DNS Best Practices

· If the server is the first domain controller that you installed in the domain, and the server runs DNS, configure the DNS client settings to point to that first server's IP address. Do not list any other DNS server.


· Configure additional domain controllers that have DNS installed to point to the first domain controller that was installed in the domain and that runs DNS. Configure these additional domain controllers to point to themselves as secondary.


· Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers. If you configure the DNS client settings to point to your ISP's DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory directory service. Other domain controllers and computers use these records to find Active Directory-related information. The domain controller must register its records with its own DNS server.


· To forward external DNS requests, add the ISP's DNS servers as DNS forwarders in the DNS management console. If you do not configure forwarders, use the default root hints servers. In both cases, if you want the internal DNS server to forward to an Internet DNS server, you also must delete the root "." (also known as "dot") zone in the DNS management console in the Forward Lookup Zones folder.


· For each additional server running DNS added to your domain, the preferred DNS IP address is the parent DNS IP address. The IP address of the added server running DNS is placed in the Alternate IP Address text box.

· During AD installation and setup, if you created a domain name with a (domain name).local extension, delete the "." zone listed under Forward Lookup Zones. Otherwise, clients might have external name resolution problems on the Internet.

· If your DNS server is behind a proxy server or firewall, make sure to open UDP and TCP port 53 on the proxy server or firewall.

· If your DC is also a DNS server, make sure that your domain controller is pointing to itself for all DNS resolution. Otherwise, just make sure that it is pointing to an internal DNS server. Pointing to an ISP DNS server, for example, would result in inaccurate records being registered by the Netlogon service. Your TCP/IP network properties dialog box, in other words, should list only your DNS server as the preferred DNS.

· If your internal and registered external domain names are the same, make sure to add a Host (A) record and a Mail Exchange (MX) record to your DNS server forward lookup zone. Otherwise, users will not be able to browse your company's Internet Web site home page and related links.


The most common mistakes are:

· The domain controller is not pointing to itself for DNS resolution on all network interfaces.

· The "." zone exists under forward lookup zones in DNS. As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

· Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.

If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.
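The following audit script is an added example, not part of the original article, that checks a domain controller against the checklist and the common mistakes above: DNS client settings on every interface, the root "." zone, forwarders, the Netlogon-registered DC locator record, and TCP port 53 reachability. It assumes it runs on a domain controller that also hosts DNS, with the DnsClient, DnsServer and NetTCPIP modules available; the $InternalDns addresses are placeholders to replace with your own internal DNS servers.

```powershell
# Added audit script (not from the original article). Read-only: it reports findings
# and changes nothing. $InternalDns holds placeholder addresses; replace with yours.
$InternalDns = @('10.0.0.10', '10.0.0.11')   # placeholder: your internal DNS servers
$Findings = @()

# 1. Every interface's DNS client list must contain only this DC or internal servers,
#    never the ISP's resolvers (common mistake: DC not pointing to itself on all NICs).
$SelfIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }
    $bad = $cfg.ServerAddresses | Where-Object { $_ -notin $InternalDns -and $_ -notin $SelfIPs }
    if ($bad) {
        $Findings += "Interface '$($cfg.InterfaceAlias)' points to non-internal DNS: $($bad -join ', ')"
    }
}

# 2. The root "." zone must not exist, otherwise forwarders and root hints are never used.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    $Findings += 'Root "." zone exists under Forward Lookup Zones; delete it to allow external resolution'
}

# 3. ISP servers belong in the forwarders list; with no forwarders, root hints are used.
$fwd = (Get-DnsServerForwarder).IPAddress
if (-not $fwd) { 'No forwarders configured; the server will use root hints' }
else { "Forwarders: $($fwd -join ', ')" }

# 4. Netlogon must have registered the DC locator SRV record with this server.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not $srv) { $Findings += "No _ldap._tcp.dc._msdcs.$domain SRV record on the local DNS server" }

# 5. Port 53 must reach the forwarders through any proxy or firewall. Test-NetConnection
#    only exercises TCP; UDP/53 must still be verified on the firewall itself.
foreach ($ip in $fwd) {
    if (-not (Test-NetConnection -ComputerName $ip.IPAddressToString -Port 53 -InformationLevel Quiet)) {
        $Findings += "TCP port 53 to forwarder $ip is blocked"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { 'DNS configuration matches the best practices above' }
```

Run it in an elevated PowerShell session on each domain controller that hosts DNS; every warning maps to one bullet in the checklist.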