Right after introducing the first Windows Server 2012 R2 domain controller into a Windows Server 2003 network, besides the changes on the DHCP server and transferring the FSMO roles, it is also important to review and set correct values for the DNS server addresses on both domain controllers. DNS is an integral part of Active Directory Domain Services, so the proper functioning of the entire domain practically depends on the proper functioning of the DNS servers.

What you will read in this post:

1. DNS settings of a single domain controller in Active Directory Site

2. Configure DNS server addresses on multiple Domain Controllers in Active Directory Site

3. General recommendations for configuring DNS on Domain Controllers

4. Configure DNS Forwarders on Domain Controller

Let’s begin.

1. DNS settings of a single Domain Controller in Active Directory Site

In my case, here is what I had for DNS on my Windows Server 2003 DC before introducing Windows Server 2012 R2:

DNS values on Windows Server 2003

NIC settings of Windows Server 2003

Since it was the only DNS server in the domain, it was using its loopback IP address as the preferred DNS server. There were no issues resolving names within the domain itself, and for resolving external names I had public DNS servers configured as DNS Forwarders. As I mentioned before, all DC and DNS tests were positive.

2. Configure DNS server addresses on multiple Domain Controllers in Active Directory Site

As I wrote in the post “Introducing Windows Server 2012 as second domain controller”, before installing Active Directory Domain Services and DNS on the Windows Server 2012 R2 (which in this case study I also call “Server D”), the DNS server for Server D was set to the IP address of the Windows Server 2003 (logically, as it was the only DNS server in the domain). However, after the successful promotion of Server D to domain controller, here is what changed automatically:

DNS values on Windows Server 2012 R2

NIC settings of Windows Server 2012 R2

The value for Preferred DNS server remained the same (the IP address of the Windows Server 2003), but the Alternate DNS server was set to the loopback IP address of the newly promoted domain controller (Windows Server 2012 R2), i.e. the configuration wizard automatically configured the DNS settings according to the general recommendations from Microsoft.

3. General recommendations for configuring DNS on Domain Controllers

When I say general recommendations from Microsoft, I mean the general guidelines that the Microsoft AD and Networking Support teams give to customers. Check this page on the Ask the Directory Services Team blog and especially the question “What is Microsoft’s best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?“. I hope you will find your answers there.

There are many discussions about what should be set as the first and what as the second DNS server, especially when your DCs are in different Active Directory sites.

However, for a single site with more than one domain controller, things seem to be relatively simple:

  • on each DC, always put the other DC’s DNS server as its primary DNS server;
  • each DC should include the loopback address 127.0.0.1 in its list of DNS servers, but not as the first entry.

If you have a more complex environment, then consider this extensive library of resources as a starting point for everything regarding the Domain Name System.

Let’s get back to the story.

Having this logic in mind and following the above mentioned guidelines, I had to change the original DNS settings on the Windows Server 2003 (Server A), since we now have a different situation. On the NIC adapter of Server A, I set Server D as the primary DNS server and its own loopback IP address 127.0.0.1 as the secondary DNS server.
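To make the two guidelines above checkable rather than a matter of eyeballing the NIC dialog, here is an added PowerShell example (not from the original post) that reads the current IPv4 DNS client list on a DC, reports every way it departs from the “partner DC first, loopback present but not first” rule, and only then rewrites the list. The interface alias “Ethernet” and the addresses 192.168.1.10 (Server A) and 192.168.1.20 (Server D) are assumed values; the DnsClient cmdlets exist on Windows Server 2012 R2 (Server D) but not on Windows Server 2003, where the same order is set with netsh as shown in the closing comment.

```powershell
# Added example: enforce the "other DC first, loopback second" DNS client order on a DC.
# Assumed values: NIC alias 'Ethernet', partner DC 192.168.1.10 (Server A); run on Server D.
$InterfaceAlias = 'Ethernet'
$PartnerDcIp    = '192.168.1.10'
$Loopback       = '127.0.0.1'

function Test-DcDnsClientOrder {
    param(
        [string[]]$ServerAddresses,   # the NIC's current DNS server list, in order
        [string]$PartnerDc            # the other DC in the same site
    )
    # Returns the list of guideline violations; an empty list means the order is correct.
    $problems = @()
    if ($ServerAddresses.Count -lt 2) {
        $problems += 'fewer than two DNS servers configured'
    }
    if ($ServerAddresses.Count -ge 1 -and $ServerAddresses[0] -ne $PartnerDc) {
        $problems += "first entry is '$($ServerAddresses[0])', expected partner DC $PartnerDc"
    }
    if ($ServerAddresses -notcontains $Loopback) {
        $problems += 'loopback 127.0.0.1 is missing from the list'
    } elseif ($ServerAddresses[0] -eq $Loopback) {
        $problems += 'loopback 127.0.0.1 must not be the first entry'
    }
    return ,$problems   # unary comma keeps an empty array from unrolling to $null
}

$current = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
Write-Host "Current IPv4 DNS servers on '$InterfaceAlias': $($current -join ', ')"

$issues = @(Test-DcDnsClientOrder -ServerAddresses $current -PartnerDc $PartnerDcIp)
if ($issues.Count -eq 0) {
    Write-Host 'DNS client order already follows the guideline; nothing to change.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    # Order matters: the partner DC first, the DC's own loopback address second.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($PartnerDcIp, $Loopback)
    $after = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    Write-Host "New IPv4 DNS servers on '$InterfaceAlias': $($after -join ', ')"
    # Re-register the DC's own A/SRV records through the new resolver order and drop cached answers.
    ipconfig /registerdns | Out-Null
    ipconfig /flushdns    | Out-Null
}

# Windows Server 2003 (Server A) has no DnsClient module; the equivalent order there is set with netsh
# (assumed connection name 'Local Area Connection', Server D = 192.168.1.20):
#   netsh interface ip set dns name="Local Area Connection" static 192.168.1.20 primary
#   netsh interface ip add dns name="Local Area Connection" addr=127.0.0.1 index=2
```

Run it once per DC with the partner address swapped; the check function runs before any change, so a DC that is already compliant is left untouched, and the warnings tell you exactly which of the two rules was broken.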

4. Configure DNS Forwarders on Domain Controller

What I have done until now:

  • set correct DNS settings on Server A after promotion of Server D – checked;
  • set correct DNS settings on Server D – checked (configured automatically during the configuration wizard);
  • configure DNS Forwarders on Server A – checked (previously configured);
  • configure DNS Forwarders on Server D – missing.

Although everything worked normally and all DNS requests were being resolved quickly, a single point of failure existed because only Server A had DNS forwarders configured. This means that if Server A goes down, the chain to the public DNS servers is broken and resolving names outside the domain becomes impossible. This was additionally confirmed by the results of the Best Practices Analyzer for the DNS role on Server D (Windows Server 2012 R2).

Unlike Windows Server 2003, Windows Server 2012 R2 automatically tries to resolve the IP addresses of the forwarders into their FQDNs, and vice versa, when you configure them:

DNS Forwarder trying to resolve IP to FQDN

However, a problem with external name resolution appeared. The DNS server was not able to resolve the IP address 8.8.8.8 (one of Google’s public DNS servers) into an FQDN:

DNS Forwarder error resolving IP to FQDN

I opened a command prompt and tried the nslookup command, also without success:

DNS nslookup cmd error

It turned out that the corporate firewall was blocking these DNS requests from Server D (where I was trying to configure the DNS Forwarders) to the outside world. After modifying the DNS rule in the firewall, everything was back to normal:

DNS Forwarder resolved IP to FQDN successfully

And nslookup command as well:

DNS nslookup cmd success

Well, now we have both servers with properly configured settings for internal as well as external DNS resolution.

Running a full dcdiag test at the end also confirmed the correct DNS configuration of both servers for the domain.

The results after running the Best Practices Analyzer showed a warning “DNS: The DNS Server should have scavenging enabled”. Scavenging is a “mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time”. Read more about Aging and Scavenging.

After configuring scavenging on Server D (with the default value of 7 days), the BPA results were fine. I didn’t configure scavenging on Server A, simply because it was working fine and, moreover, it is going to be demoted soon.
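The forwarder, firewall-check, scavenging and dcdiag steps of this section, scripted for Server D as an added PowerShell example (not from the original post). It uses the DnsServer module that is installed with the DNS Server role on Windows Server 2012 R2; the zone name corp.example is a hypothetical placeholder, 8.8.8.8 is the public resolver from the post and 8.8.4.4 an assumed second one, and the test name www.microsoft.com is just a public name chosen for the external-resolution check. The reverse lookup of the forwarder addresses through the local server reproduces the check the Forwarders dialog performs, which is the one that failed while the firewall rule was wrong.

```powershell
# Added example: forwarders, outbound DNS check, scavenging and verification on Server D (2012 R2).
# Assumed values: forwarders 8.8.8.8 (from the post) and 8.8.4.4, zone name 'corp.example'.
$Forwarders = @('8.8.8.8', '8.8.4.4')
$ZoneName   = 'corp.example'

# 1. Add each forwarder that is not already configured (Add-DnsServerForwarder appends to the list).
$existing = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
foreach ($fwd in $Forwarders) {
    if ($existing -notcontains $fwd) {
        Add-DnsServerForwarder -IPAddress $fwd
        Write-Host "Added forwarder $fwd"
    }
}
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. The check that failed in the post: reverse-resolve each forwarder's address through the local
#    DNS server (Resolve-DnsName turns an IP address into a PTR query). A failure here with a
#    reachable forwarder points at an outbound UDP/TCP 53 rule, as it did for Server D.
foreach ($fwd in $Forwarders) {
    # Test-NetConnection only probes TCP/53; blocked UDP/53 shows up as a failed lookup below.
    $tcp = Test-NetConnection -ComputerName $fwd -Port 53 -WarningAction SilentlyContinue
    Write-Host ("TCP/53 to {0}: {1}" -f $fwd, $tcp.TcpTestSucceeded)
    try {
        $ptr = Resolve-DnsName -Name $fwd -Server 127.0.0.1 -ErrorAction Stop
        Write-Host ("PTR for {0}: {1}" -f $fwd, (($ptr | Where-Object Type -eq 'PTR').NameHost -join ', '))
    } catch {
        Write-Warning "Reverse lookup of $fwd via the local DNS server failed: $($_.Exception.Message). Check the firewall's outbound DNS rule for this server."
    }
}

# 3. External forward resolution through the local server, the same thing nslookup showed in the post.
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server 127.0.0.1 -ErrorAction Stop |
    Select-Object Name, Type, IPAddress

# 4. Clear the BPA warning: enable scavenging with the default 7-day intervals and turn aging on
#    for the zone, so stale records are cleaned up instead of accumulating.
Set-DnsServerScavenging -ScavengingState $true `
                        -ScavengingInterval 7.00:00:00 `
                        -RefreshInterval    7.00:00:00 `
                        -NoRefreshInterval  7.00:00:00 `
                        -ApplyOnAllZones
Set-DnsServerZoneAging -Name $ZoneName -Aging $true
Get-DnsServerScavenging

# 5. Final verification: the DNS portion of dcdiag (run plain 'dcdiag' for the full test set).
dcdiag /test:DNS /v
```

Step 2 is the part worth keeping around after the rollout: running it on each DC tells you whether every server, not just Server A, can reach the public resolvers on its own, which is exactly the single point of failure the BPA flagged.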

Finally, the DNS part is over.