Highly Reliable Systems: Removable Disk Backup & Recovery


Never use ISP’s DNS for a Windows machine in a Domain environment

By Darren McBride

Some customers have problems with a Netswap joining a domain, or with drive shares not coming back online after a drive swap. We believe some of these problems may indicate Windows “name resolution problems”, which classically are either DNS or WINS related. Both the Windows domain controller and the Windows PCs in the domain should have ALL of their DNS server entries point to the Windows domain controller only. Also, if WINS is configured, it should ONLY point to the domain controller.

There is a tendency to want to point DNS2 to the ISP’s DNS, to the local router, or to Google or another public DNS server on the Internet. We highly recommend you do not do this, as it can produce strange name resolution problems, authentication issues, or disappearing shares.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff807362(v=ws.10)

In the article linked above, Microsoft seems to say the best practice is to use the server’s own IP address first, then the loopback address, like this:

DNS1: 192.168.254.200 (for example, if your server’s network card is 192.168.254.200)
DNS2: 127.0.0.1 (just a way of pointing to yourself again; optional)

Now for the next question: can you, or should you, point DNS2 to the ISP as a “fallback”? We believe this is a no-no. Look about halfway down in this article for the text quoted below:

https://support.microsoft.com/en-us/help/825036/best-practices-for-dns-client-settings-in-windows-2000-server-and-in-w

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider’s (ISP’s) DNS servers. If you configure the DNS client settings to point to your ISP’s DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory directory service. With these records, other domain controllers and computers can find Active Directory-related information. The domain controller must register its records with its own DNS server.

To forward external DNS requests, add the ISP’s DNS servers as DNS forwarders in the DNS management console. If you do not configure forwarders, use the default root hints servers. In both cases, if you want the internal DNS server to forward to an Internet DNS server, you also must delete the root “.” (also known as “dot”) zone in the DNS management console in the Forward Lookup Zones folder.
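The following PowerShell audit is an added example, not part of the original post or of Microsoft’s guidance. It checks a domain-joined Windows machine against the rule above (every DNS client entry must be a domain controller, with loopback allowed only on the DC itself) and shows, in comments, how the fix is applied: DC-only client entries, the ISP resolver as a server-side forwarder, and removal of the root “.” zone. The adapter name and the ISP resolver address 203.0.113.53 are placeholders; 192.168.254.200 is the address used in the post.

```powershell
# Added example (not from the original post): audit the DNS client settings of a
# domain-joined Windows machine. Every DNS server entry must be a domain
# controller (or 127.0.0.1 on the DC itself), never an ISP, router or public
# resolver. Run in an elevated PowerShell session on a domain-joined machine.

function Get-DomainControllerAddresses {
    # Ask the current domain for its DCs via .NET; no RSAT module is required.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object { $_.IPAddress }
}

function Test-DnsClientPointsToDomainControllers {
    param(
        [string[]]$AllowedAddresses = (Get-DomainControllerAddresses),
        [switch]$IsDomainController
    )
    # Loopback is acceptable only on a DC, as the linked Microsoft guidance shows.
    if ($IsDomainController) { $AllowedAddresses += '127.0.0.1' }

    $findings = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($server in $cfg.ServerAddresses) {
            if ($server -notin $AllowedAddresses) {
                [pscustomobject]@{
                    Interface = $cfg.InterfaceAlias
                    DnsServer = $server
                    Problem   = 'Not a domain controller: name resolution and Netlogon registration will be unreliable'
                }
            }
        }
    }
    return $findings
}

# Remediation on the DC (hypothetical adapter name and ISP address; run only after
# reviewing the findings). Client entries point at the DC only; Internet names are
# resolved through a server-side forwarder, not through a second client entry.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.254.200','127.0.0.1'
# Set-DnsServerForwarder -IPAddress '203.0.113.53'   # ISP resolver (TEST-NET-3 placeholder)
# Forwarders and root hints are ignored while a root "." zone exists, so remove it:
# if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) { Remove-DnsServerZone -Name '.' -Force }

# Report: an empty table means every DNS client entry is a domain controller.
Test-DnsClientPointsToDomainControllers -IsDomainController:$false | Format-Table -AutoSize
```

Run the audit with `-IsDomainController` when checking the domain controller itself so the loopback entry is not reported as a finding.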

Also see this article, and note its last line:
https://serverfault.com/questions/682819/best-practices-for-secondary-dns-in-case-of-a-single-active-directory
and this one:
https://serverfault.com/questions/394804/what-should-the-order-of-dns-servers-be-for-an-ad-domain-controller-and-why

Finally, if you’re not convinced, refer to this article. The first DNS error listed reiterates never to point Windows machines at public DNS servers:

https://mcpmag.com/Articles/2004/05/01/10-DNS-Errors-That-Will-Kill-Your-Network.aspx?Page=1

About Darren McBride

CEO, Highly Reliable Systems, Inc.

