"Adrian" <Adrian@discussions.microsoft.com> wrote in message
news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
> Hey all,
>
> A little unsure about DNS and forwarders could you check to see if my
> logic
> is flawed.
>
> Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>
> Under the DNS mmc some of the servers have "Enable Forwarders" ticked and
> some don't. The two DCs in head office are the main DNS servers.

Why do you enable Forwarders?

If the answer is that your DNS servers don't hold ALL of your
internal zone, or that you wish to resolve THE Internet then
likely EVER DNS server should enable forwarders if any of
them do.

There are two general ways for a DNS server to resolve names it doesn't
'know directly' (i.e., for zones it doesn't hold):

1) Recurse physically (root down)
2) Forward

Theorectically some of your DNS servers might be recursing
and others might forward but why would they be different?

> Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
> pointing
> back to our main DNS servers? Any reason why they shouldn't?

You don't want your fowarding chains to be TOO long but this
might make perfect sense if your WAN lines are fairly slow since
your branch DNS will only make ONE forwarding request to the
"Main DNS" which may have the answer in cache (since other
DNS servers and it's direct clients may recently have asked the
same question) OR it will make all of the subsequent requests
(either forward or recursing) for the name and likely be "closer"
to the Internet.

If every branch had its own direct connection to The Internet then
this might not be so ful.

> Shouldn't it be PC -> local DNS server, if this cant resolve it, it should
> point it back to the main DNS servers which if again cant resolve then
> goes
> to the root hints.
> So PC -> Local DNS -> Main DNS -> Root hints

That can work, but without a full reading of (and perhaps testing
on) your actual WAN lines we cannot say for sure.

> Hope this makes sense, thanks

How does it work currently?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


> Regards
> Adrian

Thanks Herb for your detailed response.

Our 7 servers are all "Active Directory Integrated Zones"

Unfortunaly I don't know why some of the servers have "enable forwarders"
ticked and others dont, Ive only recently moved to this firm so Im trying to
make sense how/why it was setup this way.

All the sites are connected to the internet through our proxy server at head
office, the WAN links are all quite good running at 512 -1Mb on dedicated
lines so I dont think its a bandwidth issue.

All the sites have the exact same hardware and should be identical to each
other configuration wise but some where along the lines someone has made
changes so now I trying to get them all back looking the same again.

How do you think we should be setup in terms if best practice?

"Herb Martin" wrote:

> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
> > Hey all,
> >
> > A little unsure about DNS and forwarders could you check to see if my
> > logic
> > is flawed.
> >
> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
> >
> > Under the DNS mmc some of the servers have "Enable Forwarders" ticked and
> > some don't. The two DCs in head office are the main DNS servers.
>
> Why do you enable Forwarders?
>
> If the answer is that your DNS servers don't hold ALL of your
> internal zone, or that you wish to resolve THE Internet then
> likely EVER DNS server should enable forwarders if any of
> them do.
>
> There are two general ways for a DNS server to resolve names it doesn't
> 'know directly' (i.e., for zones it doesn't hold):
>
> 1) Recurse physically (root down)
> 2) Forward
>
> Theorectically some of your DNS servers might be recursing
> and others might forward but why would they be different?
>
> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
> > pointing
> > back to our main DNS servers? Any reason why they shouldn't?
>
> You don't want your fowarding chains to be TOO long but this
> might make perfect sense if your WAN lines are fairly slow since
> your branch DNS will only make ONE forwarding request to the
> "Main DNS" which may have the answer in cache (since other
> DNS servers and it's direct clients may recently have asked the
> same question) OR it will make all of the subsequent requests
> (either forward or recursing) for the name and likely be "closer"
> to the Internet.
>
> If every branch had its own direct connection to The Internet then
> this might not be so ful.
>
> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it should
> > point it back to the main DNS servers which if again cant resolve then
> > goes
> > to the root hints.
> > So PC -> Local DNS -> Main DNS -> Root hints
>
> That can work, but without a full reading of (and perhaps testing
> on) your actual WAN lines we cannot say for sure.
>
> > Hope this makes sense, thanks
>
> How does it work currently?
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
> > Regards
> > Adrian
>
>
>

ADI zones, if all servers hold all the same zones, should be identical.
Every site with a local Internet connection could have a forwarder to the
local ISP's DNS server. As Herb pointed out, it MIGHT have some value to
forward from a site that doesn't have it's own internet service to a DNS
server in a site that does, so that only one forward query and one reply
will traverse the WAN, and further forward queries or recursive lookups are
performed from a site with a separate Internet connection to conserver WAN
bandwidth. I see no point in having both. Herb?

