AD-Integrated DNS - Root Hints, Forwarders, Confused!

Discussion in 'DNS Server' started by Tony, Aug 3, 2006.

  1. Tony (Guest)

    Hello everybody.

    I am a little confused about AD-integrated DNS, root hints and forwarders,
    and the best configuration for our environment.

    The Internet firewall administrators want to restrict outbound access for
    DNS (TCP/UDP port 53) down to the two root domain controllers at HQ only -
    in other words, they only want the two root domain controllers at HQ to be
    allowed to talk to any servers in the world regarding DNS - no other

    Here is our current setup:

    - Two W2K3 root domain controllers running AD-integrated DNS located at HQ
    - These two root DCs DNS are configured with four forwarders (to the local
    ISP DNS servers) and the default root hints
    - Eighteen branch offices each with single W2K3 DC with AD-integrated DNS
    - The branch office DCs DNS is configured with default root hints only - no
    - The workstations at HQ point to both local DCs for all DNS resolution
    - The workstations at branch offices point to a) local DC and b) one HQ DC
    for DNS resolution

    So, I believe we have the two root DC DNSs configured properly with both
    forwarders and root hints. However, I'm confused about the DNS configuration
    settings of the branch DCs. Will I need to setup forwarders on them to point
    back to the two root DCs DNS servers at HQ? Will I also need to remove the
    default root hint settings? Should I do anything else?

    Thank you in advance.

    Tony, Aug 3, 2006

  2. Anthony (Guest)

    Root hints are simply a default list of external DNS servers. In other
    words, if you forget to configure anything, your DNS server will still
    resolve external names. Root hints should be replaced by your intended
    forwarders. There is a technique for removing the root hints, but as long as
    you configure a forwarder I don't think you really need to bother.
    If your administrators want only to allow the two central DCs to forward
    externally, then you should configure your branch DCs to forward to the two
    central ones. The root hints will be redundant. This is good because it also
    allows the central DCs to host other DNS zones without having to copy them
    out to all the branches.
    Anthony, Aug 3, 2006

  3. Tony (Guest)

    Thank you. I will need to configure forwarders at all the branches to go to
    the two HQ DNS servers and remove the root hints from the branch DNS
    settings. Thanks again.
    Tony, Aug 3, 2006
  4. Jorge Silva (Guest)

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Aug 4, 2006
  5. Tony Scarola (Guest)

    What is wrong?

    Tony Scarola, Aug 6, 2006
  6. Jorge Silva (Guest)

    Oops, I'm sorry, wrong post...

    Anyway...
    to add something...
    If you want the servers to only try to resolve all names via the HQ servers,
    make sure that you select the option "Do not use recursion for this domain".
    With this option enabled the servers won't try to use root hints if the HQ
    servers don't reply.

    once again I'm sorry for the wrong post...

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Aug 6, 2006
  7. Kevin D. Goodknecht Sr. [MVP] (Guest)

    I don't particularly agree with the firewall admins, but if this is what
    they want it is easy to do: on the Forwarders tab, add the root DCs as
    forwarders and check the box "Do not use recursion" ("for this domain" under
    Win2k3). Root hints will not be used. Keep in mind, if the root DCs fail or
    the cache gets corrupted on them, all DNS resolution will fail.

    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Kevin D. Goodknecht Sr. [MVP], Aug 8, 2006
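A scripted form of the branch-DC change Jorge and Kevin describe (forward to the two HQ DCs and switch off the root-hint fallback), added here as an example and not taken from the thread. It assumes the DnsServer PowerShell module (Windows Server 2012 and later); on the Windows Server 2003 servers in the thread the equivalent is `dnscmd /ResetForwarders <HQ IPs> /Slave`, and the HQ addresses below are placeholders.

```powershell
# Added example: run on each branch DC. The HQ addresses are placeholders.
$HqDns = @('192.0.2.10', '192.0.2.11')   # placeholder: the two HQ root DCs

# Point the branch server at the two HQ DCs. -UseRootHint $false is the cmdlet
# equivalent of the "Do not use recursion for this domain" checkbox: if both
# forwarders are unreachable the branch server fails the query instead of
# falling back to the Internet root servers, which is what the firewall
# rule (port 53 outbound only from HQ) requires. Timeout is in seconds.
Set-DnsServerForwarder -IPAddress $HqDns -UseRootHint $false -Timeout 3

# Verify the resulting configuration before trusting it.
$fw = Get-DnsServerForwarder
if ($fw.UseRootHint) {
    throw 'Root-hint fallback is still enabled on this server'
}
if (@($fw.IPAddress).Count -ne $HqDns.Count) {
    throw "Expected $($HqDns.Count) forwarders, found $(@($fw.IPAddress).Count)"
}

# End-to-end check: an external name must now resolve through this branch
# server, and therefore through HQ. A failure here means the HQ forwarders
# are down or blocked, which (as Kevin notes) takes external resolution with it.
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress

# Clear the local cache so stale answers do not mask a broken forwarder path.
Clear-DnsServerCache -Force
```

Names in the server's own AD-integrated zones are still answered locally; only names outside those zones travel to HQ.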
  8. Tony (Guest)

    Thank you. But if the root DCs fail, everything is doomed anyhow. Also, if
    the cache gets corrupted on the root DCs, wouldn't the branch DNS servers
    still pull from this corrupt cache if the root DCs were setup as
    forwarders - which they must be anyway?
    Tony, Aug 9, 2006
  9. Jorge Silva (Guest)

    > Thank you. But if the root DCs fail, everything is doomed anyhow.

    Doomed? What do you mean? If the root servers fail to respond or if they
    can't resolve any particular name, the query will fail as expected. But
    things don't crash because of that.

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Aug 9, 2006
  10. Tony (Guest)

    What I meant was that since they are also DCs, file servers, WINS servers,
    etc. (too many things going on with them), the network is shot.
    Tony, Aug 11, 2006