Best Practices for DNS Configuration in an Active Directory Domain

Summary: Best-practice recommendations for configuring DNS in an Active Director

Article Content


Symptoms

Article Summary: This article provides best-practice recommendations for configuring DNS in an Active Directory domain.


 

For Active Directory to function as intended, proper configuration of DNS is essential. Improperly configured DNS can cause a variety of issues, including logon failures, Group Policy processing problems, and replication issues. The following list of best practices is not all-inclusive but will help ensure proper name resolution within an Active Directory domain.

  • In a small environment, at least one domain controller (DC) should be a DNS server. It is possible to install DNS on servers which are not DCs, including non-Windows servers, but installing DNS on DCs allows the use of AD-integrated lookup zones (see below), which improve security and simplify zone replication.
     
  • In a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.

     
  • If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. Each DC's list of DNS servers should include its own address, but not as the first server in the list. If a DC uses only itself for resolution, it may stop replicating with other DCs. This is obviously not an issue in a domain with only one DC.

     
  • All domain-joined computers must use only internal DNS servers. If a domain-joined computer is configured to use an external server as an alternate DNS server, a temporary lack of connectivity to an internal DNS server will cause that machine to begin using the external server for resolution. That external server will be unable to resolve queries for anything inside the AD domain, and the client machine will not automatically revert to the internal DNS server when connectivity is restored. This generally manifests itself as an inability to access resources in the domain from the affected machine. Be advised that if you are using a small-office/home-office (SOHO) router to assign DHCP addresses to client machines, it will likely also assign external DNS servers to those clients unless it has been manually configured to do otherwise.

     
  • In a multi-site environment, domain members should be configured to use the DNS servers at their local site before those at a different site. This minimizes the amount of DNS traffic crossing slower WAN links.

     
  • Use Active Directory-integrated DNS zones to improve security and simplify DNS replication. AD-integrated DNS zones are stored in directory partitions within Active Directory. These directory partitions replicate along with the rest of AD; therefore, no extra configuration (i.e., zone transfer setup) is required for DNS replication. Further, AD-integrated zones allow the use of secure dynamic updates. This prevents updates to DNS records from machines which are unable to authenticate with the domain.

     
  • Unless there is a compelling reason to do otherwise, DNS zones should allow only secure dynamic updates. Allowing unsecure dynamic updates can enable machines which aren't part of the domain to modify records on the domain's DNS servers, which is a security risk. Disabling dynamic updates altogether, on the other hand, secures the DNS records but makes management of the domain more difficult.

     
  • Configure forwarders or root hints for external name resolution in an Internet-connected environment. Forwarders can provide a faster response to external queries, but they are less redundant than the 374 widely distributed root DNS servers that exist as of this writing. Root hints are present by default on Windows servers, but forwarders must be configured manually. 

     
  • DNS servers within a domain should not use each other as forwarders. Forwarders are servers to which a DNS server will send queries that it can't answer (i.e., queries for records in zones that it doesn't host). DNS servers within a domain will typically all host the same zones, so if one of them is unable to answer a given query, they all will be unable to do so, and forwarding that query from one server to another will simply cause delays.

     
  • Configure aging and scavenging to avoid stale DNS records. Properly configuring aging and scavenging ensures that stale records (those older than a certain age, which is configurable) will be purged from DNS automatically. 

     
  • Use the DNS Best Practices Analyzer (BPA). The DNS BPA checks for more items than are documented here and provides guidelines for resolving any issues it finds. More information about the DNS BPA is available at Best Practices Analyzer for Domain Name System.
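As an added example (not part of the Dell article), the following PowerShell builds the DNS client server list that the items above describe, for both domain controllers and ordinary domain members, and checks a machine for external DNS server entries. The site names and the 10.0.x.x and 203.0.113.53 addresses are constructed for illustration; Get-DnsClientServerAddress and Set-DnsClientServerAddress are the standard DnsClient module cmdlets, while Get-PreferredDnsServerList and Test-InternalDnsOnly are hypothetical helper functions written for this example.

```powershell
# Added example (not from the Dell article): builds the DNS client server list the
# article recommends and audits a machine for external DNS entries.
# All IP addresses and site names below are constructed for illustration.

# Internal DNS servers (DCs running DNS), grouped by AD site.  Constructed data.
$DnsServersBySite = @{
    'HQ'     = @('10.0.1.10', '10.0.1.11')
    'Branch' = @('10.0.2.10', '10.0.2.11')
}

# Every internal DNS address, flattened, for the "internal servers only" check.
$InternalDnsServers = @($DnsServersBySite.Values | ForEach-Object { $_ })

function Get-PreferredDnsServerList {
    <#
      Returns the ordered DNS server list a machine should use:
        1. the other DNS servers in its own site (local first, keeps DNS traffic off the WAN),
        2. the DNS servers in all other sites (redundancy if the local ones go offline),
        3. its own address last, only when the machine is itself a DNS server / DC.
      A DC that lists itself first may stop replicating, so self is never first.
    #>
    param(
        [Parameter(Mandatory)][string]$LocalSite,
        [string]$OwnAddress,                          # omit for an ordinary domain member
        [hashtable]$ServersBySite = $DnsServersBySite
    )
    $local  = @($ServersBySite[$LocalSite]) | Where-Object { $_ -ne $OwnAddress }
    $remote = $ServersBySite.Keys | Where-Object { $_ -ne $LocalSite } | Sort-Object |
              ForEach-Object { $ServersBySite[$_] } |
              Where-Object { $_ -ne $OwnAddress }
    $list = @($local) + @($remote)
    $allServers = @($ServersBySite.Values | ForEach-Object { $_ })
    if ($OwnAddress -and ($allServers -contains $OwnAddress)) {
        $list += $OwnAddress        # self last, never first
    }
    return $list
}

function Test-InternalDnsOnly {
    <#
      Flags DNS client entries that are not internal DNS servers.  Pass -Configured to
      test a list offline; omit it to read the live configuration of this machine.
    #>
    param(
        [string[]]$Configured,
        [string[]]$Allowed = $InternalDnsServers
    )
    if (-not $PSBoundParameters.ContainsKey('Configured')) {
        $Configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                       Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $external = @($Configured | Where-Object { $Allowed -notcontains $_ })
    [pscustomobject]@{
        Compliant = ($external.Count -eq 0)
        External  = $external
    }
}

# --- Worked calls with the constructed data ---

# A DC at HQ with address 10.0.1.10: its HQ peer first, the Branch DCs next, itself last.
Get-PreferredDnsServerList -LocalSite 'HQ' -OwnAddress '10.0.1.10'

# A member workstation in the Branch site: local DCs first, HQ DCs as backup, no self entry.
Get-PreferredDnsServerList -LocalSite 'Branch'

# A misconfigured member whose alternate DNS server is a public resolver
# (203.0.113.53 is a constructed documentation-range address, not a real resolver).
Test-InternalDnsOnly -Configured @('10.0.2.10', '203.0.113.53')

# To apply the recommended list to the domain-facing adapter of the local machine,
# uncomment and adjust the interface alias:
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' `
#     -ServerAddresses (Get-PreferredDnsServerList -LocalSite 'Branch')
```

The first call returns the list 10.0.1.11, 10.0.2.10, 10.0.2.11, 10.0.1.10 and the second returns 10.0.2.10, 10.0.2.11, 10.0.1.10, 10.0.1.11; the audit call reports Compliant = False with 203.0.113.53 as the external entry. Running Test-InternalDnsOnly without -Configured on each domain member is a quick way to find the SOHO-router DHCP scenario the article warns about, where an external resolver has crept into the alternate DNS slot.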
 

 

Note: For further details on DNS best practices, refer to the official Microsoft documentation for your operating system version and edition.
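As a further added example (not from the Dell article or from Microsoft), this PowerShell audits a Windows DNS server against the server-side recommendations in the list above: AD-integrated zones, secure-only dynamic updates, no forwarding between the domain's own DNS servers, and scavenging enabled. The zone objects, zone names and addresses in the worked call are constructed; the Get-/Set-/ConvertTo-/Remove-DnsServer* cmdlets are from the DnsServer module and Invoke-BpaModel / Get-BpaResult from the BestPractices module, while the Test-AdDnsServerConfig function and its findings format are hypothetical helpers written for this example.

```powershell
# Added example, not from the Dell article.  Audits a Windows DNS server against the
# recommendations above.  Zone objects and addresses in the worked call are constructed.

function Test-AdDnsServerConfig {
    param(
        # Zones with ZoneName, ZoneType, IsDsIntegrated and DynamicUpdate, shaped like
        # Get-DnsServerZone output.  Omit to audit the live server.
        [object[]]$Zones,
        # Forwarder addresses as strings, shaped like (Get-DnsServerForwarder).IPAddress.
        [string[]]$Forwarders,
        # Addresses of this domain's own DNS servers; forwarding to any of these is flagged.
        [string[]]$DomainDnsServers = @(),
        [Nullable[bool]]$ScavengingEnabled
    )
    # Live paths, used only when the caller did not supply constructed data.
    if (-not $PSBoundParameters.ContainsKey('Zones')) {
        $Zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
    }
    if (-not $PSBoundParameters.ContainsKey('Forwarders')) {
        $Forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { [string]$_ })
    }
    if (-not $PSBoundParameters.ContainsKey('ScavengingEnabled')) {
        $ScavengingEnabled = (Get-DnsServerScavenging).ScavengingState
    }

    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Scope, $Issue, $Fix)
        $findings.Add([pscustomobject]@{ Scope = $Scope; Issue = $Issue; Fix = $Fix }) }

    # Zone checks: AD-integrated storage and secure-only dynamic updates.
    foreach ($z in ($Zones | Where-Object { $_.ZoneType -eq 'Primary' })) {
        $n = $z.ZoneName
        if (-not $z.IsDsIntegrated) {
            & $add $n 'Primary zone is file-backed, not AD-integrated (no secure updates, zone transfers needed)' `
                "ConvertTo-DnsServerPrimaryZone -Name '$n' -ReplicationScope Domain -Force"
        }
        switch ($z.DynamicUpdate) {
            'NonsecureAndSecure' {
                & $add $n 'Zone accepts unsecure dynamic updates from hosts that cannot authenticate to the domain' `
                    "Set-DnsServerPrimaryZone -Name '$n' -DynamicUpdate Secure   # requires an AD-integrated zone"
            }
            'None' {
                & $add $n 'Dynamic updates disabled; records must be maintained by hand' `
                    "Set-DnsServerPrimaryZone -Name '$n' -DynamicUpdate Secure   # if the zone should self-maintain"
            }
        }
    }

    # Forwarder checks: never forward to another DNS server of the same domain.
    foreach ($f in $Forwarders) {
        if ($DomainDnsServers -contains $f) {
            & $add 'Forwarders' "Forwards to $f, a DNS server in the same domain (same zones, only adds delay)" `
                "Remove-DnsServerForwarder -IPAddress $f -Force"
        }
    }
    if (-not $Forwarders) {
        & $add 'Forwarders' 'No forwarders configured; external resolution relies on root hints' `
            'Get-DnsServerRootHint   # confirm root hints exist, or Set-DnsServerForwarder -IPAddress <resolvers>'
    }

    # Aging and scavenging so stale records are purged automatically.
    if ($ScavengingEnabled -ne $true) {
        & $add 'Scavenging' 'Scavenging is off; stale records will accumulate' `
            'Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones'
    }
    return $findings.ToArray()
}

# Constructed sample zones mimicking Get-DnsServerZone output.
$sampleZones = @(
    [pscustomobject]@{ ZoneName = 'corp.example';        ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'Secure' }
    [pscustomobject]@{ ZoneName = 'legacy.corp.example'; ZoneType = 'Primary'; IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure' }
    [pscustomobject]@{ ZoneName = '1.0.10.in-addr.arpa'; ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'None' }
)

# 10.0.1.11 is the other DC in this constructed domain; 203.0.113.53 stands in for an ISP resolver.
Test-AdDnsServerConfig -Zones $sampleZones -Forwarders @('10.0.1.11', '203.0.113.53') `
    -DomainDnsServers @('10.0.1.10', '10.0.1.11') -ScavengingEnabled $false |
    Format-Table Scope, Issue, Fix -AutoSize -Wrap

# Live audit on a DC (DnsServer module), followed by the DNS Best Practices Analyzer:
# Test-AdDnsServerConfig -DomainDnsServers @('10.0.1.10', '10.0.1.11')
# Invoke-BpaModel -ModelId Microsoft/Windows/DNSServer
# Get-BpaResult -ModelId Microsoft/Windows/DNSServer | Where-Object { $_.Severity -ne 'Information' }
```

The constructed call yields five findings: the legacy zone is not AD-integrated and allows unsecure updates, the reverse zone has updates disabled, the forwarder 10.0.1.11 is one of the domain's own DNS servers, and scavenging is off. The Fix column carries the remediation cmdlet for each finding rather than running it, so the audit is safe to execute on a production DC; note that converting a zone to AD-integrated must happen before switching it to Secure-only updates, since secure dynamic update is only available on AD-integrated zones.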

 


Article Properties


Affected Product

DSS 2500, DSS 7500, DSS 8440, DSS 9000J, DSS 9000R, DSS 9600, DSS 9620, DSS 9630, DSS 1500, DSS 1510, DSS 7000, PowerApp 100, PowerApp 110, PowerApp 120, PowerApp 200, PowerApp 220, PowerApp w100 web, Dell vStart 50, Dell vStart v1000, Dell vStart v200, PowerEdge XR2, PowerEdge 1300, PowerEdge 1400SC, PowerEdge SC1420, PowerEdge SC1425, PowerEdge SC1430, PowerEdge SC1435, PowerEdge 1500SC, PowerEdge 1550, PowerEdge 1600SC, PowerEdge 1650, PowerEdge 1655MC, PowerEdge 1750, PowerEdge 1800, PowerEdge 1850, PowerEdge 1855, PowerEdge 1900, PowerEdge 1950, PowerEdge 1955, PowerEdge 2100, PowerEdge 2200, PowerEdge 2300, PowerEdge 2400, PowerEdge 2450, PowerEdge 2500, PowerEdge 2500SC, PowerEdge 2550, PowerEdge 2800, PowerEdge 2850, PowerEdge 2900, PowerEdge 2950, PowerEdge 2970, PowerEdge 300, PowerEdge 300SC, PowerEdge 3250, PowerEdge 350, PowerEdge 400SC, PowerEdge 4100, PowerEdge 4300, PowerEdge 4350, PowerEdge 4400, PowerEdge SP 4__, PowerEdge XE 4__, PowerEdge 500SC, PowerEdge XL 5133-4, PowerEdge 600SC, PowerEdge 6300, PowerEdge 6350, PowerEdge 6400, PowerEdge 6450, PowerEdge 650, PowerEdge 6800, PowerEdge 6850, PowerEdge 6950, PowerEdge 700, PowerEdge 7150, PowerEdge 7250, PowerEdge 750, PowerEdge 800, PowerEdge 830, PowerEdge 840, PowerEdge 8450, PowerEdge 850, PowerEdge 860, PowerEdge C1100, PowerEdge C2100, PowerEdge C410X, PowerEdge C4130, PowerEdge C4140, PowerEdge C5000, PowerEdge C5125, PowerEdge C5220, PowerEdge C5230, PowerEdge C6100, PowerEdge C6105, PowerEdge C6145, PowerEdge C6220, PowerEdge C6220 II, PowerEdge C6300, PowerEdge C6320, PowerEdge C6320p, PowerEdge C6400, PowerEdge C6420, PowerEdge C6525, PowerEdge C8000, PowerEdge EL, PowerEdge External Media System 1434, PowerEdge External Media System 1634, PowerEdge External Media System 753, PowerEdge FC430, PowerEdge FC630, PowerEdge FC640, PowerEdge FC830, PowerEdge FD332, PowerEdge FM120x4 (for PE FX2/FX2s), PowerEdge FX2/FX2s, PowerEdge M1000E, PowerEdge M420, PowerEdge M520, PowerEdge M520 (for PE VRTX), PowerEdge M600, PowerEdge M605, PowerEdge M610, PowerEdge M610x, PowerEdge M620, PowerEdge M620 (for PE VRTX), PowerEdge M630, PowerEdge M630 (for PE VRTX), PowerEdge M640, PowerEdge M640 (for PE VRTX), PowerEdge M710, PowerEdge M710HD, PowerEdge M805, PowerEdge M820, PowerEdge M820 (for PE VRTX), PowerEdge M830, PowerEdge M830 (for PE VRTX), PowerEdge M905, PowerEdge M910, PowerEdge M915, PowerEdge MX5016s, PowerEdge MX7000, PowerEdge MX740c, PowerEdge MX840c, PowerEdge R200, PowerEdge R210, PowerEdge R210 II, PowerEdge R220, PowerEdge R230, PowerEdge R240, PowerEdge R300, PowerEdge R310, PowerEdge R320, PowerEdge R330, PowerEdge R340, PowerEdge R410, PowerEdge R415, PowerEdge R420, PowerEdge R420xr, PowerEdge R430, PowerEdge R440, PowerEdge R510, PowerEdge R515, PowerEdge R520, PowerEdge R530, PowerEdge R530xd, PowerEdge R540, PowerEdge R610, PowerEdge R620, PowerEdge R630, PowerEdge R640, PowerEdge R6415, PowerEdge R6515, PowerEdge R6525, PowerEdge R710, PowerEdge R715, PowerEdge R720, PowerEdge R720xd, PowerEdge R730, PowerEdge R730xd, PowerEdge R740, PowerEdge R740xd, PowerEdge R740xd2, PowerEdge R7415, PowerEdge R7425, PowerEdge R7515, PowerEdge R7525, PowerEdge R805, PowerEdge R810, PowerEdge R815, PowerEdge R820, PowerEdge R830, PowerEdge R840, PowerEdge R900, PowerEdge R905, PowerEdge R910, PowerEdge R920, PowerEdge R930, PowerEdge R940, PowerEdge R940xa, PowerEdge SDS 100 (Storage System), PowerEdge SP 5__, PowerEdge SP 5__-2, PowerEdge SP 51__-2 (ATI Mach64), PowerEdge SP 575-2, PowerEdge T100, PowerEdge T105, PowerEdge T110, PowerEdge T110 II, PowerEdge T130, PowerEdge T140, PowerEdge T20, PowerEdge T30, PowerEdge T300, PowerEdge T310, PowerEdge T320, PowerEdge T330, PowerEdge T340, PowerEdge T40, PowerEdge T410, PowerEdge T420, PowerEdge T430, PowerEdge T440, PowerEdge T605, PowerEdge T610, PowerEdge T620, PowerEdge T630, PowerEdge T640, PowerEdge T710, PowerEdge VRTX, PowerEdge Web Server, PowerEdge XE2420, PowerEdge XE 5__, PowerEdge XE 5__-2, PowerEdge XE 51__-2 (ATI Mach64), PowerEdge XE7100, PowerEdge XE7420, PowerEdge XE7440, PowerEdge 2600, PowerEdge 2650, PowerEdge 6600, PowerEdge 6650, PowerEdge 4600, PowerEdge SC 420, PowerEdge SC 430, PowerEdge SC 440

Last Published Date

20 Nov 2020

Version

2

Article Type

Solution
