#1
Hello
Can anyone tell me the correct configuration of dns servers in an active directory domain?
We have 3 domain controllers. My question is now, how to correctly configure the forwarders and the root hints in dns?

Our current configuration looks like this:
DC1 has a forwarder and a root hint to DC3
DC2 has a forwarder and a root hint to DC3
DC3 has forwarders to our own public dns servers and a root hint pointing to itself

Is this correct? DNS resolution is working fine, but I'm anyway not sure if this is really configured fine or if there is any better solution, because if DC3 is down, then no dns resolution will work...

Thanks for your ...
#2
rene.zimmermann@awd.ch wrote:
> Hello
>
> Can anyone tell me the correct configuration of dns servers in a
> active directory domain?
> We have 3 domain controllers. My question is now, how to correctly
> configure the forwarders and the root hints in dns?
>
> Our current configuration looks like this:
> DC1 has a forwarder and a root hint to DC3
> DC2 has a forwarder and a root hint to DC3
> DC3 has a forwarders to our own public dns servers and a root hint
> pointing to itself
>
> Is this correctly? DNS resolution is working fine, but I'm anyway not
> sure, if this is really configured fine or if there is any better
> solution. because if DC3 is down, then no dns resolution will work...

DNS servers should not forward to each other, and should not be root hint servers. All DNS servers using a forwarder should forward to the ISP DNS. DNS servers using root hints should be using only the internet roots. If DNS servers are not to be allowed to use Root Hints, they should have "Do not use recursion" checked on the forwarders tab.

You are setting yourself up for a DNS loop, or for all DNS resolution to stop should DNS on DC3 be unavailable. You forward all DNS servers to your ISP, if you are going to use forwarding. Regardless of whether you use Forwarding or not, only internet roots should be listed on the root hints tab.

If the DNS servers are Win2k3, or being managed from Windows XP, on the root hints tab click the Copy from server button and copy them from an external DNS for the internet root you are using; the default is the ICANN root and can be copied from your ISP or any DNS server you can trust as having a valid root.

If using Win2k, follow this KB to replace root hints with the cache.dns file.
http://support.microsoft.com/kb/249868/en-us

-- 
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

===================================

When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me remove the nospam. from my email address.

===================================

http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/

===================================

Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/

===================================

Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx

===================================
#3
Great answer. I've searched for such an answer a lot of time but did not find any. Or I did a search with wrong keywords... Anyway, thanks for your :-)
#4
<rene.zimmermann@awd.ch> wrote in message
news:1144686620.868958.209690@j33g2000cwa.googlegroups.com...
> Hello
>
> Can anyone tell me the correct configuration of dns servers in a active
> directory domain?
> We have 3 domain controllers. My question is now, how to correctly
> configure the forwarders and the root hints in dns?
>
> Our current configuration looks like this:
> DC1 has a forwarder and a root hint to DC3
> DC2 has a forwarder and a root hint to DC3
> DC3 has a forwarders to our own public dns servers and a root hint
> pointing to itself

[This last is wrong. It should NOT be forwarding and being its own Root server, but chances are that isn't really what you have SINCE IT WORKS. Setting up a root zone on a Microsoft DNS server automatically DISABLES forwarding.]

> Is this correctly? DNS resolution is working fine, but I'm anyway not
> sure, if this is really configured fine or if there is any better
> solution. because if DC3 is down, then no dns resolution will work...

If it works it is correct, since there is nothing technically wrong with it.

To be sure of a DNS configuration you must model (put yourself in the position of the client making the) DNS request.

Client asks DC1 (or DC2) a question; what happens?

DC1-2 knows the answer, or forwards to DC3 and returns the answer (what it knows or whatever answer DC3 gives.)

DC3 is asked a question (by DC1-2 or a regular client, doesn't matter much which as LONG AS DC3 NEVER FORWARDS to one of the servers forwarding to it -- this would set up a nearly infinite loop -- it wouldn't BE infinite because it would fail.)

DC3 either knows the answer or forwards to the ISP (we'll ignore being its "own Root hint" for now.)

What can go wrong?

DC3 is asked a question that ONLY DC1 or DC2 knows. There is no way (as set) for this to work, and forwarding to someone who forwards to you is NOT allowed.

Weird things where the ISP fails, but we'll ignore that.

What other choices are there (for what works above)?

DC1 and DC2 COULD just forward directly to the Internet, but what is the difference?

1) Then they don't use a consolidated cache on DC3
2) DC3 might have answers that DC1 and DC2 cannot get from the Internet (in which case YOUR design is THE correct one.)
3) DC3 might be "closer" to the Internet (more efficient)
4) BUT DC1 and DC2 could resolve the Internet when DC3 is down

The following solves a design issue I don't believe AFFECTS YOU:

What about the problem of DC1 or DC2 having zones not known to DC3?

In such cases (especially with Windows 2000) you can have DC1 and/or DC2 hold a secondary copy of ANY OTHER zones held by DC3. (I call these cross-secondaries because DNS servers in separate trees usually hold these mutually, i.e., in a "cross" fashion.)

In Win2003 there are more choices: (cross) stubs, conditional forwarding (limited to specific zones/domains), or even AD Integrated replication across a forest if all of these are in a single forest.

-- 
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
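The "model the client's request" approach from this reply, as an added example that is not part of the thread: a small Python model of forwarder chains, constructed to mirror the DC1/DC2/DC3 setup in the question and the "every DC forwards to the ISP" alternative from reply #2. It flags servers whose forwarders lead back to themselves (a forwarding loop of any length) and shows which DCs lose Internet resolution when one server is down. The server names and the "ISP" sink are assumptions.

```python
# Added example (not from the thread): audit a set of DNS forwarder chains.
# A config maps each server to the list of servers it forwards to.
# "ISP" stands in for the external resolver that can answer Internet queries.

# Constructed config mirroring the question: DC1 and DC2 forward to DC3,
# DC3 forwards to the ISP.
CONFIG_AS_POSTED = {"DC1": ["DC3"], "DC2": ["DC3"], "DC3": ["ISP"], "ISP": []}

# Constructed config mirroring reply #2: every DC forwards to the ISP.
CONFIG_RECOMMENDED = {"DC1": ["ISP"], "DC2": ["ISP"], "DC3": ["ISP"], "ISP": []}


def servers_in_forwarding_loop(config):
    """Servers whose forwarder chain eventually leads back to themselves."""
    looped = []
    for server in config:
        stack, seen = list(config[server]), set()
        while stack:
            current = stack.pop()
            if current == server:          # chain came back to the start: a loop
                looped.append(server)
                break
            if current in seen:
                continue
            seen.add(current)
            stack.extend(config.get(current, []))
    return sorted(looped)


def can_resolve_internet(config, server, down=frozenset(), sink="ISP"):
    """True if following forwarders from `server` reaches `sink` without
    passing through any server listed in `down`."""
    stack, seen = [server], set()
    while stack:
        current = stack.pop()
        if current in down or current in seen:
            continue
        seen.add(current)
        if current == sink:
            return True
        stack.extend(config.get(current, []))
    return False


def servers_losing_resolution(config, down_server, sink="ISP"):
    """DCs that can no longer reach the Internet when `down_server` is unavailable."""
    return sorted(s for s in config
                  if s not in (sink, down_server)
                  and not can_resolve_internet(config, s, {down_server}, sink))


if __name__ == "__main__":
    print(servers_losing_resolution(CONFIG_AS_POSTED, "DC3"))     # ['DC1', 'DC2']
    print(servers_losing_resolution(CONFIG_RECOMMENDED, "DC3"))   # []
```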