Since we are on the topic of DNS as it relates to Windows and Active Directory, I thought I’d bring up another issue that I have regularly encountered at customer sites. This has to do with the configuration of the DNS client settings on DNS-enabled Domain Controllers.
In Windows 2000, there were cases where if a server were configured to register to itself and only itself, it could in certain cases become a replication island. This means that the only DCs it knows about is itself and any changes made on that DC do not propagate outward, nor do changes made elsewhere propagate back. (For more information, see http://support.microsoft.com/kb/275278)
The resolution to this was simple: point the DNS client on the server to a different DC and allow replication to continue. For this reason, many clients I have worked with have configured their DCs to point to other servers as primary (and itself as secondary, usually). The problem with this was that it quickly became chaotic and replication islands would appear for groups of DCs instead of single servers.
This questionable practice has carried over into Windows 2003 AD as well. However, there is good news. Most users/administrators do not know this, but the DNS registration process in Windows Server 2003 was changed to eliminate (or at least reduce to the point of statistical improbability) the possibility of the replication islands mentioned above.
Windows Server 2003 domain controllers now not only register themselves with their primary DNS server (usually themselves), but they also register their addresses with several other DNS servers throughout the domain, thereby ensuring that their record stays fresh and is fully replicated across the domain and/or forest. What this means for administrators is that they do not need to create a chaotic hierarchical DNS registration topology to ensure that no islands form. They can instead set the primary DNS server of the DC to itself and leave it at that. For added emotional security, though, the secondary DNS server can be set to another server in the domain. It is usually expected to be the first server or PDC emulator role holder.
When the domain and forest are configured in Native 2003 mode, you can even store all forest DNS domains on all DNS servers in all domains in the forest. This new configuration adds a new application partition in Active Directory called ForestDnsZones.DnsForestName and stores the DNS records for all AD Integrated zones there. Using this setting can help alleviate complex forwarding configurations in a multi-domain forest situation since it would bring all DNS names to all DNS servers and speed name resolution to the client. There is some additional replication overhead cost, but in my opinion, the benefits greatly outweigh the costs.
So, in summary, a highlight of the best DNS practices with respect to Windows Server 2003 DC/DNS client settings is:
- Make sure that the domain and forest are in Native 2003 mode.
- Configure the domain zones to replicate to all DNS servers in the forest.
- Point the DC to itself (127.0.0.1) as its own primary DNS server. (NOTE: make sure that this is done on new domain controllers only after replication of the domain is complete.)
- For added peace of mind, point the secondary DNS server to the “root” server in the domain. I prefer to use the PDC emulator role holder for this purpose. Or, in a multi-domain forest, point it to the PDC emulator in the root domain.
Whatever you decide to do, be sure your configuration is fully documented and consistent. This will help greatly in troublshooting name resolution issues and anything that depends on DNS.