Re: Replicating the Forest Root DNS Zone
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Wed, 12 Sep 2007 20:09:14 +0100
Hi
The design could be correct; it actually depends on many other things, so this
isn't a question that can be answered with the information provided.
If the root zone is being transferred with delegations (it should be), then
the DNS server doesn't do any extra loop because it has the NS records for the DNS
servers in those child domains.
Another aspect to consider is the administrative time and complexity,
depending on how big your infrastructure is. If you decide not to replicate the
root to the other child domains and instead use conditional forwarding, that
means more configuration on more servers, more complexity, and more
possibility of making mistakes. That configuration can also mean slower
resolution for other domain names, assuming that you have slow links or a
complex infrastructure; by having a zone locally, resolution for that zone is
faster than querying a remote server.
Note: I'm not defending your existing design, but I think you should talk
with the people who decided to implement that design about the reasons that
made them do it that way.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
<servernet1997@xxxxxxxxxxx> wrote in message
news:1189614750.382086.145040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm undertaking a review of an Active Directory infrastructure for a
customer.
It is a Windows Server 2003 forest with several child domains. All
domain controllers act as DNS servers. One of the first things that
struck me as I looked into DNS is that the whole of the DNS zone for
the forest root is replicated to every DC in the forest, not just the
_msdcs zone.
I've not got to the bottom of whether this is by accident or by
design, but after considering the DNS service as a whole for a while,
it occurred to me that this configuration might have some benefits.
In a multi-domain forest with a root and several child domains
immediately below it, I would normally expect to see forwarders
configured on DNS servers in the child domains to forward all
unresolved requests up to the DNS servers in the forest root as it
contains the delegations for the child domain. Conditional forwarding
could also be used to "shortcut" the name resolution process directly
to a DNS server in a child domain and pass all "external" queries up
to the forest root and thence on to DNS servers at an ISP.
By replicating the whole of the DNS zone for forest root to every DC
in the forest, the delegation information for the child domains is
also replicated which means that knowledge about how to resolve any
name internal to the forest is available on every DNS server. The
presence of this information would then remove one "hop" in the name
resolution process: queries would be forwarded directly to an
authoritative server in the child domain instead of being forwarded up
to the forest root domain where the delegation would then send the
resolution request on to the child domain.
So my question is: Is replicating the whole of the DNS zone for the
forest root to derive this benefit a good thing (provided the forest
root zone stays fairly inactive)?
Servernet
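The two designs discussed in this thread (forest-root zone replicated forest-wide versus conditional forwarders configured per child-domain DNS server) can be audited from one place. The script below is an added example, not something either poster wrote; it assumes the RSAT DnsServer and ActiveDirectory modules (Windows Server 2012 or later), DNS admin rights on the listed servers, and the server names in `$DnsServers` are constructed placeholders.

```powershell
# Added example (not from the thread): report, per DNS server, whether the
# forest-root zone is hosted locally with forest-wide replication scope, and
# whether conditional forwarders for sibling child domains are configured.
# Assumes RSAT DnsServer + ActiveDirectory modules and remote DNS admin rights.
param(
    # Constructed placeholder names; replace with the child-domain DCs to check.
    [string[]]$DnsServers = @('dc1.child1.contoso.test', 'dc1.child2.contoso.test')
)
Import-Module DnsServer, ActiveDirectory

$forest   = Get-ADForest
$rootZone = $forest.RootDomain                                   # e.g. contoso.test
$children = $forest.Domains | Where-Object { $_ -ne $rootZone }  # child domain names

foreach ($server in $DnsServers) {
    Write-Host "== $server =="
    $zones = Get-DnsServerZone -ComputerName $server |
             Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

    # Design 1 from the thread: the whole root zone is hosted here with forest-wide
    # scope, so the NS delegation records for child domains are answered locally.
    $root = $zones | Where-Object { $_.ZoneName -eq $rootZone }
    if ($root) {
        "  {0,-30} type={1,-9} DS={2,-5} scope={3}" -f $root.ZoneName, $root.ZoneType,
            $root.IsDsIntegrated, $root.ReplicationScope
        if ($root.ZoneType -eq 'Primary' -and $root.ReplicationScope -eq 'Forest') {
            Write-Host "  root zone replicated forest-wide: child delegations resolved locally"
        }
    } else {
        Write-Host "  root zone '$rootZone' is not hosted on this server"
    }

    # Design 2 from the thread: conditional forwarders that "shortcut" to sibling
    # child domains (per-server configuration that must be maintained everywhere).
    $cf = $zones | Where-Object { $_.ZoneType -eq 'Forwarder' -and ($children -contains $_.ZoneName) }
    foreach ($z in $cf) {
        "  conditional forwarder {0} -> {1}" -f $z.ZoneName, ($z.MasterServers -join ', ')
    }

    # Where unresolved queries go from here (root-domain DNS servers or the ISP).
    $fw = Get-DnsServerForwarder -ComputerName $server
    "  default forwarders: {0}" -f ($fw.IPAddress -join ', ')

    # Both mechanisms present for the same names means duplicated configuration
    # that can drift; worth raising with whoever owns the design.
    if ($root -and $cf) {
        Write-Warning "$server hosts the root zone and also has conditional forwarders for child domains"
    }
}
```

Run it against one DNS server per child domain; a mixed result (some servers with the root zone replicated forest-wide, others relying on conditional forwarders) is the kind of inconsistency the original poster was trying to establish as accident or design.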