Loss of a DNS Server
Losing a DNS server impacts Active Directory in several ways. First and foremost, a domain controller must be able to resolve host names and service locator (SRV) records to communicate and replicate with its fellow domain controllers. If the DNS server used by a domain controller fails, the domain controller cannot maintain full functionality for long.
You should design your DNS infrastructure so that the loss of a single DNS server does not result in a service interruption. You should always have at least two DNS servers that are authoritative for a zone, and your clients should point at both servers, one as a primary (preferred) and one as a secondary (alternate). A Windows client falls back to its secondary DNS server only when it gets no response at all from its primary DNS server; an answer such as "name not found" is a response, so it does not trigger the fallback.
Avoid the "Island" Effect
If you point a domain controller that is a DNS server with Active Directory-integrated zones at itself for name resolution, you can become the victim of a subtle Catch-22 that Microsoft terms the island effect.
With an Active Directory-integrated DNS zone, a domain controller updates its DNS records by replicating from another domain controller, and it finds that replication partner by doing a DNS lookup. If the relevant IP addresses change, the domain controller can no longer resolve its replication partner, so it cannot replicate; and because it cannot replicate, it never receives the updated DNS records that would let it resolve the partner again. The domain controller is stranded on its own "island".
You can avoid this island effect by configuring the TCP/IP properties of a domain controller so that another domain controller is the primary DNS server. The DNS settings in the TCP/IP properties of the domain controller can point at the domain controller itself as the secondary DNS server, on the assumption that the secondary entry will be needed only briefly during an outage.
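The two design rules above (at least two DNS servers per domain controller, and a domain controller never pointing at itself as its primary DNS server) are easy to audit. The following PowerShell script is an added example, not part of the original text or a Microsoft tool: it enumerates every domain controller, reads the DNS client settings from each one, and flags the two conditions. It assumes the ActiveDirectory RSAT module on the machine running it and PowerShell remoting (WinRM) to each domain controller; the loopback addresses and the IPv4-only scope are assumptions of this example.

```powershell
# Added example (not from the original text): audit the DNS client settings of
# every domain controller for the two risks described above:
#   1. fewer than two DNS servers configured (single point of failure)
#   2. the DC's preferred (first) DNS server is itself or loopback (island effect)
# Assumes the ActiveDirectory RSAT module and PowerShell remoting (WinRM) to each DC.
Import-Module ActiveDirectory

$loopbacks = @('127.0.0.1', '::1')   # assumed loopback addresses to treat as "self"

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $settings = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            # Addresses this DC owns, used to detect "pointing at itself"
            $own = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
            # DNS servers configured on interfaces that actually have any
            $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses.Count -gt 0 } |
                   Select-Object InterfaceAlias, ServerAddresses
            [pscustomobject]@{ OwnAddresses = $own; DnsClient = $dns }
        }
    } catch {
        Write-Warning "$name : could not query DNS client settings ($($_.Exception.Message))"
        continue
    }

    foreach ($iface in $settings.DnsClient) {
        $servers  = @($iface.ServerAddresses)
        $findings = @()

        if ($servers.Count -lt 2) {
            $findings += 'only one DNS server configured; loss of that server interrupts replication'
        }
        # The first entry is the preferred server; it should be ANOTHER domain controller.
        if ($loopbacks -contains $servers[0] -or $settings.OwnAddresses -contains $servers[0]) {
            $findings += 'preferred DNS server is this DC itself (island effect); move self to the alternate slot'
        }

        [pscustomobject]@{
            DomainController = $name
            Interface        = $iface.InterfaceAlias
            DnsServers       = ($servers -join ', ')
            Findings         = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}
```

Run it from an administrative PowerShell session with domain credentials; pipe the output to Format-Table or Export-Csv to keep a record. A row whose Findings column is anything other than OK is a domain controller that would be cut off by the loss of a single DNS server or by an address change.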
Impact of DNS Loss on Windows Clients
Without DNS, Active Directory clients cannot find the SRV records needed for locating domain controllers. Without these records, the clients cannot authenticate and perform LDAP lookups.
Immediately after losing access to its DNS servers, a client continues to function for a while using cached DNS records. The Start of Authority (SOA) record for the DNS domain determines the default time-to-live for DNS records issued by the name servers hosting the zone. The default Time-To-Live (TTL) for Windows DNS is 1 hour (3600 seconds).
Once the cached SRV records expire, if the DNS server is still unavailable, the clients can no longer locate their domain controllers. They then fail to renew their Kerberos session tickets and lose the ability to connect to member servers.
When planning your DNS infrastructure, you should always have a fallback DNS server available in each location. This could be a standard secondary name server or a domain controller configured with an AD-integrated zone.
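The client-side consequences described in this section can be checked before an outage rather than during one. The following PowerShell script is an added example, not part of the original text or a Microsoft tool: from a domain-joined client it takes every configured DNS server in preferred/alternate order, asks each one directly (bypassing the local cache) for the domain controller locator SRV records, and reports the TTL each answer carries, which is how long a client could keep working from cache if that server disappeared. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later), that the client is joined to the domain named in the USERDNSDOMAIN environment variable, and the IPv4-only scope; the three SRV names are the standard locator records for LDAP, Kerberos and the global catalog.

```powershell
# Added example (not from the original text): verify, from a client's point of view,
# that EVERY configured DNS server can still answer the domain controller locator
# queries, and show how long cached answers would survive an outage.
# Assumes the DnsClient module and a domain-joined client (domain taken from the session).
$domain   = $env:USERDNSDOMAIN          # e.g. CORP.EXAMPLE.COM (assumed to be set)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",     # any DC offering LDAP
    "_kerberos._tcp.dc._msdcs.$domain", # any DC acting as a Kerberos KDC
    "_gc._tcp.$domain"                  # global catalog servers
)

# Every DNS server the client has configured, in preferred/alternate order
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses |
              Select-Object -Unique

if (@($dnsServers).Count -lt 2) {
    Write-Warning "Only $(@($dnsServers).Count) DNS server(s) configured; there is no fallback if it fails."
}

foreach ($server in $dnsServers) {
    foreach ($srv in $srvNames) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so each server is really exercised
            $answers = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($a in $answers) {
                [pscustomobject]@{
                    DnsServer = $server
                    Record    = $srv
                    Target    = $a.NameTarget
                    Port      = $a.Port
                    TtlSec    = $a.TTL     # seconds a client could keep using this answer from cache
                    Status    = 'OK'
                }
            }
        } catch {
            # A failing server means clients that prefer it are already living on cached records
            [pscustomobject]@{
                DnsServer = $server
                Record    = $srv
                Target    = $null
                Port      = $null
                TtlSec    = $null
                Status    = "FAILED: $($_.Exception.Message)"
            }
        }
    }
}
```

Run it on a representative client in each location. Every configured server should return the same set of targets with Status OK; a FAILED row shows which server's loss would leave clients in that site dependent on the cache, and the TtlSec column shows how long that grace period is before the symptoms described above (no domain controller located, Kerberos ticket renewal failing) begin.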