Primary/Secondary DNS in single server environment

DocGreen
Hi guys, quick DNS question for you all:

In an environment with a single DNS server, what should clients use as the secondary DNS? Let me give you the scenario:

My home network has a single Windows 2k12 server running Active Directory, DNS, and File Services. DNS server is configured with forwarders (Cloudflare, OpenDNS, GoogleDNS). My Linksys LRT214 router handles DHCP, and instructs clients what to use for Primary/Secondary DNS (considering putting DHCP on the server as well). Less than 50 clients incl: Windows PCs, phones, tablets, TV, media streamers, surveillance cameras, Unifi AP, etc.


My instinct is to have clients look to a public DNS for the secondary. That way if the server goes down, clients can still reach the internet. What say you?
 
If the device is domain joined it must use the Windows server as DNS. Never set an external DNS server for domain joined computers, not even as a secondary. It can cause all sorts of authentication and trust issues.

For anything else - it doesn't matter too much. You can go ahead and set an external DNS server as secondary without any worries.
 
None..leave it blank. Here's why! When clients make DNS requests and the primary DNS server does not respond fast enough, they move onto the secondary DNS server. In a network where there is a single server...it's more likely to be bogged down doing many things, and chances are good that the server will not respond right away..so clients will move onto the secondary DNS server if there is one.

Thus...registration in active directory fails, things like group policy and other important AD functions/services fail, and in scenarios where this incorrect approach is done, you see much higher rates of workstations losing their workstation account in active directory (causing you to unjoin/rejoin the domain). Since network browsing/drive mapping still works due to broadcasts, nobody ever notices things have started breaking down.

When I see people say "But what about when the server is down, people still need to surf the web". Well...if you're worried about the server being down often...you're doing the server wrong. Start using proper real server grade hardware, not glorified desktops, redundant power supplies, RAID that is monitored, and on a battery UPS. Servers should not go down.

On the rare chance that the server goes down, it very simply takes two or three minutes to fire up DHCP on their gateway! Thinking across our clients, at the most less than 20% of our small clients with a single server have had a server issue in the daytime perhaps once in 10 years. It really should be a very rare event. Doing the improper setup of setting an external public DNS server is not the way to try to plug that hole with your finger, and it causes way more problems that cost you time, and the client more money for you to fix (or you have a less profitable client if they're an MSP client).
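One way to check for the misconfiguration the two replies above warn about, as an added example that is not from this thread: a PowerShell audit that lists every DNS server configured on a domain-joined host and flags any that is not a domain controller. It assumes the RSAT ActiveDirectory module is installed on the machine being checked.

```powershell
# Added example (not from the thread): flag non-DC DNS servers on a domain-joined host,
# the setup the replies say leads to failed AD registration and lost machine accounts.
# Assumes the RSAT ActiveDirectory module is available.
#Requires -Modules ActiveDirectory

$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Host "Not domain joined: an external secondary DNS server is acceptable here."
    return
}

# Every DC in the domain is a valid DNS target for a domain member.
$dcAddresses = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })

# On a DC itself (DomainRole 4 = backup DC, 5 = primary DC) a loopback entry is also fine.
if ($cs.DomainRole -ge 4) { $dcAddresses += '127.0.0.1' }

# Compare the per-interface IPv4 DNS server lists with the DC set.
$findings = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }
    foreach ($srv in $cfg.ServerAddresses) {
        if ($dcAddresses -notcontains $srv) {
            [pscustomobject]@{
                Interface = $cfg.InterfaceAlias
                DnsServer = $srv
                Issue     = 'Non-DC DNS server configured on a domain-joined host'
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # The secure channel is where the damage surfaces first (lost machine account trust).
    Write-Host ("Secure channel to the domain OK: " + (Test-ComputerSecureChannel))
} else {
    Write-Host "All configured DNS servers are domain controllers."
}
```

Run it from an elevated prompt on each workstation; a hit on any interface means the client will fail over to a resolver that cannot answer for the AD zones.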
 
I am a bit surprised that your router is set as the DHCP server. This will work, but I reckon letting Windows handle both (DNS and DHCP) is a better call.
 
Thanks for all the good info, guys. I should note that this is my home network, which kind of ends up being a sandbox for me to experiment with and practice things I've not encountered yet. Realistically there wouldn't normally be a server on a network like this, but like I said... sandbox. I'm actually thinking about nuking the current server and replacing it with a hypervisor so I can get more experience playing around with that, since I just recommended we transition to VM's at work rather than replacing 10-ish outdated physical servers.
 
DHCP/DNS/and AD all belong together.

If there is no secondary DC, do not have a second DNS server.... UNLESS... you've got an Untangle at the edge of your network.

Then, you can configure Untangle to forward domain lookups to the DC, which you have to do anyway to get Untangle's DNS to resolve domain records. Untangle itself uses something out in the world to resolve otherwise. In these conditions, you can use Untangle as a secondary DNS, to maintain internet connectivity while the DC is down / rebooting. This also allows for Untangle to handle DNS for the domain when it's on the far side of a VPN tunnel, caching and aggregating domain DNS traffic, which reduces DNS traffic on the relatively slow VPN link.
 
Best way to learn! That's how I used Microsoft Action Pack and other NFR licenses....I did much of my learning by playing with my network at home. Build, play, break, fix, nuke/rebuild, over..and over..and over. From NT 4 server...to 2K server, SBS2K, with and without ISA server..and on up from there. Not to mention tons and tons of various Linux based firewalls...I'd try out some new one every couple of months.
 