DNS Parent Servers - Best Practice

Posted on 2007-10-01
Last Modified: 2008-01-09
I have 4 DNS Servers in my network.
(2) W2003 for Active Directory and (2) W2000 for public websites
I have registered as NS records at parent servers (to the Registry) the (2) W2000 for public websites

When I run I get a WARNING
FAIL: You have one or more missing (stealth) nameservers.
The following nameserver(s) are listed (at your nameservers) as nameservers for your domain,
but are not listed at the parent nameservers
--... list of my (2) W2003 for Active Directory

What is the best practice to declare as Primary/Secondary DNS at parent level? (Registry)
My AD DNS servers -or- the public ones? (and what issues are involved in each case that I should be aware of?)
Question by:AkisC
    LVL 6

    Accepted Solution

    I think you possibly have the right configuration. These are the stealth NS records (sitting inside your network) in your Authoritative servers.

    You should not add these to the parent servers, and as long as these servers are working OK, you are doing fine. You need to make sure that your public DNS servers do not leak this NS server information in non-NS queries.
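
The comparison behind the warning quoted in the question, as an added example (not code from this thread or from any DNS testing tool): it diffs the NS set registered at the parent against the NS set the zone's own servers publish, and flags stealth names whose published A records sit in RFC 1918 space. The zone `example.com.`, all host names and all addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data: NS set held by the parent (registry) and the
# records returned by the zone's own public servers.
PARENT_NS = {"ns1.example.com.", "ns2.example.com."}
ZONE_RECORDS = """\
example.com.      3600 IN NS ns1.example.com.
example.com.      3600 IN NS ns2.example.com.
example.com.      3600 IN NS dc1.example.com.
example.com.      3600 IN NS dc2.example.com.
ns1.example.com.  3600 IN A  192.0.2.53
ns2.example.com.  3600 IN A  198.51.100.53
dc1.example.com.  3600 IN A  10.0.0.10
dc2.example.com.  3600 IN A  10.0.0.11
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_records(text):
    """Parse 'name ttl IN type rdata' lines into (ns_names, {name: [A addrs]})."""
    ns, addrs = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue  # skip blank or malformed lines
        name, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4]
        if rtype == "NS":
            ns.add(rdata.lower())
        elif rtype == "A":
            addrs.setdefault(name, []).append(ipaddress.ip_address(rdata))
    return ns, addrs

def audit_delegation(parent_ns, zone_text):
    """Compare parent and child NS sets; report stealth servers and leaks."""
    zone_ns, addrs = parse_records(zone_text)
    parent_ns = {n.lower() for n in parent_ns}
    stealth = sorted(zone_ns - parent_ns)   # in the zone, not at the parent
    missing = sorted(parent_ns - zone_ns)   # at the parent, not in the zone
    leaks = {}
    for name in stealth:
        private = [str(a) for a in addrs.get(name, [])
                   if any(a in net for net in RFC1918)]
        if private:                         # internal addressing is public
            leaks[name] = private
    return {"stealth": stealth, "missing_at_child": missing,
            "internal_leak": leaks}

if __name__ == "__main__":
    for key, value in audit_delegation(PARENT_NS, ZONE_RECORDS).items():
        print(f"{key}: {value}")
```

A non-empty `internal_leak` means the public zone data exposes internal server names and private addresses to anyone who queries it.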
    LVL 11

    Author Comment

    Thank you rbkumaran
    I'll just wait for some other or similar opinion because...
    I have had some issues (not all the time) -peculiar ones- like I'm not able to authenticate a certain user to some domain computers or I'm not able to remote login with mcs console. I believe this has something to do with how the 4 DNS must connect with the parent DNS.
    You get (at least) 50% of the points, for your time spent for me, that I appreciate a lot.
    LVL 6

    Expert Comment


    I think the issues you have mentioned are more likely client config related ones. As you may be aware, if a client cannot see the right DNS servers (your AD ones) then there is a problem straight away in getting the user to authenticate. So should be the remote console access.
