Group Policy to Specify DNS Servers in DHCP Environment - Good or Bad?

windows domain-name-system active-directory dhcp group-policy

I just encountered several hours worth of work trying to untangle DNS problems in my domain after I demoted a DC/DNS server (illustrated here WinXP using old DNS server IP even though changed in DHCP and on the box ).

There's a stupid group policy (dunno why, but I'll leave it) that was forcing the DNS servers; changed it however the clients can't access the domain (since the primary DNS is down -- why the hell won't windows try the secondary one that is working fine?!?!?)... So how can I force either a group policy override (so that the desktops can find the domain again) or somehow get the group policy back on their computers? Ugh...

I see in there we have the IPs of both DNS servers and then two of our ISP's DNS servers.

The question is -- in an environment where DHCP is handling giving out DNS entries should one override that with DNS from the group policy? Although it burned me here after well-documenting it there shouldn't be a problem in the future -- but I'm left wondering if the policy should stay or go? Are the two IPs of the ISP DNS servers significant (the DNS servers on each DC are set up to forward to those IPs anyway)? Will the clients ever need them?


Best practices = no, do not apply via a GPO.

DHCP will forward requests to a handful of DNS servers of your choice. DNS will then forward requests out.

The use of GPO for defining DNS servers is usually if you want to apply special settings to particular workstations (based on GPO scope, machine/user memberships). An intranet test machine. An even better example is locking users out of the internet. If a user is a member of Deny_Internet security group, and you define this as a scope for a Set_Bogus_DNS GPO, then users that are a member of that group will not be able to surf the internet because they will not be able to resolve any addresses.

The drawback with the defining external DNS servers is that in the case of a major virus/worm outbreak, you have no way of locking out the offending domains. With DHCP pointing your machines to the internal DNS servers, if you needed to, you could lock www.malware-spreading-site.org by creating the DNS Primary Zone on your own DNS boxes, and point www to 127.0.0.1.

In summary, pointing internal machines to external DNS is bad. Bad bad bad. Naughty. Secondly, using DHCP is better than GPO in this case.


I see two real questions in your post:

Is assigning external DNS servers to domain clients a bad idea?

Yes. It is.

DNS is absolutely critical to Active Directory functioning correctly, and clients sending DNS requests out to external servers will cause problems sooner or later. It can help if your internal DNS is unstable, but if that's the case you have bigger problems than users unable to browse the web.

At most this should be used as a temporary bandaid while fixing your internal DNS. And bandaids should never be left on longer than they need to.

Is defining DNS servers via GPO a bad idea?

No. I'd actually recommend it.

There are a lot of reasons why defining DNS servers via GPO can be a very good idea:

  • It ensures consistency across your environment
  • It gives manageable granularity (manually modifying DNS per-server is not manageable, DHCP does not give proper granularity) for config differences
  • You can make environment-wide changes very quickly, without your users having to renew their DHCP leases
  • It allows you enforce policies/bandaids/hacks (like split-horizon DNS) without your users (un)intentionally bypassing them
  • It gives YOU control

In a simple environment this may be more trouble than it's worth. But if you have a domain, you're probably beyond that point already.


As you've already found, using Group Policies to assign DNS is generally a bad idea. There's just too much to go wrong and debugging can be a nightmare. Under normal circumstances it shouldn't be necessary. If it is necessary it's probably time to take a good hard look at the entire network configuration to determine why it's necessary and see if it may perhaps be more appropriate to make changes elsewhere.


I give you a simple good reason too use GPO to define DNS settings. In a multiple and dynamic server environment, all servers have a static IP settings. GPO overwrite these, DHCP does not.

Related

Backing up audit data with growisofs
Looking Glass script
Primary domain SSL not working, but wildcard subdomains are working
sudo to super-user after scp
Ubuntu 18.04 VM freezes and kills single ESXi when cloning disk
Where to put the web pages in /var/www/ or /var/www/html/ in apache?
Windows Server Backup fails before starting with message "The directory is not a subdirectory of the root directory."
Media wiki on windows server 2k3 backup/restore and upgrade
Own etcd cluster for Kubernetes
Xen network-bridge interface renaming
sshd refused key authentication
Does the Windows Server 2019 ReFS implementation support compression?