Solved

Are Root DNS necessary for AD Integrated DNS ?

Posted on 2007-03-28
384 Views
Last Modified: 2010-03-17
We have a small (only three Domain Controllers) Windows 2000 based Active Directory domain separated by a firewall from the rest of the corporate INTRANET.
This is a Honeywell process control network domain and needs to be separated from the corporate users.

DNS is integrated with Active Directory and they all show up as 'roots'.

I'd like to configure the DNS so that it can use the 'forwarders'.
In other words, if they can not resolve the names (on behalf of their clients), they should forward the request to DNS servers on the corporate network.

However, when I click on the 'Forwarders' tab, it comes back with an error telling me that this feature is not available for the 'root servers' !?

QUESTION: How to configure 'Forwarders' on my small domain ?
Do these DNS servers (AD integrated) need to be 'roots' ?
How to change them not to be 'roots' ?

TIA,

Mike
Question by:luckymilos
8 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18810858
The error message is likely referring to the "root zone". To remove this and enable forwarders see the following Microsoft article under "To Remove the Root DNS Zone":
http://support.microsoft.com/kb/300202
0
 

Author Comment

by:luckymilos
ID: 18814704
Thanks Rob, but it appears that your suggested solution refers to a standalone DNS configuration.

My DNS is Active Directory integrated.

Is the procedure the same for AD integrated DNS ?

Could there be any negative effects to my AD domain if I delete/remove "root zones" ?

Since I have three AD Domain Controllers (i.e. DNS servers), I assume one of them will be pointing to the forwarder and the other two will point to the first one ?
0
 
LVL 77

Accepted Solution

by:Rob Williams (earned 520 total points)
ID: 18816370
>>"Is the procedure the same for AD integrated DNS ?"
Yes.

Another article specific to the root zone removal:
http://support.microsoft.com/kb/298148
Petri site addresses root zones:
http://www.petri.co.il/no_forwarding_or_root_hints_on_dns_server.htm

To be honest I am not a DNS wizard. As to implications (short term) of doing so with multiple DNS servers, I cannot say. I don't foresee any, but you may want a second opinion. I'll get a DNS wiz to have a look for you. Different time zone so you may not hear for 8-10 hours.
Cheers!
0
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 480 total points
ID: 18820323
Morning!

The idea behind a root zone is that say in an organisation where you don't want recursion occurring (names resolved by servers up the tree), you configure a root zone (.). This is not all that common a configuration but it has its places.

In answer to your question, yes, the process is the same in AD integrated zones as it is for standard zones; in effect, the entire zone is the same, it's just stored within the AD metadata.

If you want to control your forwarding a little more for security and control, I would take a look at conditional forwarding rather than straight out forwarding. This way you can control exactly what is allowed to use recursion.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Good luck!
0
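Putting the two answers above into one script, as an added example that is not part of this thread or of either Microsoft article: it looks for a root (.) zone on each of the three AD-integrated DNS servers and removes it, then either sets plain forwarders to the corporate DNS (Rob's approach) or adds a conditional forwarder zone for the corporate namespace only (Jay_Jay70's approach, which keeps everything else from crossing the firewall). It also answers the "which server points where" part of the question: forwarders are a per-server setting that AD does not replicate, so every DC is configured directly instead of chaining two DCs through the third. The script uses the DnsServer PowerShell module, which exists only on Windows Server 2012 and later (or RSAT); on the Windows 2000 servers in the question the same steps are done in the DNS console or with dnscmd as the linked KB articles describe. The server names dc1/dc2/dc3, the addresses 10.10.0.53 and 10.10.0.54, and the zone corp.example are placeholders I made up.

```powershell
# Added example (not from the thread): replace a root "." zone with forwarders or a
# conditional forwarder on every DNS server of a small AD domain.
# Requires the DnsServer module (Windows Server 2012+ / RSAT) and DNS admin rights.
# All server names, addresses and zone names below are constructed placeholders.

$DnsServers      = @('dc1', 'dc2', 'dc3')         # the three DCs that also run DNS (assumed)
$CorpForwarders  = @('10.10.0.53', '10.10.0.54')  # corporate DNS on the far side of the firewall (assumed)
$CorpZone        = 'corp.example'                 # corporate namespace the PCN clients need (assumed)
$ConditionalOnly = $true   # $true  = Jay_Jay70: forward only $CorpZone, nothing else leaves the PCN
                           # $false = Rob: forward every unresolved query to corporate DNS

foreach ($server in $DnsServers) {
    # 1. A zone literally named "." makes the server believe it IS a root server,
    #    which is exactly why the Forwarders tab refuses to work. Check for it first.
    $rootZone = Get-DnsServerZone -ComputerName $server -ErrorAction SilentlyContinue |
                Where-Object { $_.ZoneName -eq '.' }

    if ($rootZone) {
        Write-Host "[$server] root zone found (AD-integrated: $($rootZone.IsDsIntegrated)); removing"
        # An AD-integrated zone is removed from the directory, so the other DCs lose it on
        # replication; the loop still checks each server so a stray standard-primary copy
        # (the case the first KB article covers) is caught as well.
        Remove-DnsServerZone -ComputerName $server -Name '.' -Force
    }
    else {
        Write-Host "[$server] no root zone present"
    }

    if ($ConditionalOnly) {
        # 2a. Conditional forwarder zone: only queries for $CorpZone are sent to corporate DNS.
        #     Stored in AD, so one call replicates it to all DCs; create it once and verify elsewhere.
        $existing = Get-DnsServerZone -ComputerName $server -Name $CorpZone -ErrorAction SilentlyContinue
        if (-not $existing -and $server -eq $DnsServers[0]) {
            Add-DnsServerConditionalForwarderZone -ComputerName $server -Name $CorpZone `
                -MasterServers $CorpForwarders -ReplicationScope 'Domain'
            Write-Host "[$server] conditional forwarder for $CorpZone created (replicates to the domain)"
        }
        elseif ($existing) {
            Write-Host "[$server] conditional forwarder for $CorpZone already present"
        }
    }
    else {
        # 2b. Plain forwarders: a per-server setting, so set it on every DC.
        #     -UseRootHint $false means "if corporate DNS does not answer, fail" instead of
        #     trying the Internet root servers, which the firewall would block anyway.
        Set-DnsServerForwarder -ComputerName $server -IPAddress $CorpForwarders -UseRootHint $false
        Write-Host "[$server] forwarders set to $($CorpForwarders -join ', ')"
    }
}

# 3. Verify: show each server's forwarder settings and resolve one corporate name through the first DC.
foreach ($server in $DnsServers) {
    Get-DnsServerForwarder -ComputerName $server |
        Select-Object @{ n = 'Server'; e = { $server } }, IPAddress, UseRootHint
}
Resolve-DnsName -Name "intranet.$CorpZone" -Server $DnsServers[0] -ErrorAction SilentlyContinue
```

Run it from a management host once, after confirming the firewall allows UDP/TCP 53 from the three DCs to the two corporate resolvers and nothing more; with `$ConditionalOnly = $true` a query for any name outside `corp.example` and the local AD zone simply fails at the DC, which is the "control exactly what is allowed to use recursion" property Jay_Jay70 describes. On Windows 2000/2003 the equivalent console commands are `dnscmd <server> /ZoneDelete . /DsDel /f` and `dnscmd <server> /ResetForwarders 10.10.0.53 10.10.0.54` (conditional forwarder zones via dnscmd require Server 2003).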
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18820526
The master is here !
Thanks Jay_Jay70
Great article by the way.
--Rob
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18820587
Hardly! But thank you!

And that site is always great
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18821582
Thanks luckymilos...and Jay_Jay70.
Cheers !
--Rob
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18821762
pleasure - thanks Rob!
0