Public DNS on domain-joined PCs

Tags: active-directory, domain-name-system

I have a two-controller AD domain, and all domain-joined PCs have their addresses as primary and secondary DNS servers.

I wonder if I should configure a tertiary public DNS. The reasoning is that many PCs are located in smaller remote networks and they reach both domain controllers via a central VPN tunnel. If the VPN tunnel goes down, both DCs would be unavailable and the remote PCs would be unable to resolve any addresses, preventing them from surfing the internet, checking email, etc.

Adding a DC in each network is out of the question (they have 5/10 PCs each), and the same can be said about creating a direct VPN tunnel from the remote network to the secondary DC site (due to hardware capacity).

A tertiary, public DNS server would prevent this, but I wonder if it can cause problems (i.e. if it is, for some reason, selected as the preferred DNS, the PC would be "disconnected" from the domain).

So: is it OK to use a tertiary public DNS on a domain-joined PC, or will it cause problems? Anything to be aware of?

Best Answer

For proper domain functionality Windows computers need to be able to perform lookups against the DNS zone being used for AD.

If clients are pointed at a server that doesn't provide correct answers for that AD zone, those systems will probably break at some point.

It is important to understand that if a client makes a DNS lookup for a record like _gc._tcp.yourdomain.example.org or some other internal-only record against that third external server, that server will respond with a not found error. Your client will not retry that query against your domain controllers. A not found answer is perfectly valid.

If you want some more redundancy for DNS at your external sites, I would look at whatever device is running that VPN, or the device acting as the router/firewall. See if one of those devices can act as a caching DNS server. Possibly you can get it to forward the internal DNS requests to the DCs, and non-internal requests out to the world. Or perhaps run a DNS server in the cloud somewhere that will forward all internal requests to your DCs, and use whatever method of recursion for other requests.
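The following is an added model of the two points made in the answer, not code from the answer's author: a stub resolver that moves to the next server only when one does not reply (so a public tertiary server's "not found" ends an internal lookup), beside a site-local conditional forwarder that sends the AD zone to the DCs and everything else out. Zone data, the zone name yourdomain.example.org and the 10.0.0.x / 203.0.113.x addresses are constructed for the example.

```python
INTERNAL_ZONE = "yourdomain.example.org"  # AD zone name used in the answer
NXDOMAIN, TIMEOUT, SERVFAIL = "NXDOMAIN", None, "SERVFAIL"

# Constructed zone data: the DCs answer for the AD zone and recurse for
# everything else; the public resolver knows only public names.
DC_DATA = {
    "_gc._tcp." + INTERNAL_ZONE: "10.0.0.10",
    "mail." + INTERNAL_ZONE: "10.0.0.25",
    "www.example.com": "203.0.113.7",
}
PUBLIC_DATA = {"www.example.com": "203.0.113.7"}

def make_server(data):
    """A reachable server: answers from its data, otherwise says not found."""
    return lambda name: data.get(name, NXDOMAIN)

def unreachable(name):
    """A DC behind a VPN tunnel that is down: the query simply times out."""
    return TIMEOUT

def stub_resolve(servers, name):
    """Client behaviour described in the answer: move to the next server
    only when there is no reply; any answer, NXDOMAIN included, ends the lookup."""
    for server in servers:
        answer = server(name)
        if answer is not TIMEOUT:
            return answer
    return SERVFAIL  # nobody answered at all

def conditional_forwarder(dcs, public):
    """Caching forwarder on the site router: AD zone to the DCs, the rest to public."""
    def forward(name):
        if name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE):
            return stub_resolve(dcs, name)
        return stub_resolve(public, name)
    return forward

def scenarios():
    """Internal (_gc SRV) and external (www) lookups under four client setups."""
    dc1, dc2, public = make_server(DC_DATA), make_server(DC_DATA), make_server(PUBLIC_DATA)
    gc, www = "_gc._tcp." + INTERNAL_ZONE, "www.example.com"
    setups = {
        "tunnel up, tertiary public": [dc1, dc2, public],
        "tunnel down, tertiary public": [unreachable, unreachable, public],
        "tunnel down, site forwarder": [conditional_forwarder([unreachable, unreachable], [public])],
        "tunnel up, site forwarder": [conditional_forwarder([dc1, dc2], [public])],
    }
    return {label: (stub_resolve(s, gc), stub_resolve(s, www)) for label, s in setups.items()}

if __name__ == "__main__":
    for label, (internal, external) in scenarios().items():
        print(f"{label:30} internal={internal:<12} external={external}")
```

With the tunnel down and a public tertiary server, the external name resolves but the internal SRV lookup returns a clean NXDOMAIN rather than a failure, which is the silent breakage the answer describes; with the forwarder in front, the internal lookup fails as a server failure while external names still resolve.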