What DNS Options Does Active Directory Offer in Windows Server 2008, 2012, 2016?

What Is Active Directory?

Active Directory is essentially an enhanced, centralized database with a set of objects that makes user management, authorization, and data management simpler. Active Directory is synonymous with "Domain Controllers": a single "domain" often consists of multiple sites and members of the domain. Multiple domains can be joined to form a tree (a collection of domains), and the highest layer is the forest, which is built from multiple trees.

Active Directory can also provide DNS service by enabling the "DNS Server" role, which allows members of a domain to process DNS requests and gives you a highly available, fault-tolerant, redundant DNS design.

The first step is to ensure all relevant servers have the "Active Directory" role added, including the DNS portion.

The preferred setup is that the first (primary) DNS server entry on each domain controller points to the IP of another domain controller or DNS server, and the secondary entry points to the localhost. DNS forwarders should be configured on each server that is running DNS, so that DNS resolution for outside names continues to work in the event that one server hosting DNS goes down.


Best Practices According To Microsoft:

Question

What is Microsoft’s best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?

Answer

It depends on who you ask. 🙂 We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

  1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.

  2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)

  3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.

  4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DC’s in a domain should be running DNS and hosting at least their own DNS zone; all DC’s in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest’s DC’s. (Lots more arguments here).

  5. DC’s should have at least two DNS client entries.

  6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DC’s running DNS.

  7. We don’t care if you use Windows or 3rd party DNS. It’s no skin off our nose: you already paid us for the DC’s and we certainly don’t need you to buy DNS-only Windows servers. But we won’t be able to assist you with your BIND server, and their free product’s support is not free.

  8. (Other things I didn’t say that are people’s pet peeves, leading to even more arguments).


Other Options

Note that Active Directory Domain Controllers are not required to serve their own DNS; it is optional at the time of domain controller creation.

Another option is to integrate Linux's NAMED or BIND DNS server, which is known to scale well and be extremely reliable.

Many cybersecurity experts believe this provides better performance and security, while still giving you the full feature set that Active Directory offers.

In general, a non-Microsoft DNS can offer you better performance and security. Securing your DNS servers is especially important, not only against DoS attacks but also against DNS poisoning, particularly following privilege escalation or a compromise of a domain controller. Poisoned DNS would allow an attacker to trick users into believing they are visiting a site they are not (e.g. accounting may log in to their online banking but unknowingly hand their details to the hackers who have poisoned the DNS and sent them to a spoof site).

Here is a list of some of the value-added features offered by third-party DNS solutions available today:

  • Proactive automated adaptive behavior protection from DNS attacks, malware and data exfiltration through customized DNS firewall security
  • Utilize DNS and DHCP features that are unavailable from Microsoft in-box solutions such as Identity Mapping (linking IP addresses to users)
  • Intelligently resolve queries and direct traffic according to geographic location
  • Increased logging to help determine where issues and attacks are originating
  • Utilizing a single solution for external and internal DNS (aka "single view")
  • Operating system-agnostic way to manage DNS
  • Increased security by reducing admin privilege usage
  • Increased granularity for control of dynamic DNS updates via IP-based access control, as opposed to Microsoft's three-level approach of "none," "secure only" (i.e., AD-integrated clients (GSS-TSIG)) or "secure and insecure" (i.e., anyone, no TSIG or IP-based authentication required)

A good example is if you have 10 servers, each listing a different domain controller as its primary DNS server and its own loopback address as the secondary:

Server      Primary DNS      Secondary DNS
Server 1    172.16.254.2     127.0.0.1
Server 2    172.16.254.3     127.0.0.1
Server 3    172.16.254.4     127.0.0.1
Server 4    172.16.254.5     127.0.0.1
Server 5    172.16.254.6     127.0.0.1
Server 6    172.16.254.7     127.0.0.1
Server 7    172.16.254.8     127.0.0.1
Server 8    172.16.254.9     127.0.0.1
Server 9    172.16.254.10    127.0.0.1
Server 10   172.16.254.11    127.0.0.1

By setting up your DNS this way you ensure that, should a domain member that provides DNS go down, the remaining servers still have redundancy and keep functioning, unlike a design in which every server relies on the same single server as its secondary DNS source.
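As an added example (not from the original article or from Microsoft), the following PowerShell applies the layout from the table above to a set of DCs, adds forwarders, and then audits each DC's client list against the guidelines quoted earlier (self not primary, loopback rather than own IP, at least two entries). It assumes the DnsClient and DnsServer modules (Server 2012 or later), WinRM access to the DCs, an elevated session, and that the constructed $Dcs and $Forwarders values are replaced with your own.

```powershell
# Added example, not from the original article: apply the "primary = another DC,
# secondary = loopback" layout to a set of DCs, add forwarders, then audit each
# DC's client list against the guidelines quoted above.
# Assumptions: DnsClient/DnsServer modules (Server 2012+), WinRM access to the
# DCs, elevated session; $Dcs and $Forwarders are constructed sample values.
$Dcs = [ordered]@{ 'DC1' = '172.16.254.2'; 'DC2' = '172.16.254.3'; 'DC3' = '172.16.254.4' }
$Forwarders = @('192.0.2.53', '192.0.2.54')   # placeholder upstream resolvers

$names = @($Dcs.Keys)
for ($i = 0; $i -lt $names.Count; $i++) {
    $dc      = $names[$i]
    $peer    = $names[($i + 1) % $names.Count]     # ring: no single DC is everyone's backup
    $servers = @($Dcs[$peer], '127.0.0.1')

    Invoke-Command -ComputerName $dc -ArgumentList $servers, $Forwarders -ScriptBlock {
        param($ServerAddresses, $Fwd)
        # Set the client list on every adapter that is up: peer DC first, loopback second.
        Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
            Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $ServerAddresses
        }
        # Forwarders keep external lookups working when another DNS-hosting DC is down.
        Add-DnsServerForwarder -IPAddress $Fwd
    }
}

# Audit: flag DCs that break the guidelines (self as primary, real IP instead of
# loopback, fewer than two entries, no loopback entry at all).
function Test-DcDnsClient {
    param([string]$Name, [string]$OwnIp, [string[]]$Addrs)
    $issues = @()
    if ($Addrs.Count -lt 2)              { $issues += 'fewer than two DNS client entries' }
    if ($Addrs.Count -gt 0 -and ($Addrs[0] -in $OwnIp, '127.0.0.1')) { $issues += 'points to self as primary' }
    if ($Addrs -contains $OwnIp)         { $issues += 'uses own real IP instead of loopback' }
    if ($Addrs -notcontains '127.0.0.1') { $issues += 'no loopback entry for itself' }
    if ($issues) { "$Name : " + ($issues -join '; ') } else { "$Name : OK" }
}

foreach ($dc in $names) {
    $addrs = @(Get-DnsClientServerAddress -CimSession $dc -AddressFamily IPv4 |
               ForEach-Object ServerAddresses | Select-Object -Unique)
    Test-DcDnsClient -Name $dc -OwnIp $Dcs[$dc] -Addrs $addrs
}
```

Run the audit section on its own first to see the current state before changing anything; Add-DnsServerForwarder will complain if a forwarder is already present, which is harmless.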

