Use Secondary Zones or Forward For Domains

[Fred Yarbrough]

We originally designed our Split-Brain (Separate Public DNS and Private DNS)
Windows 2000 AD DNS scheme with multiple domains (NET, SisterCompany1,
SisterCompany2) to use Secondary Zones for each other. All of our domains
Private DNS servers forward to our Public DNS servers.

Example:

The private DNS servers for our domain NET is setup as follows:
NET.Company.com -----> AD Integrated Zone
SisterCompany1.Company1.com ----> Secondary Zone
SisterCompany2.Company2.com -----> Secondary Zone
* Forward any other request to NET's public DNS

The private DNS servers for our sister company 1 is setup as follows:
SisterCompany1.Company1.com ----> AD Integrated Zone
NET.Company.com -----> Secondary Zone
SisterCompany2.Company2.com -----> Secondary Zone
* Forward any other request to NET's public DNS

The private DNS servers for our sister company 2 is setup as follows:
SisterCompany2.Company2.com -----> AD Integrated Zone
NET.Company.com -----> Secondary Zone
SisterCompany1.Company1.com -----> Secondary Zone
* Forward any other request to NET's public DNS


When we upgraded our Windows 2000 AD to Windows 2003 AD, we now have the
option of using specific domain forwarding instead of secondary zones. My
question is what is the best to use secondary zones as shown above or just
to add specific domain forwarding to the other Private DNS servers instead?




Thanks,
Fred

 

[William Stacey]

Using secondaries can handle laps in connectivity for resolving as the info
is local. However, if the link is down, getting the address probably will
not help much (the client will just fail at different stage which may be
ok.) Forward zones, kinda simplify your dns topology as your not supporting
secondary zones and xfrs all over the place. I would probably lean to
forwarding if all dns servers are w3k on both sides. If you have a mix, I
would probably stick with secondaries.

 

[Alan Wood [MSFT]]

Hi All,
I agree with William.
The only other thing that really needs to be taken into consideration is
possible bandwidth. What uses more and what uses less. If there are alot
of updates occuring in a zone I would preffer forwarding while if the zone
was fairly stagnent I would stick with the Secondary. These being all
Directory Services zones I would image they change quit frequently.

Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Fred Yarbrough]

Thanks Guys! I was also thinking that we may just want to Forward for these
internal domains instead of maintaining the Secondary zone. When I
originally designed this AD topology, W2K did not have this ability. After
reading and upgrading to W2K3, I caught this little enhancement to DNS and
wanted to get someone else's professional opinion. As William stated,
having a secondary zone will not matter if the link goes down and they can't
get there anyway. All I am interested in is making sure that name
resolution occurs if the link is there to use. Since we are using all W2K3
servers I believe that I will set them up to simply forward for particular
domains.


Thanks,
Fred

 

[Jonathan de Boyne Pollard]

FY> [...] we upgraded our Windows 2000 AD to Windows 2003 AD [...]
FY> what is the best to use secondary zones as shown [...] or
FY> just to add specific domain forwarding to the other
FY> Private DNS servers instead?

Neither. The best would actually be to use a "stub zone" and no global
forwarding. Conditional forwarding has the disadvantages of unnecessarily
transferring the burden of the grunt work of query resolution onto the
forwardee and of requiring manual updates if content DNS servers for the
"zone" are added or removed in the future. A secondary "zone" has the
disadvantages of (repeatedly) transferring (identical) data across the link
that actually might not ever be requested, of requiring explicit support to be
configured at the content DNS server whose database is being replicated, and
of imposing extra and ongoing maintenance burdens on the administrator of that
server.

The second best would be to use global forwarding and conditional forwarding
(on the grounds that if one is going for a setup where the grunt work of query
resolution is handed over to other entities anyway, one might as well employ
that design uniformly throughout the entire system and for all cases).