Should I use AD DNS Conditional Forwarders or Stub Zones?

When should I use internal Active Directory DNS Conditional Forwarders vs. Stub Zones? What are the differences?
Tiras25Asked:

Cliff GaliherCommented:
You haven't told us why you want to use them. If one should always be chosen over the other in every scenario then the old technology would have been deprecated long ago. But both exist because they do different things.

In short, conditional forwarders leave resolving to your DNS server. They do a recursive lookup on the client's behalf. The downside is if things change on the other end, you have to manually update the forwarder.

Stub zones actually transfer SOA and NS records so changes made by the partner transfer to the stub zone. Less fragile but some people have concerns about such records being exchanged. The DNS with the stub zone sends the referral of NS records to a client and the *client* is responsible for contacting a nameserver in the partner organization.

They accomplish similar goals but in very different ways. Which you use depends on the kind of partnership you have and why you need this set up.

Alex AppletonBusiness Technology AnalystCommented:
Can't say it better myself, so check this out here:

https://www.dell.com/support/article/ca/en/cabsdt1/sln156306/conditional-forwarders-and-stub-zones-in-windows-dns?lang=en

Stub zones are updated locally from the master servers and stored (and replicated) in Active Directory.  Conditional forwarders are like normal DNS forwarding, except you are pointing to a specific name server.  

If the destination DNS server address changes frequently then use stub zones.  Otherwise use conditional forwarders.
Shaun VermaakTechnical SpecialistCommented:
If this is related to a domain migration or FIM/MIM identity management, use conditional forwarders.

Tiras25Author Commented:
The use is to connect to the production DNS servers in AWS. Currently the forwarders are set up on a few Domain Controllers. But I think it's better to set it up as Conditional Forwarders or Stub Zones. Just trying to decide what's more suitable.
Cliff GaliherCommented:
If everything is managed by one business entity then a secondary zone might make more sense. Conditional forwarders or stub zones USUALLY are used when needing DNS from a partner organization.  Or in other cases where a boundary needs to be maintained (such as a resource forest or similar where, as another contributor commented, you might also find FIM.)
Tiras25Author Commented:
Got it.  Thanks Cliff!  So that would be my 3rd Option - Secondary Zone.  That's probably a good idea.  I'll consider it as well.
Tiras25Author Commented:
Hi Cliff, wondering about the secondary zone tho.  Does it mean it'll have to replicate from primary dns zone?  Do I need it?
Cliff GaliherCommented:
You don't need it, and yes it'd replicate from a primary. But replication only when records change is usually better than forwarding that adds both latency and uses bandwidth for every lookup. The benefits almost always outweigh the costs in this scenario.

I'd only use conditional or stubs when wanting DNS from a partner organization. I wouldn't use it for DNS within a single organization except in rare edge cases.
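The three options weighed in this thread (conditional forwarder, stub zone, secondary zone), as an added PowerShell example run on the Windows DNS server; this is not code from the thread, and the zone name and master server addresses are constructed placeholders:

```powershell
# Added example, not from the thread: create ONE of the three zone types
# discussed above on a Windows DNS server. Zone name and master IPs are
# placeholders; replace them with the real values for your environment.
#Requires -Modules DnsServer
param(
    [ValidateSet('Forwarder', 'Stub', 'Secondary')]
    [string]   $Mode     = 'Forwarder',
    [string]   $ZoneName = 'corp.example.internal',      # placeholder zone
    [string[]] $Masters  = @('10.0.0.10', '10.0.0.11')   # placeholder masters
)

switch ($Mode) {
    'Forwarder' {
        # Conditional forwarder: THIS server recurses to $Masters on the client's
        # behalf. If the remote servers change, this list must be edited by hand.
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $Masters `
            -ReplicationScope 'Forest' -ForwarderTimeout 3
    }
    'Stub' {
        # Stub zone: holds only SOA/NS/glue, refreshed from $Masters; the CLIENT
        # follows the NS referral. The masters must permit zone transfers to us.
        Add-DnsServerStubZone -Name $ZoneName -MasterServers $Masters `
            -ReplicationScope 'Forest'
    }
    'Secondary' {
        # Secondary zone: full read-only copy, refreshed only when the SOA serial
        # changes (or on NOTIFY), so no per-lookup forwarding latency. Secondary
        # zones are file-backed, not AD-integrated; masters must allow transfers.
        Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
            -MasterServers $Masters
    }
}

# Check that the zone exists with the intended type and source servers ...
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers

# ... and that a name under it resolves through this server (host1 is a placeholder).
Resolve-DnsName -Name "host1.$ZoneName" -Server localhost -ErrorAction Stop
```

For the stub and secondary options, a failed refresh shows up as an expired or empty zone rather than a resolution error at creation time, so check the zone's refresh status (and the master's zone-transfer permissions) before relying on it.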