....kurt


"Adrian" <Adrian@discussions.microsoft.com> wrote in message
news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
> Thanks Herb for your detailed response.
>
> Our 7 servers are all "Active Directory Integrated Zones"
>
> Unfortunaly I don't know why some of the servers have "enable forwarders"
> ticked and others dont, Ive only recently moved to this firm so Im trying
> to
> make sense how/why it was setup this way.
>
> All the sites are connected to the internet through our proxy server at
> head
> office, the WAN links are all quite good running at 512 -1Mb on dedicated
> lines so I dont think its a bandwidth issue.
>
> All the sites have the exact same hardware and should be identical to each
> other configuration wise but some where along the lines someone has made
> changes so now I trying to get them all back looking the same again.
>
> How do you think we should be setup in terms if best practice?
>
> "Herb Martin" wrote:
>
>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
>> > Hey all,
>> >
>> > A little unsure about DNS and forwarders could you check to see if my
>> > logic
>> > is flawed.
>> >
>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>> >
>> > Under the DNS mmc some of the servers have "Enable Forwarders" ticked
>> > and
>> > some don't. The two DCs in head office are the main DNS servers.
>>
>> Why do you enable Forwarders?
>>
>> If the answer is that your DNS servers don't hold ALL of your
>> internal zone, or that you wish to resolve THE Internet then
>> likely EVER DNS server should enable forwarders if any of
>> them do.
>>
>> There are two general ways for a DNS server to resolve names it doesn't
>> 'know directly' (i.e., for zones it doesn't hold):
>>
>> 1) Recurse physically (root down)
>> 2) Forward
>>
>> Theorectically some of your DNS servers might be recursing
>> and others might forward but why would they be different?
>>
>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
>> > pointing
>> > back to our main DNS servers? Any reason why they shouldn't?
>>
>> You don't want your fowarding chains to be TOO long but this
>> might make perfect sense if your WAN lines are fairly slow since
>> your branch DNS will only make ONE forwarding request to the
>> "Main DNS" which may have the answer in cache (since other
>> DNS servers and it's direct clients may recently have asked the
>> same question) OR it will make all of the subsequent requests
>> (either forward or recursing) for the name and likely be "closer"
>> to the Internet.
>>
>> If every branch had its own direct connection to The Internet then
>> this might not be so ful.
>>
>> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it
>> > should
>> > point it back to the main DNS servers which if again cant resolve then
>> > goes
>> > to the root hints.
>> > So PC -> Local DNS -> Main DNS -> Root hints
>>
>> That can work, but without a full reading of (and perhaps testing
>> on) your actual WAN lines we cannot say for sure.
>>
>> > Hope this makes sense, thanks
>>
>> How does it work currently?
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>> > Regards
>> > Adrian
>>
>>
>>

"Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
news:12hlmnrr1d4dvf1@corp.supernews.com...
> ADI zones, if all servers hold all the same zones, should be identical.

Forwarder setting is however NOT a zone setting so
he can easily set different servers to different forwarding
options.

> Every site with a local Internet connection could have a forwarder to the
> local ISP's DNS server. As Herb pointed out, it MIGHT have some value to
> forward from a site that doesn't have it's own internet service to a DNS
> server in a site that does, so that only one forward query and one reply
> will traverse the WAN, and further forward queries or recursive lookups
> are performed from a site with a separate Internet connection to conserver
> WAN bandwidth. I see no point in having both. Herb?

Of course you are correct that he should use AD Integrated
DNS for all of his own zones. (Unless compelling reasons
suggest otherwise, e.g., no DC but need another DNS for
fault tolerance etc) this is always our first choice for our
Microsoft domain DNS.

As to forwarders I agree again.

Generally it is a NICE IDEA to have ONLY ONE DNS server
(or set) at the FIREWALL/DMZ/Gateway to the Internet which
does ALL of the public lookups.

Two reasons for this: I don't want those DC-DNS servers out
on the Internet AT ALL, especially not recursing to places like
EvilHackersRUs.com <grin>.

And, by doing this we consolidate cache for every other DNS
server that forwarders there so we get more cache successes
without even crossing the WAN to the Internet or ISP.

As to branch offices, if there can forward to that "gatewayDMZ"
DNS directly that is usually there best choice since we now
avoid adding multiple forwarder chains (which may work but
eventually become excessive -- testing required.)

So the actual forwarder should (generally) NOT be an AD-DNS
but might just be a feature of your hardware routers/firewalls.

(This DNS holds NO zones, in a perfect world, and would have
nothing to do with resolving YOUR resources for people on
the Internet. Properly that job is done by SEPARATE DNS
servers and for most companies is best left at the REGISTRAR.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> ...kurt
>
>
> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
> news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
>> Thanks Herb for your detailed response.
>>
>> Our 7 servers are all "Active Directory Integrated Zones"
>>
>> Unfortunaly I don't know why some of the servers have "enable forwarders"
>> ticked and others dont, Ive only recently moved to this firm so Im trying
>> to
>> make sense how/why it was setup this way.
>>
>> All the sites are connected to the internet through our proxy server at
>> head
>> office, the WAN links are all quite good running at 512 -1Mb on dedicated
>> lines so I dont think its a bandwidth issue.
>>
>> All the sites have the exact same hardware and should be identical to
>> each
>> other configuration wise but some where along the lines someone has made
>> changes so now I trying to get them all back looking the same again.
>>
>> How do you think we should be setup in terms if best practice?
>>
>> "Herb Martin" wrote:
>>
>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
>>> > Hey all,
>>> >
>>> > A little unsure about DNS and forwarders could you check to see if my
>>> > logic
>>> > is flawed.
>>> >
>>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>>> >
>>> > Under the DNS mmc some of the servers have "Enable Forwarders" ticked
>>> > and
>>> > some don't. The two DCs in head office are the main DNS servers.
>>>
>>> Why do you enable Forwarders?
>>>
>>> If the answer is that your DNS servers don't hold ALL of your
>>> internal zone, or that you wish to resolve THE Internet then
>>> likely EVER DNS server should enable forwarders if any of
>>> them do.
>>>
>>> There are two general ways for a DNS server to resolve names it doesn't
>>> 'know directly' (i.e., for zones it doesn't hold):
>>>
>>> 1) Recurse physically (root down)
>>> 2) Forward
>>>
>>> Theorectically some of your DNS servers might be recursing
>>> and others might forward but why would they be different?
>>>
>>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
>>> > pointing
>>> > back to our main DNS servers? Any reason why they shouldn't?
>>>
>>> You don't want your fowarding chains to be TOO long but this
>>> might make perfect sense if your WAN lines are fairly slow since
>>> your branch DNS will only make ONE forwarding request to the
>>> "Main DNS" which may have the answer in cache (since other
>>> DNS servers and it's direct clients may recently have asked the
>>> same question) OR it will make all of the subsequent requests
>>> (either forward or recursing) for the name and likely be "closer"
>>> to the Internet.
>>>
>>> If every branch had its own direct connection to The Internet then
>>> this might not be so ful.
>>>
>>> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it
>>> > should
>>> > point it back to the main DNS servers which if again cant resolve then
>>> > goes
>>> > to the root hints.
>>> > So PC -> Local DNS -> Main DNS -> Root hints
>>>
>>> That can work, but without a full reading of (and perhaps testing
>>> on) your actual WAN lines we cannot say for sure.
>>>
>>> > Hope this makes sense, thanks
>>>
>>> How does it work currently?
>>>
>>> --
>>> Herb Martin, MCSE, MVP
>>> Accelerated MCSE
>>> http://www.LearnQuick.Com
>>> [phone number on web site]
>>>
>>>
>>> > Regards
>>> > Adrian
>>>
>>>
>>>
>
>

