hqpsystems asked:

DNS Root Hints

I have been performing a health check on my 2003 Active Directory and found an error running DCDIAG /test:DNS whereby a root hint is stated as invalid. I have conditional forwarding set up for three domains configured with 'Do Not Use Recursion for this Domain' which go to DNS servers in our parent company. 'All other DNS Domains' is set with No IP address as we have no resolution via the internet. However, we have one Root Hint in the root hint list: a.root-servers.net [198.41.0.4] which is obviously inaccessible (hence the error above) as we have no access out to the Internet. Should I remove this root hint completely, or will this have a negative effect on name resolution at all?
Darius Ghassem:

You can remove the Root Hint; you will not have any issues after removal, since this is an external Root hint.
Just get rid of the root hints - I would be tempted to put in a non-conditional forwarder to your parent company to resolve any external DNS.
hqpsystems (ASKER):
Would the current situation have any bearing on slow logon times etc. from users, as this is where I'm ultimately going with this? Would removing the root hint mean faster logon times, as I assume any lookup beyond the authoritative domain for my DNS or the domains of the three conditional forwarders would push the DNS query to trying to query the invalid root hint? Thanks.
No, if you are using Forwarders then DNS root hints are not used at all.

So, for slow logon usually you would need to look where the user is actually authenticating to and if this DC should be authenticating these users.

Users should authenticate to their local DCs but the local DC should be a GC and the clients should be pointing for primary DNS to this DC.
When machines log on they will query DNS to find a DC; this query is made to the internal DNS server, so ideally you need a Windows DNS server on your site to prevent a cross-site query having to be made.
Once DNS has supplied the DC information then the DC is contacted - again a local DC will prevent the need for cross-site traffic. External DNS servers are not used for logon/authentication etc.
I thought that as I'm using conditional forwarding, any DNS query outside of the domains specified in the forwarders would go to the 'All other DNS Domains'. As this is not configured, I assumed it would try and use any root hints listed?

I have 2 DCs based on site and two DCs based in Oxfordshire. All DCs are GCs and we have a 100MB pipe between the two physical sites. Currently within my AD I have only one site, so I have noticed that the DC that users connect to can sometimes be local and sometimes the other physical site.
ASKER CERTIFIED SOLUTION
Darius Ghassem
Root Hints are only needed when you do a recursive lookup.
In that case you need to know where to start.
There are 13 of them spread around the globe, named a.root-servers.net ... m.root-servers.net

dig -t ns .

will supply them.
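The check that DCDIAG is complaining about (is this root hint actually answering a query for the root NS set?) can be reproduced by hand with a few lines of Python. The script below is an added example and is not part of the thread or of any Microsoft tool: it builds the same query that `dig -t ns .` sends, fires it at each configured root hint with a short timeout, and reports whether a valid answer came back. The only address it carries is the one the asker listed, 198.41.0.4 for a.root-servers.net; the transaction-id check and the `check_root_hints` helper are my own additions. On a network with no Internet egress every hint will report as unreachable, which is exactly the condition the asker saw.

```python
import socket
import struct

# Constructed sample hint list: the single entry named in the thread.
ROOT_HINTS = {"a.root-servers.net": "198.41.0.4"}

QTYPE_NS = 2
QCLASS_IN = 1


def build_ns_query(name=".", txid=0x1234):
    """Build a DNS query for the NS records of `name` (default: the root zone),
    which is what `dig -t ns .` sends. Returns raw wire-format bytes."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    if name != ".":
        for label in name.rstrip(".").split("."):
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_header(resp):
    """Decode the 12-byte DNS header of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
    }


def is_valid_root_answer(resp, expected_txid):
    """A root hint is healthy only if it returns a NOERROR response to our own
    transaction id that carries at least one NS record in the answer section.
    Checking the id discards stray or spoofed datagrams."""
    if len(resp) < 12:
        return False
    h = parse_header(resp)
    return (h["is_response"] and h["txid"] == expected_txid
            and h["rcode"] == 0 and h["answers"] > 0)


def check_root_hint(name, ip, timeout=2.0, txid=0x1234):
    """Query one root hint over UDP/53 and report reachability."""
    query = build_ns_query(txid=txid)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError) as exc:
        # No route, filtered, or no reply: this is the "invalid root hint" case.
        return {"hint": name, "ip": ip, "ok": False, "reason": type(exc).__name__}
    ok = is_valid_root_answer(data, txid)
    return {"hint": name, "ip": ip, "ok": ok,
            "reason": "valid NS answer" if ok else "bad or empty answer"}


def check_root_hints(hints=ROOT_HINTS, timeout=2.0):
    """Run the check over every configured hint; returns one result per hint."""
    return [check_root_hint(n, ip, timeout) for n, ip in hints.items()]


if __name__ == "__main__":
    for result in check_root_hints():
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {result['hint']} [{result['ip']}]: {result['reason']}")
```

If every line prints BAD the server has no usable hint, and any query that falls through the forwarders to root-hint recursion will simply time out; that matches Darius' advice to remove the hints and rely on a forwarder to the parent company for anything not covered by the conditional forwarders.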