DNS vs. Hosts File

  • Thread starter Thread starter Dan DeStefano
  • Start date Start date
D

Dan DeStefano

Recently, one of my colleagues and I got into a discussion about DNS vs.
hosts files in AD. He has configured the hosts file on all of our domain
controllers (Windows 2000 AD in native mode) to point to other DCs. One of
our DCs was moved to another site and the hosts file on a DC was not changed
to point to the moved DC on its new subnet - this obviously resulted in
NTFRS errors.



Anyway, after this I got into a discussion with my boss about the need of
the hosts file in AD. It is my position that the hosts file is no longer
necessary and should not really be used in AD and is only included for
backward-compatibility, testing and for certain special instances. It is his
position that DNS is untrustworthy and that the hosts file should be
configured as a backup in case DNS goes down. My response to this was
twofold - 1. the hosts file is queried before DNS so it is not really a
backup, it is a primary method of name-resolution, plus, it does not support
SRV records; 2. DNS is the foundation of AD and if it goes down, AD will not
work correctly anyway. Plus, that is the reason for secondary DNS servers,
of which we have several.



Could anyone point to any documentation that discusses the role of the hosts
file in AD and also include your own opinions and comments.



Dan DeStefano
 
I thought we already told you what to do with your boss :)

--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Dan DeStefano said:
Recently, one of my colleagues and I got into a discussion about DNS vs.
hosts files in AD. He has configured the hosts file on all of our domain
controllers (Windows 2000 AD in native mode) to point to other DCs. One of
our DCs was moved to another site and the hosts file on a DC was not changed
to point to the moved DC on its new subnet - this obviously resulted in
NTFRS errors.
Click to expand...

Yes, and the "hosts" file cannot really be configured to
support a DC and AD since the hosts file has no support for
SRV records.

It also doesn't have true support for hierarchical names (subdomains)
although one can fake this to some extent by including names with
"." (dots). Those are not really subdomains however.
Anyway, after this I got into a discussion with my boss about the need of
the hosts file in AD. It is my position that the hosts file is no longer
necessary and should not really be used in AD and is only included for
backward-compatibility, testing and for certain special instances.
Click to expand...

You are correct.

And even in those cases where hosts files are used they are impractical
for more than a few dozen machines since they must be maintained
on each machine -- as you discovered when a DC was moved to a new
site.

This has been true of hosts file from day one (decades.)
It is his
position that DNS is untrustworthy and that the hosts file should be
configured as a backup in case DNS goes down.
Click to expand...

No, for many reasons.

1) Hosts files are not DYNAMIC and cannot maintain the day to
day changes needed by AD DCs.

2) Hosts files do not support SRV records needed by AD DCs

3) Hosts files are impractical for more than a few dozen machines
(certainly understood by anyone who has ever maintained a 100+
entry hosts file) even ignoring the lack of dynamic support.

4) DNS is not unreliable -- DNS is highly reliable.*
(Administrators may be unreliable, but not DNS. <grin>)

5) (My favorite): Hosts files are configured by default to be used
FIRST and given the problems above they will override the
CORRECT dynamic settings in the singly configured and usually
correct DNS server.

* Most DNS issues are mistakes by the admins.
My response to this was
twofold - 1. the hosts file is queried before DNS so it is not really a
backup,
Click to expand...

Yes. (this can be change but the moment someone does a new
install that machine will experience spooky behavior since it
doesn't follow the others OR it will be the only one that works.)
it is a primary method of name-resolution, plus, it does not support
SRV records;
Click to expand...

Correct. AD clients and other DCs must be able to find these SRV
records.
2. DNS is the foundation of AD and if it goes down, AD will not
work correctly anyway.
Click to expand...

Yes, but this is just a restatement of the above (not a criticism but
this isn't a separate reason): dynamic DNS and SRV records are
a practical requirement to support AD.
Plus, that is the reason for secondary DNS servers,
of which we have several.
Click to expand...

Yes, and with those Secondary DNS servers converted to
AD-Integrated DNS running on DCs it gets even better.
Could anyone point to any documentation that discusses the role of the hosts
file in AD and also include your own opinions and comments.
Click to expand...


The hosts file plays no real or direct role in AD.

Hosts files should not be used for this because it is nonsensical;
even were it to work it would be fragile and prone to errors.
 
Back
Top