Right, that's why I qualified it with "if all the servers hold the same
zones". I'm probably assuming too much here, but I gathered from the OP's
reference to the singular "domain" rather than "domains" probably means
there is only one authoritative zone, and since he confirmed that it is ADI
that all DNS servers would have a copy.

....kurt


"Herb Martin" <news@LearnQuick.com> wrote in message
news:eimjvku4GHA.1188@TK2MSFTNGP05.phx.gbl...
> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
> news:12hlmnrr1d4dvf1@corp.supernews.com...
>> ADI zones, if all servers hold all the same zones, should be identical.
>
> Forwarder setting is however NOT a zone setting so
> he can easily set different servers to different forwarding
> options.
>
>> Every site with a local Internet connection could have a forwarder to the
>> local ISP's DNS server. As Herb pointed out, it MIGHT have some value to
>> forward from a site that doesn't have it's own internet service to a DNS
>> server in a site that does, so that only one forward query and one reply
>> will traverse the WAN, and further forward queries or recursive lookups
>> are performed from a site with a separate Internet connection to
>> conserver WAN bandwidth. I see no point in having both. Herb?
>
> Of course you are correct that he should use AD Integrated
> DNS for all of his own zones. (Unless compelling reasons
> suggest otherwise, e.g., no DC but need another DNS for
> fault tolerance etc) this is always our first choice for our
> Microsoft domain DNS.
>
> As to forwarders I agree again.
>
> Generally it is a NICE IDEA to have ONLY ONE DNS server
> (or set) at the FIREWALL/DMZ/Gateway to the Internet which
> does ALL of the public lookups.
>
> Two reasons for this: I don't want those DC-DNS servers out
> on the Internet AT ALL, especially not recursing to places like
> EvilHackersRUs.com <grin>.
>
> And, by doing this we consolidate cache for every other DNS
> server that forwarders there so we get more cache successes
> without even crossing the WAN to the Internet or ISP.
>
> As to branch offices, if there can forward to that "gatewayDMZ"
> DNS directly that is usually there best choice since we now
> avoid adding multiple forwarder chains (which may work but
> eventually become excessive -- testing required.)
>
> So the actual forwarder should (generally) NOT be an AD-DNS
> but might just be a feature of your hardware routers/firewalls.
>
> (This DNS holds NO zones, in a perfect world, and would have
> nothing to do with resolving YOUR resources for people on
> the Internet. Properly that job is done by SEPARATE DNS
> servers and for most companies is best left at the REGISTRAR.)
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>>
>> ...kurt
>>
>>
>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>> news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
>>> Thanks Herb for your detailed response.
>>>
>>> Our 7 servers are all "Active Directory Integrated Zones"
>>>
>>> Unfortunaly I don't know why some of the servers have "enable
>>> forwarders"
>>> ticked and others dont, Ive only recently moved to this firm so Im
>>> trying to
>>> make sense how/why it was setup this way.
>>>
>>> All the sites are connected to the internet through our proxy server at
>>> head
>>> office, the WAN links are all quite good running at 512 -1Mb on
>>> dedicated
>>> lines so I dont think its a bandwidth issue.
>>>
>>> All the sites have the exact same hardware and should be identical to
>>> each
>>> other configuration wise but some where along the lines someone has made
>>> changes so now I trying to get them all back looking the same again.
>>>
>>> How do you think we should be setup in terms if best practice?
>>>
>>> "Herb Martin" wrote:
>>>
>>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>>>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
>>>> > Hey all,
>>>> >
>>>> > A little unsure about DNS and forwarders could you check to see if my
>>>> > logic
>>>> > is flawed.
>>>> >
>>>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>>>> >
>>>> > Under the DNS mmc some of the servers have "Enable Forwarders" ticked
>>>> > and
>>>> > some don't. The two DCs in head office are the main DNS servers.
>>>>
>>>> Why do you enable Forwarders?
>>>>
>>>> If the answer is that your DNS servers don't hold ALL of your
>>>> internal zone, or that you wish to resolve THE Internet then
>>>> likely EVER DNS server should enable forwarders if any of
>>>> them do.
>>>>
>>>> There are two general ways for a DNS server to resolve names it doesn't
>>>> 'know directly' (i.e., for zones it doesn't hold):
>>>>
>>>> 1) Recurse physically (root down)
>>>> 2) Forward
>>>>
>>>> Theorectically some of your DNS servers might be recursing
>>>> and others might forward but why would they be different?
>>>>
>>>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
>>>> > pointing
>>>> > back to our main DNS servers? Any reason why they shouldn't?
>>>>
>>>> You don't want your fowarding chains to be TOO long but this
>>>> might make perfect sense if your WAN lines are fairly slow since
>>>> your branch DNS will only make ONE forwarding request to the
>>>> "Main DNS" which may have the answer in cache (since other
>>>> DNS servers and it's direct clients may recently have asked the
>>>> same question) OR it will make all of the subsequent requests
>>>> (either forward or recursing) for the name and likely be "closer"
>>>> to the Internet.
>>>>
>>>> If every branch had its own direct connection to The Internet then
>>>> this might not be so ful.
>>>>
>>>> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it
>>>> > should
>>>> > point it back to the main DNS servers which if again cant resolve
>>>> > then
>>>> > goes
>>>> > to the root hints.
>>>> > So PC -> Local DNS -> Main DNS -> Root hints
>>>>
>>>> That can work, but without a full reading of (and perhaps testing
>>>> on) your actual WAN lines we cannot say for sure.
>>>>
>>>> > Hope this makes sense, thanks
>>>>
>>>> How does it work currently?
>>>>
>>>> --
>>>> Herb Martin, MCSE, MVP
>>>> Accelerated MCSE
>>>> http://www.LearnQuick.Com
>>>> [phone number on web site]
>>>>
>>>>
>>>> > Regards
>>>> > Adrian
>>>>
>>>>
>>>>
>>
>>
>
>

"Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
news:12hocn579o7r66f@corp.supernews.com...
> Right, that's why I qualified it with "if all the servers hold the same
> zones". I'm probably assuming too much here, but I gathered from the OP's
> reference to the singular "domain" rather than "domains" probably means
> there is only one authoritative zone, and since he confirmed that it is
> ADI that all DNS servers would have a copy.
>

That was implied (if never stated explicitly) and I was in
no way disagreeing with or correcting you, just elaborating.

Ultimately we would need to get full particulars and perhaps
test to give him a an EASY "best answer" rather than good
-- and very explicit -- design principles that will teach how
to solve most any similar problem.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> ...kurt
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eimjvku4GHA.1188@TK2MSFTNGP05.phx.gbl...
>> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
>> news:12hlmnrr1d4dvf1@corp.supernews.com...
>>> ADI zones, if all servers hold all the same zones, should be identical.
>>
>> Forwarder setting is however NOT a zone setting so
>> he can easily set different servers to different forwarding
>> options.
>>
>>> Every site with a local Internet connection could have a forwarder to
>>> the local ISP's DNS server. As Herb pointed out, it MIGHT have some
>>> value to forward from a site that doesn't have it's own internet service
>>> to a DNS server in a site that does, so that only one forward query and
>>> one reply will traverse the WAN, and further forward queries or
>>> recursive lookups are performed from a site with a separate Internet
>>> connection to conserver WAN bandwidth. I see no point in having both.
>>> Herb?
>>
>> Of course you are correct that he should use AD Integrated
>> DNS for all of his own zones. (Unless compelling reasons
>> suggest otherwise, e.g., no DC but need another DNS for
>> fault tolerance etc) this is always our first choice for our
>> Microsoft domain DNS.
>>
>> As to forwarders I agree again.
>>
>> Generally it is a NICE IDEA to have ONLY ONE DNS server
>> (or set) at the FIREWALL/DMZ/Gateway to the Internet which
>> does ALL of the public lookups.
>>
>> Two reasons for this: I don't want those DC-DNS servers out
>> on the Internet AT ALL, especially not recursing to places like
>> EvilHackersRUs.com <grin>.
>>
>> And, by doing this we consolidate cache for every other DNS
>> server that forwarders there so we get more cache successes
>> without even crossing the WAN to the Internet or ISP.
>>
>> As to branch offices, if there can forward to that "gatewayDMZ"
>> DNS directly that is usually there best choice since we now
>> avoid adding multiple forwarder chains (which may work but
>> eventually become excessive -- testing required.)
>>
>> So the actual forwarder should (generally) NOT be an AD-DNS
>> but might just be a feature of your hardware routers/firewalls.
>>
>> (This DNS holds NO zones, in a perfect world, and would have
>> nothing to do with resolving YOUR resources for people on
>> the Internet. Properly that job is done by SEPARATE DNS
>> servers and for most companies is best left at the REGISTRAR.)
>>
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>>
>>> ...kurt
>>>
>>>
>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>>> news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
>>>> Thanks Herb for your detailed response.
>>>>
>>>> Our 7 servers are all "Active Directory Integrated Zones"
>>>>
>>>> Unfortunaly I don't know why some of the servers have "enable
>>>> forwarders"
>>>> ticked and others dont, Ive only recently moved to this firm so Im
>>>> trying to
>>>> make sense how/why it was setup this way.
>>>>
>>>> All the sites are connected to the internet through our proxy server at
>>>> head
>>>> office, the WAN links are all quite good running at 512 -1Mb on
>>>> dedicated
>>>> lines so I dont think its a bandwidth issue.
>>>>
>>>> All the sites have the exact same hardware and should be identical to
>>>> each
>>>> other configuration wise but some where along the lines someone has
>>>> made
>>>> changes so now I trying to get them all back looking the same again.
>>>>
>>>> How do you think we should be setup in terms if best practice?
>>>>
>>>> "Herb Martin" wrote:
>>>>
>>>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>>>>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
>>>>> > Hey all,
>>>>> >
>>>>> > A little unsure about DNS and forwarders could you check to see if
>>>>> > my
>>>>> > logic
>>>>> > is flawed.
>>>>> >
>>>>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>>>>> >
>>>>> > Under the DNS mmc some of the servers have "Enable Forwarders"
>>>>> > ticked and
>>>>> > some don't. The two DCs in head office are the main DNS servers.
>>>>>
>>>>> Why do you enable Forwarders?
>>>>>
>>>>> If the answer is that your DNS servers don't hold ALL of your
>>>>> internal zone, or that you wish to resolve THE Internet then
>>>>> likely EVER DNS server should enable forwarders if any of
>>>>> them do.
>>>>>
>>>>> There are two general ways for a DNS server to resolve names it
>>>>> doesn't
>>>>> 'know directly' (i.e., for zones it doesn't hold):
>>>>>
>>>>> 1) Recurse physically (root down)
>>>>> 2) Forward
>>>>>
>>>>> Theorectically some of your DNS servers might be recursing
>>>>> and others might forward but why would they be different?
>>>>>
>>>>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
>>>>> > pointing
>>>>> > back to our main DNS servers? Any reason why they shouldn't?
>>>>>
>>>>> You don't want your fowarding chains to be TOO long but this
>>>>> might make perfect sense if your WAN lines are fairly slow since
>>>>> your branch DNS will only make ONE forwarding request to the
>>>>> "Main DNS" which may have the answer in cache (since other
>>>>> DNS servers and it's direct clients may recently have asked the
>>>>> same question) OR it will make all of the subsequent requests
>>>>> (either forward or recursing) for the name and likely be "closer"
>>>>> to the Internet.
>>>>>
>>>>> If every branch had its own direct connection to The Internet then
>>>>> this might not be so ful.
>>>>>
>>>>> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it
>>>>> > should
>>>>> > point it back to the main DNS servers which if again cant resolve
>>>>> > then
>>>>> > goes
>>>>> > to the root hints.
>>>>> > So PC -> Local DNS -> Main DNS -> Root hints
>>>>>
>>>>> That can work, but without a full reading of (and perhaps testing
>>>>> on) your actual WAN lines we cannot say for sure.
>>>>>
>>>>> > Hope this makes sense, thanks
>>>>>
>>>>> How does it work currently?
>>>>>
>>>>> --
>>>>> Herb Martin, MCSE, MVP
>>>>> Accelerated MCSE
>>>>> http://www.LearnQuick.Com
>>>>> [phone number on web site]
>>>>>
>>>>>
>>>>> > Regards
>>>>> > Adrian
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>

Wow thanks again for the detailed response guys.

I have to admit through that some of it is going a little over myhead, Im
quite new to this, but thats ok I like to learn.

I going to do a little more research on the MS site and hopefully then I
will be better able to answer your Questions because I think that this is
obviously something which you need to learn how to do correctly.

>Ultimately we would need to get full particulars and perhaps
>test to give him a an EASY "best answer" rather than good
>-- and very explicit -- design principles that will teach how
>to solve most any similar problem.

This would probably alot, I can run any test you think might .



"Herb Martin" wrote:

> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
> news:12hocn579o7r66f@corp.supernews.com...
> > Right, that's why I qualified it with "if all the servers hold the same
> > zones". I'm probably assuming too much here, but I gathered from the OP's
> > reference to the singular "domain" rather than "domains" probably means
> > there is only one authoritative zone, and since he confirmed that it is
> > ADI that all DNS servers would have a copy.
> >
>
> That was implied (if never stated explicitly) and I was in
> no way disagreeing with or correcting you, just elaborating.
>
> Ultimately we would need to get full particulars and perhaps
> test to give him a an EASY "best answer" rather than good
> -- and very explicit -- design principles that will teach how
> to solve most any similar problem.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> > ...kurt
> >
> >
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:eimjvku4GHA.1188@TK2MSFTNGP05.phx.gbl...
> >> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
> >> news:12hlmnrr1d4dvf1@corp.supernews.com...
> >>> ADI zones, if all servers hold all the same zones, should be identical.
> >>
> >> Forwarder setting is however NOT a zone setting so
> >> he can easily set different servers to different forwarding
> >> options.
> >>
> >>> Every site with a local Internet connection could have a forwarder to
> >>> the local ISP's DNS server. As Herb pointed out, it MIGHT have some
> >>> value to forward from a site that doesn't have it's own internet service
> >>> to a DNS server in a site that does, so that only one forward query and
> >>> one reply will traverse the WAN, and further forward queries or
> >>> recursive lookups are performed from a site with a separate Internet
> >>> connection to conserver WAN bandwidth. I see no point in having both.
> >>> Herb?
> >>
> >> Of course you are correct that he should use AD Integrated
> >> DNS for all of his own zones. (Unless compelling reasons
> >> suggest otherwise, e.g., no DC but need another DNS for
> >> fault tolerance etc) this is always our first choice for our
> >> Microsoft domain DNS.
> >>
> >> As to forwarders I agree again.
> >>
> >> Generally it is a NICE IDEA to have ONLY ONE DNS server
> >> (or set) at the FIREWALL/DMZ/Gateway to the Internet which
> >> does ALL of the public lookups.
> >>
> >> Two reasons for this: I don't want those DC-DNS servers out
> >> on the Internet AT ALL, especially not recursing to places like
> >> EvilHackersRUs.com <grin>.
> >>
> >> And, by doing this we consolidate cache for every other DNS
> >> server that forwarders there so we get more cache successes
> >> without even crossing the WAN to the Internet or ISP.
> >>
> >> As to branch offices, if there can forward to that "gatewayDMZ"
> >> DNS directly that is usually there best choice since we now
> >> avoid adding multiple forwarder chains (which may work but
> >> eventually become excessive -- testing required.)
> >>
> >> So the actual forwarder should (generally) NOT be an AD-DNS
> >> but might just be a feature of your hardware routers/firewalls.
> >>
> >> (This DNS holds NO zones, in a perfect world, and would have
> >> nothing to do with resolving YOUR resources for people on
> >> the Internet. Properly that job is done by SEPARATE DNS
> >> servers and for most companies is best left at the REGISTRAR.)
> >>
> >>
> >> --
> >> Herb Martin, MCSE, MVP
> >> Accelerated MCSE
> >> http://www.LearnQuick.Com
> >> [phone number on web site]
> >>
> >>>
> >>> ...kurt
> >>>
> >>>
> >>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
> >>> news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
> >>>> Thanks Herb for your detailed response.
> >>>>
> >>>> Our 7 servers are all "Active Directory Integrated Zones"
> >>>>
> >>>> Unfortunaly I don't know why some of the servers have "enable
> >>>> forwarders"
> >>>> ticked and others dont, Ive only recently moved to this firm so Im
> >>>> trying to
> >>>> make sense how/why it was setup this way.
> >>>>
> >>>> All the sites are connected to the internet through our proxy server at
> >>>> head
> >>>> office, the WAN links are all quite good running at 512 -1Mb on
> >>>> dedicated
> >>>> lines so I dont think its a bandwidth issue.
> >>>>
> >>>> All the sites have the exact same hardware and should be identical to
> >>>> each
> >>>> other configuration wise but some where along the lines someone has
> >>>> made
> >>>> changes so now I trying to get them all back looking the same again.
> >>>>
> >>>> How do you think we should be setup in terms if best practice?
> >>>>
> >>>> "Herb Martin" wrote:
> >>>>
> >>>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
> >>>>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
> >>>>> > Hey all,
> >>>>> >
> >>>>> > A little unsure about DNS and forwarders could you check to see if
> >>>>> > my
> >>>>> > logic
> >>>>> > is flawed.
> >>>>> >
> >>>>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
> >>>>> >
> >>>>> > Under the DNS mmc some of the servers have "Enable Forwarders"
> >>>>> > ticked and
> >>>>> > some don't. The two DCs in head office are the main DNS servers.
> >>>>>
> >>>>> Why do you enable Forwarders?
> >>>>>
> >>>>> If the answer is that your DNS servers don't hold ALL of your
> >>>>> internal zone, or that you wish to resolve THE Internet then
> >>>>> likely EVER DNS server should enable forwarders if any of
> >>>>> them do.
> >>>>>
> >>>>> There are two general ways for a DNS server to resolve names it
> >>>>> doesn't
> >>>>> 'know directly' (i.e., for zones it doesn't hold):
> >>>>>
> >>>>> 1) Recurse physically (root down)
> >>>>> 2) Forward
> >>>>>
> >>>>> Theorectically some of your DNS servers might be recursing
> >>>>> and others might forward but why would they be different?
> >>>>>
> >>>>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked and
> >>>>> > pointing
> >>>>> > back to our main DNS servers? Any reason why they shouldn't?
> >>>>>
> >>>>> You don't want your fowarding chains to be TOO long but this
> >>>>> might make perfect sense if your WAN lines are fairly slow since
> >>>>> your branch DNS will only make ONE forwarding request to the
> >>>>> "Main DNS" which may have the answer in cache (since other
> >>>>> DNS servers and it's direct clients may recently have asked the
> >>>>> same question) OR it will make all of the subsequent requests
> >>>>> (either forward or recursing) for the name and likely be "closer"
> >>>>> to the Internet.
> >>>>>
> >>>>> If every branch had its own direct connection to The Internet then
> >>>>> this might not be so ful.
> >>>>>
> >>>>> > Shouldn't it be PC -> local DNS server, if this cant resolve it, it
> >>>>> > should
> >>>>> > point it back to the main DNS servers which if again cant resolve
> >>>>> > then
> >>>>> > goes
> >>>>> > to the root hints.
> >>>>> > So PC -> Local DNS -> Main DNS -> Root hints
> >>>>>
> >>>>> That can work, but without a full reading of (and perhaps testing
> >>>>> on) your actual WAN lines we cannot say for sure.
> >>>>>
> >>>>> > Hope this makes sense, thanks
> >>>>>
> >>>>> How does it work currently?
> >>>>>
> >>>>> --
> >>>>> Herb Martin, MCSE, MVP
> >>>>> Accelerated MCSE
> >>>>> http://www.LearnQuick.Com
> >>>>> [phone number on web site]
> >>>>>
> >>>>>
> >>>>> > Regards
> >>>>> > Adrian
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
>

"Adrian" <Adrian@discussions.microsoft.com> wrote in message
news:AA5DFEF5-DE9B-4604-945D-E6A08F8DBDC4@microsoft.com...
> Wow thanks again for the detailed response guys.

