
I was wondering how to properly set up DNS forwarders on Windows Server 2008 R2. I have three Domain Controllers. Each of the DCs has the following:

  1. AD Role
  2. DNS Role
  3. DHCP Role
  4. Static IP Address
  5. Windows Server 2008 R2 SP1
  6. 64 Bit

I noticed under DNS Forwarders that each DC only has one other DC listed and not both DCs. Here is a picture:


Is it correct to only have one DC listed, or should I list the other DC as well?

nate

3 Answers


You shouldn't have a reason to forward to other AD servers, as DNS should be replicating between them already.

The only reason I can think of for this would be if you wanted only one DNS server to be the one querying the internet for non-authoritative FQDNs.

Usually the forwarders (used to resolve non-authoritative lookups) are set to external DNS servers like your ISP's or a common public resolver like 8.8.8.8 or just use Root Hint servers.

Conditional forwarding is different though...

TheCleaner
  • one reason to forward to other AD servers: they are in another Forest – makerofthings7 Mar 19 '14 at 20:41
  • @makerofthings7 - yeah, I think that'd be conditional forwarding though...not default forwarders. – TheCleaner Mar 19 '14 at 20:42
  • I agree. Conditional forwarding would be the typical way to do that. – joeqwerty Mar 19 '14 at 20:42
  • So I should remove the forwarding from all my servers? And instead add the other server in root hints? – nate Mar 19 '14 at 20:44
  • @nate - you want to find out if you are using AD-integrated DNS, like makerofthings7 said in his answer. If you are, and DNS replication is working fine (check eventvwr), then yes, I would remove the forwarding and replace it with the proper external forwarder. But you need to be aware of what you are doing here. DNS is so tightly woven into AD and the web that you need to make sure you have it configured right or people won't be happy with you. – TheCleaner Mar 19 '14 at 20:46
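The checks TheCleaner describes in this comment (is the zone AD-integrated, which forwarders point at other DCs, what to replace them with) as one audit script; this is an added example, not code from anyone in the thread. It assumes the DnsServer and ActiveDirectory PowerShell modules on a management host that can reach the DCs (on a 2008 R2 console itself the built-in tool is dnscmd), and the external resolver list is a placeholder.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory and
# DnsServer PowerShell modules (RSAT / Windows Server 2012 or later host).
Import-Module ActiveDirectory
Import-Module DnsServer

# Every DC in the domain with its IPv4 address. A forwarder pointing at one of
# these is "forwarding to another AD server", the pattern the answers advise against.
$dcs   = Get-ADDomainController -Filter *
$dcIps = @($dcs | ForEach-Object { $_.IPv4Address })

# Placeholder external resolvers; 8.8.8.8 is the one named in the thread.
# Replace with your ISP's resolvers or another resolver you trust.
$externalForwarders = @('8.8.8.8')

foreach ($dc in $dcs) {
    $name   = $dc.HostName
    $fwd    = Get-DnsServerForwarder -ComputerName $name
    $fwdIps = @($fwd.IPAddress | ForEach-Object { $_.ToString() })

    # Forwarders that are actually other domain controllers
    $internal = @($fwdIps | Where-Object { $dcIps -contains $_ })

    # Primary zones that are not AD-integrated do not replicate through AD
    # (makerofthings7's point); confirm this before removing any forwarder.
    $nonAd = Get-DnsServerZone -ComputerName $name |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        Select-Object -ExpandProperty ZoneName

    [pscustomobject]@{
        Server          = $name
        Forwarders      = ($fwdIps -join ', ')
        ForwardsToDC    = ($internal -join ', ')
        UseRootHint     = $fwd.UseRootHint
        NonAdIntegrated = (@($nonAd) -join ', ')
    }

    # Remediation as described above: once AD-integrated replication is confirmed
    # healthy (Event Viewer, DNS Server log), replace the DC entries with the
    # external forwarder. Commented out so the script only audits by default.
    # if ($internal.Count -gt 0) {
    #     Set-DnsServerForwarder -ComputerName $name -IPAddress $externalForwarders
    # }
}
```

A row with a non-empty ForwardsToDC and an empty NonAdIntegrated column is the situation in the question: the forwarder to the other DC is redundant and can be swapped for the external one.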

Not knowing how your environment is set up and what your goals are, I'll risk suggesting that you shouldn't have your DC/DNS servers using any other DC/DNS servers as forwarders.

The only scenario where I've seen internal DNS servers using other internal DNS servers as forwarders is when the security policy restricts outbound DNS traffic to a few secured DNS servers. All other DNS servers forward non-authoritative queries to these secured DNS servers. I'm making an assumption that this is not the case in your scenario.

If that's true then remove the DCs from the Forwarders tab and use the root hints or add forwarders to external DNS servers (8.8.8.8, etc.) for non-authoritative queries.

joeqwerty

It's possible that AD Integrated DNS isn't configured for that zone.

A general practice is to enable AD Integrated DNS and disable forwarding.

makerofthings7