Sunday, April 5, 2009

DNS Basic Configuration and Common Mistakes DNS Setup

One of the most common mistakes administrators make when configuring DNS is to point the DC/DNS servers to the ISP's DNS servers as their primary DNS server. I see problems related to mis-configured DNS every day, so I decided to post some best practices and basic DNS settings for domain controllers.

The misconception behind this mistake is that the DC/DNS servers must be connected to the Internet, so the ISP DNS IP addresses get added to the DC/DNS servers; underneath it is a lack of understanding of basic DNS concepts.

If you get on your DC/DNS server, issue ipconfig /all and see output similar to the one below, keep reading, because your DC/DNS is not configured correctly.

If you would like to download the video, here it is:

Video 1

Host Name . . . . . . . . . . . . : DC4
Primary Dns Suffix  . . . . . . . : smtp25.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : smtp25.org

Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.4(Preferred)
Subnet Mask . . . . . . . . . . . :255.255.255.0
Default Gateway . . . . . . . . . :10.10.10.1
DNS Servers . . . . . . . . . . . : 208.67.222.222 ( ISP DNS)
                                         208.67.220.220  (ISP DNS)
NetBIOS over Tcpip. . . . . . . . : Enabled

Here are the rules, and the previous post I have done on this (fingers crossed).

DNS configuration

1. Do not point your DC/DNS servers to your ISP DNS servers as the preferred or alternate DNS server in the TCP/IP properties.

2. Make sure the server's TCP/IP stack is configured correctly and the DNS server setting points to an ***existing DC/DNS server***.

3. The best-practice and ***most common*** configuration is to point the DC/DNS server's preferred DNS to ***itself*** and the alternate DNS to its closest neighbour that is also a DC/DNS server.

4. Make all DC/DNS servers ***Active Directory integrated DNS***; the simple reasons are security, redundancy and simplicity.

If you have one AD-integrated DC/DNS server in your environment, the DNS data is kept in the domain partition of Active Directory, so it is replicated to every other DC even if they are not DNS servers; therefore make all of them AD/DNS servers and be done with a good configuration.

5. Don't use more than one NIC. DCs don't like multiple NICs, and multi-homed DCs are most likely going to cause ***trouble***. If you do have multiple NICs on your DC, disable the second NIC and clear the option "Register this connection's addresses in DNS", so that if another admin enables this NIC inadvertently the interface still does not register in DNS.


6. Forward the recursive queries for which your domain is not authoritative to the ISP DNS servers and let them do the heavy work. (Watch the video to learn how to configure forwarders.)

7. Go to your DNS, open the forward lookup zone, locate _msdcs.yourDomain.org, go to Properties, click on Name Servers and make sure all the servers listed there are domain controllers and are functioning properly.
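Here is an added audit script that checks a DC against all seven rules above, including the ISP-resolver mistake shown in the ipconfig output at the top of the post. It is not from the original post; it assumes Windows Server 2012 or later with the DnsClient, DnsServer and ActiveDirectory PowerShell modules available, and that it runs locally on the DC with administrative rights. It only reads settings and changes nothing; the rule numbers in the warnings refer to the list above.

```powershell
# Added audit script (not from the original post). Assumes Windows Server 2012+ with the
# DnsClient, DnsServer and ActiveDirectory modules, run locally on a DC as an administrator.
# Read-only: every check maps to one of the seven rules in the post.

$domain      = (Get-ADDomain).DNSRoot                          # e.g. smtp25.org
$dcs         = Get-ADDomainController -Filter *
$dcAddresses = $dcs.IPv4Address                                # every DC's IPv4 address
$dcHosts     = $dcs.HostName | ForEach-Object { $_.TrimEnd('.').ToLower() }
$findings    = @()

# Rules 1-3: preferred/alternate DNS on every active IPv4 adapter must be this DC or
# another DC, never a public/ISP resolver such as the 208.67.x.x addresses in the post.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $adapter = Get-NetAdapter -InterfaceIndex $cfg.InterfaceIndex -ErrorAction SilentlyContinue
    if (-not $adapter -or $adapter.Status -ne 'Up') { continue }
    if (-not $cfg.ServerAddresses) { $findings += "$($adapter.Name): no DNS servers set (rule 2)"; continue }
    $preferred = $cfg.ServerAddresses[0]
    if ($dcAddresses -notcontains $preferred -and $preferred -ne '127.0.0.1') {
        $findings += "$($adapter.Name): preferred DNS $preferred is not a DC/DNS server (rules 1, 3)"
    }
    foreach ($srv in $cfg.ServerAddresses) {
        if ($dcAddresses -notcontains $srv -and $srv -ne '127.0.0.1') {
            $findings += "$($adapter.Name): DNS server $srv is not an existing DC/DNS server (rule 2)"
        }
    }
}

# Rule 4: the domain zone and the _msdcs zone should be AD-integrated.
foreach ($zoneName in @($domain, "_msdcs.$domain")) {
    $zone = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone)                { $findings += "zone $zoneName is not hosted on this server"; continue }
    if (-not $zone.IsDsIntegrated) { $findings += "zone $zoneName is not AD-integrated (rule 4)" }
}

# Rule 5: no multi-homing, and a disabled adapter must not still register its address in DNS.
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($up.Count -gt 1) { $findings += "multi-homed: $($up.Count) adapters are Up (rule 5)" }
foreach ($client in Get-DnsClient) {
    $adapter = Get-NetAdapter -InterfaceIndex $client.InterfaceIndex -ErrorAction SilentlyContinue
    if ($adapter -and $adapter.Status -ne 'Up' -and $client.RegisterThisConnectionsAddress) {
        $findings += "$($adapter.Name): not Up but 'Register this connection's addresses in DNS' is still on (rule 5)"
    }
}

# Rule 6: forwarders are where the ISP resolvers belong, so at least one should be configured.
$forwarders = (Get-DnsServerForwarder).IPAddress
if (-not $forwarders) { $findings += "no forwarders configured; non-authoritative queries are not forwarded (rule 6)" }

# Rule 7: every NS record at the apex of _msdcs must name a domain controller.
$nsRecords = Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -RRType NS -ErrorAction SilentlyContinue |
             Where-Object HostName -eq '@'
foreach ($ns in $nsRecords) {
    $nsHost = $ns.RecordData.NameServer.TrimEnd('.').ToLower()
    if ($dcHosts -notcontains $nsHost) { $findings += "_msdcs name server $nsHost is not a domain controller (rule 7)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "DNS client and server configuration on this DC follows all seven rules." }
```

Run it in an elevated PowerShell session on each DC; a server with the ipconfig output shown at the top of the post produces rule 1 and rule 2 warnings for the two 208.67.x.x addresses, and the fix is the one in rule 3 (preferred DNS pointing to itself, alternate to the nearest other DC) with the ISP addresses moved to the forwarders list (rule 6).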

Oz Casey Dedeal

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

http://smtp25.blogspot.com (Blog)
http://telnet25.wordpress.com/ (Blog)

2 comments:

Patong Hotels said...

thanks, your article is very informative.

Oz Casey Dedeal said...

Thanks for reading my blog and leaving comments

--oz