You are certainly welcome.

> I have to admit through that some of it is going a little over myhead, Im
> quite new to this, but thats ok I like to learn.

Then you might wish to quote the message (or pertinent sections)
and ask your questions (or better state your understanding) for each
significant point that seems to be unclear to you.....

> I going to do a little more research on the MS site and hopefully then I
> will be better able to answer your Questions because I think that this is
> obviously something which you need to learn how to do correctly.

You would probably get faster answers and learn both better and
faster if you just tried the response technique above rather than
read a lot of (unfocused) sources.

Frequently we can point you right to your misunderstandings or
you to focus on the KEY points you have not yet learned.

>>Ultimately we would need to get full particulars and perhaps
>>test to give him a an EASY "best answer" rather than good
>>-- and very explicit -- design principles that will teach how
>>to solve most any similar problem.
>
> This would probably alot, I can run any test you think might .

Actually, I am strongly suggesting you would benefit more by
understanding those design principles yourself, and then you
could run your own tests as necessary.

We aren't there where we can "see your stuff" so trying to actually
OPTIMIZE a system is a bit difficult remotely. (I have a reputation
-- good or bad <grin> -- as an optimization specialist but yet I
will tell you straight out it is a "black art" not a science even though
one must actually PERFORM each such analysis in a scientific and
rigorous fashion: first measuring current response, guessing an
improvement, and then performing anther measurement and tests
to determine the improvement AND to feed the next guess for another
change.)

