DNS configuration best practice on Domain Controllers, Clients and Member Servers

MULTIHOMING Domain controllers is not recommended, it always results in multiple problems.

1. Domain Controllers should not be multi-homed
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS even just all by itself, is better on a single homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master Browser.

Master Browsers should not be multi-homed Active Directory communication fails on multihomed domain controllers. http://support.microsoft.com/kb/272294

Name resolution and connectivity issues occur on Windows 2000 domain controllers that have the Routing and Remote Access service and DNS installed. http://support.microsoft.com/kb/830063

Delay in NetBIOS connections from a multi-homed computer. http://support.microsoft.com/kb/166159
Symptoms of multihomed browsers.

DNS configuration on domain controller:

1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs). 3. If multiple NICs (enabled and disabled) are present on server, make sure the active NIC should be on top in NIC binding.
4. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
5. If loopback IP address ( is configured as primary dns setting then remove the same and add IP address of Server.If it is set as alternate DNS setting then no problems. See this:http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
6. Also make sure the IPv6 is configured to dynamic (Automatically) if it is Windows 2008/R2/2012 Server. Even remove ::1 from dns setting if configured. See below screenshot for the same.

7.DNS setting on RODC. Recommended setting for RODC that’s a DNS server, it should point to itself IP (not loopback address 127.0.01) as the primary DNS server.

Writable DNS server’s IP in a hub location should be the secondary/alternate DNS servers. http://technet.microsoft.com/en-us/library/cc742490(v=ws.10).aspx http://technet.microsoft.com/en-us/library/dd737255(v=ws.10).aspx

Once you are done with above, run “ipconfig /flushdns & ipconfig /registerdns”, restart DNS server and NETLOGON service on each DC.


1. Don’t disable IPv6, let it be default as many of the services utilize in the newer OS like Direct access, exchange 2010 etc. Windows 2012/2008 R2/7 uses IPv6 and it should be configured to dynamic (Automatically).

It is not recommended from the MS to disable IPv6, take a look at below articles on IPv6.  http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Arguments against disabling IPv6. http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.asp

2. Why NIC Binding is Important: Any resource in the domain (Server, Workstation or Printer  etc.) will contact first NIC in Network Connections. If we have more than 1 NIC, the connectivity may fail by trying or will take longer time to connect.

Check NIC binding the NIC which is online and has IP details should be in first order. How to set/view the NIC bind order in Windows. http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

How to properly multihomed a Windows Server Domain Controller.  http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/03/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

DNS Design Options in a Multi-Domain Forest – How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest . http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

NedPyle from Microsoft – DNS recommendation and best practices. http://blogs.technet.com/b/askds/archive/2010/08/02/new-dns-and-ad-ds-bpa-s-released-or-the-most-accurate-list-of-dns-recommendations-you-will-ever-find-from-microsoft.aspx?PageIndex=2

DNS configuration on clients and member servers:
1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
2. Do not set public DNS server in TCP/IP setting of clients/member servers.

Leave a Reply

Your email address will not be published. Required fields are marked *