Proper DNS configuration for single forest with multiple domains.

Posted on 2008-06-15
Last Modified: 2010-09-13
Hello, I have inherited a network with some DNS issues. I need some insight on how the DNS servers should be configured. Here is what I have:

A root domain we will call root.local; it has 2 subdomains, sub1.root.local and sub2.root.local.

Root.local and sub1.root.local are here in the data center; sub2.root.local is a remote location connected to the data center via VPN through a 10 Mb bonded PRI.

There is one ADC (active directory controller) for root.local
There are 2 ADCs for sub1.root.local
There are 2 ADCs for sub2.root.local

Of the ADCs for sub2.root.local, one is at the remote location and one is in the local data center. (Mind you, I did not set them up.)

Currently, the DNS setting in the TCP/IP configuration on the NIC of the remote-location ADC is pointed to the DNS server on the ADC for root.local in the data center. The DNS server at the remote location seems to be set up as a standalone server, no forwarding, just set up to use the root server for lookup. At this time, I do not know if its DNS is set up as AD integrated.

Here is the problem: when the WAN link went down, the remote users could not authenticate. After doing my initial survey, it does appear that DNS is the culprit. I have not set up DNS for multiple domains before, but it seems that the remote server should be looking to itself for DNS.

What I need to know is how to properly set up the DNS servers for root.local, sub1.root.local and sub2.root.local so they communicate and replicate their information for the forest properly.

This is a pure Server 2003 environment.

What I think (please tell me where I am wrong):
I think that the ADCs for root.local should be the primary DNS server, setting up the DNS servers for sub1.root.local and sub2.root.local as secondary DNS servers, forwarding to the DNS server for root.local. Or possibly a conditional forwarder for local domain name lookups.

I guess what I don't understand is how the DNS servers replicate information to each other, rather than just forwarding requests. I have scoured the net and Experts Exchange with no specific answer.

A crash course in how this works would be great, if I need to break this down into other questions just let me know.


Question by:chris_nt

Accepted Solution

Jay_Jay70 earned 1000 total points
ID: 21790720
Your root DCs should be looking at themselves for DNS. In the case that you only have one, you should have it looking at itself only. You need to also ensure that the DNS zones are AD integrated.

At the root level, you have two options for name resolution for the child domains:
1) Host a stub zone for each child domain (this will require AD-integrated zones)
2) Create a delegation in the root domain to the child domains

I personally prefer a stub zone scenario as it's not tied to any name servers in the child domain.

For your child domains, again, they should be AD-integrated zones. Each DC should look at itself first, and the second DC as a secondary. These are the only entries that should be in the local TCP/IP configuration.

I would also include some conditional forwarding in the child domains, IF you need to have name resolution between the child domains. So dc.child1.local would forward all requests for child2.local through to the servers in the second child domain, and dc1.child2.local would forward all requests for child1.local through to the servers in the first child domain.

You can configure forwarding for all other requests either out through your root domain OR you can forward externally. If you forward requests externally, make sure you configure conditional forwarding for the root.local domain to the root domain's DNS servers.

Make sure you also configure Sites and Services for the domains to control localised traffic.
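The layout in this answer written out as Server 2003 dnscmd/netsh commands. This is an added example, not part of the answer or the thread; the host names, IP addresses (10.0.x.x for the three domains, 203.0.113.53 as the external resolver) and the interface name are constructed, and each section is meant to be run on the server named in the command.

```batch
@echo off
REM Constructed lab names (assumption, not from the thread):
REM   rootdc.root.local     10.0.0.10  (only DC/DNS for root.local)
REM   dc1.sub1.root.local   10.0.1.10   dc2.sub1.root.local  10.0.1.11
REM   dc1.sub2.root.local   10.0.2.10  (remote site, behind the WAN link)
REM   dc2.sub2.root.local   10.0.2.11  (data center)

REM --- Root DC: NIC points only at itself; stub zones for each child ---
netsh interface ip set dns name="Local Area Connection" static 10.0.0.10 primary
dnscmd rootdc.root.local /zoneadd sub1.root.local /dsstub 10.0.1.10 10.0.1.11
dnscmd rootdc.root.local /zoneadd sub2.root.local /dsstub 10.0.2.10 10.0.2.11

REM --- Remote sub2 DC: itself first, its partner DC second, nothing else ---
netsh interface ip set dns name="Local Area Connection" static 10.0.2.10 primary
netsh interface ip add dns name="Local Area Connection" addr=10.0.2.11 index=2

REM --- sub2 DNS: conditional forwarder for the other child domain ---
dnscmd dc1.sub2.root.local /zoneadd sub1.root.local /forwarder 10.0.1.10 10.0.1.11

REM --- sub2 DNS forwards everything else externally, so root.local also
REM     needs a conditional forwarder pointing at the root domain's DNS server
dnscmd dc1.sub2.root.local /zoneadd root.local /forwarder 10.0.0.10
dnscmd dc1.sub2.root.local /resetforwarders 203.0.113.53

REM --- The WAN-down check: the remote DC must answer for its own domain's
REM     DC locator records without any help from the data center
nslookup -type=SRV _ldap._tcp.dc._msdcs.sub2.root.local 10.0.2.10
```

If the last query fails while the WAN link is up, the sub2 zone on the remote DC is not AD integrated or not loaded, and logons at that site will still break when the link goes down.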


Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 21791893

Hey Chris (and James :)),

Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local.

2. Configure Delegation

I prefer Delegation; I find it neater for multi-domain topologies: centralised vs de-centralised configuration.

The advantage of a centralised configuration such as Delegation is that you can add these to the root.local zone and you're done with it. Because of item 1 above, child domains will receive correct paths to the other DNS Servers.

Stub Zones are marginally less configuration in some circumstances, but you'd need to add zones for each child domain (for each remote child domain). You also have the problem that you cannot just do that once at Root and set it to Forest-wide replication because of the existing zones on the child domain DNS Servers. The same applies for Conditional Forwarders in this scenario.

The disadvantage of Delegation is that you need to remember to modify the NS records for the delegation should a Child Domain DNS server change.

It's up to you which you go with in the end, the above is only my opinion on the subject.

3. Child Zones

Child Zones should be configured to replicate to all DNS Servers within their Domain. That loads the Zone Data into:


4. Configure Clients

Clients (including Servers) for each network should refer to DNS Servers for their local domain. This removes reliance on any indirect name resolution source and places it on the DCs they use for Authentication.

I assume you have more than one DC in each Domain (root and children)?

5. Configure Internet Name Resolution

You get quite a few choices about how this works. This is my preferred approach.

If a client site / child domain has a local connection to the internet, the DNS requests should be handled by the local DNS Server. That means that the DNS Server on the site should either Forward to an external DNS Server, or use Root Hints to resolve requests.

Conversely, if clients on a child domain must go through a hub site to get to the Internet then it would be beneficial for the Child Domain DNS Servers to Forward internet (all other domain) queries to the Root Domain DNS Servers.

This stands aside from the configuration from the domain.
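The five steps of this answer as Server 2003 dnscmd/netsh commands, added here as an example that is not part of the answer or the thread. Host names, IP addresses (10.0.x.x internally, 203.0.113.53 as the ISP resolver) and the interface name are constructed, and it assumes sub2 reaches the Internet only through the data center, so it takes the "forward to root" option from step 5.

```batch
@echo off
REM Constructed lab names (assumption, not from the thread):
REM   rootdc.root.local 10.0.0.10   dc1/dc2.sub1.root.local 10.0.1.10/.11
REM   dc1/dc2.sub2.root.local 10.0.2.10/.11 (dc1 is at the remote site)

REM 1. root.local: AD integrated, replicated to every DNS server in the forest
REM    (moves the zone into DC=ForestDnsZones,DC=root,DC=local)
dnscmd rootdc.root.local /zonechangedirectorypartition root.local /forest

REM 2. Delegation: NS records for each child inside root.local, plus glue A
REM    records so the NS names resolve. Update these if a child DNS server changes.
dnscmd rootdc.root.local /recordadd root.local sub1 NS dc1.sub1.root.local.
dnscmd rootdc.root.local /recordadd root.local sub1 NS dc2.sub1.root.local.
dnscmd rootdc.root.local /recordadd root.local dc1.sub1 A 10.0.1.10
dnscmd rootdc.root.local /recordadd root.local dc2.sub1 A 10.0.1.11
dnscmd rootdc.root.local /recordadd root.local sub2 NS dc1.sub2.root.local.
dnscmd rootdc.root.local /recordadd root.local sub2 NS dc2.sub2.root.local.
dnscmd rootdc.root.local /recordadd root.local dc1.sub2 A 10.0.2.10
dnscmd rootdc.root.local /recordadd root.local dc2.sub2 A 10.0.2.11

REM 3. Child zones: replicate only to DNS servers within their own domain
dnscmd dc1.sub1.root.local /zonechangedirectorypartition sub1.root.local /domain
dnscmd dc1.sub2.root.local /zonechangedirectorypartition sub2.root.local /domain

REM 4. Clients and DCs at the remote site use their own domain's DCs, local first
netsh interface ip set dns name="Local Area Connection" static 10.0.2.10 primary
netsh interface ip add dns name="Local Area Connection" addr=10.0.2.11 index=2

REM 5. Internet resolution: sub2 has no local Internet link (assumption), so its
REM    DNS servers forward all other queries to root, and root forwards to the ISP
dnscmd dc1.sub2.root.local /resetforwarders 10.0.0.10
dnscmd rootdc.root.local /resetforwarders 203.0.113.53

REM Verify from the remote site: root.local is loaded locally (step 1) and the
REM delegation for sub1 is answered without a forwarder (step 2)
dnscmd dc1.sub2.root.local /zoneinfo root.local
nslookup -type=NS sub1.root.local 10.0.2.10
```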



Author Closing Comment

ID: 31467443
Thanks guys, I find each post equally informative, so I am splitting the points evenly.  

Thanks for your help and quick response.

Expert Comment

by:Chris Dent
ID: 21793990

Glad I / we could help out :)


Expert Comment

ID: 21797934
Hey Chris & Chris :)

Nice work old son - Chris Dent is probably our topmost DNS guru on the site - so heed his advice - taught me DNS for years :)

Expert Comment

ID: 33662600

Per your advice, won't this allow the child domain admins full read/write access to the root DNS zones, since it's now replicated to their DNS servers? Is forwarding a better option to configure on the child DNS servers than replicating the root zone to all domain controllers forest-wide?

"Here's a short-list of what I would do on your network:

1. Change the zone for root.local to replicate to all DNS Servers in the Forest.

By default only _msdcs uses that replication mode for a Forest. However doing so for the full root domain removes the need to configure Forwarders (to root) in each child domain.

In most domain topologies the Root Domain is tiny so changing the replication scope like this has only a very small impact on bandwidth usage (if that is an issue).

Setting a zone to Forest replication changes it to store data in DC=ForestDNSZones,DC=root,DC=local"


Expert Comment

by:Chris Dent
ID: 33662890

Yes it will. Your domain admins cannot be trusted? :)

You can maintain forwarders or even Stub Zones if you feel that more appropriate, I certainly appreciate that the method I use above may not be suitable in all cases.


Expert Comment

ID: 33663066
Thanks Chris for the speedy reply.  Are there any pros/cons with using either forwarders or stub zones?

I trust them all but you just never know.

All of our child domain admins have full rights to their domain controllers and DNS servers, but since they don't have access to the root ADUC then they shouldn't have access to manage the root DNS zone either.

Expert Comment

by:Chris Dent
ID: 33663242

Stub zones need a bit more on the network, TCP 53 and Zone Transfers available if I remember correctly. On the plus side they maintain themselves (or should). With conditional forwards you must remember to keep them up to date.

