Correct DNS configuration


rene.zimmermann

Hello

Can anyone tell me the correct configuration of DNS servers in an Active
Directory domain?
We have 3 domain controllers. My question is now, how to correctly
configure the forwarders and the root hints in dns?

Our current configuration looks like this:
DC1 has a forwarder and a root hint to DC3
DC2 has a forwarder and a root hint to DC3
DC3 has forwarders to our own public DNS servers and a root hint
pointing to itself

Is this correct? DNS resolution is working fine, but I'm still not
sure whether this is really configured properly or whether there is a better
solution, because if DC3 is down, then no DNS resolution will work...

Thanks for your help...
 

Kevin D. Goodknecht Sr. [MVP]

Hello

Can anyone tell me the correct configuration of DNS servers in an
Active Directory domain?
We have 3 domain controllers. My question is now, how to correctly
configure the forwarders and the root hints in dns?

Our current configuration looks like this:
DC1 has a forwarder and a root hint to DC3
DC2 has a forwarder and a root hint to DC3
DC3 has forwarders to our own public DNS servers and a root hint
pointing to itself

Is this correct? DNS resolution is working fine, but I'm still not
sure whether this is really configured properly or whether there is a better
solution, because if DC3 is down, then no DNS resolution will work...

DNS servers should not forward to each other, and should not be root hint
servers. All DNS servers using a forwarder should forward to the ISP DNS.
DNS servers using root hints should be using only the Internet roots. If DNS
servers are not to be allowed to use root hints, they should have "Do not use
recursion" checked on the Forwarders tab.

You are setting yourself up for a DNS loop or for all DNS resolution to stop
should DNS on DC3 be unavailable.

You forward all DNS servers to your ISP, if you are going to use forwarding.
Regardless of whether you use forwarding or not, only Internet roots should be
listed on the Root Hints tab. If the DNS servers are Win2k3, or are being
managed from Windows XP, on the Root Hints tab click the "Copy from server"
button and copy them from an external DNS server for the Internet root you are
using; the default is the ICANN root, and it can be copied from your ISP or any DNS
server you can trust as having a valid root.

If using Win2k, follow this KB to replace root hints with the cache.dns
file.
http://support.microsoft.com/kb/249868/en-us
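As an added example (not code from the thread or from either poster): a PowerShell audit of every domain controller's DNS service against the two rules in the answer above, forwarders go to the ISP and never to another DC, and the Root Hints tab lists only the Internet roots. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT), so it does not apply as-is to the Windows 2000/2003 servers the thread discusses, where dnscmd does the same job. $IspForwarders and $TrustedRootSource are placeholders for your own values.

```powershell
# Added example: audit DC DNS forwarders and root hints. Not code from the thread.
# Assumes the DnsServer and ActiveDirectory modules (Server 2012+ / RSAT).
Import-Module DnsServer
Import-Module ActiveDirectory

$IspForwarders     = @('203.0.113.53', '203.0.113.54')   # placeholder: your ISP's resolvers (TEST-NET-3 addresses)
$TrustedRootSource = 'ns1.example.net'                    # placeholder: a server whose root hints you trust

# The thirteen ICANN root servers (a..m.root-servers.net.) are the only names that belong on the Root Hints tab.
$InternetRoots = 'abcdefghijklm'.ToCharArray() | ForEach-Object { "$_.root-servers.net." }

function Get-DcDnsFindings {
    # Returns one object per rule violation found on any DC in the domain.
    $dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $dcIps = foreach ($dc in $dcs) { (Resolve-DnsName -Name $dc -Type A).IPAddress }

    foreach ($dc in $dcs) {
        # Rule 1: forwarders must be the ISP resolvers, never another DC
        # (a DC forwarding to a DC is a loop waiting to happen and a single point of failure).
        $fwd = Get-DnsServerForwarder -ComputerName $dc
        foreach ($ip in @($fwd.IPAddress)) {
            if ($dcIps -contains $ip.IPAddressToString) {
                [pscustomobject]@{ Server = $dc; Rule = 'Forwarder'; Detail = "forwards to domain controller $ip" }
            }
        }
        # UseRootHint=$false means forwarding-only ("Do not use recursion" checked):
        # acceptable when the forwarders are the ISP, but then the root hints are never consulted.
        if (-not $fwd.UseRootHint) {
            [pscustomobject]@{ Server = $dc; Rule = 'Recursion'; Detail = 'forwarding-only; root hints are not used' }
        }
        # Rule 2: root hints must be the Internet roots and nothing else (in particular, no DC).
        foreach ($hint in Get-DnsServerRootHint -ComputerName $dc) {
            $name = $hint.NameServer.RecordData.NameServer.ToLower()
            if ($InternetRoots -notcontains $name) {
                [pscustomobject]@{ Server = $dc; Rule = 'RootHint'; Detail = "non-Internet root hint $name" }
            }
        }
    }
}

function Repair-DcDns {
    # Applies the recommended configuration to one DC: forward to the ISP (keeping root hints
    # as the fallback) and replace the root hints with a copy from a trusted server.
    param([Parameter(Mandatory)] [string] $Dc)
    Set-DnsServerForwarder -ComputerName $Dc -IPAddress $IspForwarders -UseRootHint $true
    foreach ($hint in Get-DnsServerRootHint -ComputerName $Dc) {
        Remove-DnsServerRootHint -ComputerName $Dc -NameServer $hint.NameServer.RecordData.NameServer -Force
    }
    Import-DnsServerRootHint -ComputerName $Dc -NameServer $TrustedRootSource
}

$findings = Get-DcDnsFindings
$findings | Format-Table -AutoSize
# Review the findings first, then repair each offending DC explicitly, e.g.:
# $findings.Server | Sort-Object -Unique | ForEach-Object { Repair-DcDns -Dc $_ }
```

Run it from a workstation with RSAT as a DNS administrator; the audit is read-only, and Repair-DcDns is deliberately not invoked automatically because it replaces the root hints wholesale. On the thread's configuration it would flag DC1 and DC2 (forwarder and root hint pointing at DC3) and DC3 (root hint pointing at itself).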
 

rene

Great answer. I've searched for such an answer many times but did
not find any. Or I searched with the wrong keywords...

Anyway, thanks for your help :)
 

Herb Martin

Hello

Can anyone tell me the correct configuration of DNS servers in an Active
Directory domain?
We have 3 domain controllers. My question is now, how to correctly
configure the forwarders and the root hints in dns?

Our current configuration looks like this:
DC1 has a forwarder and a root hint to DC3
DC2 has a forwarder and a root hint to DC3
DC3 has forwarders to our own public DNS servers and a root hint
pointing to itself

[This last is wrong. It should NOT be forwarding and being
its own Root server, but chances are that isn't really what you
have SINCE IT WORKS. Setting up a root zone on a Microsoft
DNS server automatically DISABLES forwarding.]
Is this correct? DNS resolution is working fine, but I'm still not
sure whether this is really configured properly or whether there is a better
solution, because if DC3 is down, then no DNS resolution will work...

If it works it is correct since there is nothing technically
wrong with it.

To be sure of a DNS configuration you must model (put
yourself in the position of the client making the) DNS request.

Client asks DC1 (or DC2) a question, what happens?

DC1-2 knows the answer, or forwards to DC3 and returns
the answer (what it knows or whatever answer DC3 gives.)

DC3 is asked a question (by DC1-2 or a regular client, doesn't
matter much which as LONG AS DC3 NEVER FORWARDS
to one of the servers forwarding to it -- this would set up a
nearly infinite loop -- it wouldn't BE infinite because it would
fail.)

DC3 either knows the answer or forwards to the ISP (we'll
ignore its being its "own Root hint" for now.)

What can go wrong?

DC3 is asked a question that ONLY DC1 or DC2 knows.
There is no way (as set) for this to work and forwarding
to someone who forwards to you is NOT allowed.

Weird things where the ISP fails, but we'll ignore that.

What other choices are there (for what works above)?

DC1 and DC2 COULD just forward directly to the Internet
but what is the difference?

1) Then they don't use a consolidated cache on DC3

2) DC3 might have answers that DC1 and DC2 cannot
get from the Internet (in which case YOUR design
is THE correct one.)

3) DC3 might be "closer" to the Internet (more efficient)

4) BUT DC1 and DC2 could resolve the Internet when
DC3 is down

The following solves a design issue I don't believe AFFECTS
YOU:

What about the problem of DC1 or DC2 having zones not known
to DC3?

In such cases (especially with Windows 2000) you can have DC1
and/or DC2 hold a secondary copy of ANY OTHER zones
held by DC3. (I call these cross-secondaries because DNS
servers in separate trees usually hold these mutually, i.e.,
in a "cross" fashion.)

In Win2003 there are more choices: (cross) stubs, conditional
forwarding (limited to specific zones/domains), or even AD
Integrated replication across a forest if all of these are in a single
forest.
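The "put yourself in the position of the client" walk-through above, done as a small model instead of by hand, as an added example that is not part of the thread: a pure PowerShell simulator that takes a forwarder/root-hint topology, sends each server a query that only the Internet can answer, and reports the outcome with everything up, with each server down in turn, and with the ISP resolvers down. 'ISP' and 'ROOTS' stand for the ISP resolvers and the Internet root servers; the two topologies are the poster's as described and the recommended one. The model covers only recursion over forwarders and root hints, not caching, timeouts, or zones the servers hold locally, and it needs no modules, so it runs on any PowerShell.

```powershell
# Added example, not from the thread: model what happens to a client's query for a
# given forwarder/root-hint topology. 'ISP' and 'ROOTS' are the Internet; every other
# name is a server described in $Topology.
function Resolve-External {
    param(
        [hashtable] $Topology,    # server -> @{ Forwarders = @(...); RootHints = @(...) }
        [string]    $Server,      # server the query is sent to
        [string[]]  $Down = @(),  # servers (or 'ISP') that are unreachable in this scenario
        [string[]]  $Path = @()   # servers already waiting on this same query (loop detection)
    )
    if ($Down -contains $Server)            { return 'down' }
    if (@('ISP', 'ROOTS') -contains $Server) { return 'ok' }    # the query reached the Internet
    if ($Path -contains $Server)            { return 'loop' }   # asked again while still waiting on it
    $cfg = $Topology[$Server]
    $seenLoop = $false
    # Forwarders are tried first; root hints are the fallback when forwarding fails.
    foreach ($next in @($cfg.Forwarders) + @($cfg.RootHints)) {
        $result = Resolve-External -Topology $Topology -Server $next -Down $Down -Path ($Path + $Server)
        if ($result -eq 'ok')   { return 'ok' }
        if ($result -eq 'loop') { $seenLoop = $true }
    }
    if ($seenLoop) { return 'loop' }
    return 'fail'
}

function Test-DnsTopology {
    # One row per outage scenario, one column per server: ok / fail / loop / down.
    param([hashtable] $Topology)
    $servers = @($Topology.Keys | Sort-Object)
    foreach ($outage in @('(nothing)') + $servers + @('ISP')) {
        $row  = [ordered]@{ Down = $outage }
        $down = if ($outage -eq '(nothing)') { @() } else { @($outage) }
        foreach ($s in $servers) {
            $row[$s] = Resolve-External -Topology $Topology -Server $s -Down $down
        }
        [pscustomobject]$row
    }
}

# The poster's configuration: DC1 and DC2 forward to DC3 and list it as their root hint;
# DC3 forwards to the ISP and lists itself as its root hint.
$AsPosted = @{
    DC1 = @{ Forwarders = @('DC3'); RootHints = @('DC3') }
    DC2 = @{ Forwarders = @('DC3'); RootHints = @('DC3') }
    DC3 = @{ Forwarders = @('ISP'); RootHints = @('DC3') }
}
# The recommended configuration: every server forwards to the ISP, with the Internet roots as fallback.
$Recommended = @{
    DC1 = @{ Forwarders = @('ISP'); RootHints = @('ROOTS') }
    DC2 = @{ Forwarders = @('ISP'); RootHints = @('ROOTS') }
    DC3 = @{ Forwarders = @('ISP'); RootHints = @('ROOTS') }
}

'As posted:';   Test-DnsTopology $AsPosted    | Format-Table -AutoSize
'Recommended:'; Test-DnsTopology $Recommended | Format-Table -AutoSize
```

For the posted topology the table shows all three servers answering while everything is up, DC1 and DC2 reporting fail when DC3 is down, and every server reporting loop when the ISP resolvers are down, because the only fallback anywhere is DC3's root hint to itself. For the recommended topology the only non-ok cell in any row is the server that is itself down, and the ISP outage is absorbed by the root hints. To test your own design, describe it as a hashtable in the same shape and add rows for the outages you care about.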
 
