Should I use AD DNS Conditional Forwarders or Stub Zones?

Tiras25 asked:
When should I use internal Active Directory DNS Conditional Forwarders vs. Stub Zones? What are the differences?
Distinguished Expert 2018
Commented:
You haven't told us why you want to use them. If one should always be chosen over the other in every scenario then the old technology would have been deprecated long ago. But both exist because they do different things.

In short, conditional forwarders leave resolving to your DNS server. They do a recursive lookup on the client's behalf. The downside is if things change on the other end, you have to manually update the forwarder.

Stub zones actually transfer SOA and NS records so changes made by the partner transfer to the stub zone. Less fragile but some people have concerns about such records being exchanged. The DNS with the stub zone sends the referral of NS records to a client and the *client* is responsible for contacting a nameserver in the partner organization.

They accomplish similar goals but in very different ways. Which you use depends on the kind of partnership you have and why you need this set up.
Alex Appleton, Business Technology Analyst

Commented:
Can't say it better myself, so check this out here:

https://www.dell.com/support/article/ca/en/cabsdt1/sln156306/conditional-forwarders-and-stub-zones-in-windows-dns?lang=en

Stub zones are updated locally from the master servers and stored (and replicated) in Active Directory. Conditional forwarders are like normal DNS forwarding, except you are pointing to a specific name server.

If the destination DNS server address changes frequently then use stub zones.  Otherwise use conditional forwarders.
Shaun Vermaak, Technical Specialist

Commented:
If this is related to a domain migration or FIM/MIM identity management, use conditional forwarders.

Author

Commented:
We use it to connect to the production DNS servers in AWS. Currently the forwarders are set up on a few Domain Controllers. But I think it's better to set it up as Conditional Forwarders or Stub Zones. Just trying to decide what's better suited.
Distinguished Expert 2018
Commented:
If everything is managed by one business entity then a secondary zone might make more sense. Conditional forwarders or stub zones USUALLY are used when needing DNS from a partner organization.  Or in other cases where a boundary needs to be maintained (such as a resource forest or similar where, as another contributor commented, you might also find FIM.)

Author

Commented:
Got it.  Thanks Cliff!  So that would be my 3rd Option - Secondary Zone.  That's probably a good idea.  I'll consider it as well.

Author

Commented:
Hi Cliff, wondering about the secondary zone though. Does it mean it'll have to replicate from the primary DNS zone? Do I need it?
Distinguished Expert 2018
Commented:
You don't need it, and yes it'd replicate from a primary. But replication only when records change is usually better than forwarding that adds both latency and uses bandwidth for every lookup. The benefits almost always outweigh the costs in this scenario.

I'd only use conditional or stubs when wanting DNS from a partner organization. I wouldn't use it for DNS within a single organization except in rare edge cases.
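The three options discussed in this thread (conditional forwarder and stub zone from the first answer, secondary zone from the last one), as an added PowerShell example that is not from any of the posters. It uses the DnsServer module cmdlets that ship with the Windows Server DNS role or RSAT. The zone name, server name and IP addresses are constructed placeholders standing in for a zone hosted on DNS servers in AWS, and `New-RemoteZoneLink` is a wrapper function written here for illustration, not a built-in cmdlet. Only one of the three zone types can exist for a given name on a server, so the function creates exactly one:

```powershell
# Added example, not code from the thread. Requires the DnsServer module.
# All names and addresses are constructed placeholders.
Import-Module DnsServer

function New-RemoteZoneLink {
    # Creates one of the three ways to reach a zone hosted elsewhere.
    # Mode decides which: ConditionalForwarder, Stub or Secondary.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [string[]] $MasterServers,   # remote DNS server IPs
        [Parameter(Mandatory)]
        [ValidateSet('ConditionalForwarder', 'Stub', 'Secondary')] [string] $Mode,
        [string] $ComputerName = $env:COMPUTERNAME        # DC/DNS server to configure
    )

    switch ($Mode) {
        'ConditionalForwarder' {
            # Our server recurses to the listed masters on the client's behalf.
            # Storing it in AD (ReplicationScope Forest) pushes the same forwarder
            # to every DC running DNS, but the IP list is static: if the remote
            # servers change it must be edited by hand, e.g.
            #   Set-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers '10.20.0.20'
            Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers `
                -ReplicationScope 'Forest' -ComputerName $ComputerName
        }
        'Stub' {
            # Only SOA, NS and glue A/AAAA records are copied from the masters and
            # refreshed on the SOA timer, so NS changes on the remote side follow
            # automatically. Clients get a referral and contact the remote name
            # servers themselves, so they need network reachability to them.
            Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterServers `
                -ReplicationScope 'Forest' -ComputerName $ComputerName
        }
        'Secondary' {
            # Full read-only copy pulled by zone transfer and refreshed only when
            # records change; lookups are then answered locally with no forwarding
            # latency. The remote primary must allow transfers to this server; on a
            # Windows primary that is restricted to named secondaries with
            #   Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries 'TransferToSecureServers' -SecondaryServers '<this server IP>'
            # (TransferAnyServer would let anyone pull the whole zone.)
            Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
                -MasterServers $MasterServers -ComputerName $ComputerName
        }
    }

    # Return what was created so the type and master list can be checked.
    Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
}

# Placeholder values for the AWS-hosted zone described in the question.
$zone    = 'aws.example.internal'
$masters = @('10.20.0.10', '10.20.0.11')

# Pick the mode that matches the thread's advice: Secondary for a zone owned by the
# same organisation, ConditionalForwarder or Stub for a partner's zone.
New-RemoteZoneLink -ZoneName $zone -MasterServers $masters -Mode 'Secondary' -ComputerName 'dc01'

# Confirm the local server now answers for a name in that zone (placeholder host).
Resolve-DnsName -Name "host1.$zone" -Server 'dc01' -Type A
```

To switch from one mode to another for the same name, remove the existing zone first (`Remove-DnsServerZone -Name $zone -ComputerName 'dc01' -Force`), since the server refuses to create a second zone type with the same name. For the secondary option, `Get-DnsServerZone` showing `ZoneType Secondary` with no records afterwards usually means the primary has not authorised the transfer, which is the first thing to check on the remote side.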
