Saturday, March 10, 2012

Understanding forwarders


Scenario: Your network is a multiple-domain Active Directory with two forests, each containing multiple child domains. Full trust is configured among the domains.
When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.
What Are Domain and Forest Trusts? 

The network includes several branch offices with computers in the branch offices running Windows 7 or Windows Server 2008 R2 over low-bandwidth links.

Each branch office has a Dynamic Host Configuration Protocol (DHCP) server. Each branch office has at least one domain controller configured as a Domain Name System (DNS) server and hosts an Active Directory-integrated DNS zone.

Computers in the branch offices need to use resources throughout the network. You want to configure name resolution for the branch offices. You need to keep the traffic generated by fully qualified domain name (FQDN) resolution attempts to a minimum.

What should you do to accomplish this?

You need to configure a conditional forwarder in each branch office. A conditional forwarder can be configured to forward name requests directly to a specific authoritative DNS server for each DNS domain. This helps to keep traffic generated by name requests to a minimum.

Specify Other DNS Servers as Authoritative for a Zone

Understanding forwarders
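
The following is an added example, not part of the original post: a PowerShell script for a branch-office DNS server running Windows Server 2008 R2 that creates one conditional forwarder per remote DNS domain with `dnscmd`. The domain names, IP addresses and variable names are constructed placeholders, and the script assumes it runs on the DNS server itself with administrative rights.

```powershell
# Added example: create one conditional forwarder per remote DNS domain on a
# branch-office DNS server (Windows Server 2008 R2, dnscmd.exe).
# All domain names and IP addresses below are constructed placeholders.

$DnsServer = $env:COMPUTERNAME   # assumption: run on the branch DNS server itself

# DNS domain -> authoritative DNS servers for that domain (constructed values)
$Forwarders = @{
    'forest-b.example'      = @('10.20.0.10', '10.20.0.11')
    'emea.forest-b.example' = @('10.21.0.10')
    'apac.forest-a.example' = @('10.12.0.10', '10.12.0.11')
}

foreach ($zone in $Forwarders.Keys) {
    $masters = $Forwarders[$zone]

    # Skip domains this server already has a zone for (for example the
    # AD-integrated zone it hosts); /ZoneInfo fails if the zone is absent.
    & dnscmd $DnsServer /ZoneInfo $zone | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "skip   $zone (zone already present)"
        continue
    }

    # /Forwarder stores the conditional forwarder on this server only;
    # each IP address in $masters is passed as a separate argument.
    & dnscmd $DnsServer /ZoneAdd $zone /Forwarder $masters | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "failed $zone (dnscmd exit code $LASTEXITCODE)"
        continue
    }
    Write-Host "added  $zone -> $($masters -join ', ')"
}

# List the conditional forwarder zones now configured on the server.
& dnscmd $DnsServer /EnumZones /Forwarder
```

When several conditional forwarders match a queried name, the DNS server uses the one with the longest matching domain name, so a child-domain entry takes precedence over its parent's entry.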

You should not deploy a stub zone server in each branch office. This does not resolve the situation. A stub zone does not contain the full DNS database. It contains only the records necessary for pointing to authoritative DNS servers.
Stub-zone resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
Understanding Stub Zones

You should not configure each DHCP server to provide a complete list of DNS servers. DNS servers are queried in the order in which they are listed, so this solution could result in multiple query requests for each name resolution requirement.

Understanding DNS Client Settings

You should not create a Global Name Zone (GNZ) and enable the zone on all DNS servers. The GNZ provides simple single-name host name resolution, including support across forest boundaries. It does nothing to improve resolution of FQDNs.

DNS Server

By Mördel (Own work) [CC-BY-3.0], via Wikimedia Commons
DNS Technical Reference

Installing a DNS Server Role in Windows Server 2008

Configure the DNS Server Role

Configuring and Troubleshooting DHCP

Tips on How to Configure DNS Zones
