Best Practice of DNS Configuration in Active Directory Domain

Source: Internet
Author: User
Keywords: DNS configuration in Active Directory, DNS integration with Active Directory, DNS server Active Directory integration

For Active Directory to function as expected, it is important to configure DNS correctly. Improper DNS configuration can cause various problems, including login failures, group policy processing issues, and replication issues. The following list of good practices is not exhaustive, but will help ensure correct name resolution within the Active Directory domain.


In a small environment, at least one domain controller (DC) should be a DNS server. It is possible to install DNS on servers that are not DCs (including non-Windows servers), but installing DNS on a DC allows the use of AD integrated lookup zones (see below), which improves security and simplifies zone replication.

In larger environments, at least two domain controllers on each physical site should be DNS servers. This provides redundancy if a DC goes offline unexpectedly. Note that domain-joined computers only benefit from this redundancy if they are configured with more than one DNS server.

If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first, and then use themselves. Each DC's DNS server list should include its own address, but it should not be the first server in the list. If a DC only uses itself for resolution, it may stop replicating with other DCs. This is obviously not a problem in a domain with only one DC.

All domain-joined computers must use only the internal DNS servers. If a domain-joined computer is configured with an external server as a backup DNS server, a temporary loss of connectivity to the internal DNS server will cause the computer to start resolving through the external server. The external server cannot resolve queries for anything in the AD domain, and when connectivity is restored the client will not automatically switch back to the internal DNS server. This usually manifests as an inability to reach domain resources from the affected computer. Note that if a small office/home office (SOHO) router assigns DHCP addresses to client computers, it may also assign external DNS servers to those clients unless they are configured otherwise.

In a multi-site environment, domain members should be configured to use the DNS server on their local site, and then the servers on other sites. This reduces DNS traffic across slower WAN links.
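The resolver-order rules above (peer DC first, own address present but not first, internal servers only, local site first) are easy to get wrong on a per-host basis. The following PowerShell is an added example, not code from the original article: it audits the DNS client configuration of every DC, and the same function can be fed a workstation's resolver list. It assumes the RSAT ActiveDirectory and DnsClient modules, rights to query AD and run commands on the DCs over WinRM, and constructed host names and addresses in the offline illustration at the end.

```powershell
# Added example (not from the original article): audit the resolver list of each
# DC, and optionally other domain members, against the article's rules.
# Assumptions (not stated by the article): RSAT ActiveDirectory and DnsClient
# modules are installed, the caller can query AD and run WinRM commands on the
# targets, and every name and address below is constructed for illustration.

Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DnsClientConfig {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $Servers,    # resolvers in configured order
        [Parameter(Mandatory)] [string[]] $Internal,   # every DC address in the forest
        [string[]] $LocalSite = @(),                   # DC addresses in the computer's own site
        [switch]   $IsDomainController,
        [string]   $OwnAddress
    )
    $findings = @()
    if ($Servers.Count -lt 2) {
        $findings += 'fewer than two DNS servers configured (no redundancy)'
    }
    # Anything that is not a DC is treated as an external resolver: members must
    # use internal DNS only, or they silently fail over and never come back.
    $external = @($Servers | Where-Object { $_ -notin $Internal -and $_ -notmatch '^127\.' })
    if ($external.Count -gt 0) {
        $findings += "external DNS server(s) configured: $($external -join ', ')"
    }
    if ($IsDomainController -and $Servers.Count -gt 0) {
        $self = @('127.0.0.1', $OwnAddress)
        if ($Servers[0] -in $self) {
            $findings += 'DC lists itself (or loopback) first; a peer DC should come first'
        }
        if (@($Servers | Where-Object { $_ -in $self }).Count -eq 0) {
            $findings += 'DC does not list its own address at all'
        }
    }
    if ($LocalSite.Count -gt 0 -and $Servers.Count -gt 0 -and $Servers[0] -notin $LocalSite) {
        $findings += 'first DNS server is in another site (WAN traffic for every query)'
    }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Computer = $ComputerName
        Servers  = ($Servers -join ', ')
        Findings = $summary
    }
}

# Live audit: one row per DC, using the first IPv4 interface that has resolvers set.
$dcs      = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site
$internal = @($dcs.IPv4Address)
foreach ($dc in $dcs) {
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses
    }
    $siteDcs = @(($dcs | Where-Object { $_.Site -eq $dc.Site }).IPv4Address)
    Test-DnsClientConfig -ComputerName $dc.HostName -Servers @($servers) -Internal $internal `
        -LocalSite $siteDcs -IsDomainController -OwnAddress $dc.IPv4Address
}

# Offline illustration with constructed values: a DC that lists itself first and a
# workstation that falls back to an outside resolver both produce findings.
Test-DnsClientConfig -ComputerName 'DC01' -Servers @('10.0.0.10', '10.0.0.11') `
    -Internal @('10.0.0.10', '10.0.0.11') -IsDomainController -OwnAddress '10.0.0.10'
Test-DnsClientConfig -ComputerName 'WS42' -Servers @('10.0.0.10', '203.0.113.53') `
    -Internal @('10.0.0.10', '10.0.0.11')
```

Run the live loop from a management host; the two constructed calls at the end show the output shape without touching any server. The check deliberately treats loopback and the DC's own address the same way, since both make a DC depend on itself for resolution during startup, which is the replication failure mode the text describes.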

Use Active Directory integrated DNS zones to improve security and simplify DNS replication. AD-integrated DNS zones are stored in directory partitions in Active Directory. These partitions replicate with the rest of AD, so DNS replication requires no additional configuration (i.e. no zone transfer settings). In addition, AD-integrated zones allow the use of secure dynamic updates, which prevents computers that cannot authenticate to the domain from updating DNS records.

Unless there is a compelling reason, DNS zones should allow only secure dynamic updates. Allowing nonsecure dynamic updates may let computers that are not domain members modify records on the domain's DNS server, which is a security risk. On the other hand, disabling dynamic updates entirely protects the DNS records but makes the domain harder to manage.

In an Internet-connected environment, configure forwarders or root hints for external name resolution. Forwarders can provide faster responses to external queries, but they offer less redundancy than the 374 widely distributed root DNS servers that existed at the time of writing. By default, Windows Server DNS has root hints configured, but forwarders must be configured manually.

DNS servers in the domain should not forward to each other. A forwarder is the server to which a DNS server sends the queries it cannot answer itself (i.e. queries for records in zones it does not host). DNS servers in a domain usually host the same zones, so if one of them cannot answer a given query, none of them can. Forwarding the query from one server to another only adds delay.
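The zone-storage, dynamic-update and forwarder rules from the last four paragraphs can be checked (and, on request, corrected) from one place. The following PowerShell is an added example, not code from the original article or from Microsoft: it assumes the DnsServer and ActiveDirectory RSAT modules, rights to query and modify the named server, and a constructed server name; without the `-Fix` switch it only reports.

```powershell
# Added example (not from the original article): audit zone storage, dynamic
# update mode and forwarder configuration on one DNS server. Assumptions: the
# DnsServer and ActiveDirectory RSAT modules, rights on the server, and a
# constructed server name. Nothing is changed unless -Fix is given.

Import-Module DnsServer
Import-Module ActiveDirectory

function Get-DnsServerFindings {
    param(
        [Parameter(Mandatory)] [string] $DnsServer,
        [switch] $Fix                      # apply remediation instead of only reporting
    )
    $findings    = @()
    $dcAddresses = @((Get-ADDomainController -Filter *).IPv4Address)

    # 1. Primary zones should be AD-integrated and accept only secure dynamic
    #    updates. Auto-created reverse zones and TrustAnchors are out of scope.
    $zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
    }
    foreach ($z in $zones) {
        if (-not $z.IsDsIntegrated) {
            $findings += "zone $($z.ZoneName): file-backed, not AD-integrated (needs zone transfers)"
            if ($Fix) {
                # Convert first: 'Secure' is only offered for AD-integrated zones.
                ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName `
                    -ReplicationScope Domain -Force
            }
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            $findings += "zone $($z.ZoneName): dynamic updates = $($z.DynamicUpdate)"
            if ($Fix) {
                Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName -DynamicUpdate Secure
            }
        }
    }

    # 2. External resolution: forwarders or root hints must exist, and forwarders
    #    must not be other DCs of this domain, which host the same zones anyway.
    $fwd          = Get-DnsServerForwarder -ComputerName $DnsServer
    $fwdAddresses = @($fwd.IPAddress | Where-Object { $_ } | ForEach-Object { "$_" })
    $rootHints    = @(Get-DnsServerRootHint -ComputerName $DnsServer)
    if ($fwdAddresses.Count -eq 0 -and $rootHints.Count -eq 0) {
        $findings += 'no forwarders and no root hints: external names cannot be resolved'
    }
    $peerFwd = @($fwdAddresses | Where-Object { $_ -in $dcAddresses })
    if ($peerFwd.Count -gt 0) {
        $findings += "forwarder(s) are domain DCs: $($peerFwd -join ', ') (adds delay, no benefit)"
    }
    if ($fwdAddresses.Count -gt 0 -and -not $fwd.UseRootHint) {
        $findings += 'root hints disabled: no fallback if every forwarder is unreachable'
    }

    [pscustomobject]@{ Server = $DnsServer; Findings = $findings }
}

Get-DnsServerFindings -DnsServer 'dc01.corp.example'          # report only
# Get-DnsServerFindings -DnsServer 'dc01.corp.example' -Fix   # report and remediate
```

Run it against each DNS server in turn; in a healthy domain every row comes back with an empty Findings list. The order of the two zone fixes matters: the secure-only update mode depends on the zone already living in the directory, so the conversion runs before the update mode is set.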

Configure aging and scavenging to avoid stale DNS records. Correctly configured aging and scavenging ensures that stale records (records older than a configurable age) are automatically removed from DNS.
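Aging is set per zone and scavenging per server, and a record only disappears when both are in place and its timestamp is older than the no-refresh plus refresh intervals. The following PowerShell is an added example, not code from the original article: it enables both, restricts scavenging to a single server, and previews which records the next pass would remove. It assumes the DnsServer RSAT module, a constructed server and zone name, and the 7-day intervals chosen here.

```powershell
# Added example (not from the original article): enable aging on a zone and
# scavenging on one server, then preview the records the next scavenging pass
# would be allowed to delete. Assumptions: DnsServer RSAT module, a constructed
# server and zone name, and the 7 + 7 day intervals chosen for illustration.

Import-Module DnsServer
$dnsServer = 'dc01.corp.example'
$zoneName  = 'corp.example'

# Current state, server-wide and for the zone.
Get-DnsServerScavenging -ComputerName $dnsServer |
    Format-List ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime
Get-DnsServerZoneAging -ComputerName $dnsServer -Name $zoneName |
    Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# Zone aging: a dynamic record becomes eligible once its timestamp is older than
# NoRefresh + Refresh (14 days here). ScavengeServers limits which server may
# scavenge this AD-integrated zone, so exactly one DC does the deleting.
$scavenger = (Resolve-DnsName -Name $dnsServer -Type A).IPAddress
Set-DnsServerZoneAging -ComputerName $dnsServer -Name $zoneName -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ScavengeServers $scavenger

# Server scavenging: without this the zone setting only stamps records and
# nothing is ever removed. The interval is how often the engine runs.
Set-DnsServerScavenging -ComputerName $dnsServer -ScavengingState $true -ScavengingInterval 7.00:00:00

# Preview: static records carry no timestamp and are never scavenged; dynamic
# records older than the threshold are what the engine would delete. Review
# this list before the first pass: a host that registered once and never
# refreshes (a printer, an appliance) belongs in a static record instead.
$threshold = (Get-Date).AddDays(-14)
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zoneName -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $threshold } |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }, Timestamp
```

The preview is the important step: scavenging is only safe once every record it would delete is genuinely stale, and the first pass after enabling it is where long-forgotten static entries that were created dynamically tend to vanish.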
