
Both in my lab testing and on a real installation I saw that, after a dcpromo (done via "Server Manager" on Windows 2016), a loopback IPv6 address is automatically added to the interface DNS settings (i.e. ::1 as the primary and sole DNS server).

This IPv6 DNS address even takes precedence over anything configured in the IPv4 DNS panel. This is confirmed both by ipconfig /all (which lists the IPv6 ::1 address as the first one) and by nslookup (which asks the ::1 server to resolve).

It is my understanding that, when having multiple domain controllers, it is never advised to use the loopback address as the primary DNS address.

So, my question is: is it correct to remove the IPv6 DNS loopback address from the interface DNS settings?

shodanshok

2 Answers


When a server is promoted to Domain Controller (and it's also running a DNS server, which is the standard setup), it will automatically configure itself as its DNS server, both in IPv4 and IPv6; for IPv4 it will use 127.0.0.1, for IPv6 it will use ::1. This will always happen automatically upon DC promotion of your first Domain Controller.

From the second DC onwards, the server will need to be able to talk with the existing domain, so you will need to configure it to use an already-existing DC as its DNS server; after promotion, the server will still add localhost to its list of DNS servers, but it will honour the existing IPv4 settings and add 127.0.0.1 at the end of the list.

The gotcha is with IPv6, which more often than not will not have a configured DNS server: in this case, adding ::1 to the list will make it the one and only IPv6 DNS server; and this will take precedence over IPv4.

Bottom line: unless you are actually using IPv6 DNS, you should always remove ::1 from the list of IPv6 DNS servers on your DCs.

Regarding IPv4: if you have more than one Domain Controller (which you really should), it's recommended that each DC uses a different one as its primary DNS server, and itself as the secondary one; this will achieve two results:

  • It will greatly decrease server startup time (because DNS depends on Active Directory, which depends on DNS, which depends on AD, and so on... starting up a DC from scratch can take a very long time if it tries to use itself as its DNS server).
  • It will avoid the so-called "island" problem, where a DC using itself as its DNS server cannot get up-to-date information about AD topology changes.
Massimo

Very old, but it never got answered and I thought this might help.

Agree, IPv6 as primary DNS is a no-no.

Agree, loopback as primary is a no-no.

Agree, IPv6 ::1 wedges itself into pole position after promoting to a DC.

Changing IPv6 DNS to "Obtain DNS server address automatically" is a safe bet. Or the registry key //hkey_local_machine/SYSTEM/CurrentControlSet/Services/Tcpip6/Parameters/ if you have to.

It's wise to keep IPv6 running on your NIC and not just remove/disable it. There is likely v6 traffic in the environment that you don't know about. Run Wireshark and filter by IPv6. Over half an hour you'll probably see something.

And who knows, maybe by year 3084 IPv6 will be a thing and you'll save yourself an extra change.

  • Always worth using Windows Server BPA to pick up on these things that try to slip through the cracks.
Monro
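As an added example (not from either answer), a PowerShell audit that checks each active interface for the two conditions the answers describe: ::1 sitting in the IPv6 DNS list (where it wins over every IPv4 server) and the DC itself listed as its own primary IPv4 DNS server. With -Fix it applies the second answer's remediation of switching only the IPv6 DNS settings back to "obtain automatically"; it assumes Windows Server 2012 or later (in-box NetAdapter, DnsClient and NetTCPIP modules) and an elevated session for -Fix.

```powershell
# Added example, not from the original answers. Assumes Windows Server 2012+
# (Get-NetAdapter, Get-DnsClientServerAddress, Get-NetIPAddress) and an
# elevated session when -Fix is used.
param([switch]$Fix)

# Non-loopback IPv4 addresses of this host: if one of them (or 127.0.0.1) is the
# first IPv4 DNS server, this DC is using itself as primary DNS.
$ownV4 = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    $v6 = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv6).ServerAddresses)
    $v4 = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    $findings = @()

    if ($v6 -contains '::1') {
        if ($v6.Count -eq 1) {
            $msg = '::1 is the only IPv6 DNS server; the resolver will use it ahead of every IPv4 server'
        } else {
            $msg = '::1 is present in the IPv6 DNS server list'
        }
        $findings += $msg
    }
    if ($v4.Count -gt 0 -and ($v4[0] -eq '127.0.0.1' -or $ownV4 -contains $v4[0])) {
        $findings += "primary IPv4 DNS ($($v4[0])) is this host; list another DC first and this host last"
    }

    # One row per interface; an empty Findings column means nothing to do.
    [pscustomobject]@{
        Interface = $nic.Name
        IPv6DNS   = ($v6 -join ', ')
        IPv4DNS   = ($v4 -join ', ')
        Findings  = ($findings -join '; ')
    }

    # Remediation for the IPv6 half only: set the interface's IPv6 DNS servers to
    # "Obtain DNS server address automatically". netsh is used because it is
    # explicit per address family, so the static IPv4 DNS list is left untouched.
    if ($Fix -and ($v6 -contains '::1')) {
        netsh interface ipv6 set dnsservers name="$($nic.Name)" source=dhcp | Out-Null
    }
}
```

Run it without -Fix first and compare the IPv4DNS column against the first answer's advice (another DC primary, itself secondary); the IPv4 ordering is reported but deliberately not changed by the script.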