Best Practices - DNS

Bit of a query on how other networkers do this, more than a technical question.

Picture a multi-level forest:

    Root Domain
    ├── Child Domain1
    │   └── SUBCHILDDOMAIN1
    │       └── (further levels below)
    ├── Child Domain2
    │   └── SUBCHILDOMAIN2
    │       └── (further levels below)
    └── Child Domain3

I know this isn't best practice, so we won't go there, as it's political crap standing in the way.

My question is regarding the installation of DNS.

ROOT DOMAIN is fine. Say I have that set up and all is happy and cheery. When I go to create a child domain, what is best practice
(both textbook and from experience; the latter preferred)?

I know I can set up my new server, install DNS and add a forwarder to the root DNS server, and then run DCPROMO and go from there.

I also know I could set up zones on the root server and then load them in the child domains.

Is it best to just add the forwarder and let DNS create its structure the way it wants, rather than manipulating it?

Also, what about the lower-level domains, i.e. SUBCHILDDOMAIN1? When setting up DNS prior to promotion, where should its forwarder
be pointing, to CHILDDOMAIN1??

The idea of this will be for a user sitting at any of the CHILDDOMAINs (second level) to be able to resolve any client within the

Anyone with experience like this: I am just after an opinion. I know the technical side (well, most of it!). Sorry about the diagram....
DNS best practice is to follow a top-down configuration. Therefore, if you have the described setup, you delegate the appropriate records to the child domains and then forward back up to the parent domains, where you then configure the root hints within the parent domain for the appropriate root server/s.
Subdomains can be directed to their immediate parents as their master servers to cut down on replication traffic, e.g. lowsubdomain uses subdomain as its master server. If you choose to configure the servers with no zones and just forwarders, then you are creating caching-only servers, which are good for low-bandwidth connections to primary zones, but I have never seen this done throughout a forest.
If I was deciding a configuration for your current setup, I would create AD-integrated child zones which forward to the root (delegating the appropriate records to each child). Create secondary zones in the subdomains (with the child domains as their master servers) and lower subdomains (which would point to the subdomains as their master servers). Conditional forwarding could be used at the child level to support resolution to the other domains in the forest.

Chris Dent (PowerShell Developer) commented:

For an AD Forest I would ditch Forwarders entirely.

Change the Zone properties for your Root Domain and set it to Replicate to All Domain Controllers in the Forest. This should make the zone available to every DC by default. The same can be done with a Reverse Lookup zone if you have your Forest operating over the same Range (i.e. 10.x).

The advantages of this approach are that it leaves you with a very simple configuration. You don't have to configure a large number of Forwarders (Conditional or otherwise) or Secondary Zones to worry about transferring.

So you end up with a single Root Domain that's available on every DC in your environment via AD replication (which is going on anyway, the addition of a DNS Zone is trivial). Then each individual Domain can resolve names in alternate domains via that zone which will contain delegations for each direct sub-domain.

I would also restrict the number of servers responsible for handling name resolution. Realistically speaking, a couple of servers can handle a huge domain. We have 2 used for 3500 users in the UK, with the remaining DCs only running a DNS service in case we ever need it.

Remember that if you need to resolve by Hostname only you're going to have to include a large number of DNS Suffixes in the client search list.

Jay_Jay70 (Author) commented:
Cheers both,

Both ideas are useful, but here is the catch: 500-ish domains with a minimum of 1 DC per site............ I don't want replication cranking through that many domains..... :)!

Next catch is it's a mixed 2000 and 2003 domain, which means conditional forwarding is going to, well......not happen too great!!

Now, with each domain being a separate business and trying to reduce the amount of replication traffic, would forwarders seem like a better option again?

If you're talking about configuring forwarding to all other domains, and therefore creating a long list of forwarding addresses, then this may reduce replication traffic but will run system resources into the ground. That's the issue with traditional forwarding: it is so non-specific. If the root is delegating to the child domains, then configure those domains to use their root hints to perform resolution to the root zone/domain, which will direct queries to the appropriate child domain/s within the forest. Then configure the subdomains to forward to their parent domains, which in turn will follow the root hints back up to the root domain and follow the resolution process as described earlier.

Chris Dent (PowerShell Developer) commented:

That's the best bit of storing the root zone in the forest: unless you have 500 forests, you're only adding one domain to the inter-site replication. That zone will allow your DNS servers to find every other child domain and subdomain within the forest, as it will include all the Name Server records it wouldn't have normally (basically it includes the root information; it can work down the tree again from there).

In addition to that, you're not introducing any points of failure into your network, and you're not increasing the network load on any specific DNS server. Remember that resolution speed is also quite important if you have any applications dependent on it; for that I would stay well away from a long chain of forwarders.

Practically speaking, if you're forwarding, you're going to be forwarding every request from 500 domains to your root DC (or something else that can provide answers or directions for everything in the domain). If you're happy with that, then it does have a few advantages in terms of a larger cache base to work from.
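The root-zone-in-the-forest configuration Chris Dent describes above (forest-wide replication of the root zone, delegations for each child, no forwarders), as an added example rather than code from the thread. It assumes a current Windows DNS Server with the DnsServer PowerShell module (not the 2000/2003 mix in the question), a forest root corp.example with children child1 and child3, and the host names and addresses shown, all of which are constructed.

```powershell
# Added example (not code from the thread): put the forest root zone in the
# forest-wide DNS application partition, delegate a child domain from it, drop
# forwarders, and verify that a DC in a different child still resolves the
# delegated names by walking the tree. Names and addresses are constructed.
# Requires the DnsServer module and DNS admin rights; run on the root domain DC.

$RootZone  = 'corp.example'                 # forest root domain (constructed)
$ChildName = 'child1'                       # child domain, relative to the root
$ChildDc   = "dc1.$ChildName.$RootZone"     # DC/DNS server in the child
$ChildDcIp = '10.1.0.10'                    # its address (constructed)
$OtherDc   = "dc1.child3.$RootZone"         # DC in an unrelated child domain

# 1. Replicate the AD-integrated root zone to every DNS-enabled DC in the forest,
#    so each child DC holds the root zone (and its delegations) via AD replication.
Set-DnsServerPrimaryZone -Name $RootZone -ReplicationScope Forest

# 2. Delegate the child from the root zone: NS record plus glue A record.
#    Without the glue record the child's name server cannot be reached via the delegation.
$existing = Get-DnsServerZoneDelegation -Name $RootZone -ChildZoneName $ChildName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerZoneDelegation -Name $RootZone -ChildZoneName $ChildName `
        -NameServer $ChildDc -IPAddress $ChildDcIp
}

# 3. Remove forwarders on this server: intra-forest names resolve
#    root zone -> delegation -> child, and external names use the root hints.
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) { Remove-DnsServerForwarder -IPAddress $fwd -Force }

# 4. Verify from an unrelated child: its DC holds the replicated root zone, so a
#    query for a child1 host must follow the delegation rather than a forwarder.
$answer = Resolve-DnsName -Name $ChildDc -Type A -Server $OtherDc -DnsOnly
if ($answer.IPAddress -contains $ChildDcIp) {
    "OK: $OtherDc resolved $ChildDc via the delegation in $RootZone"
} else {
    "FAIL: $OtherDc could not resolve $ChildDc; check the NS and glue records in $RootZone"
}

# 5. Single-label (hostname-only) lookups still need a suffix search list on the
#    clients, as noted in the thread; this sets one on the local machine only.
Set-DnsClientGlobalSetting -SuffixSearchList @("$ChildName.$RootZone", "child3.$RootZone", $RootZone)
```

Step 4 is the check worth keeping: if it fails on a DC that has already received the replicated root zone, the delegation (or its glue) is wrong, not replication.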


Jay_Jay70 (Author) commented:
Thank you very much to both.

If I get stuck through implementation I'll no doubt be posting.

Cheers for your time.
Topic: Windows Server 2003