Are Root DNS necessary for AD Integrated DNS ?

We have a small (only three Domain Controllers) Windows 2000 based Active Directory domain separated by a firewall from the rest of the corporate INTRANET.
This is a Honeywell process control network domain and needs to be separated from the corporate users.

DNS is integrated with Active Directory and they all show up as 'roots'.

I'd like to configure the DNS so that it can use the 'forwarders'.
In other words, if they can not resolve the names (on behalf of their clients), they should forward the request to DNS servers on the corporate network.

However, when I click on the 'Forwarders' tab, it comes back with an error telling me that this feature is not available for the 'root servers' !?

QUESTION: How to configure 'Forwarders' on my small domain?
Do these DNS servers (AD integrated) need to be 'roots'?
How to change them not to be 'roots'?

TIA,

Mike
luckymilos Asked:
Rob WilliamsCommented:
The error message is likely referring to the "root zone". To remove this and enable forwarders see the following Microsoft article under "To Remove the Root DNS Zone":
http://support.microsoft.com/kb/300202
0
luckymilosAuthor Commented:
Thanks Rob, but it appears that your suggested solution refers to a standalone DNS configuration.

My DNS is Active Directory integrated.

Is the procedure the same for AD integrated DNS ?

Could there be any negative effects to my AD domain if I delete/remove "root zones"?

Since I have three AD Domain Controllers (i.e. DNS servers), I assume one of them will be pointing to the forwarder and the other two will point to the first one ?
0
Rob WilliamsCommented:
>>"Is the procedure the same for AD integrated DNS ?"
Yes.

Another article specific to the root zone removal:
http://support.microsoft.com/kb/298148
Petri site addresses root zones:
http://www.petri.co.il/no_forwarding_or_root_hints_on_dns_server.htm

To be honest I am not a DNS wizard. As to implications (short term) of doing so with multiple DNS servers, I cannot say. I don't foresee any, but you may want a second opinion. I'll get a DNS wiz to have a look for you. Different time zone, so you may not hear for 8-10 hours.
Cheers!
0
Jay_Jay70Commented:
Morning!

The idea behind a root zone is that, say in an organisation where you don't want recursion occurring (names resolved by servers up the tree), you configure a root zone (.) ... This is not all that common a configuration, but it has its places.

In answer to your question, yes, the process is the same in AD integrated zones as it is for standard zones; in effect, the entire zone is the same, it's just stored within the AD metadata.

If you want to control your forwarding a little more for security and control, I would take a look at conditional forwarding rather than straight-out forwarding. This way you can control exactly what is allowed to use recursion.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Good luck!
0
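The steps the two answers describe (check for and remove the "." root zone, then forward only the corporate namespace across the firewall) as an added PowerShell example, not code from the thread. It assumes the DnsServer module of a later Windows Server (2012 or newer); the asker's Windows 2000 DCs would do the same through the DNS console or dnscmd. Addresses and zone names are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsServer PowerShell module
# (Windows Server 2012+) and a run from one of the domain controllers.
$CorpDns  = @('10.0.0.53', '10.0.1.53')   # placeholder: corporate DNS servers
$CorpZone = 'corp.example.com'            # placeholder: corporate namespace

# 1. A root zone (".") makes the server believe it IS the root, so the
#    Forwarders tab is disabled: exactly the error in the question. Look for it.
$rootZone = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
if ($rootZone) {
    Write-Host "Root zone '.' found (type: $($rootZone.ZoneType)); removing it."
    # For an AD-integrated zone this deletes it from the directory too, so the
    # other two DCs drop it after replication instead of needing separate edits.
    Remove-DnsServerZone -Name '.' -Force
}

# 2a. Plain forwarders (the asker's original goal): anything this server cannot
#     answer is sent to corporate DNS. Uncomment to use instead of 2b.
# Set-DnsServerForwarder -IPAddress $CorpDns -UseRootHint $false

# 2b. Conditional forwarding (Jay_Jay70's recommendation): only queries for the
#     corporate namespace cross the firewall; everything else stays unresolvable
#     from the process-control network, which limits what recursion can reach.
if (-not (Get-DnsServerZone -Name $CorpZone -ErrorAction SilentlyContinue)) {
    # Stored in AD and replicated to every DC in the forest, so all three DNS
    # servers forward directly rather than chaining through the first one.
    Add-DnsServerConditionalForwarderZone -Name $CorpZone `
        -MasterServers $CorpDns -ReplicationScope 'Forest'
}

# 3. Verify: no "." zone, and the forwarding configuration is what we expect.
$check = [ordered]@{
    RootZonePresent       = [bool](Get-DnsServerZone | Where-Object ZoneName -eq '.')
    GeneralForwarders     = (Get-DnsServerForwarder).IPAddress
    ConditionalForwarders = Get-DnsServerZone |
        Where-Object ZoneType -eq 'Forwarder' |
        Select-Object ZoneName, MasterServers
}
$check
```

Run it on each DC once (the zone changes replicate, the plain forwarder list in 2a does not), then confirm with `Resolve-DnsName` against a corporate host from a client behind the firewall.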
Rob WilliamsCommented:
The master is here!
Thanks Jay_Jay70
Great article by the way.
--Rob
0
Jay_Jay70Commented:
Hardly! But thank you!

And that site is always great
0
Rob WilliamsCommented:
Thanks luckymilos...and Jay_Jay70.
Cheers!
--Rob
0
Jay_Jay70Commented:
Pleasure - thanks Rob!
0