Friday, September 18, 2015

domain name system - Best practices for secondary DNS in case of a single Active Directory



I have a setup with only one Active Directory (not redundant).
What should be configured on the client PCs to ensure the best DNS resolution?
Currently somebody configured the IP address of the AD as primary DNS and a public DNS as secondary (not the Google one but the DNS of the provider).



Although it seems to run fine in most of the use cases, I don't think it's a good practice and I have already seen 2 problems:



1) One time a GPO was not applied on a PC. Probably the PC tried to resolve an SRV record and, for whatever reason, the DNS request has probably been sent to the secondary DNS server. The secondary DNS server is of course not able to answer.

I have no proof it was the issue but I suspect it.
The clients are Windows 7 and the server is Windows Server 2012.



2) Another time, a user created a ticket because he was not able to log in to a LAN application (Terminal Server). The error message was related to a DNS resolution error. nslookup and ping resolved the name fine. After an ipconfig /flushdns, the user was able to connect to the Terminal Server. Conclusion: the cause of the problem was probably a negative DNS answer which had been cached on the PC.



Only filling in one primary DNS has a major drawback: if there is an issue with the AD, the users are totally blocked and cannot surf the internet, access emails, etc.



A solution which has been implemented for another group of users is to deploy a small DNS server (dnsmasq) with some rules to forward the AD domain only to the AD server, and the rest (public DNS) to the AD server plus others as secondary.
With that setup, the users can continue to surf in case of an issue with the AD, and all the AD (local) queries are only sent to the AD DNS server.




On the AD server itself, what is the best practice? By default, Windows Server configures its primary DNS as 127.0.0.1. Can we set up a secondary (public / ISP DNS)?



So I'm looking for what the best practice is, and I hope to read your feedback because I'm probably not the only one in this situation. Duplicating the AD would of course be better, but it has a cost that not every client is willing to pay.
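The dnsmasq split-forwarding setup the question describes, written out as an added example (it is not the poster's own configuration). The AD domain corp.example, the domain controller address 192.0.2.10, the ISP resolvers 198.51.100.53 and 198.51.100.54, and the interface name eth0 are placeholders; clients would be handed the dnsmasq host as their only DNS server via DHCP.

```conf
# Listen only on the LAN interface and ignore the host's own /etc/resolv.conf,
# so the upstream list in this file is the only one dnsmasq uses.
interface=eth0
no-resolv

# Try upstreams in the order listed instead of favouring whichever answered
# fastest; without this, "everything else" queries may drift to the ISP
# resolver even while the domain controller is healthy.
strict-order

# Split forwarding: every name under the AD domain (subdomains match too, so
# this covers the _msdcs/_sites/_tcp/_udp SRV records that GPO processing and
# logon rely on) and the LAN's reverse zone go to the domain controller only.
# A public resolver never sees these and can never answer NXDOMAIN for them.
server=/corp.example/192.0.2.10
server=/2.0.192.in-addr.arpa/192.0.2.10

# Everything else: the domain controller first (its own forwarder handles
# public names), then the ISP resolvers as fallback when the DC is down.
server=192.0.2.10
server=198.51.100.53
server=198.51.100.54

# Do not cache negative answers on this box, so a transient NXDOMAIN from an
# upstream is not handed to every client until its TTL expires (the second
# failure mode in the question, where only ipconfig /flushdns cleared it).
no-negcache
```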


Answer



There's only one best practice solution here: you need an additional Domain Controller with the Active Directory DNS service installed. You should then configure a forwarder within DNS to use whatever your preferred provider is.



You then have full redundancy for Active Directory and DNS.



You should then configure your clients (through DHCP, ideally) to use one as the primary and one as the secondary.

