A word or two about DNS Islanding

by Ed Fisher on 2010-03-03

in Architecture


Ever had a domain controller just kind of stop replicating with everyone else? Ever had to move a domain controller to a new ip.addr and then spent hours trying to get AD happy again? Microsoft defines DNS Islanding in KB275278, which describes it as a problem with Windows 2000 based domain controllers using themselves for DNS. That is correct as far as it goes, but it is not the whole story. Islanding can occur (and often does) in 2003 and 2008 domains, though not in the same way the KB addresses. This post should help explain why, in a domain with multiple domain controllers, a domain controller should never point to itself for DNS, what can happen when it does, and how to fix it.

Setting a domain controller to point to itself for DNS is bad. What do I mean, ‘bad’? Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light. That’s what I mean by bad.


You’ve got a couple of problems that combine in a perfect storm scenario when a domain controller uses itself for DNS.

Which came first, the chicken or the egg?

At boot, Active Directory requires DNS to properly initialise. At boot, DNS requires AD to be up and running so any AD integrated zones can be read from AD and loaded into memory. You see the boggle? If they are co-dependent, and neither can properly start up without the other, how can either start up? Well, eventually they will, but using yourself for DNS can lead to longer system boot-up times, and an initial view of the world that is out of date. You’ll find much shorter system start-up times when the DNS client (configured in the NIC properties) is set to use DNS servers other than itself. If you only have two domain controllers, you really have no choice but to use yourself for DNS, but do that as the secondary DNS server, and use the other DC as the primary. As long as you do not reboot them both at the same time, you should be just fine. Here, think of it like this.

[Figure: dnsbad] This is hella bad.

[Figure: dns good] This is good (assuming you only have two DCs)…call it criss-cross.

[Figure: dns better] This is better…think circular!

You’re talking to yourself; again.

It’s when you don’t answer yourself anymore that we start to worry. The DNS client on a domain controller is completely separate from AD. All operations that require a name to be resolved or registered use the primary DNS server configured in the properties of the NIC. Remember, no operation will ever use the secondary if the primary responds. If a domain controller only points to itself, or points to itself as the primary DNS server, then it will register its A, PTR, and SRV records to itself. If replication on this DC is having issues, those records may never replicate to another DC. Eventually this DC will age out of AD as far as the other domain controllers are concerned. They will know of him in AD, but not be able to resolve his GUID in DNS for replication, and bad things will result. Using DNS servers other than yourself, you’ll also find that if you have to change the ip.addr of a domain controller, AD will converge MUCH more quickly.
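A quick way to find the DC that is "talking to itself" is to read the DNS client settings straight off each DC's NIC, which is where the post says the behaviour comes from. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and WMI access to every domain controller, and it flags a DC as bad only when its own address is the primary DNS server (self as secondary is the criss-cross layout the post allows).

```powershell
# Added example (not from the original post): audit each DC's NIC DNS client
# settings and flag any DC whose PRIMARY DNS server is one of its own addresses.
# Assumes the RSAT ActiveDirectory module and WMI access to each DC.
Import-Module ActiveDirectory

function Test-DcDnsSelfPointing {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Only IP-enabled adapters carry a DNS server search order worth checking
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -ComputerName $dc.HostName -Filter "IPEnabled = True"
        foreach ($nic in $nics) {
            $servers = @($nic.DNSServerSearchOrder)
            if ($servers.Count -eq 0) { continue }

            $primary   = $servers[0]
            $secondary = if ($servers.Count -gt 1) { $servers[1..($servers.Count - 1)] } else { @() }
            # The DC's own addresses, plus loopback, all count as "itself"
            $selfAddrs = @($nic.IPAddress) + @('127.0.0.1', '::1')

            $status = if ($selfAddrs -contains $primary) {
                'BAD: primary DNS is itself (islanding risk)'
            } elseif (@($secondary | Where-Object { $selfAddrs -contains $_ }).Count -gt 0) {
                'OK: self listed only as secondary'
            } else {
                'OK: no self reference'
            }

            [PSCustomObject]@{
                DC        = $dc.HostName
                Primary   = $primary
                Secondary = ($secondary -join ', ')
                Status    = $status
            }
        }
    }
}

Test-DcDnsSelfPointing | Format-Table -AutoSize
```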

In short, during normal operations…pointing a domain controller at itself for DNS?

[Figure: don'tbethatguy] Don’t be that guy.*


There are a couple of exceptions to this.

The first is that in a small domain with only one or two domain controllers, you of course have no choice. But see the criss-cross diagram above. Use the other domain controller as the primary DNS server.

The second is when DNS has melted down, and you’re in emergency mode. While outside the scope of this post, you can ‘rebuild’ DNS in your domain by pointing EVERY domain controller to a single one (including itself) to get a single point of truth. Then you restart netlogon and do an ipconfig /registerdns from each and every domain controller so they all register A, PTR, and SRV records to that one domain controller, and then use it for all queries. Let that cook until all domain controllers are properly registered and replicating again, and then go back to a distributed approach.
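The emergency rebuild above, carried out from one admin workstation, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, WMI and WinRM access to every DC, and that $TruthDc (a placeholder name) is the DC you have chosen as the single point of truth; run it only in the melted-down scenario the post describes, and go back to the criss-cross or circular layout once replication is healthy again.

```powershell
# Added example (not from the original post): point EVERY DC, including the
# chosen one, at a single DNS server, then restart Netlogon and re-register
# A/PTR/SRV records. Assumes RSAT ActiveDirectory, WMI and WinRM access to all DCs.
Import-Module ActiveDirectory

$TruthDc = 'dc01.corp.example'   # placeholder: replace with your chosen single point of truth
$TruthIp = ([System.Net.Dns]::GetHostAddresses($TruthDc) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' })[0].IPAddressToString

foreach ($dc in Get-ADDomainController -Filter *) {
    # Step 1: every IP-enabled NIC on this DC now lists only the truth DC for DNS
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                -ComputerName $dc.HostName -Filter "IPEnabled = True"
    foreach ($nic in $nics) {
        $result = $nic.SetDNSServerSearchOrder(@($TruthIp))
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$($dc.HostName): SetDNSServerSearchOrder returned $($result.ReturnValue)"
        }
    }

    # Step 2: restart Netlogon so the SRV records are re-registered, then force
    # the A and PTR registration, both against the truth DC we just configured
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Restart-Service -Name Netlogon -Force
        ipconfig /registerdns | Out-Null
    }
    Write-Host "$($dc.HostName): DNS set to $TruthIp, Netlogon restarted, registration forced"
}

# Step 3: let it cook, then confirm every DC is registered and replicating
# (repadmin /replsummary and dcdiag /test:dns) before returning to a
# distributed criss-cross or circular DNS layout.
```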

The screenshot up above, in case you don’t recognise it, is from PCU…one of the best movies I have ever seen. Jeremy Piven, Jon Favreau, Alex Desert, Jake Busey, and David Spade all before they were ‘big names,’ a great underdog story, and every conceivable college stereotype you can imagine combine to make a guilty pleasure. Oh, and George Clinton and the Parliament Funkadelic feature prominently. This movie is full of win, and so is the soundtrack. I was able to find most of them, so here they are for you! *trivia://this was the only improvised line in the whole movie

Music from the soundtrack to PCU

Questions, comments, concerns? Leave a reply. I’d love to hear from you.

2 comments

bttr 2010-11-28 at 17:18

Figure 1 is really bad, because both servers have the same IP. ;-)


Ed Fisher 2010-11-28 at 18:59

D’oh! Nice catch, thanks.
And fixed.
