One of the most common mistakes administrators make when configuring DNS is to point the DC/DNS servers to the ISP's DNS servers as their primary DNS server. I see problems related to misconfigured DNS every day, so I decided to post some of the best practices and basic DNS settings for domain controllers.
The misconception behind this mistake is that the DC/DNS servers need to be connected to the internet, so the ISP DNS IP addresses get added to the DC/DNS servers, usually combined with a lack of understanding of basic DNS concepts.
If you get on your DC/DNS server, issue ipconfig /all and see output similar to the one below, you need to keep reading, because your DC/DNS is not configured correctly.
If you would like to download the video, here it is:
Host Name . . . . . . . . . . . . : DC4
Primary Dns Suffix . . . . . . . : smtp25.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : smtp25.org
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.4(Preferred)
Subnet Mask . . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . . : 10.10.10.1
DNS Servers . . . . . . . . . . . : 184.108.40.206 ( ISP DNS)
220.127.116.11 (ISP DNS)
NetBIOS over Tcpip. . . . . . . . : Enabled
1. Do not point your DC/DNS servers to your ISP DNS servers in the Preferred and Alternate DNS server fields of the TCP/IP properties.
2. Make sure the server's TCP/IP stack is configured correctly and that its DNS server setting points to an ***existing DC/DNS*** server.
3. One of the best practices and the ***most common*** configuration is to point the DC/DNS server's Preferred DNS to ***itself*** and its Alternate DNS to its closest neighbour that is also a DC/DNS server.
4. Make all your DC/DNS servers ***Active Directory integrated DNS*** servers. The simple reasons are security, redundancy and simplicity.
If you have even one AD-integrated DC/DNS server in your environment, the DNS data is kept in the domain partition of Active Directory and is therefore replicated to every other DC, even those that are not DNS servers. So make all of them AD/DNS servers and be done with it; that is a good configuration.
5. Don't use more than one NIC. DCs don't like multiple NICs, and multi-homed DCs are most likely going to cause ***trouble***. If you do have multiple NICs on your DC, disable the second NIC and clear the option “Register this connection's addresses in DNS”, so that if another admin enables this NIC inadvertently, the interface does not register itself in DNS.
6. Forward the recursive queries for which your domain is not authoritative to the ISP DNS servers and let them do the heavy work. (Watch the video to learn how to configure forwarders.)
7. In your DNS console, under Forward Lookup Zones, locate _msdcs.yourDomain.org, open its properties, click the Name Servers tab and make sure all the servers listed there are domain controllers and that they are functioning properly.
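As an added example (not part of the original post), the following PowerShell script audits a DC against the seven points above and reports anything that deviates. It assumes it runs on the DC itself with the ActiveDirectory, DnsServer and DnsClient modules available, and that _msdcs.<domain> is delegated to its own zone (the default on modern DCs); the loopback address is accepted as "itself".

```powershell
# Added audit script, not from the original post. Assumes it runs on the DC
# with the ActiveDirectory, DnsServer and DnsClient modules present.
Import-Module ActiveDirectory, DnsServer, DnsClient -ErrorAction Stop

$domain   = (Get-ADDomain).DNSRoot
$dcs      = Get-ADDomainController -Filter *
# Acceptable DNS client targets: any DC in the domain, or itself via loopback
$dcIPs    = @($dcs.IPv4Address) + '127.0.0.1'
$findings = @()

# Rules 1-3: the DNS client must point at itself or another DC, never the ISP
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($srv -notin $dcIPs) {
            $findings += "NIC '$($cfg.InterfaceAlias)': DNS server $srv is not a DC in $domain"
        }
    }
}

# Rule 5: flag a multi-homed DC, and a disabled NIC that still registers in DNS
$upNics = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($upNics.Count -gt 1) {
    $findings += "Multi-homed DC: adapters Up = $($upNics.Name -join ', ')"
}
foreach ($nic in Get-NetAdapter) {
    $client = Get-DnsClient -InterfaceIndex $nic.ifIndex
    if ($nic.Status -ne 'Up' -and $client.RegisterThisConnectionsAddress) {
        $findings += "NIC '$($nic.Name)' is not Up but still registers its address in DNS"
    }
}

# Rule 6: forwarders must exist (non-authoritative queries go to the ISP) and
# must not be the DCs themselves
$fwd = (Get-DnsServerForwarder).IPAddress
if (-not $fwd) {
    $findings += "No forwarders configured; recursion falls back to root hints"
} elseif ($fwd.IPAddressToString | Where-Object { $_ -in $dcIPs }) {
    $findings += "A forwarder points at a DC instead of the ISP resolvers"
}

# Rule 7: every NS record at the root of _msdcs.<domain> must be a current DC
$ns = Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -RRType NS -Node -ErrorAction SilentlyContinue
foreach ($rec in $ns) {
    $nsHost = $rec.RecordData.NameServer.TrimEnd('.')
    if ($dcs.HostName -notcontains $nsHost) {
        $findings += "NS record $nsHost on _msdcs.$domain is not a current DC"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "DNS configuration on $env:COMPUTERNAME passes all seven checks" }
```

Rule 4 (AD-integrated zones) is not checked here; the ZoneType and IsDsIntegrated properties of Get-DnsServerZone are the place to look for it.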
Oz Casey Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +