
Best Practices - DNS

Jay_Jay70 asked
Medium Priority
Last Modified: 2012-05-05
Bit of a query on how other networkers do this, more than a technical question.

picture a multi level Forest

                             Root Domain
            Child Domain1      Child Domain2            Child Domain3
                                    |          |  
                                   |            |
              SUBCHILDDOMAIN1      SUBCHILDOMAIN2            
                             |         |
                            |           |

I know this isn't best practice, so we won't go there, as it's political crap standing in the way.

My question is regarding the installation of DNS.

ROOT DOMAIN is fine. Say I have that set up and all is happy and cheery. When I go to create a child domain, what is best practice
(both textbook and from experience, the latter preferred)?

I know I can set up my new server, install DNS and add a forwarder to the root DNS server, and then run DCPROMO and go from there.

I also know I could set up zones on the root server and then load them in the child domains.

Is it best to just add the forwarder and let DNS create its structure the way it wants, rather than manipulating it?

Also, what about the lower-level domains, i.e. SUBCHILDDOMAIN1? When setting up DNS prior to promotion, where should its forwarder
be pointing: to CHILDDOMAIN1??

The idea of this will be for a user sitting at any of the CHILDDOMAINs (second level) to be able to resolve any client within the

Anyone with experience like this, I am just after an opinion; I know the technical side (well, most of it!). Sorry about the diagram....


DNS best practice is to follow a top-down configuration. Therefore, if you have the described setup, you delegate the appropriate records to the child domains and then forward back up to the parent domains, where you then configure the root hints within the parent domain for the appropriate root server/s.

Subdomains can be directed to their immediate parents as their master servers to cut down on replication traffic, e.g. lowsubdomain uses subdomain as its master server. If you choose to configure the servers with no zones and just forwarders, then you are creating caching-only servers, which are good for low-bandwidth connections to primary zones, but I have never seen this done throughout a forest.

If I was deciding a configuration for your current setup, I would create AD-integrated child zones which forward to the root (delegating the appropriate records to each child). Create secondary zones in the subdomains (with the child domains as their master servers) and lower subdomains (which would point to the subdomains as their master servers). Conditional forwarding could be used at the child level to support resolution to the other domains in the forest.
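As an added illustration of the layout described in the answer above (this is not the answerer's own code), here is how the delegation, secondary-zone and conditional-forwarder pieces would be set up with the DnsServer PowerShell module on Windows Server 2012 or later. Every domain name, server name and address below is an assumption chosen for the example; on the asker's 2003-era servers the same zones and forwarders are created with dnscmd or the DNS console.

```powershell
# Added example: top-down DNS for a multi-level forest.
# Assumed names and addresses (not from the original post):
#   corp.example                   forest root zone, dc1.corp.example      10.0.0.10
#   child1.corp.example            child domain,     dc1.child1.corp.example 10.1.0.10
#   child2.corp.example            child domain,     dc1.child2.corp.example 10.2.0.10
#   sub1.child1.corp.example       sub-domain,  dc1.sub1.child1.corp.example 10.11.0.10
# Run each section on the server named in its comment (or add -ComputerName).

# --- 1. On the forest root DNS server: delegate each child zone to its DCs.
$children = @(
    @{ Name = 'child1'; NameServer = 'dc1.child1.corp.example'; IP = '10.1.0.10' },
    @{ Name = 'child2'; NameServer = 'dc1.child2.corp.example'; IP = '10.2.0.10' }
)
foreach ($c in $children) {
    Add-DnsServerZoneDelegation -Name 'corp.example' -ChildZoneName $c.Name -NameServer $c.NameServer -IPAddress $c.IP
}

# --- 2. On the child DC (dc1.child1.corp.example): AD-integrated zone kept
#        within the domain, everything it is not authoritative for goes to the root.
Add-DnsServerPrimaryZone -Name 'child1.corp.example' -ReplicationScope Domain -DynamicUpdate Secure
Set-DnsServerForwarder -IPAddress '10.0.0.10' -UseRootHint $false

# Delegate the sub-domain from the child zone, same pattern as the root did.
Add-DnsServerZoneDelegation -Name 'child1.corp.example' -ChildZoneName 'sub1' -NameServer 'dc1.sub1.child1.corp.example' -IPAddress '10.11.0.10'

# The sub-domain DC will pull a secondary copy of this zone: allow transfers to
# that server only, never to "any server".
Set-DnsServerPrimaryZone -Name 'child1.corp.example' -SecureSecondaries TransferToSecureServers -SecondaryServers '10.11.0.10'

# Conditional forwarder so child1 reaches child2 directly rather than via the root.
Add-DnsServerConditionalForwarderZone -Name 'child2.corp.example' -MasterServers '10.2.0.10' -ReplicationScope Domain

# --- 3. On the sub-domain DC (dc1.sub1.child1.corp.example): secondary copy of
#        the parent zone with the child DC as master, and a forwarder up to it.
Add-DnsServerSecondaryZone -Name 'child1.corp.example' -ZoneFile 'child1.corp.example.dns' -MasterServers '10.1.0.10'
Set-DnsServerForwarder -IPAddress '10.1.0.10' -UseRootHint $false

# --- 4. Checks. Zone transfer must have completed, and a host in the other
#        child must resolve from the sub-domain (sub1 -> child1 forwarder ->
#        conditional forwarder -> child2).
Get-DnsServerZone -Name 'child1.corp.example' | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name 'fs01.child2.corp.example' -Server '10.11.0.10' -DnsOnly
```

The `-SecureSecondaries` line is the part most often skipped: a secondary zone only works if the master permits the transfer, and leaving the zone open to transfer from anywhere hands the whole host list to anyone on the network. If the transfer fails, the DNS event log on the master (event source DNS Server, refused AXFR) is the first place to look.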

Chris Dent, PowerShell Developer
Top Expert 2010


For an AD Forest I would ditch Forwarders entirely.

Change the Zone properties for your Root Domain and set it to Replicate to All Domain Controllers in the Forest. This should make the zone available to every DC by default. The same can be done with a Reverse Lookup zone if you have your Forest operating over the same Range (i.e. 10.x).

The advantages of this approach are that it leaves you with a very simple configuration. You don't have to configure a large number of Forwarders (Conditional or otherwise) or Secondary Zones to worry about transferring.

So you end up with a single Root Domain that's available on every DC in your environment via AD replication (which is going on anyway, the addition of a DNS Zone is trivial). Then each individual Domain can resolve names in alternate domains via that zone which will contain delegations for each direct sub-domain.

I would also restrict the number of servers responsible for handling name resolution. Realistically speaking, a couple of servers can handle a huge domain. We have 2 used for 3500 users in the UK, with the remaining DCs only running a DNS service in case we ever need it.

Remember that if you need to resolve by Hostname only you're going to have to include a large number of DNS Suffixes in the client search list.
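The forest-wide root zone approach above, as an added example that is not part of Chris Dent's answer, expressed with the DnsServer and DnsClient PowerShell modules (Windows Server 2012 / Windows 8 or later). The zone names, server names and the 10.0.0.0/8 range are assumptions for illustration.

```powershell
# Added example: one root zone replicated to every DC in the forest, no forwarders.
# Assumed names (not from the original post):
#   corp.example              forest root zone
#   dc1.child2.corp.example   a DC running DNS in the child2 domain
#   10.in-addr.arpa           reverse zone for a forest that lives entirely in 10.0.0.0/8

# --- On a DC that holds the root zone: move it to the ForestDnsZones partition so
#     every DNS-running DC in the forest receives it through normal AD replication.
Set-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Forest
Set-DnsServerPrimaryZone -Name '10.in-addr.arpa' -ReplicationScope Forest

# --- Check 1: a child-domain DC now holds the root zone with scope Forest.
Get-DnsServerZone -Name 'corp.example' -ComputerName 'dc1.child2.corp.example' |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope

# --- Check 2: the delegations that let a child DC walk down the tree are the NS
#     records in the root zone. Stale entries here break cross-domain resolution.
Get-DnsServerResourceRecord -ZoneName 'corp.example' -RRType NS |
    Where-Object { $_.HostName -ne '@' } |
    Select-Object HostName, @{ Name = 'NameServer'; Expression = { $_.RecordData.NameServer } }

# --- Check 3: a DC in child2 resolves a host in a sub-domain of child1 with no
#     forwarder configured; it follows corp.example -> child1 -> sub1 delegations.
Get-DnsServerForwarder -ComputerName 'dc1.child2.corp.example'   # IPAddress should be empty
Resolve-DnsName -Name 'app01.sub1.child1.corp.example' -Server 'dc1.child2.corp.example' -DnsOnly

# --- Client side: bare hostnames only resolve if the suffix search list covers
#     the domains users type them for. Normally pushed by Group Policy; shown
#     here on one client for testing.
Set-DnsClientGlobalSetting -SuffixSearchList @(
    'child1.corp.example',
    'child2.corp.example',
    'sub1.child1.corp.example'
)
```

Two things to verify before relying on this: every DC that is supposed to answer DNS queries must actually have the DNS role installed (the zone replicates to the partition, but nothing serves it otherwise), and each child's delegation NS and glue records in the root zone must be kept current when DCs are added or retired, since the root zone is now the only thing every server has in common.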

Top Expert 2006


Cheers both,

Both ideas are useful, but here is the catch: 500-ish domains with a minimum of 1 DC per site............ I don't want replication cranking through that many domains..... :)!

The next catch is that it's a mixed 2000 and 2003 domain, which means conditional forwarding is going to, well...... not happen too great!!

Now with each domain being a separate business and trying to reduce the amount of replication traffic, would forwarders seem like a better option again?

If you're talking about configuring forwarding to all other domains, and therefore creating a long list of forwarding addresses, then this may reduce replication traffic but will run system resources into the ground. That's the issue with traditional forwarding: it is so non-specific. If the root is delegating to the child domains, then configure those domains to use their root hints to perform resolution to the root zone/domain, which will direct queries to the appropriate child domain/s within the forest. Then configure the subdomains to forward to their parent domains, which in turn will follow the root hints back up to the root domain and follow the resolution process as described earlier.
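As an added example (not the answerer's own code) of the root-hints variant just described: child DCs get the forest root servers as their only root hints and no forwarder, while sub-domain DCs forward to their immediate parent. DnsServer module, Windows Server 2012 or later; the names and addresses are assumptions for illustration.

```powershell
# Added example: child domains iterate from the forest root via root hints,
# sub-domains forward to their parent. Assumed names (not from the original post):
#   dc1.corp.example        10.0.0.10   hosts corp.example, delegates child1/child2
#   dc1.child1.corp.example 10.1.0.10   DC in child1, runs DNS
#   dc1.sub1.child1.corp.example 10.11.0.10  DC in a sub-domain of child1

# --- On each child DC: replace the Internet root hints with the forest root
#     server(s) and remove any forwarder, so root hints are what gets used.
foreach ($hint in Get-DnsServerRootHint) {
    Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Confirm:$false
}
Add-DnsServerRootHint -NameServer 'dc1.corp.example' -IPAddress '10.0.0.10'

$current = (Get-DnsServerForwarder).IPAddress
if ($current) {
    Remove-DnsServerForwarder -IPAddress $current -Confirm:$false
}

# --- On the sub-domain DC: forward to the immediate parent only; the parent
#     takes it from there via its root hints.
Set-DnsServerForwarder -IPAddress '10.1.0.10' -UseRootHint $false

# --- Verify the chain from the sub-domain. A host in child2 resolves as:
#     sub1 (forwarder) -> child1 (root hint) -> corp.example (delegation) -> child2.
Get-DnsServerRootHint -ComputerName 'dc1.child1.corp.example'
Get-DnsServerForwarder -ComputerName 'dc1.child1.corp.example'   # IPAddress should be empty
Resolve-DnsName -Name 'fs01.child2.corp.example' -Server '10.11.0.10' -DnsOnly

# Names outside the forest now depend entirely on what the forest root servers
# hand back, so test an external name as well before rolling the change out.
Resolve-DnsName -Name 'www.example.org' -Server '10.11.0.10' -DnsOnly
```

One caveat worth checking on a 2000/2003 estate: the root-hints change is a per-server setting, so it has to be applied (or scripted with dnscmd) on every child DC, and a DC that keeps the Internet root hints will silently take a different resolution path from its peers.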


PowerShell Developer
Top Expert 2010

That's the best bit of storing the root zone in the forest: unless you have 500 forests, you're only adding one domain to the inter-site replication. That zone will allow your DNS servers to find every other child domain and subdomain within the forest, as it will include all the Name Server records it wouldn't have normally (basically it includes the root information; it can work down the tree again from there).

In addition to that, you're not introducing any points of failure into your network, and you're not increasing the network load on any specific DNS server. Remember that resolution speed is also quite important if you have any applications dependent on it; for that I would stay well away from a long chain of forwarders.

Practically speaking, if you're forwarding, you're going to be forwarding every request from 500 domains to your root DC (or something else that can provide answers or directions for everything in the domain). If you're happy with that, then it does have a few advantages in terms of a larger cache base to work from.

Top Expert 2006


Thank you very much to both.

If I get stuck during implementation, I'll no doubt be posting.

Cheers for your time.