Configure DNS: “should include the loopback address…” explained

I’ve seen a lot of confusion around the net regarding the “DNS servers on Ethernet x should include the loopback address, but not as the first entry” error message, and decided to make a post about it.

The number of requests has risen dramatically as people start moving to Windows Server 2012 and are being shown the Best Practices Analyzer (BPA) error very clearly.

This post applies to all versions of Windows Server, but let’s get one thing clear before starting: “If you have only ONE DNS server configured you will continue to get BPA errors. You can’t make these go away.”

Contents of this post:

  1. The problem is really due to two main issues
  2. Correct DNS settings with 1 DNS server
  3. Correct DNS settings with 2 DNS servers
  4. Correct IPv6 DNS settings for DNS servers.
  5. Test DNS using nslookup
  6. Error messages details
    • Initial BPA Results window with the error message
    • DNS BPA results listing is made up out of two issues
  7. Error descriptions
    • DNS: Ethernet 2 should be configure to use both a preferred and an alternate DNS server
    • DNS: DNS servers on Ethernet 2 should include the loopback address, but not as the first entry

1) The problem is really due to two main issues:
  1. Microsoft chose a very bad wording for the description of this error message: they chose the term “loopback” to refer to the DNS server’s own locally configured IP address.
    Contrary to what people would automatically believe, it does not refer to a need to specify “127.0.0.1” in an Ethernet adapter’s DNS settings.
  2. Microsoft goes with the assumption that there are at least two DNS servers deployed.

2) Correct DNS settings with 1 DNS server
[screenshot: IPv4 DNS settings with a single DNS server]
You must not specify any external DNS server as the “Alternate DNS server”. Any additional DNS settings should be configured in the DNS server itself and not on the adapter.
Be sure to look at #4 for IPv6 configuration as well – you need this.

3) Correct DNS settings with 2 DNS servers
[screenshot: IPv4 DNS settings with two DNS servers]

4) Correct IPv6 DNS settings for DNS servers.
Many sysadmins of old tend to turn off IPv6 out of habit, but this has turned into a big no-no. Many applications simply refuse to work if you disable IPv6. This includes Exchange 2010 and 2013, among others! That is the best case. Worst case is when applications still work, but you start getting errors you can’t identify.

Unless you have configured an IPv6 DNS server, you need to set IPv6 to “Obtain DNS server address automatically” instead of having specified “Preferred DNS server” with loopback (::1).

If you skip this step, internal nslookup just doesn’t work as it should: it will look at the IPv6 stack first and IPv4 later, and fail.
[screenshot: IPv6 DNS settings set to “Obtain DNS server address automatically”]
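The settings from sections 2, 3 and 4 can be applied from an elevated PowerShell prompt instead of the adapter dialogs. This is an added example, not code from the original post; it uses the DnsClient cmdlets shipped with Windows Server 2012 and later, the adapter alias “Ethernet 2” taken from the BPA message, and two constructed addresses (10.0.0.10 for this server, 10.0.0.11 for its partner DC) that you must replace with your own. It covers both the single-server and the two-server case, and leaves IPv6 on “Obtain DNS server address automatically”.

```powershell
# Added example (not from the original post). Assumed values: interface
# alias "Ethernet 2", this server's own IPv4 address 10.0.0.10 and a partner
# DNS server at 10.0.0.11 (both constructed). Requires Windows Server 2012+.
$Interface  = 'Ethernet 2'
$ThisServer = '10.0.0.10'   # the "loopback address" in BPA terms: this server's own IP
$Partner    = '10.0.0.11'   # the second DNS server; set to $null for a single-server setup

# Start from a clean slate: clears static DNS entries for both IPv4 and IPv6,
# which puts IPv6 back on "Obtain DNS server address automatically" (section 4).
Set-DnsClientServerAddress -InterfaceAlias $Interface -ResetServerAddresses

if ($Partner) {
    # Two DNS servers (section 3): partner first, own address second, never first.
    $Servers = @($Partner, $ThisServer)
} else {
    # One DNS server (section 2): own address only. Do not add an external
    # resolver as the alternate; extra resolvers belong in the DNS server's own
    # configuration, not on the adapter. The BPA "preferred and alternate"
    # warning will remain in this case, as the post explains.
    $Servers = @($ThisServer)
}
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $Servers

# Verify: the IPv4 list should match $Servers and the IPv6 list should be
# empty, meaning IPv6 DNS is obtained automatically.
Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv6 |
    Select-Object InterfaceAlias, ServerAddresses
```

The reset-then-set order matters: setting only the IPv4 list while a static IPv6 “::1” entry is still present leaves the problem from section 4 in place, so the script clears everything first and then writes the IPv4 list only.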

5) Test DNS using nslookup
It should all work now, but let’s get one thing clear:
[screenshot: nslookup output]

6) Error message details:

Let’s drill down the chain of error messages and see what information we get here:

Initial BPA Results window with the error message:
DNS: DNS servers on Ethernet should include the loopback address, but not as the first entry
[screenshot: initial BPA Results window]

DNS BPA results listing is made up of two issues:
Warning: DNS: Ethernet 2 should be configure to use both a preferred and an alternate DNS server
Error: DNS: DNS servers on Ethernet 2 should include the loopback address, but not as the first entry
[screenshot: DNS BPA results listing]

7) Error descriptions:

  1. DNS: Ethernet 2 should be configure to use both a preferred and an alternate DNS server
    • Problem: Ethernet 2 has only the preferred DNS server configured.
    • Impact: The use of a single DNS server per interface does not allow for redundancy and failover. If the configured DNS server becomes unavailable, the computer cannot resolve names and will not connect to other resources.
    • Resolution: Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure at least two DNS servers per interface.
    • Scan time: 17-06-2014 19:02:28
    • BPA model version: 2.0
    • More information about this best practice and detailed resolution procedures
    [screenshot: BPA error description for the preferred/alternate warning]
  2. DNS: DNS servers on Ethernet 2 should include the loopback address, but not as the first entry
    • Problem: The network adapter Ethernet 2 does not list the local server as a DNS server; or it is configured as the first DNS server on this adapter.
    • Impact: If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.
    • Resolution: Configure adapter settings to add the loopback IP address to the list of DNS servers on all active interfaces, but not as the first server in the list.
    • Scan time: 17-06-2014 19:02:28
    • BPA model version: 2.0
    • More information about this best practice and detailed resolution procedures
    [screenshot: BPA error description for the loopback-address error]
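The two rules above are simple enough to re-check yourself before re-running the BPA, and the same script can do the per-server resolution test from section 5 (what nslookup shows interactively) against every configured server. This is an added example, not code from the original post or from Microsoft’s BPA model; it assumes Windows Server 2012 or later (DnsClient and NetTCPIP modules) and a domain-joined server where `$env:USERDNSDOMAIN` is set. Adapter names, addresses and the “Ethernet 2” alias come from whatever machine it runs on.

```powershell
# Added example (not from the original post): reproduce the BPA checks
# "preferred and alternate" and "loopback ... not as the first entry" for every
# active adapter, then test resolution against each configured DNS server.
# Assumes Windows Server 2012+ and a domain-joined host ($env:USERDNSDOMAIN).

# All IPv4 addresses assigned to this machine, excluding 127.0.0.1. The BPA
# text calls the server's own address the "loopback address".
$LocalIPv4 = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

# The BPA rule talks about "all active interfaces", so only adapters that are Up.
$UpAdapters = Get-NetAdapter | Where-Object Status -eq 'Up'

foreach ($Adapter in $UpAdapters) {
    $Servers = (Get-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -AddressFamily IPv4).ServerAddresses
    Write-Host "`n$($Adapter.Name): IPv4 DNS servers = $($Servers -join ', ')"

    # Check 1 ("preferred and alternate"): at least two entries on the adapter.
    if ($Servers.Count -lt 2) {
        Write-Warning "$($Adapter.Name): only $($Servers.Count) DNS server configured; BPA will keep warning about redundancy."
    }

    # Check 2 ("loopback, but not as the first entry"): own IP present and not first.
    $OwnIndex = -1
    for ($i = 0; $i -lt $Servers.Count; $i++) {
        if ($LocalIPv4 -contains $Servers[$i]) { $OwnIndex = $i; break }
    }
    if ($OwnIndex -lt 0) {
        Write-Warning "$($Adapter.Name): this server's own IP is not in the DNS server list."
    } elseif ($OwnIndex -eq 0) {
        Write-Warning "$($Adapter.Name): this server's own IP is the FIRST entry; put the partner DNS server first."
    } else {
        Write-Host "$($Adapter.Name): own IP present at position $($OwnIndex + 1) - OK"
    }

    # Resolution test (section 5): ask each configured server for the domain's A record.
    foreach ($Srv in $Servers) {
        try {
            $Answer = Resolve-DnsName -Name $env:USERDNSDOMAIN -Type A -Server $Srv -DnsOnly -ErrorAction Stop
            Write-Host "  $Srv resolves $env:USERDNSDOMAIN -> $($Answer.IPAddress -join ', ')"
        } catch {
            Write-Warning "  $Srv failed to resolve $($env:USERDNSDOMAIN): $($_.Exception.Message)"
        }
    }
}
```

`-DnsOnly` forces a real query to the named server rather than an answer from the local cache or hosts file, which is the point of the test: a server listed on the adapter that cannot answer for the domain is exactly the failure the “Impact” text describes.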
What’s next?

You might want to take a look at some posts on DNS I have written: http://www.itnotes.eu/?cat=8
