in Host file

  • Question

  • Hi Everybody,

    I have added a global DNS server IP address to one of my desktops (please see the network configuration screenshot).

    And after that I have added both of my domain controller IP addresses in the host file, and it is working fine.

    Can you please guide me on what problems I can face if I keep my configuration this way?

    After adding my domain configuration IP address to my host file, it's working fine.

    But I am wondering, can this setting create a problem?

    Because the computer will be able to reach corp.abc.com easily, with the help of the host file.

    Thanks & Regards,

    Param


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com


    • Edited by Param022012 Friday, August 31, 2012 3:35 PM
    Friday, August 31, 2012 3:34 PM

Answers

  • HOSTS files do NOT support SRV records. SRV records are what's used by the AD CSEs (client side extensions) to "find" domain controllers and the services they provide. Hosts files are useless in this respect.

    And using Google's DNS server, 8.8.8.8, is also useless in an AD environment. It's like I'm trying to find a beer in my fridge but the fridge is empty! Then I look outside and I ask the first guy I see walking in front of my house, who I don't even know, and yell out, "Hey, where did all the beer in my fridge go?" He will not have that answer (he'll probably look at me funny anyway). Same thing happens when your client is asking 8.8.8.8, "I need the GcIpAddress and LdapIpAddress record of my domain so I can send a logon request." 8.8.8.8 does not have that answer.


    Here's an explanation of how AD relies on its own internal DNS:

    Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
    Published by Ace Fekay, MCT, MVP DS on Aug 17, 2009 at 7:35 PM
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx


    The main reason you CAN'T mix internal and an ISP's DNS (or one such as Google's), or use your router as a DNS server (some people do that, too, thinking it's correct), is solely due to the way the operating system's client side resolver works. Basically, here's how it works:

    • AD uses DNS. DNS stores AD's resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain. If the ISP's DNS is configured in any of the internal AD member machines' IP properties (including all client machines and DCs), the machines will be asking the ISP's DNS "where is the domain controller for my domain?" whenever they need to perform a function (such as a logon request, replication request, querying and applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info and replies with an "I dunno" response, and things just fail.
    • Mixing the internal DNS and an external DNS, such as the DC as the first DNS entry and the ISP's DNS, or even your router's IP address, as the second entry, will do the same thing. This is because of the way the client side resolver service works on all machines (DCs and clients). The following should help you better understand the client side service algorithm when attempting to resolve DNS names:
    • If the server gets a response, even if it is a negative ('not found') response, it's a response and will not go to the alternate. If after the query to the first one times out (after 3 tries), it removes it from the 'eligible' resolvers list and then goes to the next one in the order listed. It will not go back to the first one until a specified timeout period (forget how long) unless one of three other things happen: restart the machine, restart the DNS Client Service or DHCP Client Service, or set a reg entry to force the TTL to reset the list after each query.
    • Therefore, the ISP's DNS, some other external DNS server, or the router as a DNS address, should not be used in any internal AD machine (DC, member server or client) or any other machine that is part of the AD infrastructure that must find a domain controller in order to function.


    Therefore, the way it will work in your current scenario mixing Google and internal DNS:

    • If the first setting is 8.8.8.8, and your machine is asking for the GC in your AD, then 8.8.8.8 will respond with a NXDOMAIN, meaning it will respond with, "I don't have that answer."
    • So because it got an answer from 8.8.8.8, even though it's the WRONG answer, the client got an answer and is now satisfied it got an answer, and it will NOT check 10.1.1.2.

    Full explanation of the client side resolver service:

    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    The DNS Client Side Resolver algorithm. Client side resolution process chart.
    If one DC or DNS goes down, does a client logon to another DC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx


    In Summary:

    • Only use your internal DNS servers. Nothing else.
    • Do not use HOSTS files. They do not support AD's SRV requirements.
    • Configure a Forwarder to 8.8.8.8. This will make internet resolution more efficient. However, there are pros and cons about forwarders, which are beyond the scope of this thread. To configure a forwarder, right-click your DNS server name in the DNS console, choose Properties, click on the Forwarders tab, and type in 8.8.8.8.


    Side Note: I don't recommend Google's DNS server because they do not support EDNS0. Some domain names may not be resolvable using Google's DNS servers due to this fact. I recommend 4.2.2.2 and 4.2.2.3. If you are curious about EDNS0, here's more info:

    What is EDNS0? (Extension mechanisms for DNS)
    Published by Ace Fekay, MCT, MVP DS on Oct 11, 2010 at 2:46 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Saturday, September 1, 2012 6:42 PM
    • Proposed as answer by Patris_70 Sunday, September 2, 2012 9:00 PM
    • Marked as answer by Rick Tan Thursday, September 6, 2012 2:28 AM
    Saturday, September 1, 2012 6:41 PM
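The resolver behaviour described in this answer (a HOSTS file answers only name-to-address lookups, and the first server that replies, even with NXDOMAIN, ends the query, while a server that times out three times is dropped), modelled as an added Python example that is not part of the thread. The server list, zone contents and SRV answer are constructed from the thread's own values (8.8.8.8, 10.1.1.2, 10.1.1.3, corp.abc.com); the model simplifies the real DNS Client service to just those rules.

```python
from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"
RETRIES = 3  # per the post: a server is dropped from the eligible list after 3 tries


@dataclass
class DnsServer:
    ip: str
    zones: Optional[dict]  # {(name, type): answer}; None = never replies at all

    def query(self, qname, qtype):
        if self.zones is None:
            return TIMEOUT
        return self.zones.get((qname.lower(), qtype), NXDOMAIN)


@dataclass
class ClientResolver:
    """Simplified model of the Windows DNS Client service on one machine."""
    hosts: dict                 # constructed HOSTS file: {hostname: ip}
    servers: list               # NIC DNS list in preferred order
    eligible: list = field(init=False)
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.eligible = list(self.servers)

    def resolve(self, qname, qtype="A"):
        # Rule 1 (hosts file): consulted first, but it can only map a name to
        # an address, so an SRV lookup for a DC always falls through to DNS.
        if qtype == "A" and qname.lower() in self.hosts:
            self.log.append(f"{qname} {qtype}: answered from HOSTS")
            return self.hosts[qname.lower()]
        # Rule 2 (server list): walk the eligible servers in order; the first
        # reply, even a negative one, ends the query. The next server is only
        # tried when the current one times out RETRIES times.
        for server in list(self.eligible):
            for _ in range(RETRIES):
                answer = server.query(qname, qtype)
                if answer != TIMEOUT:
                    self.log.append(f"{qname} {qtype}: {server.ip} replied {answer}")
                    return answer
            self.log.append(f"{server.ip} timed out {RETRIES} times; removed")
            self.eligible.remove(server)  # stays out until the service restarts
        return TIMEOUT


# Constructed data modelled on the thread: DCs at 10.1.1.2 / 10.1.1.3 host
# corp.abc.com; Google's 8.8.8.8 knows nothing about the internal zone.
DC_SRV = ("_ldap._tcp.dc._msdcs.corp.abc.com", "SRV")
DC_ANSWER = "0 100 389 dc1.corp.abc.com."
INTERNAL_DC = DnsServer("10.1.1.2", {("corp.abc.com", "A"): "10.1.1.2",
                                     DC_SRV: DC_ANSWER})
GOOGLE = DnsServer("8.8.8.8", {})
HOSTS_FILE = {"corp.abc.com": "10.1.1.2"}


def mixed_config():
    """Param's setup: 8.8.8.8 first, DC second, HOSTS entry for the domain.
    The A lookup works via HOSTS; the DC locator SRV lookup gets NXDOMAIN
    from 8.8.8.8 and 10.1.1.2 is never asked."""
    client = ClientResolver(HOSTS_FILE, [GOOGLE, INTERNAL_DC])
    return client.resolve("corp.abc.com"), client.resolve(*DC_SRV), client.log

def internal_only():
    """Recommended setup: only the DCs on the NIC, no HOSTS entry."""
    return ClientResolver({}, [INTERNAL_DC]).resolve(*DC_SRV)

def first_dc_down():
    """A DC that never replies is dropped after RETRIES tries; the next DC answers."""
    client = ClientResolver({}, [DnsServer("10.1.1.3", None), INTERNAL_DC])
    return client.resolve(*DC_SRV), [s.ip for s in client.eligible]
```

Running `mixed_config()` reproduces the failure Param asked about: the A lookup succeeds from HOSTS, but the DC locator SRV query ends at 8.8.8.8 with NXDOMAIN and the internal DC is never consulted.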
  • Hi,

    First of all let me tell you one thing: if your system is connected to a domain and using Active Directory, you should not use a public DNS as the Preferred DNS (8.8.8.8), because whenever your workstation tries to contact AD, it will search in 8.8.8.8 for Active Directory. So, change it to 10.1.1.2 and 10.1.1.3, as these IPs belong to the DCs, and remove 8.8.8.8 completely.



    • Edited by VenkatSP Friday, August 31, 2012 3:42 PM
    • Proposed as answer by Ace Fekay [MCT] Saturday, September 1, 2012 6:23 PM
    • Marked as answer by Rick Tan Thursday, September 6, 2012 2:30 AM
    Friday, August 31, 2012 3:41 PM

All replies

  • You can use your DNS server as the first and preferred DNS server on your clients. If you want, you can configure a DNS forwarder to a public DNS server (8.8.8.8). Anyway, the Microsoft DNS server has all the root DNS server records.

    http://technet.microsoft.com/en-us/library/ff807391(v=ws.10).aspx


    Darshana Jayathilake

    Friday, August 31, 2012 3:49 PM

  • DNS configuration best practice on DC and clients/member servers:

    -->> Multihoming domain controllers is not recommended; it always results in multiple problems.
    ------------------------------------
    1. Domain Controllers should not be multi-homed
    2. Being a VPN Server and even simply running RRAS makes it multi-homed.
    3. DNS even just all by itself, is better on a single homed machine.
    4. Domain Controllers with the PDC Role are automatically Domain Master Browser. Master Browsers should not be multi-homed

    272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    -->>DNS configuration on domain controller:
    ------------------------------------------
    1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
    2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
    3. If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is on top in the NIC binding order.
    4. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.

    -->> DNS configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of client/member server.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, August 31, 2012 4:48 PM
  • Hi,

    If all machines are in a domain environment and DCs/DNS servers are available, then all should point to the local DNS servers for queries. A public DNS IP has no idea about the resource records available in the domain, hence the DNS query will fail. Host file modification and a public DNS server's IP on the DC as well as on domain members are not recommended; even that setting is not required.

    Do not set a public DNS server in the TCP/IP settings of the DC; please remove it from the NIC, contact your ISP and get valid DNS IPs from them, and add them to the DNS forwarders.

    See the below article in my blog:
    Best practices for DNS client settings on DC and domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Friday, August 31, 2012 6:04 PM
  • Why are you doing so much exercise?... Why do you need 8.8.8.8 in the Primary DNS field of the client?

    Please note: DNS is what the client uses to resolve IPs from hosts and vice versa.

    If you are configuring 8.8.8.8 in your client, all internal name requests will also be sent to this DNS, which will cause unwanted delay or failure in name resolution, as you have configured a secondary DNS (which is internal).

    As all others recommended, please do not use public DNS in clients/servers except in forwarders; this will cause unwanted delay or failure of name resolution.


    Hope it helps

    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Friday, August 31, 2012 9:18 PM
  • Hi VenkatSP,

    Thanks for your reply.

    Well, I have added my DC IP address in the host file, so whenever the computer searches for corp.abc.com, it will go to 10.1.1.2, right?

    I am asking this awkward question because I am wondering, except for DNS resolution, what other services are dependent on the Preferred DNS server of the NIC.

    Thanks & Regards,

    Param


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

    Saturday, September 1, 2012 6:38 AM
  • Hi Sarang and all,

    Thank you so much for your reply,

    Well, what I have understood is that if I keep my Preferred DNS Server IP address in the NIC as the global DNS IP address, then the IP-to-name resolution of internal host names will be slow.

    What other problems can I face?

    Well, when the client computer searches for corp.abc.com for a resource record, it will get the proper IP address of the DC, because of the modification done in the host file on the client computer.

    Am I right?

    Sorry for asking an awkward question.

    Thanks & Regards,

    Param


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

    Saturday, September 1, 2012 6:53 AM
  • Hello,

    why are you doing this configuration mix that is NOT necessary NOR recommended?

    http://technet.microsoft.com/en-us/library/cc775637(v=ws.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Patris_70 Sunday, September 2, 2012 9:01 PM
    Saturday, September 1, 2012 5:28 PM
  • Our company uses a VPN to connect with HQ. All our remote sites are slow on the DNS response. We would prefer to use external DNS for this purpose. So is there a way to get the internal domain structure working without DNS? Even old WINS. Latency on name resolution over VPN to different parts of the country is about 100ms and their external resolution is happening in 10ms. Slows down their internet apps. That is worse than having a domain computer. Almost ready to switch to workgroup and be done with it. I understand that SRV records won't happen with a hosts file. Is there another way?
    Monday, August 1, 2016 4:57 PM
  • Our company uses a VPN to connect with HQ. All our remote sites are slow on the DNS response. We would prefer to use external DNS for this purpose. So is there a way to get the internal domain structure working without DNS? Even old WINS. Latency on name resolution over VPN to different parts of the country is about 100ms and their external resolution is happening in 10ms. Slows down their internet apps. That is worse than having a domain computer. Almost ready to switch to workgroup and be done with it. I understand that SRV records won't happen with a hosts file. Is there another way?

    It's probably better to set up a DC with DNS & WINS locally. This will help AD auth & logon times, and DNS resolution.

    Otherwise, the only other course of action *in your scenario* as described, is switch back to a workgroup.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, August 1, 2016 5:35 PM
  • I can't see putting a server at 150 locations when each location only has 2-5 computers.

    What about a script I can run at 12am to 5am that would allow the computer to communicate via dns internal then during business hours I switch it back to External DNS so the internet applications function normally.  Would that keep the computer accounts from expiring and me not having to rejoin the domain?

    Monday, August 1, 2016 6:05 PM
  • I can't see putting a server at 150 locations when each location only has 2-5 computers.

    What about a script I can run at 12am to 5am that would allow the computer to communicate via dns internal then during business hours I switch it back to External DNS so the internet applications function normally.  Would that keep the computer accounts from expiring and me not having to rejoin the domain?

    I didn't know until just now that you have 150 locations with only a couple of boxes. Sounds like a retail POS, or similar. Nonetheless, if they are AD clients, and you want to use external DNS, you *will* have problems.

    Your script solution won't work for auth, but sure it will work for the computer accounts, but AD is more than just that, which I'm sure you already know.

    Maybe go with workgroup computers, which curtails AD auth and resource permissions, or use TS or RDS and won't need joined machines. If you have 150 locations, then you know the benefits of RDS is on your side.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, August 2, 2016 2:26 PM