There are generally a few designs regarding DNS client settings for Active Directory Domain Controllers. The preferred DNS client configuration depends on the design of your Active Directory infrastructure.
Only One Domain Controller Running DNS
If you have only one server that functions as the Domain Controller (DC) and the server runs the DNS server service, you should configure the DNS client settings to point to that server’s IP address, or the loopback address (127.0.0.1).
Do not list any other DNS servers until you have another domain controller hosting the AD DNS zone in that domain. Additionally, do not list any other external DNS servers such as your ISP’s name servers.
New Domain Controller in an Existing Domain
Configure the DNS client settings on the server that will be promoted as a Domain Controller to point to another existing DNS server that hosts the AD zone for the domain.
Once you have installed the DNS service on this new Domain Controller and verified that replication of the DNS zone has occurred, you can modify the DNS client settings for that new server if needed.
Do not point the DC to itself for DNS until you have verified that replication has occurred; this prevents the server from becoming an “island” (a DNS server becomes an island when a domain controller points to itself for the _msdcs.ForestDnsName zone before that zone has replicated to it).
Setting the DNS Client Settings to Point to Itself
The main advantage of setting the client settings to point to itself is that DNS queries are resolved locally and do not depend on other DNS servers for name resolution. If replication issues or routine replication failures occur, however, this design is not optimal for the infrastructure.
Another, non-critical, problem is that you will see events reporting that the Active Directory service cannot find the zone’s DNS records. This occurs when the AD service completes its start-up before the DNS service does.
Setting the DNS Client Settings to Point to Another DNS Server
If the Domain Controller is configured to use another DNS server as its primary, it is best to have at least two dedicated DNS servers in the domain that service all Domain Controllers. This design reduces any possible DNS replication issues and ensures that all Domain Controllers have access to the most up-to-date DNS records.
The disadvantage to this design is that there will be an increase in the utilization of the dedicated DNS servers. In addition, loss of connectivity to the centralized server(s) will result in name resolution failures for the Domain Controllers which can impact servicing of clients.
A combination of the two strategies is recommended. Domain Controllers should be configured to point to themselves and an alternate DNS server if possible.
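The steps above for a new DC in an existing domain (point at an existing DNS server first, verify the AD zones replicated, then switch to the recommended self-plus-alternate configuration) can be automated and, more importantly, gated on an actual check. The following PowerShell is an added example and is not from the original article; it assumes the DnsServer module is present on the DC, the domain is corp.example.com, the new DC’s address is 10.0.0.11, an existing DC/DNS server is 10.0.0.10, and the NIC is named “Ethernet”. Adjust all of those for your environment.

```powershell
# Added example (not from the original article). All names and addresses below
# are assumptions: replace them with the values for your own domain.
$Domain        = 'corp.example.com'
$SelfAddress   = '10.0.0.11'   # this (new) domain controller
$PartnerDns    = '10.0.0.10'   # existing DC that already hosts the AD zones
$InterfaceName = 'Ethernet'

function Test-LocalAdDnsReady {
    param([string]$DomainName)

    # Both the domain zone and the forest-wide _msdcs zone must exist on this
    # server and be AD-integrated before it may act as its own DNS server.
    $zones = @(@($DomainName, "_msdcs.$DomainName") | ForEach-Object {
        Get-DnsServerZone -Name $_ -ErrorAction SilentlyContinue
    })
    if ($zones.Count -ne 2 -or ($zones | Where-Object { -not $_.IsDsIntegrated })) {
        Write-Warning "AD-integrated zones for $DomainName have not replicated to this server yet."
        return $false
    }

    # The DC locator SRV record must resolve against the local service (loopback),
    # which proves the replicated zone data is actually being served here.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                           -Server 127.0.0.1 -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "DC locator SRV record does not resolve from the local DNS service."
        return $false
    }
    return $true
}

if (Test-LocalAdDnsReady -DomainName $Domain) {
    # Replication verified: self first, existing DC as the alternate.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceName `
                               -ServerAddresses @($SelfAddress, $PartnerDns)
} else {
    # Not replicated yet: keep pointing only at the existing DNS server so this
    # server cannot become an island.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceName `
                               -ServerAddresses @($PartnerDns)
}

# Ask Netlogon to (re)register this DC's locator records, then show the result.
nltest.exe /dsregdns
Get-DnsClientServerAddress -InterfaceAlias $InterfaceName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

Run it on the new DC after the DNS server role is installed; re-run it until the readiness check passes. The check deliberately resolves the DC locator SRV record against 127.0.0.1 rather than just listing zones, because a zone object can exist locally before the replicated records are served.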
Setting the DNS Client Settings to Point to Your ISP’s DNS Servers
Under no circumstances should you configure the DNS client settings on the domain controllers to point to your ISP’s DNS servers. If you do, the Netlogon service on the domain controllers will not register the required records for AD.
Without these records registered in the AD authoritative zone, other domain members cannot locate Active Directory-related information. You can, however, configure the DNS server to forward queries to an external DNS server, such as your ISP’s DNS servers; otherwise, the DNS server can continue to use its root hints.
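A quick way to catch the misconfiguration this section warns about is to audit every DC’s DNS client settings against the set of addresses that are legitimate for a DC (its own DCs and the loopback address), and to confirm that any external resolver appears only as a forwarder on the DNS server. The script below is an added example, not from the original article; it assumes the ActiveDirectory and DnsServer modules are installed, PowerShell remoting is enabled on the DCs, and 203.0.113.53 is a placeholder for your ISP’s resolver.

```powershell
# Added example (not from the original article). Assumes RSAT modules and
# PowerShell remoting; 203.0.113.53 is a placeholder, not a real resolver.
Import-Module ActiveDirectory
Import-Module DnsServer

$ExternalForwarder = '203.0.113.53'

# The only acceptable DNS client targets on a DC are the domain's own DCs
# (which host the AD zones) or the loopback address.
$dcs     = Get-ADDomainController -Filter *
$allowed = @('127.0.0.1') + @($dcs | ForEach-Object { $_.IPv4Address })

foreach ($dc in $dcs) {
    # Collect the IPv4 DNS client servers configured on every interface of the DC.
    $configured = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    } | Select-Object -Unique)

    $external = @($configured | Where-Object { $_ -notin $allowed })
    if ($external.Count -gt 0) {
        # Netlogon on this DC cannot register its records in the AD zone.
        Write-Warning ("{0}: DNS client points to non-AD DNS server(s): {1}" -f
                       $dc.HostName, ($external -join ', '))
    } else {
        Write-Output ("{0}: OK ({1})" -f $dc.HostName, ($configured -join ', '))
    }
}

# The correct place for an ISP resolver is a forwarder on the DNS *server*
# (applied here to the local DC). Leave it out entirely to resolve via root hints.
if (-not (Get-DnsServerForwarder).IPAddress) {
    Add-DnsServerForwarder -IPAddress $ExternalForwarder -PassThru
}
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
```

Any DC flagged by the warning should have its client settings changed to a domain DNS server (or itself plus an alternate, as recommended above); the forwarder step is optional and only affects how the DNS server resolves names outside the AD zones.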