Optimization without measurement is like gambling in a crooked game:
You aren't likely to win anyway, but even if you do your winnings
will be stolen. (Really)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
>
>
> "Herb Martin" wrote:
>
>> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
>> news:12hocn579o7r66f@corp.supernews.com...
>> > Right, that's why I qualified it with "if all the servers hold the same
>> > zones". I'm probably assuming too much here, but I gathered from the
>> > OP's
>> > reference to the singular "domain" rather than "domains" probably means
>> > there is only one authoritative zone, and since he confirmed that it is
>> > ADI that all DNS servers would have a copy.
>> >
>>
>> That was implied (if never stated explicitly) and I was in
>> no way disagreeing with or correcting you, just elaborating.
>>
>> Ultimately we would need to get full particulars and perhaps
>> test to give him a an EASY "best answer" rather than good
>> -- and very explicit -- design principles that will teach how
>> to solve most any similar problem.
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>> > ...kurt
>> >
>> >
>> > "Herb Martin" <news@LearnQuick.com> wrote in message
>> > news:eimjvku4GHA.1188@TK2MSFTNGP05.phx.gbl...
>> >> "Kurt" <lorentzenkurt@nospam.hotmail.com> wrote in message
>> >> news:12hlmnrr1d4dvf1@corp.supernews.com...
>> >>> ADI zones, if all servers hold all the same zones, should be
>> >>> identical.
>> >>
>> >> Forwarder setting is however NOT a zone setting so
>> >> he can easily set different servers to different forwarding
>> >> options.
>> >>
>> >>> Every site with a local Internet connection could have a forwarder to
>> >>> the local ISP's DNS server. As Herb pointed out, it MIGHT have some
>> >>> value to forward from a site that doesn't have it's own internet
>> >>> service
>> >>> to a DNS server in a site that does, so that only one forward query
>> >>> and
>> >>> one reply will traverse the WAN, and further forward queries or
>> >>> recursive lookups are performed from a site with a separate Internet
>> >>> connection to conserver WAN bandwidth. I see no point in having both.
>> >>> Herb?
>> >>
>> >> Of course you are correct that he should use AD Integrated
>> >> DNS for all of his own zones. (Unless compelling reasons
>> >> suggest otherwise, e.g., no DC but need another DNS for
>> >> fault tolerance etc) this is always our first choice for our
>> >> Microsoft domain DNS.
>> >>
>> >> As to forwarders I agree again.
>> >>
>> >> Generally it is a NICE IDEA to have ONLY ONE DNS server
>> >> (or set) at the FIREWALL/DMZ/Gateway to the Internet which
>> >> does ALL of the public lookups.
>> >>
>> >> Two reasons for this: I don't want those DC-DNS servers out
>> >> on the Internet AT ALL, especially not recursing to places like
>> >> EvilHackersRUs.com <grin>.
>> >>
>> >> And, by doing this we consolidate cache for every other DNS
>> >> server that forwarders there so we get more cache successes
>> >> without even crossing the WAN to the Internet or ISP.
>> >>
>> >> As to branch offices, if there can forward to that "gatewayDMZ"
>> >> DNS directly that is usually there best choice since we now
>> >> avoid adding multiple forwarder chains (which may work but
>> >> eventually become excessive -- testing required.)
>> >>
>> >> So the actual forwarder should (generally) NOT be an AD-DNS
>> >> but might just be a feature of your hardware routers/firewalls.
>> >>
>> >> (This DNS holds NO zones, in a perfect world, and would have
>> >> nothing to do with resolving YOUR resources for people on
>> >> the Internet. Properly that job is done by SEPARATE DNS
>> >> servers and for most companies is best left at the REGISTRAR.)
>> >>
>> >>
>> >> --
>> >> Herb Martin, MCSE, MVP
>> >> Accelerated MCSE
>> >> http://www.LearnQuick.Com
>> >> [phone number on web site]
>> >>
>> >>>
>> >>> ...kurt
>> >>>
>> >>>
>> >>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>> >>> news:9FAA110C-BAC3-43E0-924E-254D1389EB56@microsoft.com...
