
DNS resolution, forwarders in small domains


Post by guest » Thu Aug 02, 2012 10:02 am

I have a question that cascades depending on how initial answers come out.

Starting with a single DC and server environment, like SBS would present, is a forwarder on the DNS server redundant because that is what it does anyway? In other words, the DNS server (and only domain server) attempts to resolve a name and does so from a local zone, cache, hint, or sends out a query to have it resolved and returned. Is that correct? A forwarder added would not change that, right?

If that is correct, is it good practice, bad practice, or neutral to have the DHCP server use a scope that puts this DNS server first and another, public DNS server second? The reason to do that would be that if for any reason the server were temporarily unavailable, client machines could still have DNS resolution for Internet access (think a reboot scenario, for example). As an additional piece of information, the server only has itself as a DNS server in its static address configuration.

Now a multi-server domain. More than one server (but not a lot), all inside the firewall, all DNS capable. No zones that are not AD integrated. Each server has only itself in its DNS configuration, but what about client machines? Would DHCP scope be configured to point to multiple DNS servers with the preferred servers listed first? That would add some resiliency in case a server were unavailable, but does it create any issues? Similarly, could an outside, public DNS server be added after the server ones?

As a corollary to this question, should the primary DNS server be listed as a forwarder by the secondary, internal DNS servers? That way, it seems, the cache would build up in this single server. On the other hand, if each client machine got that server in its DHCP scope as the first DNS server, isn't that the exact same thing in actual operation?

Aside from yes or no to these questions, can you explain why it is right or wrong or .... to do it as you suggest?

To toss another element in, would the way this is done in any way affect autodiscovery for Exchange and Outlook?



Re: DNS resolution, forwarders in small domains

Post by guest » Thu Aug 02, 2012 10:03 am

Forwarders are usually used for name resolution across trusted domains, or when your DNS server, for any reason, cannot contact the root hint servers, or when you have a single DNS server that has internet access and you want other DNS servers to use it for internet name resolution.

The normal scenario is to have at least two DCs that are configured as DNS servers. These servers can use root hints to resolve internet addresses, or, for security reasons, these servers can forward internet requests to a standalone DNS server that has internet access if you prefer not to allow internet access on the DCs.

As for the client configuration, the clients should be configured to use these DNS servers for name resolution and not the ISP's DNS. We should keep in mind that a client contacts the secondary DNS server if the primary server is offline, or if the primary server does not return an authoritative answer, so the client might contact the external DNS server more often than you might think. I believe this will result in lots of delays and name resolution problems that you will prefer to avoid.
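An added example, not part of the thread: a check for the client configuration recommended in the reply above, run over the ordered DNS server lists (DHCP option 006) exported per scope. The scope data, the domain DNS addresses and the finding names are constructed assumptions for illustration.

```python
import ipaddress

# RFC 1918 ranges; an IPv4 address outside them is treated as an external resolver.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (assumptions, not values from the thread).
DOMAIN_DNS = {"10.0.0.10", "10.0.0.11"}           # the DCs that host the AD zones
SCOPES = {                                        # scope -> DNS servers in client order
    "10.0.1.0": ["10.0.0.10", "10.0.0.11"],       # what the reply recommends
    "10.0.2.0": ["10.0.0.10", "203.0.113.53"],    # public resolver as "backup"
    "10.0.3.0": ["10.0.0.99", "10.0.0.10"],       # internal host that is not a domain DNS server
    "10.0.4.0": [],                               # option 006 missing
}

def audit_scope(dns_servers, domain_dns):
    """Return (finding, address) tuples for one scope's DNS server list."""
    if not dns_servers:
        return [("no-dns-servers", None)]
    findings, domain_hits = [], set()
    for raw in dns_servers:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings.append(("invalid-address", raw))
            continue
        if str(addr) in domain_dns:
            domain_hits.add(str(addr))
        elif any(addr in net for net in RFC1918):
            findings.append(("unknown-internal-resolver", str(addr)))
        else:
            # A resolver outside the domain cannot answer for the AD zones.
            findings.append(("external-resolver", str(addr)))
    if len(domain_hits) < 2:
        # Informational: the reply's baseline is at least two DC-hosted DNS servers.
        findings.append(("fewer-than-two-domain-dns", None))
    return findings

def audit(scopes, domain_dns):
    """Return only the scopes that have findings."""
    report = {}
    for scope, servers in scopes.items():
        findings = audit_scope(servers, domain_dns)
        if findings:
            report[scope] = findings
    return report

if __name__ == "__main__":
    for scope, findings in audit(SCOPES, DOMAIN_DNS).items():
        print(scope, findings)
```
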

Re: DNS resolution, forwarders in small domains

Post by guest » Thu Aug 02, 2012 10:03 am

Root hints are used to query top-level domains, whereas forwarders perform recursive queries using iterative queries.

Frequently asked questions about Windows DNS
http://support.microsoft.com/kb/291382

Understanding Forwarders
http://technet.microsoft.com/en-us/libr ... 10%29.aspx

Understanding root hints
http://technet.microsoft.com/en-us/libr ... 10%29.aspx

Discussion
http://social.technet.microsoft.com/For ... 2a34c49391

You should not configure a public IP on the client NIC directly, as it is bad, and from a security point of view it's a big risk and vulnerable to attack, which might expose the domain too.