DNS forwarders
Windows Server Forum (winserverhelp.com) -> DNS

Jerry
Posted: Thu Nov 03, 2005 9:50 pm    Post subject: DNS forwarders

Hi. I'm running Windows Server 2003, SP1. I have 5 sites connected through
T1 WAN links. My internet connection is at Site A, and all other sites
(I'll call them the "remote sites") use the same internet connection. At
each site I have a DC, which is also running DNS, and at Site A I have a
second DC with DNS for redundancy. Each one of these DNS servers is
configured with forwarders, which are servers at my ISP. Clients at Site A
are configured with the main DNS server at Site A as the primary, and the
redundant server at Site A as the secondary. Clients at remote sites are
configured with the DNS server at their site as the primary, and the main
DNS server at Site A as the secondary.

Recently, a consultant suggested that I either:
1) Remove forwarders altogether and use root hints.
2) Remove the ISP forwarder entries from all the remote sites and replace
them with the address of the main DNS server at Site A. Then only the main
DNS server at Site A would use internet traffic to forward queries to the
ISP's resolvers.

I'm not sure which of these options is better or how exactly they'll affect
DNS resolution. If I went with option 2, is it even necessary to specify a
forwarder at the remote sites, or will DNS "figure it out?" Also, I would
guess that with this option, I would still want to keep the ISP forwarder
entries on my redundant DNS server at Site A in case the main DNS server
went down?

I'm also not sure if I should check or uncheck the "Do not use recursion for
this domain" checkbox on the Forwarders tab in any of the scenarios I've
listed, including my current configuration.

Looking for a little guidance, please.

Thank you,
Jerry
Steven Wang [MSFT]
Posted: Fri Nov 04, 2005 1:50 pm    Post subject: RE: DNS forwarders

Hello Jerry,

Thank you for posting.

This is a quick note to let you know that I am researching your issue and
will get back to you as soon as possible. I appreciate your patience.

Have a great weekend!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Steven Wang [MSFT]
Posted: Tue Nov 08, 2005 1:50 pm    Post subject: RE: DNS forwarders

Hello Jerry,

Sorry for my delayed response due to the weekend. I hope this has not
caused you too much inconvenience, and I appreciate your patience.

From your post, my understanding of this issue is: You would like to know
which is better regarding the following two DNS configuration scenarios,
and some related questions:
1. Remove forwarders altogether and use root hints.
2. Remove the ISP forwarder entries from all the remote sites and replace
them with the address of the main DNS server at Site A.

If this is not correct, please feel free to let me know.

Based on my experience, I would suggest we use option 2. If we use option 1,
all DNS servers can send queries outside of the network using their root
hints. As a result, a lot of internal, and possibly critical, DNS information
can be exposed on the Internet. In addition to this security and privacy
issue, this method of resolution can result in a large volume of external
traffic that is costly and inefficient for a network with a slow Internet
connection or a company with high Internet service costs.

If we use option 2, you make that forwarder responsible for handling external
traffic, thereby limiting DNS server exposure to the Internet. A forwarder
will build up a large cache of external DNS information because all of the
external DNS queries in the network are resolved through it. In a short
amount of time, a forwarder will resolve a good portion of external DNS
queries using this cached data, thereby decreasing both the Internet traffic
over the network and the response time for DNS clients.

In addition, I would suggest we configure the forwarder entries on all the
DNS servers at the remote sites with the addresses of both the main and the
redundant DNS server at Site A. Also keep the ISP forwarder entries on the
redundant DNS server at Site A.

Regarding your question, "If I went with option 2, is it even necessary to
specify a forwarder at the remote sites, or will DNS 'figure it out'?", I am
not sure what you mean. Even with your current configuration, there is not
a forwarder at the remote sites. It is unnecessary to specify a forwarder
at the remote sites.

Regarding the "Do not use recursion for this domain" option, I would like
to explain that there are two name querying methods in the DNS name
queries: recursive and iterative queries. With a recursive name query, the
DNS client requires that the DNS server respond to the client with either
the requested resource record or an error message stating that the record
or domain name does not exist. The DNS server cannot just refer the DNS
client to a different DNS server.

An iterative name query is one in which a DNS client allows the DNS server
to return the best answer it can give based on its cache or zone data. If
the queried DNS server does not have an exact match for the queried name,
the best possible information it can return is a referral (that is, a
pointer to a DNS server authoritative for a lower level of the domain
namespace). The DNS client can then query the DNS server for which it
obtained a referral. It continues this process until it locates a DNS
server that is authoritative for the queried name, or until an error or
time-out condition is met.

This option is not checked by default, and usually, we should not check it.

More Information
==============
Deploying Domain Name System (DNS): Using Forwarding:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0104be3c-0405-4455-b011-6950875c0446.mspx>

Understanding forwarders:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a3cf0184-0594-4e78-8247-609f03843438.mspx>

Managing DNS Servers: Using forwarders:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1cd13da9-ed0a-4814-b0bb-e46e8ac1e321.mspx>

Recursive and Iterative Queries:
<http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncc_dns_eqhi.asp>

Recursive Name Resolution:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b9b888e5-895e-4f63-a327-ec9137372787.mspx>

Hope the above information is able to address your concern. If anything is
unclear or you have any concerns, please feel free to post back. I am glad
to be of assistance.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support


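The configuration the reply above recommends, as an added example that is not part of the thread: a PowerShell wrapper around dnscmd.exe, the command-line tool for the Windows Server 2003 DNS server (the DnsServer PowerShell module with Set-DnsServerForwarder only exists on Windows Server 2012 and later, so it is not used here). Every address is an assumed placeholder, and the function name Set-Forwarders is this example's own. It needs dnscmd.exe on the host it runs from (Windows Support Tools or RSAT) and an account that may administer the DNS servers.

```powershell
# Added example (not part of the thread): apply the forwarder layout the reply
# recommends with dnscmd.exe. All addresses below are assumed placeholders.

$SiteAMain    = '10.1.0.10'                                           # assumed: main DC/DNS at Site A
$SiteABackup  = '10.1.0.11'                                           # assumed: redundant DC/DNS at Site A
$RemoteDns    = @('10.2.0.10', '10.3.0.10', '10.4.0.10', '10.5.0.10')  # assumed: the DC/DNS at each remote site
$IspResolvers = @('198.51.100.53', '198.51.100.54')                   # assumed: the ISP's recursive resolvers
$TimeoutSec   = 5                                                     # wait this long on a forwarder before trying the next

function Set-Forwarders {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [string[]] $Forwarders = @(),
        [switch]   $ForwardOnly      # "Do not use recursion for this domain" checked == dnscmd /slave
    )
    # /ResetForwarders replaces the whole forwarder list. With an empty list the
    # server stops forwarding and resolves external names from its root hints
    # itself, which is option 1 in the thread. /noslave leaves the checkbox
    # clear, as the reply advises, so the server only falls back to root hints
    # when every forwarder fails to answer.
    $mode = if ($ForwardOnly) { '/slave' } else { '/noslave' }
    & dnscmd.exe $Server /ResetForwarders $Forwarders /timeout $TimeoutSec $mode
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed on $Server (exit code $LASTEXITCODE)" }
}

# Remote sites: forward to both Site A servers, main first, so a remote site
# keeps resolving external names while the main server is down.
foreach ($srv in $RemoteDns) {
    Set-Forwarders -Server $srv -Forwarders @($SiteAMain, $SiteABackup)
}

# Site A: only these two servers keep the ISP resolvers as forwarders, so they
# are the only servers that exchange DNS traffic with the Internet.
Set-Forwarders -Server $SiteAMain   -Forwarders $IspResolvers
Set-Forwarders -Server $SiteABackup -Forwarders $IspResolvers

# Check: dump each server's settings (the forwarder list is part of the /Info
# output) and confirm an external name still resolves through each of them.
foreach ($srv in @($SiteAMain, $SiteABackup) + $RemoteDns) {
    & dnscmd.exe $srv /Info
    & nslookup.exe -type=A www.microsoft.com $srv
}
```

The order of the forwarder list matters: the server tries the forwarders in order, waiting the timeout on each, so the main Site A server goes first and the redundant one second. Leaving the checkbox clear (/noslave) means a remote-site server whose Site A forwarders both stop answering falls back to its root hints and queries Internet servers directly; in this topology that only helps while the WAN link to Site A is up, because the Internet connection itself sits at Site A. /slave would make such a server return a failure to its clients instead of trying on its own.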
Jerry
Posted: Tue Nov 08, 2005 5:50 pm    Post subject: Re: DNS forwarders

Steven,

Thank you for your thorough response - it is very helpful. I have changed
my configuration as you've suggested and am not having any problems.
Although DNS resolution has been working fine on my network up to this
point, I'm sure these changes provide a much cleaner and efficient setup.

In regard to my question about whether or not I would need forwarder
entries on my remote DNS servers, I thought there might be a chance that
with DNS in 2003 Server, there would be some cohesion by which the DNS
servers would "know" to look to another DNS server on the domain.
Obviously, that's not the case, and using forwarders to the primary DNS
servers is the way to go.

Thanks again,
Jerry
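A toy model of the two query types explained in the Nov 08 reply, and of the "figure it out" point in the follow-up above: an added example, not code from the thread, written in PowerShell so it runs on the same hosts. The namespace (root, com-tld, example-auth), the addresses and the function names Resolve-Iterative and Resolve-Recursive are invented for the illustration; nothing here touches a real DNS server. It shows which server ends up talking to the outside, and what a forwarding server does when its forwarders stop answering with the checkbox clear versus checked.

```powershell
# Added example (not part of the thread): a toy model of iterative and
# recursive resolution and of the forward-only ("Do not use recursion for
# this domain") setting. Servers, zones and addresses are invented.

# Authoritative side. Each toy server either holds the answer for a name or
# refers the asker to the server for the next zone down, which is exactly the
# referral an iterative query receives.
$Authoritative = @{
    'root'         = @{ Refer  = @{ 'com.'             = 'com-tld' } }
    'com-tld'      = @{ Refer  = @{ 'example.com.'     = 'example-auth' } }
    'example-auth' = @{ Answer = @{ 'www.example.com.' = '203.0.113.10' } }
}

# Iterative resolution: start at the root and follow referrals until a server
# answers or nothing further can be referred. The returned Trail is the list
# of servers contacted, i.e. what a root-hints resolver exposes to the Internet.
function Resolve-Iterative {
    param([Parameter(Mandatory = $true)] [string] $Name)
    $trail  = New-Object System.Collections.ArrayList
    $server = 'root'
    while ($true) {
        [void] $trail.Add($server)
        $data = $Authoritative[$server]
        if ($data.ContainsKey('Answer') -and $data.Answer.ContainsKey($Name)) {
            return @{ Rcode = 'NOERROR'; Address = $data.Answer[$Name]; Trail = $trail.ToArray() }
        }
        $next = $null
        if ($data.ContainsKey('Refer')) {
            foreach ($zone in $data.Refer.Keys) {
                if ($Name.EndsWith($zone)) { $next = $data.Refer[$zone] }   # toy suffix match
            }
        }
        if (-not $next) {
            return @{ Rcode = 'NXDOMAIN'; Address = $null; Trail = $trail.ToArray() }
        }
        $server = $next
    }
}

# Recursive resolution as a forwarding server provides it: the client gets an
# answer or a failure, never a referral. $Reachable lists the forwarders that
# are currently answering.
function Resolve-Recursive {
    param(
        [Parameter(Mandatory = $true)] [string]    $Name,
        [Parameter(Mandatory = $true)] [hashtable] $Server,   # @{ Forwarders = ...; ForwardOnly = ... }
        [string[]] $Reachable = @()
    )
    foreach ($fwd in $Server.Forwarders) {
        if ($Reachable -contains $fwd) {
            $r = Resolve-Iterative -Name $Name      # the forwarder does the Internet-facing work
            return @{ Rcode = $r.Rcode; Address = $r.Address; Via = "forwarder $fwd" }
        }
    }
    if ($Server.ForwardOnly) {
        # Checkbox checked (dnscmd /slave): no forwarder answered, so give up.
        return @{ Rcode = 'SERVFAIL'; Address = $null; Via = 'none (forward-only, forwarders unreachable)' }
    }
    # Checkbox clear (the default): fall back to root hints, so this server now
    # queries Internet servers itself. A server with no forwarders at all
    # (option 1 in the thread) always takes this path.
    $r = Resolve-Iterative -Name $Name
    return @{ Rcode = $r.Rcode; Address = $r.Address; Via = 'root hints' }
}

# A remote-site server set up as the reply recommends: forward to Site A main,
# then the redundant server, with the checkbox clear.
$RemoteSite = @{ Forwarders = @('10.1.0.10', '10.1.0.11'); ForwardOnly = $false }

$a = Resolve-Recursive -Name 'www.example.com.' -Server $RemoteSite -Reachable @('10.1.0.11')
"main down:        $($a.Rcode) $($a.Address) via $($a.Via)"     # the redundant forwarder answers

$b = Resolve-Recursive -Name 'www.example.com.' -Server $RemoteSite
"both down:        $($b.Rcode) $($b.Address) via $($b.Via)"     # the server goes out on its own

$RemoteSite.ForwardOnly = $true
$c = Resolve-Recursive -Name 'www.example.com.' -Server $RemoteSite
"both down, slave: $($c.Rcode) via $($c.Via)"                   # failure instead of going out

$d = Resolve-Iterative -Name 'www.example.com.'
"iterative trail:  $($d.Trail -join ' -> ')"                    # every server contacted on the way
```

Run it as a script; it prints one line per scenario. With no forwarders configured and the checkbox clear, every query takes the root-hints path, which is option 1 and the exposure the reply warns about. The model also shows the answer to the "figure it out" question: a server does not discover other DNS servers in the domain on its own, so unless it is given forwarders it walks the root hints itself.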
Steven Wang [MSFT]
Posted: Wed Nov 09, 2005 1:50 pm    Post subject: Re: DNS forwarders

Hi Jerry,

I appreciate your update and response, and I am glad to hear that the
information is able to address your concern. Your prompt and detailed
responses have not only made my job much easier but also more enjoyable.
It has been a pleasure to work with you on this service request.

If you have any other questions or concerns, please do not hesitate to
contact us. It is always our pleasure to be of assistance.

Have a nice day!

Steven Wang
Microsoft CSS Online Newsgroup Support

--------------------
Quote:
From: "Jerry" <jerry.giacinto@ketteng.com.nospam.com
References: <#UtAJsK4FHA.3636@TK2MSFTNGP09.phx.gbl
39pti1S4FHA.3936@TK2MSFTNGXA01.phx.gbl

<ip4UtEF5FHA.3936@TK2MSFTNGXA01.phx.gbl>
Quote:
Subject: Re: DNS forwarders
Date: Tue, 8 Nov 2005 08:45:22 -0700
Lines: 290
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Message-ID: <ewtWGtH5FHA.1416@TK2MSFTNGP09.phx.gbl
Newsgroups: microsoft.public.windows.server.dns
NNTP-Posting-Host: 12.9.129.10
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:17099
X-Tomcat-NG: microsoft.public.windows.server.dns

Steven,

Thank you for your thorough response - it is very helpful. I have
changed
my configuration as you've suggested and am not having any problems.
Although DNS resolution has been working fine on my network up to this
point, I'm sure these changes provide a much cleaner and efficient setup.

In regard to my question about whether or not I would need forwarder
entries on my remote DNS servers, I thought there might be a chance that
with DNS in 2003 Server, there would be some cohesion by which the DNS
servers would "know" to look to another DNS server on the domain.
Obviously, that's not the case, and using forwarders to the primary DNS
servers is the way to go.

Thanks again,
Jerry

"Steven Wang [MSFT]" <v-stwang@online.microsoft.com> wrote in message
news:ip4UtEF5FHA.3936@TK2MSFTNGXA01.phx.gbl...
Hello Jerry,

Sorry for my delayed response due to the weekend. I hope this has not
caused you too much inconvenience, and I appreciate your patience.

From your post, my understanding of this issue is: You would like to know
which is better regarding the following two DNS configuration scenarios,
and some related questions:
1. Remove forwarders altogether and use root hints.
2. Remove the ISP forwarder entries from all the remote sites and replace
them with the address of the main DNS server at Site A.

If this is not correct, please feel free to let me know.

Based on my experience, I would suggest we use the option 2. If we use
the
option 1, all DNS servers can send queries outside of a network using
their
root hints. As a result, a lot of internal, and possibly critical, DNS
information can be exposed on the Internet. In addition to this security
and privacy issue, this method of resolution can result in a large volume
of external traffic that is costly and inefficient for a network with a
slow Internet connection or a company with high Internet service costs.

If we use the option 2, you make that forwarder responsible for handling
external traffic, thereby limiting DNS server exposure to the Internet.
A
forwarder will build up a large cache of external DNS information because
all of the external DNS queries in the network are resolved through it.
In
a small amount of time, a forwarder will resolve a good portion of
external
DNS queries using this cached data and thereby decrease the Internet
traffic over the network and the response time for DNS clients.

In addition, I would suggest we configure the forwarder entries on all
the
DNS servers on remote sites with both the addresses of the main and
redundant DNS server at Site A. Also keep the ISP forwarder entries on
the
redundant DNS server at Site A.

Regarding your question, "If I went with option 2, is it even necessary to specify a forwarder at the remote sites, or will DNS 'figure it out'?", I am not sure what you mean. Even with your current configuration, there is not a forwarder at the remote sites. It is unnecessary to specify a forwarder at the remote sites.

Regarding the "Do not use recursion for this domain" option, I would like to explain that there are two name querying methods in DNS name queries: recursive and iterative queries. With a recursive name query, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.

An iterative name query is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server authoritative for a lower level of the domain namespace). The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.

This option is not checked by default, and usually, we should not check it.

More Information
==============
Deploying Domain Name System (DNS): Using Forwarding:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0104be3c-0405-4455-b011-6950875c0446.mspx

Understanding forwarders:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a3cf0184-0594-4e78-8247-609f03843438.mspx

Managing DNS Servers: Using forwarders:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1cd13da9-ed0a-4814-b0bb-e46e8ac1e321.mspx

Recursive and Iterative Queries:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncc_dns_eqhi.asp

Recursive Name Resolution:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b9b888e5-895e-4f63-a327-ec9137372787.mspx

Hope the above information is able to address your concern. If anything is unclear or you have any concerns, please feel free to post back. I am glad to be of assistance.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.