New to DNS Admin - Root-hints & IMCP packets

[tjadmsn]

We have just migrated our DC's to 2003. We have our 2 internal DC's
running DNS and forwarding to our third DC in the DMZ, that is also a
DNS server, forwarding to our ISP. The internal DC's are pinging the
living mess out of the servers on the root hints page, and nothing is
getting through due to rules on our firewall. DNS is active directory
integrated and setup for secure transfers amongst themselves.

Is there anyway to keep the root hints on the DNS server in the DMZ
without having them replicate to the two internal DNS servers? Such as
"Do Not use Recursion" on the internal DNS servers? Deleting the
cache.dns did not work.

Also what constitutes the primary and secondary DNS servers? The
largest SOA? Our clients will be getting their configurations through
DHCP. For load balancing reasons we have DHCP configured to point the
clients to a primary DNS server that doesn't have the FSMO roles, and
the one that holds the roles as secondary DNS. My understanding is,
that if DNS is integrated, all the DNS servers can be considered
primary dns servers?

 

[Kevin D. Goodknecht Sr. [MVP]]

In

We have just migrated our DC's to 2003. We have our 2
internal DC's running DNS and forwarding to our third DC
in the DMZ, that is also a DNS server, forwarding to our
ISP. The internal DC's are pinging the living mess out
of the servers on the root hints page, and nothing is
getting through due to rules on our firewall. DNS is
active directory integrated and setup for secure
transfers amongst themselves.

Is there anyway to keep the root hints on the DNS server
in the DMZ without having them replicate to the two
internal DNS servers? Such as "Do Not use Recursion" on
the internal DNS servers? Deleting the cache.dns did not
work.

On the Forwarders tab check this box: "Do not use recursion"
This basically disables the root hints without having to remove them.

Also what constitutes the primary and secondary DNS
servers?

There are not Primary and Secondary DNS servers. You have DNS servers with
Primary or Secondary zones on them. A primary is a writable master zone, a
Secondary is a read only copy.

The largest SOA? Our clients will be getting

their configurations through DHCP. For load balancing
reasons we have DHCP configured to point the clients to a
primary DNS server that doesn't have the FSMO roles, and
the one that holds the roles as secondary DNS. My
understanding is, that if DNS is integrated, all the DNS
servers can be considered primary dns servers?

If the zones are Active Directory integrated, they are all writable masters,
each will list themselves as the Primary master on the SOA record.
DNS being for the most part a read only service, uses very little system
resources. Unless you have several thousand clients the machines are
unlikely to notice the load. If they are properly configured, not forwarding
to each other and you are not using any type of advanced logging. If a DNS
server has to write a log file you can expect it to put a lot more load on
the machine.

 

[tjadmsn]

Thanks...Enableing "Do not use recursion" on the internal DNS servers
worked. Ping packets have disappeared, and I have a better
understanding of DNS.