What DNS Options Does Active Directory Offer in Windows Server 2008, 2012, 2016?

What Is Active Directory?

Active Directory is essentially a centralized, replicated directory database holding objects (users, computers, groups, policies) that make user management, authorization, and data management simpler.  The directory is hosted and replicated by domain controllers; a single domain often spans multiple sites and contains many member computers.  Multiple domains that share a contiguous namespace form a tree (a collection of domains), and the highest layer is the forest, which contains one or more trees.

Active Directory can also provide the DNS service itself.  Enabling the "DNS Server Role" on domain controllers lets them answer DNS queries from AD-integrated zones, which are stored in the directory and replicated between DCs along with everything else, so you get a highly available, fault-tolerant, redundant DNS design without setting up zone transfers.

The first step is to ensure all relevant servers have the "Active Directory Domain Services" role installed together with the "DNS Server" role.

The preferred setup is that each DC's first (primary) DNS client entry points at another domain controller that hosts DNS, and the secondary entry points at the loopback address (127.0.0.1), not the DC's own real IP.  DNS forwarders should be configured on every server that is running DNS, so that resolution of external names keeps working from whichever DNS servers survive if one DNS host goes down.


Best Practices According To Microsoft:

Question

What is Microsoft’s best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?

Answer

It depends on who you ask. 🙂 We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

  1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.

  2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)

  3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.

  4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DC’s in a domain should be running DNS and hosting at least their own DNS zone; all DC’s in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest’s DC’s. (Lots more arguments here).

  5. DC’s should have at least two DNS client entries.

  6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DC’s running DNS.

  7. We don’t care if you use Windows or 3rd party DNS. It’s no skin off our nose: you already paid us for the DC’s and we certainly don’t need you to buy DNS-only Windows servers. But we won’t be able to assist you with your BIND server, and their free product’s support is not free.

  8. (Other things I didn’t say that are people’s pet peeves, leading to even more arguments).
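As an added example that is not part of the quoted Microsoft answer or of this article, the following PowerShell audits every domain controller in the current domain against guidelines 1 to 5 above (hosts DNS, points to itself somewhere but not as primary, uses loopback for the self-reference, and has at least two client entries). It assumes the ActiveDirectory RSAT module on the management host and WinRM (Invoke-Command) access to each DC; the adapter selection (first IPv4 adapter with DNS servers configured) is a simplification.

```powershell
# Added example (not from the quoted Microsoft answer or the article): audit all
# domain controllers against guidelines 1-5 above. Assumes the ActiveDirectory
# module locally and WinRM (Invoke-Command) access to each DC.

Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $s = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        # DNS client entries of the first non-loopback IPv4 adapter that has any configured.
        $client = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notmatch 'Loopback' } |
            Select-Object -First 1
        [pscustomobject]@{
            DnsServers = @($client.ServerAddresses)
            # The DC's own non-loopback IPv4 addresses (rule 3 wants loopback, not a real IP, for self-reference).
            OwnIPs     = @((Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -notlike '127.*').IPAddress)
            HasDnsRole = (Get-WindowsFeature -Name DNS).Installed
        }
    }

    $servers  = @($s.DnsServers)
    $ownIPs   = @($s.OwnIPs)
    $byRealIP = @($servers | Where-Object { $_ -in $ownIPs })
    $findings = @()

    if (-not $s.HasDnsRole)   { $findings += 'DNS Server role not installed (rule 4)' }
    if ($servers.Count -lt 2) { $findings += 'fewer than two DNS client entries (rule 5)' }
    if ($s.HasDnsRole -and '127.0.0.1' -notin $servers -and $byRealIP.Count -eq 0) {
        $findings += 'hosts DNS but never points to itself (rule 1)'
    }
    if ($servers.Count -gt 0 -and ($servers[0] -eq '127.0.0.1' -or $servers[0] -in $ownIPs)) {
        $findings += 'points to itself as primary (rule 2)'
    }
    if ($byRealIP.Count -gt 0) {
        $findings += "refers to itself by real IP $($byRealIP -join ',') instead of loopback (rule 3)"
    }

    [pscustomobject]@{
        DC         = $dc.HostName
        DnsServers = $servers -join ', '
        Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

Rule 4 is only checked for the DC's own DNS role; whether each DC hosts its own zone and the _msdcs zone (Get-DnsServerZone on each DC) and whether clients receive their servers via DHCP or Group Policy (rule 6) are separate checks not covered here.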


Other Options

It should be noted that Active Directory domain controllers are not required to host DNS themselves; installing DNS is optional when a domain controller is promoted, as long as the DCs can register their SRV and host records in some DNS server that the DCs and domain members all use.

Another option is to integrate BIND (the ISC DNS server, whose daemon is named) running on Linux, which is known to scale well and to be extremely reliable.

Many administrators and security engineers prefer this because it separates the DNS service from the domain controllers (a compromise of one does not automatically hand over the other) while still supporting what Active Directory needs: the _msdcs SRV records and, with GSS-TSIG, secure dynamic updates from domain members.

In general a non-Microsoft DNS can offer better performance and finer-grained security controls.  Securing your DNS servers is especially important, not only against denial-of-service attacks but against DNS poisoning, whether by cache poisoning from outside or by an attacker who has escalated privileges or compromised a domain controller and can then rewrite the zone data directly.  Either way the attacker can trick users into believing they are visiting a site they are not (e.g. accounting logs in to their online banking but unknowingly passes their credentials to the attackers who have poisoned the DNS and sent them to a spoofed site).

Here is a list of some of the value-added features offered by third-party DNS solutions available today:

  • Proactive automated adaptive behavior protection from DNS attacks, malware and data exfiltration through customized DNS firewall security
  • Utilize DNS and DHCP features that are unavailable from Microsoft in-box solutions such as Identity Mapping (linking IP addresses to users)
  • Intelligently resolve queries and direct traffic according to geographic location
  • Increased logging to help determine where issues and attacks are originating
  • Utilizing a single solution for external and internal DNS (aka "single view")
  • Operating system-agnostic way to manage DNS
  • Increased security by reducing admin privilege usage
  • Increased granularity for control of dynamic DNS updates via IP-based access control and per-key/per-principal update policies, as opposed to Microsoft's three-level approach of "none," "secure only" (i.e., AD-integrated clients authenticated with GSS-TSIG) or "secure and insecure" (i.e., anyone, no TSIG or IP-based authentication required)
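The "secure and insecure" level above is the one to look for: any host that can reach the DNS server can then overwrite records in that zone, which is the in-network poisoning described earlier. As an added example that is not code from the original article, the following PowerShell finds primary zones on a Windows DNS server that accept nonsecure dynamic updates and switches them to the secure-only (GSS-TSIG) setting, or turns updates off where the zone is file-backed and secure updates are not available. Zone names are read from the server, so nothing here is specific to a particular forest; the BIND counterpart would be an update-policy clause granting only named keys or Kerberos principals.

```powershell
# Added example (not from the original article): find zones that accept
# unauthenticated dynamic updates and harden them. Run in an elevated session
# on a DNS-hosting domain controller (DnsServer module present).

Import-Module DnsServer

# Weak setting: 'NonsecureAndSecure' lets any host overwrite any record in the zone.
$weakZones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and
    -not $_.IsAutoCreated -and
    $_.DynamicUpdate -eq 'NonsecureAndSecure'
}

foreach ($zone in $weakZones) {
    Write-Warning "$($zone.ZoneName): accepts unauthenticated dynamic updates"

    if ($zone.IsDsIntegrated) {
        # Corrected setting: 'Secure' is only offered for AD-integrated zones and
        # requires updates to be authenticated with GSS-TSIG (Kerberos).
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
    }
    else {
        # A file-backed primary zone cannot use secure updates. Either disable
        # updates entirely (done here) or store the zone in AD first, e.g.
        #   ConvertTo-DnsServerPrimaryZone -Name $zone.ZoneName -ReplicationScope Domain -Force
        # and then set -DynamicUpdate Secure.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate None
    }
}

# Verify the result: no primary zone should show NonsecureAndSecure any more.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize
```

Before switching a zone to "Secure", confirm that every device registering into it is domain-joined (or registered on its behalf by DHCP with credentials), otherwise their updates will start failing silently.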

A good example is if you have 10 domain controllers all hosting DNS: each server uses a different DC as its primary DNS server and its own loopback address as secondary (the addresses below are the example's values).

Server      Primary DNS      Secondary DNS
---------   --------------   -------------
Server 1    172.16.254.2     127.0.0.1
Server 2    172.16.254.3     127.0.0.1
Server 3    172.16.254.4     127.0.0.1
Server 4    172.16.254.5     127.0.0.1
Server 5    172.16.254.6     127.0.0.1
Server 6    172.16.254.7     127.0.0.1
Server 7    172.16.254.8     127.0.0.1
Server 8    172.16.254.9     127.0.0.1
Server 9    172.16.254.10    127.0.0.1
Server 10   172.16.254.11    127.0.0.1



By setting up your DNS this way, if one domain member that provides DNS goes down, the remaining servers keep resolving: each has a different primary and its own local DNS service as secondary, instead of all of them relying on the same single server as their secondary DNS source.
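The following PowerShell is an added example, not code from the original article, that applies the rotation shown in the table above and the setup steps from the start of the article to a list of DCs: each DC gets the next DC in the list as its primary DNS client entry and the loopback address as secondary, the DNS Server role is confirmed present, and the same external forwarders are set on each. The DC names and addresses, the forwarder IPs and the interface alias are assumed values; run it from an elevated session with WinRM access to the DCs.

```powershell
# Added example, not code from the original article: apply the primary =
# another DC / secondary = loopback rotation to every DNS-hosting DC and set
# forwarders on each. Assumed values: DC names and addresses, forwarder IPs,
# interface alias. Requires WinRM (Invoke-Command) access to each DC.

# Hypothetical domain controllers, already promoted (constructed for this example).
$dcs = @(
    @{ Name = 'DC1'; IP = '172.16.254.2' },
    @{ Name = 'DC2'; IP = '172.16.254.3' },
    @{ Name = 'DC3'; IP = '172.16.254.4' }
)
$forwarders     = '10.0.0.53', '10.0.0.54'   # assumed upstream resolvers
$interfaceAlias = 'Ethernet'                 # assumed NIC name on each DC

for ($i = 0; $i -lt $dcs.Count; $i++) {
    $dc   = $dcs[$i]
    $next = $dcs[($i + 1) % $dcs.Count]      # the next DC in the ring, never itself

    Invoke-Command -ComputerName $dc.Name -ArgumentList $next.IP, $forwarders, $interfaceAlias -ScriptBlock {
        param($primary, $fwd, $alias)

        # 1. Make sure the DNS Server role is present (no-op if already installed).
        Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

        # 2. Primary = another DC, secondary = loopback; never the DC's own real IP as primary.
        Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses @($primary, '127.0.0.1')

        # 3. Forwarders for external names, with root hints kept as a fallback
        #    so external resolution survives the forwarders being unreachable.
        Set-DnsServerForwarder -IPAddress $fwd -UseRootHint $true

        # 4. Return the resulting settings for review.
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            DnsClient  = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses -join ', '
            Forwarders = (Get-DnsServerForwarder).IPAddress -join ', '
        }
    }
}
```

With three DCs the ring is DC1 -> DC2 -> DC3 -> DC1, so no two DCs share the same primary and none points at itself first; Set-DnsServerForwarder replaces the whole forwarder list, so run it with the complete set of upstream resolvers you want.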


