Plan DNS Servers for Branch Office Environments

Applies To: Windows Server 2008

This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments.

As a best practice, use Active Directory–integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice.

In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory–integrated DNS zones. For more information about using Dnscmd.exe, see Enlist a DNS Server in a DNS Application Directory Partition (https://go.microsoft.com/fwlink/?LinkId=151963).

Note

You also have to configure the DNS client settings on the RODC so that it points to itself as its preferred DNS server. For more information, see Review the current DNS client settings.
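The following is an added example, not part of the original topic, showing the Dnscmd.exe steps for an RODC whose DNS server was installed after AD DS rather than by Dcpromo.exe. The server name BR1-RODC01, the forest root contoso.com and the domain corp.contoso.com are assumptions; substitute your own names.

```powershell
# Added example (not from the original topic): enlist an RODC's DNS server in the
# ForestDnsZones and DomainDnsZones application directory partitions, then confirm the
# Active Directory-integrated zone is loaded on it.
# Assumed names: RODC "BR1-RODC01", forest root "contoso.com", domain "corp.contoso.com".
$Rodc       = 'BR1-RODC01'
$ForestRoot = 'contoso.com'
$Domain     = 'corp.contoso.com'

# Each DNS application directory partition is named <prefix>.<FQDN>: the forest-wide
# partition uses the forest root, the domain-wide partition uses the domain name.
$Partitions = @("ForestDnsZones.$ForestRoot", "DomainDnsZones.$Domain")

foreach ($p in $Partitions) {
    # Enlist the RODC's DNS server in the partition. The zones stored there replicate to
    # the RODC as a read-only copy, like the rest of the directory.
    dnscmd $Rodc /EnlistDirectoryPartition $p
}

# Check 1: the RODC now lists both partitions as enlisted.
dnscmd $Rodc /EnumDirectoryPartitions

# Check 2: the domain zone is loaded from the directory on the RODC. The output shows
# whether the zone is directory-integrated and which partition stores it.
dnscmd $Rodc /ZoneInfo $Domain
```

Run the commands from an account that is a member of the DNS Admins or Domain Admins group; the RODC does not have to be reachable from the hub for the enlistment itself, but the zones cannot replicate to it until the WAN link is up.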

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone.

By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

For example, suppose that you add a new member server in a branch office, Branch1, that has an RODC. The member server hosts an application that client computers in Branch1 must locate by means of a DNS query. When the member server attempts to register host (A or AAAA) resource records for its IP address, the RODC DNS server refers it to a writeable Windows Server 2008 (or Windows Server 2008 R2) DNS server that the RODC tracks for that zone, and the member server performs the dynamic update against that server. Because a writeable Windows Server 2008 DNS server hosts the zone, the RODC in Branch1 replicates the updated record from it as soon as possible, by means of RSO. Client computers in Branch1 can then locate the new member server by querying the RODC in Branch1 for its IP address.

If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against a Windows Server 2003 DNS server if one is available. However, the updated record will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which delays client computers that use the RODC DNS server for name resolution from locating the new member server.
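The following is an added example, not part of the original topic, that checks the two conditions described above: that writeable Windows Server 2008 DNS servers (and not the RODC) hold the NS records for the zone, and that a record registered by a new branch member server reaches the RODC without waiting for scheduled replication. The zone corp.contoso.com, the RODC BR1-RODC01, the hub DC HUB-DC01 and the member server BR1-APP01 are assumed names.

```powershell
# Added example (not from the original topic): verify NS registration for the zone and
# watch a dynamic update arrive on the RODC.
# Assumed names: zone "corp.contoso.com", RODC "BR1-RODC01", writeable hub DC "HUB-DC01",
# new branch member server "BR1-APP01".
$Zone   = 'corp.contoso.com'
$Rodc   = 'BR1-RODC01'
$HubDc  = 'HUB-DC01'
$Member = 'BR1-APP01'

# Check 1: NS records at the zone apex, read from the writeable copy on the hub DC.
# The writeable Windows Server 2008 DNS server(s) must be listed; the RODC must not be,
# because RODCs do not register NS records for the zones they host.
dnscmd $HubDc /EnumRecords $Zone '@' /Type NS

# Check 2: the SOA record that the RODC hands out. Its primary server field is where a
# client in the branch is sent for dynamic updates, so it should name a writeable
# Windows Server 2008 DNS server, not the RODC itself.
nslookup -type=SOA $Zone $Rodc

# Check 3: on BR1-APP01 run "ipconfig /registerdns", then poll the RODC for the new host
# record. With a writeable Windows Server 2008 DNS server hosting the zone the RSO pull
# completes within seconds; if only a Windows Server 2003 DNS server accepted the update,
# the record shows up only after the next replication cycle.
$deadline = (Get-Date).AddMinutes(2)
$answer = $null
do {
    # nslookup prints the server's own "Address:" line first; skip it and keep the answer.
    $answer = nslookup -type=A "$Member.$Zone" $Rodc 2>$null |
              Select-String 'Address' | Select-Object -Skip 1
    if ($answer) {
        "RODC $Rodc now resolves $Member to $($answer -replace '.*Address(es)?:\s*','')"
        break
    }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

if (-not $answer) {
    "RODC $Rodc has no A record for $Member after 2 minutes; check the NS records above and the WAN link to $HubDc"
}
```

If check 1 shows only Windows Server 2003 domain controllers, add a Windows Server 2008 DNS server that hosts the zone before relying on RSO in the branch; the poll in check 3 is the quickest way to confirm that the change took effect.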

For more information about how DNS dynamic updates are performed in locations that have an RODC, see the section “DNS updates for clients that are located in an RODC site” in Appendix A: Technical Reference Topics (https://go.microsoft.com/fwlink/?LinkID=128273).

Review the current DNS client settings

Review the DNS server and DNS client settings for your existing domain controllers. The Windows Server 2003 Branch Office Guide recommends that all your domain controllers be DNS servers. If you have followed those guidelines, the DNS client settings for each domain controller will be configured so that the domain controller points to itself as the preferred DNS server and points to another domain controller as the alternate DNS server.

You can also run DNS tests using the Dcdiag.exe tool to ensure that name resolution is working correctly in your environment before you begin to add Windows Server 2008 domain controllers to it.

It is a best practice to always make RODCs DNS servers that host Active Directory–integrated DNS zones and to configure DNS clients in the site to use the DNS server on the RODC as their preferred DNS server for DNS queries. RODCs do not register name server (NS) resource records for the DNS zones that they host, because they hold a read-only copy of the zone and cannot accept updates.

During installation of AD DS in Windows Server 2008, the Dcpromo tool does not make any changes to the preferred DNS server setting. However, it adds the IP version 4 (IPv4) loopback address 127.0.0.1 to the end of the list of alternate DNS servers, and it configures DNS forwarders to help resolve DNS names that are not included in the DNS zone that the domain controller hosts. If IP version 6 (IPv6) is enabled, Dcpromo adds the IPv6 loopback address ::1 to the list of Alternate DNS servers and the IPv6 addresses appear before IPv4 addresses in the list.

After each RODC installation in a branch office, change the preferred DNS server address on the RODC (if this is not already done by means of a Group Policy setting) so that the RODC points to itself as the preferred DNS server rather than only as an alternate DNS server, and keep another domain controller as the alternate.
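The following is an added example, not part of the original topic, that performs the review and the change described in this section on the RODC itself, then runs the Dcdiag.exe DNS tests mentioned above. It uses WMI, which is present on Windows Server 2008 without additional modules, and only adjusts the IPv4 list; the IPv6 loopback entry that Dcpromo adds is left alone. The hub DC address 10.0.0.10 is an assumption.

```powershell
# Added example (not from the original topic): run on the RODC after Dcpromo finishes.
# Shows the current DNS server order, then rebuilds it as: this DC's own IPv4 address
# first, a hub DC as alternate, then any remaining entries except the loopback addresses
# that Dcpromo appended. Assumed hub DC address: 10.0.0.10.
$HubDcAddress = '10.0.0.10'

# Adapters with IP enabled; a domain controller normally has exactly one.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'

foreach ($nic in $nics) {
    # First IPv4 address bound to this adapter is what the RODC should point to.
    $self = @($nic.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } |
            Select-Object -First 1
    if (-not $self) { continue }

    "Adapter: $($nic.Description)"
    "  Own IPv4 address:         $self"
    "  Current DNS server order: $($nic.DNSServerSearchOrder -join ', ')"

    # Keep anything that is not self, not the hub DC and not a loopback address.
    $others = @($nic.DNSServerSearchOrder) | Where-Object {
        $_ -and $_ -ne $self -and $_ -ne $HubDcAddress -and
        (@('127.0.0.1', '::1') -notcontains $_)
    }
    $order = @($self, $HubDcAddress) + @($others)

    # Apply the new order. ReturnValue 0 means success; 1 means a reboot is required.
    $result = $nic.SetDNSServerSearchOrder([string[]]$order)
    if ($result.ReturnValue -eq 0) {
        "  New DNS server order:     $($order -join ', ')"
    } else {
        "  SetDNSServerSearchOrder returned $($result.ReturnValue)"
    }
}

# Sanity check from the article: Dcdiag DNS tests. DnsBasic covers registration and
# basic resolution; DnsDynamicUpdate attempts an update through this DC, which on an
# RODC exercises the referral to a writeable Windows Server 2008 DNS server.
dcdiag /test:DNS /DnsBasic /DnsDynamicUpdate /v
```

Run the Dcdiag.exe tests once before the change and once after it; a DnsDynamicUpdate failure on an RODC that passes DnsBasic usually means no writeable Windows Server 2008 DNS server registers NS records for the zone, which is the condition described in the previous section.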

Windows Server 2008 includes a Group Policy setting that provides improvements in the DC Locator process. The improvements can help client computers that run Windows Vista or Windows Server 2008 locate domain controllers more efficiently on a network than was possible in previous versions of Windows Server. For a procedure that explains the steps to set this Group Policy setting, see Enable Clients to Locate a Domain Controller in the Next Closest Site (https://go.microsoft.com/fwlink/?LinkID=147362).