Domain Controllers Cross-Site DNS IP Configuration Best Practice

Question

Dears,

Currently, we have the below setup for DNS/DC IP configurations in our environment. I feel that something is not right/missing.

HO-DC1 IP: 10.10.10.11 Primary DNS: 10.10.10.12 Secondary DNS: 127.0.0.1

HO-DC2 IP: 10.10.10.12 Primary DNS: 10.10.10.11 Secondary DNS: 127.0.0.1

HO-DC3 IP: 10.10.10.13 Primary DNS: 10.10.10.12 Secondary DNS: 127.0.0.1

DR-DC1 IP: 10.10.20.11 Primary DNS: 10.10.20.12 Secondary DNS: 127.0.0.1

DR-DC2 IP: 10.10.20.12 Primary DNS: 10.10.20.11 Secondary DNS: 127.0.0.1

A server in HO IP: 10.10.100.101 Primary DNS: 10.10.10.11 Secondary DNS: 10.10.10.12 Tertiary DNS: 10.10.10.13

A server in DR IP: 10.10.200.101 Primary DNS: 10.10.20.11 Secondary DNS: 10.10.20.12

I followed this design from the below website but my concerns are:

1. how do HO DCs and DR DCs will be in sync if they are not pointing to each other?
2. What will happen to HO servers if all HO DCs are down? Shouldn't I at least add one DR DC IP to the HO servers DNS list?

https://activedirectorypro.com/dns-best-practices/

Thanks, Abdullah,

Answer 1

As you are referencing a Microsoft Windows Active Directory help site I am assuming you are talking about Active Directory Domain Controllers (AD DCs). My answers are based on that assumption.

Ad 1. If you followed Microsoft best practice recommendations then your DNS zones are configured as AD integrated zones, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones. In that case the Active Directory replication mechanism will take care of synchronizing them between DCs.

If you didn't configure your DNS zones as AD integrated then you'll have to configure one of your DCs as the master and the others as slaves pointing to the master, and synchronisation will happen by way of zone transfers.

In no event will a name server synchronize to another one just because you configured it as primary DNS for name resolution.

Ad 2. If all HO DCs are down then the HO server whose configuration you gave will not have name resolution available. Whether this is a scenario you need to cover depends on your redundancy planning. Often when you have three DCs it is deemed reasonably improbable that all three will fail at the same time. Also, if all three DCs of the HO site fail you'll typically have bigger problems than just loss of name resolution. So more likely than not, adding a DNS server from DR to the list won't actually buy you much.