>> >>>> Thanks Herb for your detailed response.
>> >>>>
>> >>>> Our 7 servers are all "Active Directory Integrated Zones"
>> >>>>
>> >>>> Unfortunaly I don't know why some of the servers have "enable
>> >>>> forwarders"
>> >>>> ticked and others dont, Ive only recently moved to this firm so Im
>> >>>> trying to
>> >>>> make sense how/why it was setup this way.
>> >>>>
>> >>>> All the sites are connected to the internet through our proxy server
>> >>>> at
>> >>>> head
>> >>>> office, the WAN links are all quite good running at 512 -1Mb on
>> >>>> dedicated
>> >>>> lines so I dont think its a bandwidth issue.
>> >>>>
>> >>>> All the sites have the exact same hardware and should be identical
>> >>>> to
>> >>>> each
>> >>>> other configuration wise but some where along the lines someone has
>> >>>> made
>> >>>> changes so now I trying to get them all back looking the same again.
>> >>>>
>> >>>> How do you think we should be setup in terms if best practice?
>> >>>>
>> >>>> "Herb Martin" wrote:
>> >>>>
>> >>>>> "Adrian" <Adrian@discussions.microsoft.com> wrote in message
>> >>>>> news:E1CDE7B2-4207-460B-A90C-E1C98BB156CF@microsoft.com...
>> >>>>> > Hey all,
>> >>>>> >
>> >>>>> > A little unsure about DNS and forwarders could you check to see
>> >>>>> > if
>> >>>>> > my
>> >>>>> > logic
>> >>>>> > is flawed.
>> >>>>> >
>> >>>>> > Win 2000 domain, 7 Dcs, 5 around the country and 2 in head office
>> >>>>> >
>> >>>>> > Under the DNS mmc some of the servers have "Enable Forwarders"
>> >>>>> > ticked and
>> >>>>> > some don't. The two DCs in head office are the main DNS servers.
>> >>>>>
>> >>>>> Why do you enable Forwarders?
>> >>>>>
>> >>>>> If the answer is that your DNS servers don't hold ALL of your
>> >>>>> internal zone, or that you wish to resolve THE Internet then
>> >>>>> likely EVER DNS server should enable forwarders if any of
>> >>>>> them do.
>> >>>>>
>> >>>>> There are two general ways for a DNS server to resolve names it
>> >>>>> doesn't
>> >>>>> 'know directly' (i.e., for zones it doesn't hold):
>> >>>>>
>> >>>>> 1) Recurse physically (root down)
>> >>>>> 2) Forward
>> >>>>>
>> >>>>> Theorectically some of your DNS servers might be recursing
>> >>>>> and others might forward but why would they be different?
>> >>>>>
>> >>>>> > Shouldn't all the DNS servers have "Enabled Forwarders" ticked
>> >>>>> > and
>> >>>>> > pointing
>> >>>>> > back to our main DNS servers? Any reason why they shouldn't?
>> >>>>>
>> >>>>> You don't want your fowarding chains to be TOO long but this
>> >>>>> might make perfect sense if your WAN lines are fairly slow since
>> >>>>> your branch DNS will only make ONE forwarding request to the
>> >>>>> "Main DNS" which may have the answer in cache (since other
>> >>>>> DNS servers and it's direct clients may recently have asked the
>> >>>>> same question) OR it will make all of the subsequent requests
>> >>>>> (either forward or recursing) for the name and likely be "closer"
>> >>>>> to the Internet.
>> >>>>>
>> >>>>> If every branch had its own direct connection to The Internet then
>> >>>>> this might not be so ful.
>> >>>>>
>> >>>>> > Shouldn't it be PC -> local DNS server, if this cant resolve it,
>> >>>>> > it
>> >>>>> > should
>> >>>>> > point it back to the main DNS servers which if again cant resolve
>> >>>>> > then
>> >>>>> > goes
>> >>>>> > to the root hints.
>> >>>>> > So PC -> Local DNS -> Main DNS -> Root hints
>> >>>>>
>> >>>>> That can work, but without a full reading of (and perhaps testing
>> >>>>> on) your actual WAN lines we cannot say for sure.
>> >>>>>
>> >>>>> > Hope this makes sense, thanks
>> >>>>>
>> >>>>> How does it work currently?
>> >>>>>
>> >>>>> --
>> >>>>> Herb Martin, MCSE, MVP
>> >>>>> Accelerated MCSE
>> >>>>> http://www.LearnQuick.Com
>> >>>>> [phone number on web site]
>> >>>>>
>> >>>>>
>> >>>>> > Regards
>> >>>>> > Adrian
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>>