What DNS Options Does Active Directory Offer in Windows Server 2008, 2012 and 2016?

What Is Active Directory?

Active Directory is, at its core, a centralized, replicated directory database of objects (users, computers, groups, policies) that makes user management, authentication and authorization, and data management simpler.  The servers that hold a writable copy of that database are the Domain Controllers, and a single "domain" often spans several sites and many domain-member machines.  Multiple domains can be joined into a tree (a collection of domains sharing a contiguous DNS namespace), and the highest layer is the forest, which is made up of one or more trees sharing a common schema and global catalog.

Active Directory depends on DNS (clients locate domain controllers through SRV records), and a Domain Controller can provide that DNS service itself by enabling the "DNS Server" role.  With AD-integrated zones the zone data is stored in the directory and replicated between the DCs, so every DC running DNS can answer queries for the domain, which gives you a highly available, fault-tolerant, redundant DNS design.

The first step is to ensure all relevant servers have the "Active Directory Domain Services" role added, including the DNS Server role (the domain controller promotion wizard offers to install DNS on the new DC).

The preferred setup is that the first DNS server in each domain controller's client settings should be the IP of another domain controller (or other DNS server) that hosts the zone, and the secondary entry should point to the localhost (127.0.0.1).  DNS forwarders should be configured on each server that is running DNS, so that resolution of outside names does not depend on any single internal server and keeps working if one server hosting DNS goes down.
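The steps above, carried out on a new domain controller, as an added example that is not code from the original article.  The addresses are assumptions: the peer DC that already runs DNS is 172.16.254.2, the domain is corp.example.com, and the forwarders 192.0.2.53 and 198.51.100.53 are documentation addresses standing in for your upstream resolvers.  It targets Windows Server 2012 or later (on 2008 R2 the feature cmdlet is Add-WindowsFeature) and is run from an elevated session on the server itself.

```powershell
# Added example, not from the original article. Assumed values below.
$PeerDns    = '172.16.254.2'                  # another DC that already runs DNS
$Forwarders = '192.0.2.53', '198.51.100.53'   # upstream resolvers (documentation addresses)
$Domain     = 'corp.example.com'

# 1. AD DS and the DNS Server role on the same box, plus the management tools.
#    Promotion itself (Install-ADDSDomainController -DomainName $Domain -InstallDns ...)
#    is assumed to follow; it pulls the AD-integrated zones onto this server.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. DNS client order: another DC first, loopback second. Never the server's own
#    NIC address, and never itself as the primary entry.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                               -ServerAddresses @($PeerDns, '127.0.0.1')
}

# 3. Forwarders on this server, so resolving external names does not depend on
#    any other internal DNS server. Root hints stay as the fallback.
Add-DnsServerForwarder -IPAddress $Forwarders -PassThru
Set-DnsServerForwarder -UseRootHint $true

# 4. Checks (run after promotion): the local service answers for the DC locator
#    records, the client order is what we set, and an external name resolves
#    through the forwarders.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 |
    Where-Object Type -eq 'SRV' |
    Format-Table Name, NameTarget, Port
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses
Resolve-DnsName -Name www.example.com -Server 127.0.0.1
```

If the SRV query in step 4 returns nothing from 127.0.0.1 after promotion, the zone has not replicated in yet or the DNS Server role is not hosting it; `dcdiag /test:dns` on the box will say which.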


Best Practices According To Microsoft:

Question

What is Microsoft’s best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DCs and members?

Answer

It depends on who you ask. 🙂 We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

  1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.

  2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)

  3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.

  4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest’s DCs. (Lots more arguments here).

  5. DCs should have at least two DNS client entries.

  6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DCs running DNS.

  7. We don’t care if you use Windows or 3rd party DNS. It’s no skin off our nose: you already paid us for the DC’s and we certainly don’t need you to buy DNS-only Windows servers. But we won’t be able to assist you with your BIND server, and their free product’s support is not free.

  8. (Other things I didn’t say that are people’s pet peeves, leading to even more arguments).
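Guidelines 1 through 5 above are easy to check mechanically.  The function below is an added example (not part of the quoted Microsoft answer or of this article) that audits one domain controller against them; Test-DcDnsGuidance is a hypothetical name, and the domain corp.example.com with forest root example.com is assumed.  The first call runs on constructed data so it works anywhere PowerShell runs; the second gathers live data and needs Windows Server 2012 or later with the DnsServer module.

```powershell
function Test-DcDnsGuidance {
    # Added example (hypothetical helper). Checks a DC's DNS client list and
    # hosted zones against the Microsoft guidance quoted above.
    param(
        [string[]]$OwnAddresses,    # this DC's own IPv4 NIC addresses
        [string[]]$ClientServers,   # its DNS client server list, in configured order
        [string[]]$HostedZones,     # zones the local DNS Server role hosts
        [string]  $Domain,          # this DC's domain
        [string]  $ForestRoot       # forest root domain (holds the _msdcs zone)
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $loopback = '127.0.0.1'
    $selfRefs = @($OwnAddresses) + $loopback

    # 5. at least two client entries
    if (@($ClientServers).Count -lt 2) {
        $findings.Add('fewer than two DNS client entries')
    }
    # 1. points to itself somewhere in the list
    if (-not @($ClientServers | Where-Object { $selfRefs -contains $_ })) {
        $findings.Add('hosts DNS but never points to itself')
    }
    # 2. must not be its own primary (islanding)
    if (@($ClientServers).Count -gt 0 -and $selfRefs -contains $ClientServers[0]) {
        $findings.Add("primary entry $($ClientServers[0]) is this DC itself")
    }
    # 3. self-reference must use loopback, not a real NIC address
    foreach ($ip in @($ClientServers | Where-Object { $OwnAddresses -contains $_ })) {
        $findings.Add("self-reference via real address $ip instead of $loopback")
    }
    # 4. hosts its own domain zone and the forest _msdcs zone
    if ($HostedZones -notcontains $Domain) {
        $findings.Add("does not host its own zone $Domain")
    }
    if ($HostedZones -notcontains "_msdcs.$ForestRoot") {
        $findings.Add("does not host _msdcs.$ForestRoot")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: a DC at 172.16.254.3 that lists its own NIC address first
# and hosts only its domain zone.
Test-DcDnsGuidance -OwnAddresses '172.16.254.3' `
                   -ClientServers '172.16.254.3', '172.16.254.2' `
                   -HostedZones 'corp.example.com' `
                   -Domain 'corp.example.com' -ForestRoot 'example.com'

# Live data on a DC (Windows Server 2012+, DnsServer module present).
$own   = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
$srv   = (Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object ServerAddresses).ServerAddresses
$zones = (Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }).ZoneName
Test-DcDnsGuidance -OwnAddresses $own -ClientServers $srv -HostedZones $zones `
                   -Domain 'corp.example.com' -ForestRoot 'example.com'
```

The constructed sample comes back non-compliant with three findings: the primary entry is the DC itself, the self-reference uses the real address rather than 127.0.0.1, and _msdcs.example.com is not hosted.  Run the live half on every DC (for example through Invoke-Command) rather than on one representative, since the islanding problem in guideline 2 is exactly the one that only shows up on the odd server that was configured by hand.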


Other Options

It should be noted that Active Directory Domain Controllers are not required to serve their own DNS; installing the DNS Server role is optional at the time of domain controller creation, as long as some DNS server hosts the domain's zone and accepts the SRV records the DCs register.

Another option is to integrate a Linux DNS server such as BIND (its daemon is named), which is known to scale well and be extremely reliable.  The requirements are that it supports SRV records and, ideally, dynamic updates (GSS-TSIG from the domain controllers, or at least updates restricted to the DC addresses) so the domain controllers can register and refresh their locator records.

The argument for doing so is that it can provide better performance and an additional layer of security, while still giving you the full features that Active Directory offers.

A non-Microsoft DNS can offer performance and security benefits, mainly by separating the DNS attack surface from the domain controllers: with AD-integrated zones, whoever can write to the zone objects in the directory (Domain Admins, DnsAdmins, or an attacker who has escalated to or compromised a domain controller) can change any record.  Securing your DNS servers is therefore important not only against denial-of-service attacks but against DNS poisoning, where an attacker inserts or replaces records so that users believe they are visiting a site they are not (e.g. accounting logs in to their online banking but unknowingly hands their details to the attackers who poisoned the DNS and sent them to a spoof site).

Here is a list of some of the value-added features offered by third-party DNS solutions available today:

  • Proactive automated adaptive behavior protection from DNS attacks, malware and data exfiltration through customized DNS firewall security
  • Utilize DNS and DHCP features that are unavailable from Microsoft in-box solutions such as Identity Mapping (linking IP addresses to users)
  • Intelligently resolve queries and direct traffic according to geographic location
  • Increased logging to help determine where issues and attacks are originating
  • Utilizing a single solution for external and internal DNS (aka "single view")
  • Operating system-agnostic way to manage DNS
  • Increased security by reducing admin privilege usage
  • Increased granularity for control of dynamic DNS updates via IP-based access control (and TSIG keys), as opposed to Microsoft's three-level per-zone approach of "none," "secure only" (i.e., only AD-joined clients authenticating with GSS-TSIG) or "secure and insecure" (i.e., anyone, no TSIG or IP-based authentication required)
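Whichever product you run, the "secure and insecure" setting in the last item is the one to hunt down, because it lets any host on the network overwrite records.  Below is an added example (not code from the original article) that finds Windows DNS primary zones in that state and moves the AD-integrated ones to "secure only"; Get-InsecureUpdateZone is a hypothetical helper name, the sample zones are constructed so the first call runs anywhere, and the remediation loop needs the DnsServer module on a Windows DNS server.

```powershell
function Get-InsecureUpdateZone {
    # Added example (hypothetical helper). Returns primary zones that accept
    # dynamic updates from anyone, i.e. without GSS-TSIG authentication.
    param([object[]]$Zones)   # objects shaped like Get-DnsServerZone output
    $Zones | Where-Object {
        "$($_.ZoneType)" -eq 'Primary' -and
        "$($_.DynamicUpdate)" -eq 'NonsecureAndSecure'
    }
}

# Constructed sample zones: one secure, one file-backed and open, one
# AD-integrated and open.
$sample = @(
    [pscustomobject]@{ ZoneName = 'corp.example.com';        ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'Secure' }
    [pscustomobject]@{ ZoneName = 'lab.example.com';         ZoneType = 'Primary'; IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure' }
    [pscustomobject]@{ ZoneName = '254.16.172.in-addr.arpa'; ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'NonsecureAndSecure' }
)
Get-InsecureUpdateZone -Zones $sample | Format-Table ZoneName, IsDsIntegrated, DynamicUpdate

# Live check and remediation on a Windows DNS server.
foreach ($z in Get-InsecureUpdateZone -Zones (Get-DnsServerZone)) {
    if ($z.IsDsIntegrated) {
        # "secure only": updates must be GSS-TSIG authenticated by a domain principal
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
    } else {
        # Secure updates need the zone stored in the directory; either move it
        # there first, or turn dynamic updates off for the zone.
        Write-Warning ("{0} is file-backed: run ConvertTo-DnsServerPrimaryZone -Name {0} -ReplicationScope Domain " +
                       "and re-run, or Set-DnsServerPrimaryZone -Name {0} -DynamicUpdate None") -f $z.ZoneName
    }
}
```

On the sample data the function returns lab.example.com and the reverse zone; corp.example.com is already secure.  One caveat that applies to "secure only" as well: it authenticates the updater, but by default any authenticated domain principal can still create a new record in an AD-integrated zone, since the per-record ACL only stops other principals from overwriting records that already exist.  That is the gap the IP-based controls and TSIG keys in the list above are meant to close.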

A good example is a domain with 10 servers all running DNS, where each one points at a different peer as its primary and at loopback as its secondary:


Server 1
Primary DNS: 172.16.254.2
Secondary DNS: 127.0.0.1
---------------------------------
Server 2
Primary DNS: 172.16.254.3
Secondary DNS: 127.0.0.1
---------------------------------
Server 3
Primary DNS: 172.16.254.4
Secondary DNS: 127.0.0.1
---------------------------------
Server 4
Primary DNS: 172.16.254.5
Secondary DNS: 127.0.0.1
---------------------------------
Server 5
Primary DNS: 172.16.254.6
Secondary DNS: 127.0.0.1
---------------------------------
Server 6
Primary DNS: 172.16.254.7
Secondary DNS: 127.0.0.1
---------------------------------
Server 7
Primary DNS: 172.16.254.8
Secondary DNS: 127.0.0.1
---------------------------------
Server 8
Primary DNS: 172.16.254.9
Secondary DNS: 127.0.0.1
---------------------------------
Server 9
Primary DNS: 172.16.254.10
Secondary DNS: 127.0.0.1
---------------------------------
Server 10
Primary DNS: 172.16.254.11
Secondary DNS: 127.0.0.1
---------------------------------



By setting up your DNS this way you ensure that if one domain member that provides DNS goes down, only the server that used it as primary falls back to its own loopback entry and the remaining servers keep functioning as before.  If they all relied on the same single server as their secondary (or primary) DNS source, that server would be a single point of failure for the whole domain.
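The table above is one instance of a general rule: arrange the DNS-hosting DCs in a ring, give each one the next DC as primary and loopback as secondary, and check that no DC is its own primary and no DC is the primary for more than one peer.  The added example below (not code from the original article) generates that plan for the ten addresses in the table and, as a generalization the table does not show, wraps the last server back to the first so every entry stays inside the list.  New-DcDnsClientPlan and Test-DcDnsClientPlan are hypothetical names; the apply step assumes WinRM is enabled on the DCs and that each has a single connected adapter.

```powershell
function New-DcDnsClientPlan {
    # Added example (hypothetical helper). Each DC gets the next DC in the list
    # as primary and loopback as secondary; the last DC wraps around to the first.
    param([string[]]$DcAddresses)   # DC/DNS server addresses, in ring order
    $n = @($DcAddresses).Count
    if ($n -lt 2) { throw 'need at least two DCs running DNS' }
    for ($i = 0; $i -lt $n; $i++) {
        [pscustomobject]@{
            Server    = $DcAddresses[$i]
            Primary   = $DcAddresses[($i + 1) % $n]
            Secondary = '127.0.0.1'
        }
    }
}

function Test-DcDnsClientPlan {
    # Invariants to check before anything is applied.
    param([object[]]$Plan)
    $selfPrimary = @($Plan | Where-Object { $_.Primary -eq $_.Server })
    if ($selfPrimary) { throw "self as primary: $($selfPrimary.Server -join ', ')" }
    $fanIn = @($Plan | Group-Object Primary | Where-Object Count -gt 1)
    if ($fanIn) { throw "shared primary: $($fanIn.Name -join ', ')" }
    $true
}

# Ten DCs at 172.16.254.2 through .11, the addresses used in the table above.
$plan = New-DcDnsClientPlan -DcAddresses (2..11 | ForEach-Object { "172.16.254.$_" })
Test-DcDnsClientPlan -Plan $plan | Out-Null
$plan | Format-Table

# Apply over WinRM. Invoke-Command against a bare IP address needs TrustedHosts
# or an HTTPS listener; against a hostname it uses Kerberos, so build the plan
# from hostnames if that is what your environment has. Flip $Apply after review.
$Apply = $false
if ($Apply) {
    foreach ($p in $plan) {
        Invoke-Command -ComputerName $p.Server -ArgumentList $p.Primary, $p.Secondary -ScriptBlock {
            param($primary, $secondary)
            $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses @($primary, $secondary)
        }
    }
}
```

Keep the ring order aligned with your sites where you can (a DC's primary should be a DC it can reach without crossing a WAN link), which is the same point the Microsoft guidance makes about keeping client traffic local.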

