Error while scanning DNS role on Windows Server 2008 R2

active-directory, domain-name-system, windows-server-2008

I've deployed AD with DNS on a Windows Server 2008 R2 running on VirtualBox on an Ubuntu server 10.04 LTS. The server runs like a charm; the only thing giving me "trouble" is DNS. When I use the Best Practices Analyzer ("Scan This Role") I keep getting the below error, although the DNS role seems to be working just fine:

Title: DNS: DNS servers on Local Area Connection should include the loopback address, but not as the first entry.

Issue: The network adapter Local Area Connection does not list the loopback IP address as
a DNS server, or it is configured as the first entry

I followed the instructions on this page, which basically explain how to configure DNS servers for your interfaces and advise not to use the loopback IP as the primary DNS. However, this error seems to occur regardless of the configuration, as I tried the following and always get the same error (I "Scan this role" between every change):

primary:   127.0.0.1
secondary: 192.168.16.1 (server IP)

primary:   127.0.0.1
secondary: blank

primary:    192.168.16.1 (server IP)
secondary:  127.0.0.1

primary:    192.168.16.1 (server IP)
secondary:  blank

If I use an external DNS such as Google DNS as a secondary:

primary:   127.0.0.1
secondary: 8.8.8.8 (Google's DNS ip)

I get the below error (expected), although once again DNS requests to external domains are resolved fine:

The DNS server 8.8.8.8 on Local Area Connection did not successfully resolve the name _ldap._tcp.gc._msdcs.mydomain.local.

The server is running with the latest Windows updates (updated about 1 hour ago). Everything (DNS, AD, DHCP) seems to be working fine.

Q1: Should I worry about the first error I mentioned?
Q2: How can I get rid of this error?

Best Answer

If you only have a single Domain Controller/DNS server, you can ignore this. If you have more than one, you should be setting the primary DNS server to the IP of the other Domain Controller and setting the secondary DNS server to the loopback interface and vice versa on the other DC.

You get this error with all of your configurations because 192.168.16.1 is the local interface, so it's effectively the same as 127.0.0.1 as far as DNS and the BPA are concerned.

This is best practice so that a DNS server isn't reliant on itself for name resolution, which would affect replication in a multi-DC environment. If you only have a single Domain Controller (and thus a single ADI DNS server), you'll continue to get this error because, well, only having 1 DC isn't best practice.

Note that you should never set an AD-joined computer or a domain controller to use an outside DNS server. They should always point only to Active Directory Integrated DNS servers. This is so that they can find the relevant SRV and RR records in the _msdcs zone for your domain. If you want to set up a global forwarder to 8.8.8.8 (still not the best idea), you can do that, but you should never make a DC or AD client use 8.8.8.8 directly.
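The rules the answer describes (loopback present but not first, the DC's own address counting as loopback, and no non-AD resolvers on a domain controller) can be audited from PowerShell. The script below is an added example, not code from the question, the answer or Microsoft; it uses WMI rather than the newer DnsClient cmdlets so it also runs under the PowerShell 2.0 that ships with Windows Server 2008 R2. The `$DomainControllers` list and the function names are assumptions: fill the list with the addresses of your own AD-integrated DNS servers.

```powershell
# Added example: audit each IP-enabled adapter's DNS client list against the
# BPA rules discussed in the answer. Runs under PowerShell 2.0 (WMI only).

# Constructed sample value: the AD-integrated DNS servers of this domain.
# In a multi-DC environment, list every DC here.
$DomainControllers = @('192.168.16.1')

function Test-DcDnsClientConfig {
    param([string[]]$AdDnsServers)

    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled }

    foreach ($nic in $adapters) {
        $servers  = @($nic.DNSServerSearchOrder)
        $ownAddrs = @($nic.IPAddress)            # this adapter's own IPs
        $findings = @()

        if ($servers.Count -eq 0) {
            $findings += 'no DNS servers configured'
        } else {
            # BPA rule: loopback should be present, but not the first entry.
            # The answer notes the host's own IP is treated like 127.0.0.1.
            $first = $servers[0]
            if ($first -eq '127.0.0.1' -or $ownAddrs -contains $first) {
                $findings += "first entry $first points at this server itself"
            }
            if ($servers -notcontains '127.0.0.1' -and
                -not ($servers | Where-Object { $ownAddrs -contains $_ })) {
                $findings += 'loopback (or own address) is missing'
            }

            # A DC must only use AD-integrated DNS, never an outside resolver.
            foreach ($s in $servers) {
                if ($s -ne '127.0.0.1' -and
                    $ownAddrs -notcontains $s -and
                    $AdDnsServers -notcontains $s) {
                    $findings += "non-AD DNS server $s listed"
                }
            }
        }

        if ($findings) { $summary = $findings -join '; ' } else { $summary = 'OK' }

        New-Object PSObject -Property @{
            Adapter    = $nic.Description
            DnsServers = ($servers -join ', ')
            Findings   = $summary
        }
    }
}

# Remediation for a multi-DC setup: other DC first, loopback second.
# $OtherDcIp is an assumed parameter; pass the partner DC's address.
function Set-DcDnsClientOrder {
    param([string]$AdapterDescription, [string]$OtherDcIp)

    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.Description -eq $AdapterDescription }
    if (-not $nic) { throw "adapter '$AdapterDescription' not found" }

    $result = $nic.SetDNSServerSearchOrder(@($OtherDcIp, '127.0.0.1'))
    if ($result.ReturnValue -ne 0) {
        throw "SetDNSServerSearchOrder failed with code $($result.ReturnValue)"
    }
}

Test-DcDnsClientConfig -AdDnsServers $DomainControllers | Format-Table -AutoSize
```

On a single-DC server like the one in the question, every configuration listed above will report a finding, which is exactly the BPA behaviour the answer explains; the remediation function only makes sense once a second DC exists to put first in the list.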