Re: Question re: DNS forwarding best practices

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/18/04


Date: Thu, 18 Nov 2004 01:19:11 -0700

One key piece of information missing here is the size and
change rate of the root DNS zone's content. Since all DCs
of the root domain are at the central site, I assume it is
relatively small, and also relatively static in content.
If this is so, I would suggest replicating it to all sites.
To do this, where possible leverage W2k3 replication
scopes, and otherwise secondary replication (recognizing
that child domain DCs will need to send their DNS updates
to a primary of the zone, so hopefully you have at least one
W2k3 DC in each site). Also, consider that you may only
need to replicate/transfer from the root DCs to selected DCs
in a site (preferably two, perhaps bridgeheads) and that
others in the site could be secondaries mastering off of these.
In other words, I find your selection number 1 entirely
unsatisfying due to its constant funneling of resolutions
needlessly (? see later) back to the central site.

For other (child) domain zones, you should carefully
examine what needs to be resolvable where. If all zones
are small and relatively static, you have different considerations
than if one or more or all are large. What load is AD replication
already placing on your links? Etc. As a generality, I would
follow the option patterns outlined above for the root zone in
order to get copies of the child zones where they needed to be
with that "need" depending on your analysis of resource use
pattern. If site A frequently accesses site B machines, or rarely,
for example could guide you on whether it is better to have the
whole zone local to site A, or build in cache of the DNS servers
of A on demand (size of the zone is another consideration).

Conditional forwarding really does not come into play if you
recognize that you must have the root zone info available to all
DCs, whether copied there or just locatable. This itself allows
location of all the other delegated child zones.

I would also have all child zones copied (replicated or transferred
as the case might allow) to the DNS servers of the root.
If all zones are small and link capacity rich, I would lean toward
a fully replicated/transferred strategy (for example, one zone,
replicated where possible and transferred otherwise; or, if multiple
zones, all zones present on all DCs). Again, that was if all zones
are small and links capacious.

Keep in mind that as far as resolution goes it would be possible to
have all zones (or the one zone) on the DCs of the root domain, and
all DNS servers of the child domains be nothing more than caching
servers if the company.com were a public zone, or if not by use of a
stub or conditional forwarding to bootstrap locating the "private"
company.com. This option however is unsatisfying relative to DNS
record updating if you have lots of client machine registration (DCs
are going to update that root zone anyway).

The bottom line is what resolutions will be occurring where, and
with what frequency, and then, how does the aggregate of these
compare in overhead when over the wire compared to site local?
The other part of the bottom line is keeping in mind what machines
are doing DNS record dynamic updating, and to where will this
be going (site local or over the wire). You know whether you
are having all clients register, or only DC and servers, etc. but
if you can keep a primary site local to where the registrations go
so much the better.

As to internet global resolution, since you have not mentioned any
requirements to restrain this there is not much reason to funnel these
to a central site as compared to letting the site-local DNS servers
work the resolutions, whether by root servers or forwarders to ISP.
You may however want to also consider security related exposures.
In a control-freak environment, the ability to examine sites built up
in the DNS server cache becomes diluted when you let a couple
DNS servers in each site work the outside queries, but you reduce
the network loading and latency from resolutions.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Jason" <jclishe@NOSPAM.nusoftsolutions.com> wrote in message
news:93301DE7-5DB1-4604-A161-EABDA0AE5A50@microsoft.com...
> Let's say you have a company with a root AD domain, and 3 child domains. Call
> the domains domain.com, mi.domain.com, oh.domain.com, and pa.domain.com. All
> DCs in all domains are DNS servers, and all zones are AD integrated. Some
> DCs are Win2K and some are Win2K3.
>
> The root domain is confined to 3 DCs at a single location, while the child
> domains have DCs spread across many locations. Each child domain has one
> primary data center, and satellite offices branch out from it in a hub and
> spoke fashion. Each remote site has its own Internet connection. Some of the
> remotes have an additional dedicated circuit back to its hub, while some use
> a site to site vpn back to the hub. All child domains need to be able to
> resolve devices in the root domain, but not necessarily other child domains.
>
> So here's the question. What would be the best way to forward DNS queries?
> The way I see it, my options are:
>
> 1) Configure forwarders on all DNS servers to point at the DNS servers in
> the root domain, and let the root forward to the Internet.
> 2) Use conditional forwarding on all DNS servers to forward the root domain
> to the root DNS servers, and all other domains to the local ISP's DNS
> servers. (although this obviously wouldn't work for the Win2K boxes)
> 3) Configure the replication scope of the root domain to all DNS servers in
> all domains, and each DNS server forwards directly to its local ISP's DNS
> servers (would this work for the Win2K boxes?)
> 4) Create a secondary zone for the root zone on all DNS servers, and let
> each DNS server forward directly to its local ISP's DNS server.
>
> Did I miss anything? Which of the options would be the most desirable? I'm
> thinking option number 3, although I don't know how that would impact the
> Win2K DNS servers, since replication scope was added in Win2K3.
>
> Jason
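
The placement choices discussed in the thread (forest-wide replication scope for the root zone, a standard secondary on servers that cannot take the AD partition, a conditional forwarder for the root domain only, and per-site ISP forwarders for everything else), expressed as an added PowerShell example. This is not code from the thread or from either poster; it uses the DnsServer module cmdlets that ship with Windows Server 2012 and later, so it does not apply as-is to the W2K/W2K3 hosts being discussed (dnscmd.exe was the tool of that era). The zone name is the thread's domain.com; all IP addresses and server names are constructed placeholders.

```powershell
# Added example: placing the forest root zone so each site resolves it locally,
# then sending Internet resolution to the site's own ISP. Not from the thread.
Import-Module DnsServer

$RootZone      = 'domain.com'                     # root zone named in the thread
$RootDnsIPs    = @('10.0.0.11', '10.0.0.12')      # placeholder: DNS on the root DCs
$IspForwarders = @('203.0.113.1', '203.0.113.2')  # placeholder: this site's ISP resolvers

# Option 3: run once on a DC that hosts the AD-integrated root zone. Widening the
# replication scope to the forest partition gives every DNS server in every
# child domain its own writable copy, so root-domain lookups never leave the site.
function Set-RootZoneForestScope {
    param([string]$Zone = $RootZone)
    $z = Get-DnsServerZone -Name $Zone
    if (-not $z.IsDsIntegrated) { throw "$Zone is not AD-integrated; use a secondary zone instead" }
    if ($z.ReplicationScope -ne 'Forest') {
        Set-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Forest'
    }
    (Get-DnsServerZone -Name $Zone).ReplicationScope   # expect 'Forest'
}

# Option 4: on a DNS server that cannot hold the forest partition, pull the root
# zone as a standard secondary from the root DCs (read-only; dynamic updates from
# this site's DCs still go to a primary, as the reply points out).
function Add-RootZoneSecondary {
    param([string]$Zone = $RootZone, [string[]]$Masters = $RootDnsIPs)
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Masters
    }
}

# Companion setting on the root DCs when secondaries are used: allow zone
# transfers only to the listed secondary servers, not to any host that asks.
function Limit-RootZoneTransfers {
    param([string]$Zone = $RootZone, [string[]]$Secondaries)
    Set-DnsServerPrimaryZone -Name $Zone `
        -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $Secondaries
}

# Option 2: no local copy; only domain.com is forwarded to the root DCs. Storing
# the forwarder in AD with a forest scope means every DNS server picks it up.
function Add-RootZoneConditionalForwarder {
    param([string]$Zone = $RootZone, [string[]]$Masters = $RootDnsIPs)
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters -ReplicationScope 'Forest'
}

# Common to options 2-4: everything not held locally goes to the site's ISP
# resolvers instead of being funnelled back through the central site.
function Set-SiteInternetForwarders {
    param([string[]]$Forwarders = $IspForwarders)
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
}

# Verification from a branch DNS server: the root zone should appear in the local
# zone list (Primary or Secondary, not Forwarder) and the DC locator SRV record
# should resolve from the local server.
function Test-RootZoneLocal {
    param([string]$Zone = $RootZone, [string]$Server = '127.0.0.1')
    Get-DnsServerZone -ComputerName $Server |
        Where-Object ZoneName -eq $Zone |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $Server -DnsOnly
}

# The reply's note on visibility: once each site resolves Internet names itself,
# the record of what was looked up is spread across the site caches. This dumps
# the A records currently cached on one server for review.
function Get-SiteCacheSummary {
    param([string]$Server = '127.0.0.1')
    Show-DnsServerCache -ComputerName $Server |
        Where-Object RecordType -eq 'A' |
        Select-Object HostName, TimeToLive, RecordData
}

# Example sequence for one branch server that can take the forest partition:
#   Set-RootZoneForestScope      (once, on a root DC)
#   Set-SiteInternetForwarders   (on the branch server)
#   Test-RootZoneLocal           (on the branch server)
```

Run the scope change once on a root DC; the branch servers only need the forwarder setting and the verification step. For the secondary path, `Limit-RootZoneTransfers` belongs on the root DCs with the full list of branch secondaries, so that a zone copy cannot be pulled by an arbitrary host.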
