Determine if Server 2016 DNS is set to forward external IP address requests to public DNS servers

How can I determine if a Server 2016 DNS server is set to forward external IP address requests to public DNS servers on the internet?

An organization I consult for currently has these DNS server addresses assigned to client computers via DHCP: (internal IP address of primary domain controller (PDC) (secondary DNS server IP address) (third DNS server IP)

I would like to change this DHCP DNS scope to be: (internal IP address of primary domain controller (PDC) (internal IP address of second Active Directory domain controller) (third DNS server IP address)

This second set of DNS server addresses will provide better redundancy in case the primary domain controller (PDC) goes down.

But before doing this I want to test these two Server 2016 domain controller DNS servers to make sure that they will forward any external IP addresses to the public internet.

How can this type of testing or evaluation be done?
IT GuyNetwork EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
First, don't include

NEVER include a public DNS server when using Active Directory. Full stop. No excuses. If both DCs are down simultaneously, you have bigger problems.  There is NEVER a reason to do this. And it does cause problems.  

As for testing, the DNS server has this built in.  Out of the box it uses root hints and I usually don't recommend changing this behavior.  As for testing, open the DNS server MMC.  Right click on the DNS server (you can do this for remote servers as well) and hit properties.  Hit the monitoring tab. There are two checkboxes to test simple and recursive queries.  

Test done.
yo_beeDirector of Information TechnologyCommented:
First and for most never set an external dns server on your domain. DHCP should only advertise your DC's.  

To if forwarding is enabled open DNS.msc and right click the server > properties > there is a forwarding tab. There you enter in your external dns servers (

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Is DNS (Service) installed and running on the server?

If installed and running, please check what forwarders (if any) you have setup in DNS on that server, and if root hints are also configured.

If so, then that server will forward DNS queries, for which it does not already know the answer, to either root hints (best option) or one of the forwarders (if configured) which is a second best option in my opinion (unless there is a cogent reason for it).

Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

yo_beeDirector of Information TechnologyCommented:
Note from personal experience leave the default timeout at 3 seconds. I changed mine to 1 second and it caused issues.

Also I am sorry for any repeated information. At the time I started to write up something there were no replies, but it just enforces that no external dns should ever be pushed to internal computers.

I only use external dns when troubleshooting and that is manually set on a single client.
Echo Cliff's and yo_bee statement on NEVER EVER EVER including public DNS servers to the AD member systems.
IMHO!, these days using forwarders to google or opendns is an unnecessary complication for the following reason.  Your DNS server have dual roles, serving YOUR AD and fulfilling your users requests. When queried directly, your DNS servers cache the responses such that it does not generate unnecessary requests. When using forwarders one you are reliant on the remote servers, dependent on a path to those servers, while not caching meaning
If two users want to go to without forwarders, your server will generate a single request to resolve the name to IP, and provided it is receiving the request thin the specified time of the record validity (TTL) the second and subsequent response will be from its own memory.

In a forwarding setup each request will be sent out.

Conditional forwarders for a specific domain to a specific IP and this is often only used when traffic needs to be routed through a VPN. Or other custom needs.

Why would you want Google to know the destination, sites you/your organization frequents? (They'll know it based on the ads loaded in your user's browsers.
I also echo previous comments NEVER use external DNS servers when you have AD.  It can slow down or stop AD related stuff happennig from logons to accessing file shares etc.  

And to repeat the above, I always set up external forwarders on the servers I manage.  I use Open DNS ( and google (

There was a Server 2008 bug which meant that certain sites didn't resolve without forwarders or repeated DNS restarts.  This is gone in 2016,m but I still like to use forwarders.  This improves performance for recursive queries.  

I'm not bothered about google knowing the sites we browse by looking at DNS requests, because google analytics is on most sites and most searches are through google, so they know anyway.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.