What should the order of DNS servers be for an AD Domain Controller and Why?

Solution 1:

According to this link and the Windows Server 2008 R2 Best Practices Analyzer, the loopback address should be in the list, but never as the primary DNS server. In certain situations like a topology change, this could break replication and cause a server to be "on an island" as far as replication is concerned.

Say that you have two servers: DC01 (10.1.1.1) and DC02 (10.1.1.2) that are both domain controllers in the same domain and both hold copies of the ADI zones for that domain. They should be configured as follows:

DC01
Primary DNS   10.1.1.2
Secondary DNS 127.0.0.1

DC02
Primary DNS   10.1.1.1
Secondary DNS 127.0.0.1
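The DC01/DC02 layout above, applied from an admin workstation with the DnsClient module (Windows Server 2012 and later). This is an added example, not code from the answer; it assumes the adapter on each DC is named "Ethernet" (check Get-NetAdapter) and that PowerShell remoting is enabled.

```powershell
# Added example: push the "partner first, loopback second" resolver order to both DCs.
# Assumptions: interface alias 'Ethernet' on both hosts, WinRM reachable.
$Layout = @{
    'DC01' = '10.1.1.2'   # DC01 points at DC02 first
    'DC02' = '10.1.1.1'   # DC02 points at DC01 first
}

foreach ($dc in $Layout.Keys) {
    Invoke-Command -ComputerName $dc -ArgumentList $Layout[$dc] -ScriptBlock {
        param([string]$Partner)

        # Array order is resolver order: partner DC is primary, loopback is secondary.
        $servers = @($Partner, '127.0.0.1')
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $servers

        # Read back what the resolver will actually use and flag the "island" misconfiguration.
        $applied = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).ServerAddresses
        if ($applied[0] -eq '127.0.0.1') {
            Write-Warning "$env:COMPUTERNAME has loopback as primary DNS; replication may island this DC"
        }

        # Re-register the DC's own A/SRV records with the new primary, then confirm the
        # DC still advertises itself and its DNS tests pass.
        ipconfig /registerdns | Out-Null
        dcdiag /test:Advertising /test:DNS /q

        [pscustomobject]@{ DC = $env:COMPUTERNAME; Resolvers = ($applied -join ', ') }
    }
}
```

Run dcdiag /test:DNS /v afterwards on each DC if the quiet run reports a failure; the DNS test also checks forwarders and delegation, so a failure there is not necessarily caused by the resolver order.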

Solution 2:

From http://technet.microsoft.com/en-us/library/ff807362%28v=ws.10%29.aspx

If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself, or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.

I also want to share this snippet from the book Windows Server 2008 R2 Unleashed:

[image: excerpt from Windows Server 2008 R2 Unleashed, not reproduced here]

However, even if you are never affected by the "island" problem, your DC will still reboot much faster and with fewer errors if it uses another already up and running DC as its primary DNS resolver.


Solution 3:

Never, ever have a DC use itself as Primary DNS.

All sorts of havoc can (and Murphy dictates: will) happen if the AD services come online before the DNS service is live after a reboot. (Or DNS crashes, gets DoSed, whatever.)
There is also interaction between DHCP (with dynamic DNS updates) and DNS which depends heavily upon DNS working properly.

Always put 127.0.0.1 last. Also: don't be tempted to use the real LAN IP address of the server either.
Dynamic DNS updates from DHCP are very sensitive to this.
(127.0.0.1 always exists and can be accessed faster. The real IP address might not always be available/might be busy. In some scenarios the dynamic DNS updates can actually DoS the LAN adapter if there is a high amount of simultaneous DHCP requests combined with sub-par NIC/drivers.)
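An audit that checks every DC in the domain against the rules from Solutions 2 and 3 (loopback present but never first, own LAN address not in the list, primary resolver is another DC). This is an added example and not part of any of the answers; it assumes the ActiveDirectory module is installed, that each DC has one physical adapter that is up, and that PowerShell remoting is enabled.

```powershell
# Added example: audit DC resolver order across the domain.
# Assumptions: RSAT ActiveDirectory module present, WinRM reachable, one physical NIC per DC.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter *
$dcIPs = $dcs.IPv4Address

foreach ($dc in $dcs) {
    # Resolver list from the first connected physical adapter on the DC.
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
        (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    }

    $findings = @()
    if (-not $servers) {
        $findings += 'no IPv4 resolvers configured'
    }
    else {
        # Rule: loopback must exist, but only as the last entry (secondary/tertiary).
        if ($servers -notcontains '127.0.0.1')   { $findings += 'loopback missing' }
        elseif ($servers[0] -eq '127.0.0.1')     { $findings += 'loopback is primary (island risk)' }
        elseif ($servers[-1] -ne '127.0.0.1')    { $findings += 'loopback is not last' }

        # Rule: do not list the DC's own LAN address; use 127.0.0.1 for "self" instead.
        if ($servers -contains $dc.IPv4Address)  { $findings += 'own LAN IP is in the resolver list' }

        # Rule: the primary should be another DC in this domain, so it is up before AD starts.
        if ($servers[0] -ne '127.0.0.1' -and $servers[0] -notin $dcIPs) {
            $findings += "primary $($servers[0]) is not a DC in this domain"
        }
    }

    [pscustomobject]@{
        DC        = $dc.HostName
        Resolvers = ($servers -join ', ')
        Status    = if ($findings) { 'FAIL' } else { 'OK' }
        Findings  = ($findings -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv for a report. On multi-homed DCs, extend the remote script block to check every adapter that has resolvers configured rather than only the first one.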