Question re: DNS forwarding best practices

Lets say you have a company with a root AD domain, and 3 child domains. Call
the domains domain.com, mi.domain.com, oh.domain.com, and pa.domain.com. All
DC's in all domains are DNS servers, and all zones are AD integrated. Some
DC's are Win2K and some are Win2K3.

The root domain is confined to 3 DC's at a single location, while the child
domains have DC's spread across many locations. Each child domain has one
primary data center, and satellite offices branch out from it in a hub and
spoke fashion. Each remote site has its own Internet connection. Some of the
remotes have an additional dedicated circuit back to its hub, while some use
a site to site vpn back to the hub. All child domains need to be able to
resolve devices in the root domain, but not necessarily other child domains.

So here's the question. What would be the best way to forward DNS queries?
The way I see it, my options are:

1) Configure forwarders on all DNS servers to point at the DNS servers in
the root domain, and let the root forward to the Internet.
2) Use conditional forwarding on all DNS servers to forward the root domain
to the root DNS servers, and all other domains to the local ISP's DNS
servers. (although this obviously wouldn't work for the Win2K boxes)
3) Configure the replication scope of the root domain to all DNS servers in
all domains, and each DNS server forwards directly to its local ISP's DNS
servers (would this work for the Win2K boxes?)
4) Create a secondary zone for the root zone on all DNS servers, and let
each DNS server forward directly to its local ISP's DNS server.

Did I miss anything? Which of the options would be the most desirable? I'm
thinking option number 3, although I don't know how that would impact the
Win2K DNS servers, since replication scope was added in Win2K3.

Jason

 

In

This would work, but it would mean that the root domain DNS would be
resolving all external queries and would create a single point of failure,
because on the child DNS servers forwarders tab you would need to select "Do
not use recursion" to keep the child DNS server from trying to use Root
Hints if the parent DNS responds a bit too slow.


2) Use conditional forwarding on

Correct it won't work for the Win2k boxes

3) Configure the replication scope of the

No this won't work for the Win2k boxes.

4) Create

This would be the best way on the Win2k child boxes.

Since you don't state what servers are Win2k and which are Win2k3 it would
be difficult to advise you which to use.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

One key piece of information missing here is the size and
change rate of the root DNS zone's content. Since all DCs
of the root domain are at the central site, I assume it is
relatively small, and also relatively static in content.
If this is so, I would suggest replicating it to all sites.
To do this, where possible leverage W2k3 replication
scopes, and otherwise secondary replication (recognizing
that child domain DCs will need to send there DNS updates
to a primary of the zone, so hopefully you have at least one
W2k3 DC in each site). Also, consider that you may only
need to replicate/transfer from the root DCs to selected DCs
in a site (preferrably two, perhaps bridgeheads) and that
others in the site could be secondaries mastering off of these.
In other words, I find your selection number 1 entirely
unsatisfying due to its constant funneling of resolutions
needlessly (? see later) back to the central site.

For other (child) domain zones, you should carefully
examine what needs to be resolvable where. If all zones
are small and relatively static, you have different considerations
than if one or more or all are large. What load is AD replication
already placing on your links? Etc. As a generality, I would
follow the option patterns outlined above for the root zone in
order to get copies of the child zones where they needed to be
with that "need" depending on your analysis of resource use
pattern. If site A frequently access site B machines, or rarely,
for example could guide you on whether it is better to have the
whole zone local to site A, or build in cache of the DNS servers
of A on demand (size of the zone is another consideration).

Conditional forwarding really does not come into play if you
recognize that you must have the root zone info available to all
DCs, whether copied there or just locatable. This itself allows
location of all the other delegated child zones.

I would also have all child zones copied (replicated or transferred
as the case might allow) to the DNS servers of the root.
If all zones are small and link capacity rich, I would lean toward
a fully replicated/transferred strategy (for example, one zone,
replicated where possible and transferred otherwise; or, if multiple
zones, all zones present on all DCs). Again, that was if all zones
are small and links capacious.

Keep in mind that as far as resolution goes it would be possible to
have all zones (or the one zone) on the DCs of the root domain, and
all DNS servers of the child domains be nothing more than caching
servers if the company.com were a public zone, or if not by use of a
stub or conditional forwarding to bootstrap locating the "private"
company.com This option however is unsatisfying relative to DNS
record updating if you have lots of client machine registration (DCs
are going to update that root zone anyway).

The bottom line is what resolutions will be occurring where, and
with what frequency, and then, how does the aggregate of these
compare in overhead when over the wire compared to site local?
The other part of the bottom line is keeping in mind what machines
are doing DNS record dynamic updating, and to where will this
be going (site local or over the wire). You know whether you
are having all clients register, or only DC and servers, etc. but
if you can keep a primary site local to where the registrations go
so much the better.

As to internet global resolution, since you have not mentioned any
requirements to restrain this there is not much reason to funnel these
to a central site as compared to letting the site-local DNS servers
work the resolutions, whether by root servers or forwarders to ISP.
You may however want to also consider security related exposures.
In a control-freak environment, the ability to examine sites built up
in the DNS server cache becomes diluted when you let a couple
DNS servers in each site work the outside queries, but you reduce
the network loading and latency from resolutions.