Domain Controllers Cross-Site DNS IP Configuration Best Practice

Aboodnet

11/22/22, 6:45 AM

Dears,

Currently, we have the below setup for DNS/DC IP configurations in our environment. I feel that something is not right/missing.

HO-DC1 IP: 10.10.10.11 Primary DNS: 10.10.10.12 Secondary DNS: 127.0.0.1

HO-DC2 IP: 10.10.10.12 Primary DNS: 10.10.10.11 Secondary DNS: 127.0.0.1

HO-DC3 IP: 10.10.10.13 Primary DNS: 10.10.10.12 Secondary DNS: 127.0.0.1

DR-DC1 IP: 10.10.20.11 Primary DNS: 10.10.20.12 Secondary DNS: 127.0.0.1

DR-DC2 IP: 10.10.20.12 Primary DNS: 10.10.20.11 Secondary DNS: 127.0.0.1

A server in HO IP: 10.10.100.101 Primary DNS: 10.10.10.11 Secondary DNS: 10.10.10.12 Tertiary DNS: 10.10.10.13

A server in DR IP: 10.10.200.101 Primary DNS: 10.10.20.11 Secondary DNS: 10.10.20.12

I followed this design from the below website but my concerns are:

how do HO DCs and DR DCs will be in sync if they are not pointing to each other?
What will happen to HO servers if all HO DCs are down? Shouldn't I at least add one DR DC IP to the HO servers DNS list?

https://activedirectorypro.com/dns-best-practices/

Thanks, Abdullah,

1 + 0

domain-name-system

domain

domain-controller

Score:0

Server

Tilman Schmidt

11/22/22, 7:11 PM

As you are referencing a Microsoft Windows Active Directory help site I am assuming you are talking about Active Directory Domain Controllers (AD DCs). My answers are based on that assumption.

Ad 1. If you followed Microsoft best practice recommendations then your DNS zones are configured as AD integrated zones, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones. In that case the Active Directory replication mechanism will take care of synchronizing them between DCs.

If you didn't configure your DNS zones as AD integrated then you'll have to configure one of your DCs as the master and the others as slaves pointing to the master, and synchronisation will happen by way of zone transfers.

In no event will a name server synchronize to another one just because you configured it as primary DNS for name resolution.

Ad 2. If all HO DCs are down then the HO server whose configuration you gave will not have name resolution available. Whether this is a scenario you need to cover depends on your redundancy planning. Often when you have three DCs it is deemed reasonably improbable that all three will fail at the same time. Also, if all three DCs of the HO site fail you'll typically have bigger problems than just loss of name resolution. So more likely than not, adding a DNS server from DR to the list won't actually buy you much.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Domain Controllers Cross-Site DNS IP Configuration Best Practice

TH: แนวทางปฏิบัติที่ดีที่สุดสำหรับการกำหนดค่า DNS IP ข้ามไซต์สำหรับตัวควบคุมโดเมน

RO: Cele mai bune practici de configurare IP DNS pentru controlere de domeniu

RU: Контроллеры домена Рекомендации по межсайтовой IP-конфигурации DNS

VI: Bộ điều khiển miền Phương pháp hay nhất Cấu hình IP DNS trên nhiều trang web

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.