How to KILL Root Hints!!!


Fred Yarbrough

We have an all W2K3 AD domain setup and are using the split (separate Public
and Private) DNS model. We have 2 Private Microsoft AD Integrated DNS
servers that forward any unknown zone lookups to our Public DNS servers. On
these 2 Private AD Integrated DNS servers we have deleted the Root Hints and
the cache.dns files so that there are no Root Hints defined. This has
worked as designed for a year without any issues or populations of Root
Hints.

Last week we introduced a 3rd Private AD Integrated DNS server and when the
machine was brought up, the cache.dns file had not been deleted. Before we
could delete this cache.dns file to get rid of the Root Hints they evidently
replicated into our AD. Now even though there is no cache.dns file residing
on any of our servers these Root Hints get populated into our servers. Even
though we manually delete them from the DNS properties, they keep coming
back. We don't want them in our Private DNS because there is no need in
them being there. Our Private DNS servers simply forward ALL unresolved DNS
queries to our Public DNS servers by design. My question is where in AD are
these things kept and how can I safely delete them? I have used ADSIEDIT
with a custom connection point at DomainDNSZones and see a RootDNSServers
entry which lists all of the Root servers. I have deleted the
a.Root-server...........m.Root-server entries and replicated the AD but they
keep coming back. Any ideas?


Thanks,
Fred
 
If you simply check the box on the forwarder tab "Do not use recursion" this
will stop DNS from referring to the root servers. That is all the check box
does, so don't worry about what else it does. It does not disable recursion,
it forwards recursive queries to the defined forwarder.
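For anyone who wants to verify that setting on each server rather than trust the GUI: the "Do not use recursion" checkbox maps to the DNS server's IsSlave setting, which is distinct from NoRecursion (the latter refuses recursive client queries outright). This PowerShell wrapper around dnscmd.exe is an added example, not from the thread; the server names are placeholders and the dnscmd output pattern it parses is an assumption.

```powershell
# Added example: audit forwarder-only behaviour on the private DNS servers
# via dnscmd.exe (the Windows Server 2003-era DNS CLI).
# Server names are constructed placeholders.
$servers = @('dns01.private.example', 'dns02.private.example', 'dns03.private.example')

function Get-DnsDword {
    param([string]$Server, [string]$Setting)
    # Assumed output shape: "Query result:  Dword:  1  (00000001)"; extract the decimal value.
    $out = & dnscmd.exe $Server /Info "/$Setting" 2>&1 | Out-String
    if ($out -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    return $null   # setting not reported (old build, RPC failure, access denied)
}

foreach ($srv in $servers) {
    $isSlave     = Get-DnsDword -Server $srv -Setting 'IsSlave'      # checkbox "Do not use recursion for this domain"
    $noRecursion = Get-DnsDword -Server $srv -Setting 'NoRecursion'  # hard recursion switch; 1 would break internal clients

    if ($null -eq $isSlave -or $null -eq $noRecursion) {
        Write-Warning "$srv : could not read settings"
        continue
    }

    # Desired state for the split-DNS design in the thread: forward everything,
    # never fall back to root hints, but still answer recursive client queries.
    $state = if ($isSlave -eq 1 -and $noRecursion -eq 0) { 'OK (forwarder-only)' }
             elseif ($noRecursion -eq 1)                  { 'WARN: recursion disabled for clients' }
             else                                         { 'FIX: root-hint fallback still possible' }

    Write-Output ("{0,-28} IsSlave={1} NoRecursion={2}  {3}" -f $srv, $isSlave, $noRecursion, $state)

    # Remediation for the FIX case (uncomment to apply):
    # & dnscmd.exe $srv /Config /IsSlave 1
}
```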
 
I think that this document is assuming that the cache.dns file is not
deleted otherwise where would it get the RootHints to start with. We have
run this setup over a year without the RootHints being repopulated until
this latest DC/DNS was introduced.

Thanks!
Fred
 
Want a work around?

Convert the zones to Standard ones, and then remove the root
hints files. Afterwards, if you prefer, convert them back.

Sounds like you didn't set up an internal root zone,
therefore all these troubles...
 
Or you can delete the hint entries and then do a forced
replication from that server before the next scheduled
replication (default 15 min?).
 
Been there done that, does not work! These entries are integrated within AD
now and they will have to be removed manually somehow. Microsoft is working
it with me but the first level of support is not sure where these are
located.


Fred
 
After deleting, restart DNS; if they are still not there, that means you
removed them from AD. Then do the forced replication;
the other two servers should get the copy of the modified
AD from this server.

But if they come back right away, it may mean it is
still stored somewhere locally. It could be the
registry; in that case, you may want to check there.
 